Mark66
just joined
Topic Author
Posts: 22
Joined: Mon Apr 27, 2009 8:29 pm

Hotspot on RB450 works only with NAT

Mon Apr 27, 2009 10:20 pm

Greetings to all

We describe the following scenario:
 ----------------------------
| pc client with dhcp client |
 ----------------------------
              | dynamic ip 10.5.50.254
              |
              | ip addr 10.5.50.1
 ----------------------------
|   mikrotik rb450 hotspot   |
 ----------------------------
              | ip addr 192.168.4.2 (ether1)
              |
              | ip addr 192.168.4.1
 ---------------------------------
| pc gateway with nat and sniffer |
 ---------------------------------
              | Dynamic Public IP
              |
           INTERNET

My router configuration (I reset the configuration first ;-)):
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.4.2/24     192.168.4.0     192.168.4.255   ether1
 1   ;;; hotspot network
     10.5.50.1/24       10.5.50.0       10.5.50.255     ether4
[admin@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME       INTERFACE   ADDRESS-POOL   PROFILE        IDLE-TIMEOUT
 0 S hotspot1   ether4      hs-pool-4      hot.test.cxm   5m
[admin@MikroTik] > ip hotspot profile print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap
     http-cookie-lifetime=3d split-user-domain=no use-radius=no

 1   name="hot.test.cxm" hotspot-address=10.5.50.1 dns-name="hotsptest"
     html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
     login-by=https ssl-certificate=cert1 split-user-domain=no use-radius=no
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
[admin@MikroTik] >

It works fine BUT...

$ sudo tcpdump -i eth0 -n port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:45:07.093820 IP 10.5.50.1.33876 > 72.14.221.19.80: S 1378059382:1378059382(0) win 5840 <mss 1460,sackOK,timestamp 143108 0,nop,wscale 1>
20:45:07.149041 IP 72.14.221.19.80 > 10.5.50.1.33876: S 3778402489:3778402489(0) ack 1378059383 win 5672 <mss 1430,sackOK,timestamp 3466031712 143108,nop,wscale 6>
20:45:07.149511 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 1 win 2920 <nop,nop,timestamp 143113 3466031712>
20:45:07.149814 IP 10.5.50.1.33876 > 72.14.221.19.80: P 1:379(378) ack 1 win 2920 <nop,nop,timestamp 143113 3466031712>
20:45:07.212547 IP 72.14.221.19.80 > 10.5.50.1.33876: . ack 379 win 106 <nop,nop,timestamp 3466031776 143113>
20:45:07.225217 IP 72.14.221.19.80 > 10.5.50.1.33876: P 1:548(547) ack 379 win 106 <nop,nop,timestamp 3466031788 143113>
20:45:07.225615 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 548 win 3467 <nop,nop,timestamp 143121 3466031788>

Notice anything strange?

Although there are no NAT rules set on the router, the source IP address of the traffic that comes from the router and goes to the Internet is not 10.5.50.254 but 10.5.50.1!

Is it possible to present the true source IP address of the hotspot client at the outbound interface (ether1) of the MikroTik RB450 router?

I insist on this point because, under current regulations in my country (Italy), a hotspot that masks the true source IP address of the customer makes little sense to use :-(

Do you have an example of commands for solving this problem?
Probably something is wrong, but above all I would like to know which commands I have to enter on the router.

Thank you in advance!
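
The check made by eye in the capture above can be automated. The following is an added example, not part of the original post: it parses tcpdump text output taken on the upstream side and groups the sources of new port-80 connections into those opened by the hotspot address itself (client hidden behind the router) and those carrying a real client address. The function names and the third sample line are constructed for illustration; the addresses are the ones from the post.

```python
import ipaddress
import re

# Sample capture lines. The first two are from the post (TCP options trimmed);
# the third is constructed to show a client whose address is not hidden.
SAMPLE = """\
20:45:07.093820 IP 10.5.50.1.33876 > 72.14.221.19.80: S 1378059382:1378059382(0) win 5840
20:45:07.149041 IP 72.14.221.19.80 > 10.5.50.1.33876: S 3778402489:3778402489(0) ack 1378059383 win 5672
20:47:11.000001 IP 10.5.50.254.40112 > 72.14.221.19.80: S 2000000000:2000000000(0) win 5840
"""

# "time IP src.sport > dst.dport: rest" as printed by tcpdump -n
LINE_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$"
)

def is_syn(rest):
    """True for an initial SYN in the old ("S ...") or new ("Flags [S],") style."""
    if rest.startswith("Flags [S],"):
        return True
    return rest.startswith("S ") and " ack " not in rest

def classify_http_sources(capture, hotspot_addr, hotspot_net, dport=80):
    """Group source IPs of new connections to dport by who originated them."""
    gateway = ipaddress.ip_address(hotspot_addr)
    network = ipaddress.ip_network(hotspot_net)
    seen = {"proxied": set(), "client": set(), "other": set()}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != dport or not is_syn(m.group(5)):
            continue  # header lines, replies, other ports
        src = ipaddress.ip_address(m.group(1))
        if src == gateway:
            seen["proxied"].add(str(src))   # the router opened the connection
        elif src in network:
            seen["client"].add(str(src))    # real client address is visible
        else:
            seen["other"].add(str(src))     # e.g. a NATed or unrelated source
    return seen

if __name__ == "__main__":
    print(classify_http_sources(SAMPLE, "10.5.50.1", "10.5.50.0/24"))
```

A non-empty "proxied" set means at least one web connection left the router with the hotspot address as its source instead of the client's.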
 
Mark66

Re: Hotspot on RB450 works only with NAT [SOLVED]

Tue Apr 28, 2009 11:10 am

SOLVED

I have disabled the transparent proxy with the command:

ip hotspot user profile set USERPROFILENAME transparent-proxy=no


I post my ip hotspot export:

/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
add dns-name=hot.test.cxm hotspot-address=10.5.50.1 html-directory=hotspot \
    http-proxy=0.0.0.0:0 login-by=https name=hot.test.cxm rate-limit="" \
    smtp-server=0.0.0.0 split-user-domain=no ssl-certificate=cert1 \
    use-radius=no
/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=5m \
    interface=ether4 keepalive-timeout=none name=hotspot1 profile=\
    hot.test.cxm
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=2m name=default \
    open-status-page=always shared-users=1 status-autorefresh=1m \
    transparent-proxy=yes
add idle-timeout=none keepalive-timeout=2m name=noproxy shared-users=1 \
    status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=marco password=marco profile=noproxy
[admin@MikroTik] >

Many Thanks
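
An added example, not part of the original post and not MikroTik code: a small audit of an ip hotspot export like the one above that lists the hotspot users whose user profile does not explicitly say transparent-proxy=no, i.e. users whose web traffic may still leave the router with the hotspot address as source. The user guest1 and the function names are constructed, and the script assumes that a user without profile= falls under the default user profile.

```python
import re
import shlex

# Constructed sample: the two user sections from the export in the post,
# plus one made-up user ("guest1") that has no explicit profile.
SAMPLE_EXPORT = r"""
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=2m name=default \
    open-status-page=always shared-users=1 status-autorefresh=1m \
    transparent-proxy=yes
add idle-timeout=none keepalive-timeout=2m name=noproxy shared-users=1 \
    status-autorefresh=1m transparent-proxy=no
/ip hotspot user
add comment="" disabled=no name=marco password=marco profile=noproxy
add name=guest1 password=example
"""

def parse_export(text):
    """Yield (menu, verb, {key: value}) for each command in an export."""
    menu = None
    joined = re.sub(r"\\\n\s*", "", text)   # undo backslash line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":      # comments, stray CLI prompts
            continue
        if line.startswith("/"):             # menu path, e.g. "/ip hotspot user"
            menu = line
            continue
        verb, *tokens = shlex.split(line)
        yield menu, verb, dict(t.split("=", 1) for t in tokens if "=" in t)

def users_behind_proxy(text):
    """Return hotspot users whose profile does not say transparent-proxy=no."""
    proxied = {}   # user profile name -> True if HTTP may be proxied
    users = {}     # user name -> user profile name
    for menu, verb, kv in parse_export(text):
        if menu == "/ip hotspot user profile" and "name" in kv:
            proxied[kv["name"]] = kv.get("transparent-proxy") != "no"
        elif menu == "/ip hotspot user" and verb == "add" and "name" in kv:
            # Assumption: a user with no profile= uses the "default" profile.
            users[kv["name"]] = kv.get("profile", "default")
    # Users on an unknown profile are reported too, so nothing passes silently.
    return sorted(u for u, p in users.items() if proxied.get(p, True))

if __name__ == "__main__":
    print(users_behind_proxy(SAMPLE_EXPORT))
```

A profile that omits the setting is treated as proxied on purpose, so the audit errs toward reporting a user rather than missing one.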
