Community discussions

MUM Europe 2020
 
crashz
just joined
Topic Author
Posts: 5
Joined: Tue May 08, 2007 12:25 pm

Please help..hotspot and walled garden

Tue May 08, 2007 12:35 pm

Helllo people. I have problem. I want create hotspot on mikrotik.Everything is fine bat i want block all http page except http://www.onet.pl. i want create two group..Full permision to surf in net and restricted permision..Full permision is work fine bat how work restricted??..To surf only one page..www.onet.pl..rest is blocked

please answer me ..thanks
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Tue May 08, 2007 4:53 pm

As you know HotSpot provides authentication methods, e.g. login/password method for authorization.
You may issue login/passwords for first group (full access), second group will be redirected to HotSpot login page, but http://www.onet.pl will be accessible for any user, other pages only for authorized users.
Walled-garden entries configuration is available at
'ip hotspot walled-garden add dst-host=', to specify specific domain that will be accessible.
 
crashz
just joined
Topic Author
Posts: 5
Joined: Tue May 08, 2007 12:25 pm

Tue May 08, 2007 5:14 pm

Oki..bat all user in my network must logon on hotspot.and i want some group have been restricted..that group must have only permision to http://www.onet.pl site...other site is blocked...how to do it??
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Tue May 08, 2007 5:19 pm

One of the way how you can achieve this create different HotSpot user profiles and specify firewall chains,
one for full access users,
second for restricted users.
Second user's firewall chain should contain rule that allows traffic to this webpage and drop other traffic.
 
crashz
just joined
Topic Author
Posts: 5
Joined: Tue May 08, 2007 12:25 pm

Tue May 08, 2007 7:09 pm

Ok..did you show me how to write this procedure?? exemple?
 
User avatar
usrox
just joined
Posts: 24
Joined: Sat Sep 17, 2005 7:59 am

Wed May 09, 2007 12:16 pm

Hello, you can use incoming/outgoing-filter on user-profile to put your own filter-rules on your user-profiles, so you can make different access type for you user.
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed May 09, 2007 12:52 pm

Note, do not forget to add one 'jump' rule to 'chain=forward' 'jump-target=hotspot', that redirects traffic from 'forward' chain to 'hostpot' chain. Traffic from HotSpot chain will be redirected correct to incoming/outgoing filter specified chains.
 
crashz
just joined
Topic Author
Posts: 5
Joined: Tue May 08, 2007 12:25 pm

Wed May 09, 2007 2:06 pm

:( don't know how to doit.Do you be show me step by step how to doit restricted group?? I have full acces..is very simple..block acces but i dont have restricted...Only one page must be open..rest is block..please help...step by step...procedure..


thanks
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed May 09, 2007 3:07 pm

Procedure were described at the previous topics.
- Create two 'ip hotspot user profiles', one for normal user and second for one-page allowed users.
- Specify 'Incoming Filter' and 'Outgoing Filter' for second groups.
- Add firewall rule that allows specific page and second rule to block any other traffic.
- Add another firewall rule that will redirect traffic from chain=forward to chain=hotspot.
 
crashz
just joined
Topic Author
Posts: 5
Joined: Tue May 08, 2007 12:25 pm

Wed May 09, 2007 4:44 pm

What put to Icoming Filter and what put to odgoing filter to restricted group. ?? Do you can put some screenshot how to do it?? step by step...becose im newbie....big thanks
 
FASSIA
just joined
Posts: 23
Joined: Mon Apr 17, 2006 6:02 pm

Wed May 16, 2007 6:12 pm

Hi people,

I try to do the same thing ( http://forum.mikrotik.com/viewtopic.php?t=15749 )

MMM
If I can make I will post with results.

Thanks Sergejs for the procedure, I will try it.

Regards!
 
FASSIA
just joined
Posts: 23
Joined: Mon Apr 17, 2006 6:02 pm

Wed May 16, 2007 6:36 pm

Okey, it do not work. =(

- Create two 'ip hotspot user profiles', one for normal user and second for one-page allowed users.
I do it, but how can assignate a profile to a specific user via radius?

- Specify 'Incoming Filter' and 'Outgoing Filter' for second groups.
I do it, but also I reply with radius a filter-id mark, named "nopago"

- Add firewall rule that allows specific page and second rule to block any other traffic.
I add two in "nopago" chain. One return the request with dst-address 10.1.2.27 (web server). The another one reject all tcp traffic.

- Add another firewall rule that will redirect traffic from chain=forward to chain=hotspot.
I add in foward chain a rule to make it jump to hotspot.

I do not know what I doing wrong, but it doesn't work.

Regards.
 
FASSIA
just joined
Posts: 23
Joined: Mon Apr 17, 2006 6:02 pm

Wed May 16, 2007 11:50 pm

Hi,

I did some test this afternoon and I couldn't reach to any result.

I try to use the pre-hs-input but nothing happend.

Here are my filter reules, check it out:

(10.1.2.27 is my webserver)
 0   chain=pre-hs-input packet-mark=!Account_Disabled action=return 

 1   chain=pre-hs-input dst-address=!10.1.2.27 packet-mark=Account_Disabled 
     action=reject reject-with=icmp-net-prohibited 
 
FASSIA
just joined
Posts: 23
Joined: Mon Apr 17, 2006 6:02 pm

Thu May 17, 2007 1:23 am

"OH I SOLVE IT"

well, I have a bit help of my boss jeje :P

You have to do as following if you want that certain users surf only the walled garden:

Create 2 forward chain rules.
/ ip firewall filter 
add chain=forward packet-mark=Account_Disabled hotspot=from-client action=jump \
jump-target=hs-unauth comment="" disabled=no 
add chain=forward packet-mark=Account_Disabled hotspot=to-client action=jump \
    jump-target=hs-unauth-to comment="" disabled=no 
This do that all the traffic marked with "Account_Disabled" will be redirected to hs-unauth chain. So the user only surf the walled garden. 8)

ONE MORE THING:

Disable Transparent proxy in the user profile you are using, because it won't work.

HOPE this help someone!
Regards!

Who is online

Users browsing this forum: Bing [Bot], Dude2048, vilpalu and 112 guests