marcperea
Trainer
Topic Author
Posts: 10
Joined: Wed Feb 03, 2016 11:01 pm
Location: Minot ND

Uptime limit without using Hotspot

Wed Feb 03, 2016 11:31 pm

Hello,
I'm trying to figure out the best way to accomplish a time limit feature, exactly like what is available under Hotspot -> User -> Limits -> Limit Uptime, except that I don't use Hotspot - I'm using DHCP and make them static entries with controlled ARP to manage the endpoints on the LAN.

Is there an easy way to accomplish this functionality that I'm too blind to see? I've considered spinning up a free-radius installation and turning on accounting somehow, or enabling IP -> Traffic Flow and putting up a collector that then gets polled periodically to see if a "session/endpoint" is active, but both seem pretty clunky to me. I also considered scripting to check through the endpoints with a firewall rule per endpoint that allows me to get counters, then compare counters to threshold ... but that seems like it wouldn't scale very well and might bring CPU to its knees? Is that a valid concern?

I'm not using Hotspot for a couple of reasons:
1) Not all my endpoints are wireless
2) I want them to do DHCP, or at least not have to authenticate manually
3) Hotspot is one of the features I'm pretty unfamiliar with... I don't mind being called ignorant if there's stuff in there that does what I want and fits 1&2 above, and I just need to RTFM (but please give a pointer!)

So to be clear, I want to implement something like:
User with IP 192.168.88.20 is allowed to use Internet weekdays from 5pm - 9pm, but only for max of 90 minutes. After 90(ish) minutes, the connection should be disabled (drop rule until reset). Same user might have policy to only use Internet for 180 minutes on weekends, and user should not have to actively do anything to start/end session.

Am I missing the easy way to achieve what I want, or anyone have a recommendation? Or is this just something that's going to be a PITA?
Turbocharge your Internet!
http://aerez.net

marcperea

Re: Uptime limit without using Hotspot

Tue Mar 08, 2016 12:14 am

Following up, in case anyone else has these questions - I've determined the following through my testing:

1) You can put hotspot on any interface, so you can use a bridge instead of picking wlan, and it can host wireless and wired connections. Nice. It does appear that there's something semi-broken with fasttrack and hotspot which will make you smash your head against the wall for hours to figure out what's broken if you don't suspect it. I currently have things working with fasttrack disabled, though I suspect I'm just missing a default accept rule on forward for established/related.

2) I'm still working through transparent auto-login. I'd like to allow the user (device doing DHCP) to automatically log in to the network without having to view a popup window or enter credentials. Sounds like MAC-auth, right? That's exactly what I want, except how do I add the user before I know the MAC? At the moment, I popup the auth page and user can pick trial, then periodically I have a scheduler call a script that adds any MAC found in /ip hotspot hosts that isn't already added to user. I feel like this is very clunky, but I don't know what other options I have.

I'm definitely happier showing a user a login page once and then forever accepting their MAC after that than showing it EVERY time, but still - anyone have any other ideas for a better way?

3) I tried turning up a RADIUS server and User Manager, but it sure seems like overkill, and the same caveats above still apply - I have a chicken and egg issue where I need to know the MAC to add the user, but I don't know the MAC until the user has attempted to connect. It would be awesome if TRIAL mode could apply to MAC auth.

It would also be awesome if RADIUS for DHCP sent ACCOUNTING and not just AUTHENTICATION - then I could do this a different way also.

Finally, I'm trying Traffic Flow with ntopNG, and I'm not sure if I'm failing at server admin, but I just get a spinny wheel whenever I want to look at flows, so this seems like a poor path to try to force down to accomplish time limits.
 
borisov3252
just joined
Posts: 6
Joined: Tue Jun 19, 2007 12:05 am

Re: Uptime limit without using Hotspot

Sat Feb 09, 2019 3:35 am

Code:

/ip dhcp-server
add name=172.16.0 interface=wlan2 address-pool=172.16 lease-time=8h disabled=no lease-script="
    # the lease-script fires on bind and on release; only hand out time when a lease is bound
    :if (\$leaseBound = 1) do={
        # hotspot-expire-limit remembers the address for 8h, so renewing or re-requesting a lease
        # inside that time does not hand out a fresh 30 minutes
        :local known [:len [/ip firewall address-list find address=\$leaseActIP list=hotspot-expire-limit]]
        :if (\$known = 0) do={
            /ip firewall address-list add address=\$leaseActIP list=hotspot-time-limit timeout=00:30:00
            /ip firewall address-list add address=\$leaseActIP list=hotspot-expire-limit timeout=08:00:00
        } else={
            /ip firewall address-list set [find address=\$leaseActIP list=hotspot-expire-limit] timeout=08:00:00
        }
    }"

/ip firewall nat
# only hosts that still have time on the list get NAT; once the 30 min entry times out the host loses Internet but can still reach the LAN
add action=masquerade chain=srcnat comment="masquerade hotspot network and disable masquerade to LAN and time limit" src-address-list=hotspot-time-limit

src-address-list hotspot-expire-limit is just a database for the expire limit.
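The following is an added example and not code from any post in this thread. It implements the spec from the opening post (host 192.168.88.20, weekdays 17:00-21:00 with a 90 minute budget, 180 minutes per weekend day) on RouterOS 6.x, and it differs from the lease-script above in one respect: the address-list timeout there is wall-clock time from the moment the lease binds, whereas here a minute only counts against the budget if the host actually moved packets through its window rule during that minute, which is what "max 90 minutes of use" asks for. The window itself is the firewall `time` matcher (days of week included), so the script never has to work out the day of the week. The WAN interface name `ether1-wan`, the lists `timed-users` and `quota-exhausted`, the chain `timed`, the `quota:N` comment convention, the globals `quotaUsed`/`quotaLast` and the script and scheduler names are all assumptions made for this example.

```routeros
# Added example (not from the thread): usage-based daily time budget per LAN host on RouterOS 6.x,
# measured with firewall rule counters instead of Hotspot or RADIUS accounting.
# Assumed names: ether1-wan, timed-users, quota-exhausted, chain timed, scripts quota-tick/quota-reset.

/ip firewall address-list
add list=timed-users address=192.168.88.20 comment="host with a time budget"

/ip firewall filter
# Budget spent for today: drop Internet-bound traffic only (LAN-to-LAN is untouched thanks to out-interface).
add chain=forward src-address-list=quota-exhausted out-interface=ether1-wan action=drop comment="time budget used up"
# Listed hosts are evaluated in chain "timed"; if no window rule matches there, control returns here and drops.
add chain=forward src-address-list=timed-users out-interface=ether1-wan action=jump jump-target=timed
add chain=forward src-address-list=timed-users out-interface=ether1-wan action=drop comment="outside every allowed window"
# One rule per host and window. The time matcher opens the window, the comment carries the budget in
# minutes, and the rule's own packet counter tells the scheduler whether the host was active.
add chain=timed src-address=192.168.88.20 time=17:00:00-21:00:00,mon,tue,wed,thu,fri action=accept comment="quota:90"
add chain=timed src-address=192.168.88.20 time=0s-1d,sat,sun action=accept comment="quota:180"

/system script
# Runs once a minute. A minute in which a window rule's packet counter moved is one used minute.
add name=quota-tick source={
    :global quotaUsed
    :global quotaLast
    :if ([:typeof $quotaUsed] != "array") do={ :set quotaUsed [:toarray ""] }
    :if ([:typeof $quotaLast] != "array") do={ :set quotaLast [:toarray ""] }
    :foreach r in=[/ip firewall filter find chain="timed" comment~"^quota:"] do={
        :local ip [/ip firewall filter get $r src-address]
        :local c [/ip firewall filter get $r comment]
        :local limit [:tonum [:pick $c 6 [:len $c]]]
        :local pk [/ip firewall filter get $r packets]
        :local key ("$ip/" . $limit)
        :if ([:typeof ($quotaUsed->$key)] = "nil") do={ :set ($quotaUsed->$key) 0 }
        # first sample after a reboot: remember the counter, do not count it as activity
        :if ([:typeof ($quotaLast->$key)] = "nil") do={ :set ($quotaLast->$key) $pk }
        :if ($pk > ($quotaLast->$key)) do={
            :set ($quotaUsed->$key) (($quotaUsed->$key) + 1)
            :set ($quotaLast->$key) $pk
        }
        :local marked [:len [/ip firewall address-list find list=quota-exhausted address=$ip]]
        :if (($quotaUsed->$key) >= $limit && $marked = 0) do={
            /ip firewall address-list add list=quota-exhausted address=$ip comment="$key minutes used"
            :log info "time budget exhausted for $ip ($limit min)"
        }
    }
}
# Daily reset at midnight: clear the counters and let everyone back on.
add name=quota-reset source={
    :global quotaUsed
    :global quotaLast
    :set quotaUsed [:toarray ""]
    :set quotaLast [:toarray ""]
    /ip firewall address-list remove [find list=quota-exhausted]
}

/system scheduler
add name=quota-tick interval=1m on-event="/system script run quota-tick"
add name=quota-reset start-time=00:00:00 interval=1d on-event="/system script run quota-reset"
```

Two things to check before trusting it. First, the forward rules above must sit before any fasttrack rule: once a connection is fasttracked its packets skip the filter, the counters stop moving and the host gets free minutes; this is the same interaction the second post ran into with Hotspot. Second, the whole scheme identifies a user by source IP, so it is only as strong as the binding between host and address; the static DHCP leases plus reply-only ARP from the opening post are what prevent a host from simply taking another address once it is on the exhausted list. Resolution is one minute, so "90(ish)" is accurate, and background chatter (update checks, push notifications) burns minutes too; raising the per-minute threshold from "counter moved" to "counter moved by more than N packets" is the knob for that.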
