infomate
Member Candidate
Topic Author
Posts: 112
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Hotspot with Web-proxy configuration

Thu Sep 08, 2005 6:55 am

Hi guys,

I'm having problems setting up a Web-proxy for my hotspot clients. The documentation is a little vague (or it's me who can't understand).
In the docs, it states that the Hotspot is already running on port 8088. The step-by-step hotspot setup uses port 80. Does this mean I have to reconfigure my running (with live clients) MT to use port 8088? If I follow the procedure, the web-proxy is on port 3128.

If I follow the docs on how to set up the web-proxy, it uses port 8080! And it didn't have any information on how to set it up together with a running Hotspot service.

I'm confused! :oops: :cry:

I have tried to follow the firewall rule to redirect port 80 requests to the transparent web proxy but nothing works.

Here's my config.

Hotspot running on port 80
ip hotspot> print
use-ssl: no
hotspot-address: 10.5.50.1
dns-name:
status-autorefresh: 1m
universal-proxy: no
parent-proxy: 10.5.50.1:3128
auth-requires-mac: yes
auth-mac: no
auth-mac-password: no
auth-http-cookie: no
http-cookie-lifetime: 1m
allow-unencrypted-passwords: no
login-mac-universal: no
split-user-domain: no


Firewall DST-NAT
0 ;;; accept SMTP SSL on port 465
dst-address=:465 protocol=tcp flow=!hs-auth action=accept

1 ;;; accept POP3 SSL on port 995
dst-address=:995 protocol=tcp flow=!hs-auth action=accept

2 ;;; redirect unauthorized secure hotspot clients to hotspot service
in-interface=Wired-AP-Hotspot dst-address=:443 protocol=tcp flow=!hs-auth action=redirect
to-dst-port=443

3 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=Wired-AP-Hotspot protocol=tcp flow=!hs-auth action=redirect to-dst-port=80

4 X ;;; redirect all hotspot request to transparent proxy
in-interface=Wired-AP-Hotspot dst-address=!10.5.50.1/32:80 protocol=tcp action=redirect
to-dst-port=8080

ip web-proxy> print
enabled: yes
src-address: 0.0.0.0
port: 8080
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0:0
cache-administrator: webmaster
max-object-size: 4096 kB
cache-drive: system
max-cache-size: unlimited
status: running
reserved-for-cache: 402 MB

Any help will be much appreciated.

Robert S.
 
taloot
Member Candidate
Posts: 276
Joined: Sun Mar 06, 2005 1:12 am
Location: Saudi arabia, Riyadh

Sat Sep 10, 2005 1:39 am

OK.
Don't do any redirection, this one is default for authentication.
Make sure that you didn't block traffic on port 3128 in the ip firewall input chain (opened by default).
Do you want the client to run the proxy transparently?


1st, put in client PC 10.5.50.1 <--- default MT proxy server port 3128 in IE,
open any page, then

go to MT, go to
ip web-proxy
settings
status
See how many clients are connected. If this works, post your result
in this
 
infomate
Member Candidate
Topic Author
Posts: 112
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Sat Sep 10, 2005 3:48 am

Hi taloot,

I've set the client proxy (on IE) to 10.5.50.1:3128 but it cannot resolve any site. I've tried to take out parent-proxy on the /ip hotspot but the hotspot only allows the site in my walled garden setting (yahoo.com) and nothing else; any website would then be redirected to the hotspot captive portal (still no client request on the web-proxy). I'm assuming that the dst-nat still redirects all traffic to the MT Hotspot.

I've tried several combinations, from not putting any source IP on the web-proxy to following the docs by putting the same Hotspot IP (10.5.50.1), but still it cannot resolve any address.

I would like to set up my hotspot clients to be able to use the web-proxy "transparently". Or is there a way to do selective clients only (manually set on the client browser)? Would 402MB be enough?

Robert S.
 
goldclick
Frequent Visitor
Posts: 51
Joined: Fri Sep 17, 2004 10:48 pm
Location: Nigeria

Sun Sep 11, 2005 12:46 am

Setting your client proxy on IE to 3128 or ports other than 80 will not work, as hotspot attempts to redirect all TCP traffic to itself till authenticated. From your earlier post, everything seems fine except that you did not turn on transparent proxy.

/ip web-proxy set transparent-proxy=yes

Leave your other config as is and do not set a proxy on your client browsers. They need to hit the hotspot on port 80 and be redirected to login. Once in, all TCP port 80 is transparently redirected to web-proxy's port 8080.

Let me know if it doesn't work.
 
infomate
Member Candidate
Topic Author
Posts: 112
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Sun Sep 11, 2005 5:00 am

Thanks goldclick,

Will try it again and do some testing.

Just to add one more thing. Would the clients not authenticating on the Hotspot still be able to use the walled garden (in my case yahoo.com) (clients !hs-auth mark)?

I remember trying to use yahoo, but it took some time so I assumed that it did not work. Will try again though.

Robert S.
 
taloot
Member Candidate
Posts: 276
Joined: Sun Mar 06, 2005 1:12 am
Location: Saudi arabia, Riyadh

Sun Sep 11, 2005 12:40 pm

Ahhha, now I understand what you mean.

Don't do any redirection by yourself,
and please provide me your firewall chain forward and input.

Delete number 4.
 
infomate
Member Candidate
Topic Author
Posts: 112
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Fri Sep 16, 2005 5:06 pm

I've got my web-proxy working now. It's my firewall that's blocking incoming packets to MT (last line on my input firewall: drop and log everything else). I've added an accept rule before it to accept traffic to dst-port 8080.

Thanks everybody!

Robert S.
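
The fix in the last post, as an added example that is not part of the original thread: a simplified Python model of first-match filtering, showing why traffic redirected to port 8080 is judged by the router's input chain and dropped unless an accept rule sits before the final drop. The rule dictionaries, the port-80 accept rule, the `WAN` interface name and the choice to scope the accept rule to the hotspot interface are assumptions made for illustration.

```python
# Simplified first-match filter model (illustrative; not RouterOS syntax).
HOTSPOT_IF = "Wired-AP-Hotspot"   # interface name from the thread
ROUTER_IP = "10.5.50.1"           # hotspot-address from the thread

def dst_nat(pkt):
    """Redirect described in the thread: hotspot TCP/80 not addressed to the
    router is sent to the router's own port 8080 (the web-proxy)."""
    if (pkt["in_if"] == HOTSPOT_IF and pkt["proto"] == "tcp"
            and pkt["dst_port"] == 80 and pkt["dst_ip"] != ROUTER_IP):
        return dict(pkt, dst_ip=ROUTER_IP, dst_port=8080)
    return pkt

def input_verdict(chain, pkt):
    """The first rule whose fields all equal the packet's fields decides."""
    for rule in chain:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return rule["action"]
    return "accept"  # nothing matched: default accept

def trace(chain, pkt):
    """Return (destination port after NAT, verdict)."""
    pkt = dst_nat(pkt)
    if pkt["dst_ip"] != ROUTER_IP:
        return pkt["dst_port"], "forward-chain"   # not modelled here
    return pkt["dst_port"], input_verdict(chain, pkt)

# Constructed rules. ACCEPT_LOGIN stands in for whatever already let the
# login page on port 80 through; DROP_ALL is "drop and log everything else".
ACCEPT_LOGIN = {"match": {"proto": "tcp", "dst_port": 80}, "action": "accept"}
ACCEPT_PROXY = {"match": {"in_if": HOTSPOT_IF, "proto": "tcp", "dst_port": 8080},
                "action": "accept"}   # assumption: scoped to the hotspot interface
DROP_ALL = {"match": {}, "action": "drop"}

BEFORE = [ACCEPT_LOGIN, DROP_ALL]
AFTER = [ACCEPT_LOGIN, ACCEPT_PROXY, DROP_ALL]
WRONG_ORDER = [ACCEPT_LOGIN, DROP_ALL, ACCEPT_PROXY]

# Constructed packets: a hotspot client browsing, and a connection to the
# proxy port arriving on a hypothetical "WAN" interface.
CLIENT_HTTP = {"in_if": HOTSPOT_IF, "proto": "tcp",
               "dst_ip": "203.0.113.10", "dst_port": 80}
WAN_TO_PROXY = {"in_if": "WAN", "proto": "tcp",
                "dst_ip": ROUTER_IP, "dst_port": 8080}

if __name__ == "__main__":
    for name, chain in [("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)]:
        print(name, trace(chain, CLIENT_HTTP))
    print("wan", trace(AFTER, WAN_TO_PROXY))
```

Scoping the accept rule to the hotspot interface keeps the final drop rule in effect for the proxy port on every other interface.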
