daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Hotspot and ssh questions

Tue Dec 27, 2011 7:17 am

OK I got my first 450G up and running. Basically using it as a pumped up home/SOHO all in one router, WAN IP on ether1-gateway and LAN on bridged ether2-5. I set up a hotspot on it, do user accounting with userman, and I use the integrated web proxy on port 8080 to transparently do some filtering and blocking (not caching) for the hotspot authenticated clients (while unauthenticated clients get no access at all). All that seems to be working fine, but I have a few specific questions/issues.

1) What in the world does the "transparent proxy" tick box in the hotspot user profiles do? The documentation is very vague and I found no post explaining this clearly. The way I got my transparent filtering/blocking proxy to work is by setting up a rule in the NAT pre-hotspot firewall table, redirecting packets originating from the LAN with dst-port 80 to dst-port 8080 (which the integrated proxy listens on). But then, what does the "transparent proxy" tick box do? I can see no firewall rule added when I tick it.

2) I can't get ssh to work from the WAN side. The ssh service is running on port 22. User and key are defined. I can ssh from the LAN when authenticated in the hotspot. I also set up a rule in the walled garden ip, and I am able to connect from the LAN even if I am not authenticated in the hotspot. To connect from the WAN side, I set up a rule in the input table to accept all connections (for testing purposes, I will harden that later) with dst-port 22 on ether1-gateway. But this does not work. I keep getting connection timeout or connection refused, depending on which ssh client I use, and the counter on the firewall rule obstinately sticks to zero. I know for a fact that the ISP does not block this port, because if I disconnect the 450G and plug my old DD-WRT Linksys back in, then I can ssh into it from the WAN side. Do the hotspot NAT rules somehow interfere with this? I tried to add a "return" static entry at the end of the hs-unauth NAT table if dst-port 22 is matched on interface ether1-gateway (similar to the dynamic entries added by the walled garden on the LAN side). Still no luck. I can't think of anything else now. I can't get at the router just now, but I will post the config later. Anyone else had similar issues?
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Hotspot and ssh questions

Thu Dec 29, 2011 12:14 am

Regarding the transparent proxy box, read this thread: http://forum.mikrotik.com/viewtopic.php?f=2&t=55661
Basically, you use either the checkbox or the NAT rules. You have more control with the NAT rules.
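Added example (not from the thread, and not MikroTik's own documentation) of the NAT-rule form of a transparent filtering proxy that the reply above prefers over the tick box. It assumes a LAN bridge named bridge-local, the WAN on ether1-gateway and the proxy on port 8080; the blocked host and the use of the pre-hotspot chain with the hotspot=auth matcher (so only logged-in clients are redirected) are illustration choices, and the final input rule is the caveat a practitioner would want: the proxy listens on every interface, so it must be filtered off the WAN.

```routeros
# Added example (not from the thread): transparent filtering proxy for
# authenticated hotspot clients using NAT rules instead of the profile
# tick box. Assumed names: LAN bridge "bridge-local", WAN "ether1-gateway",
# proxy port 8080. The blocked host is a constructed placeholder.

# Web proxy: enabled, listening on 8080, no caching.
/ip proxy
set enabled=yes port=8080 cache-on-disk=no max-cache-size=none

# Example block list; anything not denied here is allowed by default.
/ip proxy access
add dst-host=*.example.net action=deny comment="constructed block entry"

# Redirect only authenticated hotspot clients' HTTP to the local proxy.
# chain=pre-hotspot is the user hook reached from the hotspot's dynamic
# dstnat chain; hotspot=auth matches packets from logged-in clients;
# dst-address-type=!local keeps traffic aimed at the router itself
# (hotspot login page, proxy) out of the redirect.
/ip firewall nat
add chain=pre-hotspot hotspot=auth dst-address-type=!local protocol=tcp \
    dst-port=80 action=redirect to-ports=8080 comment="http -> proxy"

# The proxy listens on all interfaces: keep it off the WAN so the router
# does not become an open proxy for the Internet.
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=8080 \
    action=drop comment="no proxy from WAN" place-before=0
```

Whether the tick box or this rule is used, check `/ip firewall nat print stats` after a client browses: only one of the two should be counting packets, otherwise HTTP is being redirected twice.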
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Hotspot and ssh questions

Thu Dec 29, 2011 12:17 am

Regarding the SSH Question:

Make sure nothing in NAT is catching port 22. You may need to set up an "accept" rule in NAT at the top of the rules for port 22, since you have hotspot automatic NAT rules that might be catching everything without you realizing it... Some NAT rules are processed before INPUT rules, so your input accept rule is not getting used.

Reset all the counters on your NAT rules, and I bet you will see them increasing when you try to SSH to port 22.
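The procedure the reply above describes, as an added example in RouterOS CLI form (not from the thread): an accept at the top of dstnat so the hotspot's dynamic NAT rules never see WAN-side port 22, an input rule restricted to an admin address list instead of "accept all", and the counter/log check that tells a NAT catch apart from traffic that never reaches the router. The WAN interface name ether1-gateway is from the original post; the admin address 203.0.113.10, the list name ssh-admins and the log prefix are constructed for the example.

```routeros
# Added example (not from the thread): let port 22 on the WAN interface
# bypass the hotspot's dynamic NAT rules, then accept it in the input
# chain only from known admin addresses. Assumed: WAN "ether1-gateway";
# admin source 203.0.113.10 is a constructed documentation address.

# 1. dstnat is evaluated before the input filter. An explicit accept placed
#    above the dynamic hotspot jump ends NAT processing for this traffic,
#    so nothing later in the chain can redirect it elsewhere.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=22 \
    action=accept place-before=0 log=yes log-prefix="ssh-wan" \
    comment="ssh: skip hotspot NAT"

# 2. Input filter: accept from the admin list, drop everything else on WAN.
/ip firewall address-list
add list=ssh-admins address=203.0.113.10 comment="constructed admin IP"
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=22 \
    src-address-list=ssh-admins action=accept place-before=0
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=22 \
    action=drop place-before=1

# 3. Second layer: the service itself only answers the admin network.
/ip service
set ssh port=22 address=203.0.113.0/24

# 4. Check: zero the counters, try a connection from outside, then see
#    which rule saw the packets. NAT accept counting but input rule at
#    zero means a NAT rule was catching it before; both at zero means
#    the packets never reached the router, so look upstream.
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats where dst-port=22
/ip firewall filter print stats where dst-port=22
/log print where message~"ssh-wan"
```

Remove the `log=yes` from the NAT rule once the path is confirmed; a logged rule on a WAN-facing port fills the log quickly under scanning.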
 
daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Re: Hotspot and ssh questions

Thu Dec 29, 2011 5:24 am

Thanks for that. Yes, in the meantime I figured out that the "transparent proxy" tick box and the NAT rule are pretty much doing the same thing when it comes to proxying. Also see here, at the bottom of the page, firewall rules 10, 11 and 14.

Concerning the ssh problem, I ended up tracing it to my ISP having recently installed a firewall in front of my IPs.
