Page 1 of 1

Using Mikrotik web proxy in hotspot setup

Posted: Thu Dec 02, 2010 10:07 am
by wilburt
Hi MT experts,

I am trying to setup a simple web proxy using the in built web proxy feature of the MikroTik. I have been able to setup it up using the information from http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

and for the most part it succesfully blocks the sites as listed in the proxy. However I can't access any other sites. All I get is the following message

"There is a loop in network for HTTP traffic..."

In my HS server profile I have setup the HTTP proxy as my HS gateway and the proxy port as 8080 and in my web proxy I have followed the steps in the link above.

What should I do?

Thanks in advance

Re: Using Mikrotik web proxy in hotspot setup

Posted: Thu Dec 02, 2010 4:27 pm
by fewi
The Hotspot itself is already a proxy, so you're looping to yourself. To bypass the automatic proxy for authenticated users, insert the following NAT rule:
/ip nat firewall
add chain=pre-hotspot dst-address=!local hotspot=auth action=accept
That has other side effects. If it does not work well for you you can try rewriting your proxy rules to work in the 'output' rather than the 'forward' chain, but that will also have side effects.

Overall the cleanest solution would be to use a third party proxy.

Re: Using Mikrotik web proxy in hotspot setup

Posted: Fri Dec 03, 2010 1:37 am
by wilburt
Thanks for the information. Is it possible to use the out of the box hotspot proxy to deny certain website after users have authenticated or for trial users?

Re: Using Mikrotik web proxy in hotspot setup

Posted: Fri Dec 03, 2010 4:42 am
by fewi
Walled garden rules are only evaluated before authentication - at least according to the documentation. Try it out - just configure "/ip hotspot walled-garden" like you would the proxy. Worth a shot. I don't think it will work, though.

Re: Using Mikrotik web proxy in hotspot setup

Posted: Fri Dec 03, 2010 6:08 am
by wilburt
Yeah... tried it and it doesn't work after authentication. Looks like a third party webproxy might be the only answer.

Thanks for your insight and knowledge!

Re: Using Mikrotik web proxy in hotspot setup

Posted: Fri Dec 03, 2010 6:15 am
by Feklar
Yes you can, but you need to force guests to use the proxy after they sign in. This can be done with a simple NAT rule or you can check to enable "use transparent proxy" in the user profile. The transparent proxy only works for HTTP, not HTTPS.
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

With the NAT rule it looks something like this and needs to come before the hotspot rules in the firewall, you can also put it on the pre-hotspot chain:
/ip firewall nat
add chain=dst-nat action=redirect to-port=8080 dst-port=80 protocol=tcp hotspot=auth src-address=192.168.1.0/24
If you want to do this for only certain profiles then you need to use it at the profile level, or use a dynamic address list that a guest is going to be added to upon signing in, another option in the user profiles, or done with a Radius attribute.

Re: Using Mikrotik web proxy in hotspot setup

Posted: Fri Dec 03, 2010 6:47 am
by fewi
Nice! That's a neat workaround.

Using the pre-hotspot chain would be more reliable since that hooks directly into the provided customization, and the hotspot NAT rules are dynamic and may change position. I'd also add "dst-address-type=!local" so that the servlets (such as status) continue to make it through and continue to work.

Re: Using Mikrotik web proxy in hotspot setup

Posted: Sat Dec 14, 2013 10:17 am
by dunga
Hello Fewi,
You said add the rule before pre-hotspot chain,

I dont understand you very well. how is it done
Nice! That's a neat workaround.

Using the pre-hotspot chain would be more reliable since that hooks directly into the provided customization, and the hotspot NAT rules are dynamic and may change position. I'd also add "dst-address-type=!local" so that the servlets (such as status) continue to make it through and continue to work.
I need your help.

Thanks