
How to: Allow Computer Unrestricted Access In Hotspot Setup

Posted: Mon Dec 20, 2004 1:41 pm
by hotspotsolutions
Hi,

I have set up the router as per the dhcp-pool for the hotspot setup, all works a treat, but I have 1 computer that needs unrestricted access to the network.

Currently this PC must log in to access any network resources, but because it has a static IP address I cannot get it to log in.

What I want to do is create a firewall rule to allow this IP address unrestricted access to the network.

I am sure it's simple but any help is appreciated.

Thank you

Posted: Mon Dec 20, 2004 5:38 pm
by edzix
under '/ip firewall mangle' add such a rule:
/ip firewall mangle add src-mac-address=<MAC here> disabled=no
and move it above the HotSpot service rule with 'move' command.

You can use also cookies to accomplish this. See:
http://www.mikrotik.com/docs/ros/2.8/ip ... ent#7.41.9

Edgars

Posted: Fri Jan 07, 2005 7:51 am
by ilero
edzix,

I use the Hotspot enabled method for my users. I also would like to have the ability to select certain customers that can bypass the hotspot login page without using other authentication methods like PPPoE. Just to clarify, I would use the action accept for the above rule? And, I do not have to worry about mark-flow or any other rules? Thanks

Posted: Sat Jan 08, 2005 11:41 pm
by in4ni
Hey Hotspotsolutions did you get that mangle rule to work?

I have tried several mangle rules to do an automatic pass-thru, to no avail.

It has been my experience that most of the documentation examples don't work. I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accept incoming connections from the internet. When I find the person that can make that happen for me he will be rewarded!

Just my 2 cents

Posted: Sun Jan 09, 2005 1:38 am
by jarosoup
Adding just a mangle rule does not work. Instead of a mangle rule, you need to add a destination-nat rule (src-address = the internal static ip, dst-address=0/0, action=accept) and a forward rule (src-address = the internal ip, dst-address = 0/0, action=accept). Make sure both rules are at the top of their list. As for assigning a static, you can also set this client to dhcp, then add their MAC in the dhcp leases table...then that client will always get that static ip.


Posted: Sun Jan 09, 2005 9:52 pm
by goldclick
What I do is create a mangle rule with 'hs-auth' flow for the static IP I want unrestricted. This works great for me:

>ip firewall mangle add src-address=192.168.x.x/32 action=passthrough mark-flow=hs-auth

This assumes the IP you want to bypass the login page is 192.168.x.x

Sonny.

Posted: Mon Jan 10, 2005 5:03 am
by wildbill442
"I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accept incoming connections from the internet. When I find the person that can make that happen for me he will be rewarded!"

This is done through src-nat and dst-nat. You also have to add the public IP address to the Public interface.

dst-nat rules should look similar to this...

 1   ;;; Dan
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.18

 2   ;;; Sales Office
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.12

 3   ;;; Roger
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.34

src-nat rules should look like this...

     ;;; Dan
     src-address=10.0.0.18/32 action=nat to-src-address=66.60.xxx.xxx

 1   ;;; Sales Office
     src-address=10.0.0.12/32 action=nat to-src-address=66.60.xxx.xxx

 2   ;;; Roger
     src-address=10.0.0.34/32 action=nat to-src-address=66.60.xxx.xxx

Remember to assign the additional IP addresses to the WAN interface on your MT router. That should be it, unless I've forgotten anything...

Posted: Tue Jan 11, 2005 2:32 am
by in4ni
Wildbill, I think you have the DST and SRC rules correct but I think my problem is with the mangle rules for the hotspot authentication.

Posted: Tue Jan 11, 2005 12:29 pm
by jaytcsd
I have a wifi nic in my laptop hard coded for 10.5.50.244/24, gateway 10.5.50.1, with my ISP's dns numbers. It can access the internet (no login screen) and I can control it using vnc from a public IP address nat-ed to the private address. The 10.5.50.0 network is my hotspot, my AP is 10.5.50.100, hooks into a switch with the other port going to the MT router's nic at 10.5.50.1.

If I change the nic in the laptop to dhcp I get the hotspot login page before I get internet access.

Is this what you are trying to do?


>>this has to be first
ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Nat Rule to tunnel traffic to laptop
dst-address=xxx.yyy.100.48/32 flow=hs-auth action=nat
to-dst-address=10.5.50.244


>>standard hotspot rule
1 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80

ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; packets for laptop
dst-address=xxx.yyy.100.48/32 action=accept mark-flow=hs-auth

1 ;;; return data from laptop
src-address=10.5.50.244/32 action=accept mark-flow=hs-auth

ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
1 src-address=10.5.50.0/24 action=masquerade

Hope this helps.
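
Added example, not written by any poster in this thread: a Python script that audits pasted `print` listings in the layout shown above, checking that rules matching `flow=hs-auth` sit above the hotspot redirect rule (as the posts say they must) and that each enabled `mark-flow=hs-auth` mangle rule is scoped to a single host. The sample listings, the placeholder public address and the single-host policy are assumptions constructed for illustration.

```python
import re

# Constructed sample in the `print` layout shown in the thread; the public
# address is a documentation placeholder, not a value from the page.
DST_NAT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80
1 ;;; Nat Rule to tunnel traffic to laptop
dst-address=198.51.100.48/32 flow=hs-auth action=nat
to-dst-address=10.5.50.244
"""
MANGLE = """\
0 ;;; return data from laptop
src-address=10.5.50.244/32 action=accept mark-flow=hs-auth
1 X ;;; old test rule
src-address=10.5.50.9/32 action=accept mark-flow=hs-auth
2 src-address=10.5.50.0/24 action=accept mark-flow=hs-auth
"""
HEAD = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")

def parse_rules(text):
    """Parse a rule listing into dicts with rule number, flags and properties."""
    rules = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # a leading rule number starts a new rule
            rules.append({"n": int(m[1]), "flags": m[2].split(), "props": {}})
            line = m[3]
        if rules and not line.startswith(";;;"):  # skip comment text
            rules[-1]["props"].update(t.split("=", 1) for t in line.split() if "=" in t)
    return rules

def audit(dst_nat_text, mangle_text):
    """Return findings about hotspot login bypass rules (empty list = clean)."""
    nat, findings = parse_rules(dst_nat_text), []
    redirect = next((r["n"] for r in nat if r["props"].get("flow") == "!hs-auth"
                     and r["props"].get("action") == "redirect"), None)
    for r in nat:  # bypass NAT rules must come before the redirect rule
        if redirect is not None and r["props"].get("flow") == "hs-auth" and r["n"] > redirect:
            findings.append(f"dst-nat {r['n']}: below redirect rule {redirect}")
    for r in parse_rules(mangle_text):
        p = r["props"]
        if "X" in r["flags"] or p.get("mark-flow") != "hs-auth":
            continue  # disabled, or not a login bypass
        scope = p.get("src-address") or p.get("dst-address") or p.get("src-mac-address")
        if scope is None or ("/" in scope and not scope.endswith("/32")):
            findings.append(f"mangle {r['n']}: bypass not limited to one host ({scope})")
    return findings
```

Calling `audit(DST_NAT, MANGLE)` on the constructed listings reports the misplaced dst-nat rule and the /24 bypass; the disabled rule is ignored.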