Community discussions

MikroTik App
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

how to allow internet from address-list

Thu Nov 10, 2011 4:43 pm

Hi all!

I'm trying to make work such scheme:
1. mikrotik gives ip to LAN by DHCP-server. Let suppose the DHCP pool is 192.168.0.0/24, so I
creating a address-list=CLIENTS with 192.168.0.0/24

and before give them access to the Internet, I send CLIENTS to web-server page where they need to login and they will be sending to address-list=CLIENTS_LOGON, here is a code which redirect them to WEB-server:
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 protocol=tcp dst-address=0.0.0.0/0 src-address-list=clients dst-port=80

The problem is that I dont know how to gives them access when they in address-list=CLIENTS_LOGON and there is the rule above.
I'm confused...

masquerade - does not appropriate, because when user wants to logout on the 10.0.0.10 web-page the page will see IP of output mikrotik interface. I will NAT 192.168.0.0/24 on the WEB-server

Could some one suggest me solution of this problem.
Will much appreciated.
Thank you
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:02 pm

Specify an out-interface=[WAN-interface-name] parameter on the masquerade rule so it only fires for traffic to the Internet.

However, it sounds like you're reinventing a Hotspot. Any particular reason you aren't just using a Hotspot with an external splash page?
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:43 pm

I have such scheme:

USER192.168.0.2---->192.168.1.2Mikrotik(DHCP)10.0.0.1---->10.0.0.10 GATEWAY(NAT,WEB-SERVER)
when user receive 192.168.0.2 on I can ping 0.0.0.0/0 because NAT working on (10.0.0.10 )GATEWAY (it's NATing 192.168.0.0/24)

I redirect all requests on 0.0.0.0/0:80 to 10.0.0.10:80 to login
it's working
but ping working too -it's bad - it's needed to recover too (deny ping to internet when user redirected to 10.0.0.10:80 )

then when user logon, it will appear on address-list CLIENTS_LOGON . I want them do not redirect to webserver but give them internet. And I don't understand how to do it.

Sorry for my bad explanation and poor English )
 
User avatar
winet
Member Candidate
Member Candidate
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:58 pm

perhaps fewi had to ask him first, "do you know that mikrotik has hotspot feature?" which gives almost exact scheme you're asking.
 
francisconeto
Trainer
Trainer
Posts: 22
Joined: Thu Nov 10, 2011 5:55 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 6:16 pm

Is there any motive for not use hotspot or you don't know as works hotspot ?
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 6:17 pm

I know about hotspot, I think I got it what is needed, I'll answer what I'm thinking, but after I check it )
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Fri Nov 11, 2011 1:34 pm

I found such solution

the solution is to add such rule above my redirecting rule :
chain=dstnat action=accept src-address-list=CLIENTS_LOGON dst-address-list=global
above this
chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address-list=CLIENTS dst-address=0.0.0.0/0 
     dst-port=80 
but for many address-lists I will need many such rules it's not good

I also tried to mark packets and allow them:
chain=forward action=mark-packet new-packet-mark=allow_CLIENTS 
     passthrough=yes src-address-list=CLIENTS_LOGON dst-address=0.0.0.0/0 
and then
chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address=192.168.6.0/24 dst-address=0.0.0.0/0 
     dst-port=80 packet-mark=!allow_CLIENTS 
but it's does not work (

maybe someone can help me
 
User avatar
winet
Member Candidate
Member Candidate
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Fri Nov 11, 2011 2:35 pm

perhaps the main problem is language here. we don't know what are you trying to do. we're just assuming you're trying to build a hotspot, and we told you that mikrotik has hotspot feature already, you don't have to set anything else on firewall. i hope you understand what i'm saying now.

check out :
/ip hotspot
when you setup a hotspot to an interface, mikrotik will set the firewall automatically to a redirect page, which mikrotik already has it built-in.
to learn more about it, please open and read:
http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Fri Nov 11, 2011 4:11 pm

thank you for an answer, but I don't need hotspot. On the GATEWAY (WEBSERVER, NAT) I have Billing system which allows users and counts traffic. I described a situation and what I want to do, I need a suggestion with Firewall rules and nothing else
 
User avatar
winet
Member Candidate
Member Candidate
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Fri Nov 11, 2011 5:35 pm

thank you for an answer, but I don't need hotspot. On the GATEWAY (WEBSERVER, NAT) I have Billing system which allows users and counts traffic. I described a situation and what I want to do, I need a suggestion with Firewall rules and nothing else
ah, so do mikrotik. mikrotik also have billing system for its hotspot, it is called, user manager. however, mikrotik hotspot, could also be set to read data from RADIUS server, if your your billing system support this.
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Sat Nov 12, 2011 9:46 am

Thank you about Mikrotik hotspot. :) But I just need a suggestion with firewall

Who is online

Users browsing this forum: No registered users and 134 guests