Community discussions

 
wilburt
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Using Mikrotik web proxy in hotspot setup

Thu Dec 02, 2010 10:07 am

Hi MT experts,

I am trying to setup a simple web proxy using the in built web proxy feature of the MikroTik. I have been able to setup it up using the information from http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

and for the most part it succesfully blocks the sites as listed in the proxy. However I can't access any other sites. All I get is the following message

"There is a loop in network for HTTP traffic..."

In my HS server profile I have setup the HTTP proxy as my HS gateway and the proxy port as 8080 and in my web proxy I have followed the steps in the link above.

What should I do?

Thanks in advance
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Using Mikrotik web proxy in hotspot setup

Thu Dec 02, 2010 4:27 pm

The Hotspot itself is already a proxy, so you're looping to yourself. To bypass the automatic proxy for authenticated users, insert the following NAT rule:
/ip nat firewall
add chain=pre-hotspot dst-address=!local hotspot=auth action=accept
That has other side effects. If it does not work well for you you can try rewriting your proxy rules to work in the 'output' rather than the 'forward' chain, but that will also have side effects.

Overall the cleanest solution would be to use a third party proxy.
 
wilburt
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: Using Mikrotik web proxy in hotspot setup

Fri Dec 03, 2010 1:37 am

Thanks for the information. Is it possible to use the out of the box hotspot proxy to deny certain website after users have authenticated or for trial users?
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Using Mikrotik web proxy in hotspot setup

Fri Dec 03, 2010 4:42 am

Walled garden rules are only evaluated before authentication - at least according to the documentation. Try it out - just configure "/ip hotspot walled-garden" like you would the proxy. Worth a shot. I don't think it will work, though.
 
wilburt
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: Using Mikrotik web proxy in hotspot setup

Fri Dec 03, 2010 6:08 am

Yeah... tried it and it doesn't work after authentication. Looks like a third party webproxy might be the only answer.

Thanks for your insight and knowledge!
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Using Mikrotik web proxy in hotspot setup

Fri Dec 03, 2010 6:15 am

Yes you can, but you need to force guests to use the proxy after they sign in. This can be done with a simple NAT rule or you can check to enable "use transparent proxy" in the user profile. The transparent proxy only works for HTTP, not HTTPS.
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

With the NAT rule it looks something like this and needs to come before the hotspot rules in the firewall, you can also put it on the pre-hotspot chain:
/ip firewall nat
add chain=dst-nat action=redirect to-port=8080 dst-port=80 protocol=tcp hotspot=auth src-address=192.168.1.0/24
If you want to do this for only certain profiles then you need to use it at the profile level, or use a dynamic address list that a guest is going to be added to upon signing in, another option in the user profiles, or done with a Radius attribute.
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Using Mikrotik web proxy in hotspot setup

Fri Dec 03, 2010 6:47 am

Nice! That's a neat workaround.

Using the pre-hotspot chain would be more reliable since that hooks directly into the provided customization, and the hotspot NAT rules are dynamic and may change position. I'd also add "dst-address-type=!local" so that the servlets (such as status) continue to make it through and continue to work.
 
User avatar
dunga
Member Candidate
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: Using Mikrotik web proxy in hotspot setup

Sat Dec 14, 2013 10:17 am

Hello Fewi,
You said add the rule before pre-hotspot chain,

I dont understand you very well. how is it done
Nice! That's a neat workaround.

Using the pre-hotspot chain would be more reliable since that hooks directly into the provided customization, and the hotspot NAT rules are dynamic and may change position. I'd also add "dst-address-type=!local" so that the servlets (such as status) continue to make it through and continue to work.
I need your help.

Thanks

Who is online

Users browsing this forum: No registered users and 25 guests