 
Pigsfoot
Frequent Visitor
Topic Author
Posts: 84
Joined: Sat Oct 25, 2014 1:16 am

Bypass Hotspot and Radius for specific IP address

Sun Nov 02, 2014 12:19 pm

Hi,

We have a RB that is set up in hotspot mode using a Radius server. It is working fine with the internal network being issued DHCP addresses to clients connecting.

What we need to do is give some of our hardware, mainly APs behind the RB, direct access to the internet so they can be remotely managed. At the moment this isn't possible as they would have to authenticate to the radius server which isn't possible.

Is there a way / rule that can be applied that gives specific IP addresses on the LAN access through the gateway without authenticating via the Radius?

Thanks
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Bypass Hotspot and Radius for specific IP address

Sun Nov 02, 2014 4:49 pm

You can do that with ip-binding.
/ip hotspot ip-binding
add address=192.168.0.2 type=bypassed
If 192.168.0.2 isn't the IP you want bypassed, change that.

You can also bypass by mac address if you prefer.
 
Pigsfoot
Frequent Visitor
Topic Author
Posts: 84
Joined: Sat Oct 25, 2014 1:16 am

Re: Bypass Hotspot and Radius for specific IP address

Sun Nov 02, 2014 5:27 pm

Hi, thanks for the reply, that is very helpful.

The RB is quite new to me still so I tend to do most things via the WinBox. I presume there is a menu somewhere for IP binding.

Also, is it possible to add a whole subnet as bypass? I am thinking of adding all my infrastructure behind the RB onto a separate LAN to add another level of security.

i.e.
Infrastructure - 10.0.0.1 /24 with the RB being the gateway of 10.0.0.1
DHCP Clients - 192.0.0.1 /24, these all authenticate via the Radius and then bind to the gateway of 10.0.0.1 to get to the internet.

Many Thanks
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Bypass Hotspot and Radius for specific IP address

Sun Nov 02, 2014 5:34 pm

Yes.
/ip hotspot ip-binding
add address=192.168.0.0/24 type=bypassed
For Winbox, it is under "IP - Hotspot - IP Bindings"
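
A bypassed ip-binding skips hotspot login for whatever host matches it, so a subnet-wide entry such as the one above exempts every address in that range. As an added example (not part of the original thread and not MikroTik code), this Python sketch audits the text of an `/ip hotspot ip-binding export` and lists bypassed entries that cover more than one address or are matched by IP only. The sample export is constructed, the function names are hypothetical, and it assumes each `add` entry sits on one unwrapped line.

```python
import ipaddress
import shlex

# Constructed sample of `/ip hotspot ip-binding export` output (not from a real router).
SAMPLE_EXPORT = """\
/ip hotspot ip-binding
add address=192.168.0.2 type=bypassed
add address=192.168.0.0/24 type=bypassed
add comment="AP roof" mac-address=AA:BB:CC:00:00:01 type=bypassed
add address=192.168.0.50 type=blocked
"""

def parse_bindings(export_text):
    """Return one dict of key=value properties per `add` line in the ip-binding section."""
    bindings, in_section = [], False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            # A new menu path starts; only the ip-binding menu is of interest.
            in_section = line == "/ip hotspot ip-binding"
            continue
        if in_section and line.startswith("add "):
            # shlex keeps quoted values such as comment="AP roof" in one token.
            tokens = shlex.split(line[4:])
            bindings.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return bindings

def audit_bypasses(export_text, max_hosts=1):
    """List (entry, reason) findings for bypassed bindings that cover more than
    max_hosts addresses or that are matched by IP address only (no mac-address)."""
    findings = []
    for b in parse_bindings(export_text):
        if b.get("type") != "bypassed" or "address" not in b:
            continue  # blocked/regular entries and MAC-only bypasses are not flagged
        net = ipaddress.ip_network(b["address"], strict=False)
        if net.num_addresses > max_hosts:
            findings.append((b["address"], f"covers {net.num_addresses} addresses"))
        if "mac-address" not in b:
            findings.append((b["address"], "matched by IP only"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_bypasses(SAMPLE_EXPORT):
        print(f"{entry}: {reason}")
```

Raising `max_hosts` lets a deliberately bypassed infrastructure subnet of known size pass while still flagging anything wider.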
 
dmagno
just joined
Posts: 10
Joined: Wed Jun 13, 2012 7:55 pm

Re: Bypass Hotspot and Radius for specific IP address

Mon Nov 10, 2014 11:03 pm

SurferTim wrote:
> You can do that with ip-binding.
> /ip hotspot ip-binding
> add address=192.168.0.2 type=bypassed

This is a bypass authentication, am I right?

Is there a way to bypass all? In other words, bypass the whole hotspot (no nat, proxy, etc.)?

The purpose of this is that I need to monitor the network (10.21.0.0/24) of radios that are connected at hotspot interface. The hotspot network is 10.20.0.0/16.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Bypass Hotspot and Radius for specific IP address

Mon Nov 10, 2014 11:35 pm

First, you need to disable the hotspot NAT.
/ip hotspot
set 0 address-pool=none
Then when you use ip-binding, it will bypass everything. At least last time I checked.
 
dmagno
just joined
Posts: 10
Joined: Wed Jun 13, 2012 7:55 pm

Re: Bypass Hotspot and Radius for specific IP address

Tue Nov 11, 2014 12:17 am

SurferTim wrote:
> First, you need to disable the hotspot NAT.
> /ip hotspot
> set 0 address-pool=none
> Then when you use ip-binding, it will bypass everything. At least last time I checked.

But it works for the two networks?

I wanted to do the bypass to only one network, a network that is configured radios. The other network, hotspot, will continue to operate normally.

Firewall <--> RB (HotSpot Interface) <--> APs Radios (10.21.0.0/24) --> Wireless Hotspot Clients (10.22.0.0/16)

I need my firewall to access the network of Radios via routing only.

That is, in my RB I need to bypass the entire hotspot for the network 10.21.0.0/24.

Is it possible?
