jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

2.9 Hotspot - dynamic firewall rules break static ones

Tue Mar 07, 2006 8:48 am

I've asked this before here and from support, but still no answer (or understanding) for this problem.

When you create a Hotspot and enable it, it creates dynamic firewall rules. If you add a new static rule, say a dst-nat rule that port-forwards to an internal device, all works fine until you reboot the router. When rebooted (or if you disable and enable the hotspot) the dynamic firewall rules for the hotspot become the first rules in the list, so your static rules never get executed, as the hotspot rules hit first (and ultimately block the port-forward request from ever happening).

Please note, this is not about bypassing user IP addresses from the hotspot. These are port-forward NAT rules for outside requests to internal devices. For example, I've got an AP bridge on the inside of a hotspot network and want to remotely SSH to it. I create a destination-nat rule that accepts a dst-port of 12345 and NATs to 192.168.1.10 port 22. Then I set my local SSH client to connect to the hotspot IP, port 12345.

Has anyone run into this? Is there something I can do to let a bunch of static dst-nat rules to internal devices through without the hotspot firewall rules breaking our entire outside network monitoring? In all of 2.8, the firewall rules never changed order. Why does this happen on 2.9?
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Tue Mar 07, 2006 10:44 am

I also have the same problem with the new Mikrotik 2.9.x version. I can write as many rules as I want, MT always does what the Hotspot dynamic rules say... Anyone know the solution to this problem???
 
fivenetwork
newbie
Posts: 45
Joined: Thu Jul 08, 2004 4:39 am

Wed Mar 08, 2006 5:56 am

Well, you could work around this ....

Write a script to MOVE the static rule to the top of the table, and schedule it to be run every hour.

This is a patch but will keep things working till MT comes up with a proper fix.
 
maroon
Member Candidate
Posts: 233
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Wed Mar 08, 2006 3:03 pm

Same problem too ..

The counters of the static rules count nothing .. always 0.

I think it's a bug... try the latest version of Mikrotik...
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Wed Mar 08, 2006 5:02 pm

I tried on 2.9.14 ????? Is there some newer version ???
 
maroon
Member Candidate
Posts: 233
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Wed Mar 08, 2006 5:34 pm

No, this is the latest version !!

Mikrotik Support, what do you think the problem is?

Regards,
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Wed Mar 08, 2006 5:53 pm

Someone told me that I need to not use a pool. And I also tried with static addresses.... The result was always the same = stupid Dynamic Hotspot Rule..... The best question for Mikrotik support people is: how to disable those rules? I will write my own...
 
dot-bot
Member Candidate
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Wed Mar 08, 2006 6:47 pm

> Well, you could work around this ....
>
> Write a script to MOVE the static rule to the top of the table, and schedule it to be run every hour.
>
> This is a patch but will keep things working till MT comes up with a proper fix.

And risk it not working for an hour until the script is executed? Couldn't we detect when the sh*t happens and make the script execute at that moment?
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Wed Mar 08, 2006 7:16 pm

Yes, running a script would work. It's easier to just log in immediately after the reboot and shift rules around *if* it's a planned reboot and we are on a network to do this.

Our biggest problem with this is that we monitor the up/down state and poll SNMP from more than 40 devices behind it. When the rules change order after a reboot, we'll get almost 100 alerts that everything is down, and again once we change the rules around that everything is back up. We have a few other networks with fewer devices but the same problem.

Perhaps to help Mikrotik, I suggest that instead of the dynamic rules being inserted at the top of the list, they are inserted last, after all static rules. Ideally the placement (both before and after) of static rules should stay the same - i.e., the hotspot knows where in the list they existed. But rarely do we need to place firewall rules after the dynamic hotspot ones. Having those dynamic rules always at the bottom of the list would work for us for now.
 
fivenetwork
newbie
Posts: 45
Joined: Thu Jul 08, 2004 4:39 am

Thu Mar 09, 2006 4:06 am

Heeeyyyy! The script workaround IS a hack job. If the strain on the CPU isn't much then you could have it executed every 5 minutes or even every minute.
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Thu Mar 09, 2006 10:34 am

What's the point? You CAN run a script just once after each reboot. So put the script in there, and you should be set.

And if you disable/reenable the hotspot manually (causing the same problem) you can just run the script manually, too - right?

Best regards,
Christian Meis
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Thu Mar 09, 2006 2:50 pm

Yeah, Christian, I think that you are right....

I will try writing a script later tonight.... Because I found that the dynamic jump rules made by Hotspot are not good for my configuration (they catch all interfaces with all addresses)... I will try to remove them and to write my own rules... That must be the solution to this problem...


Best Regards
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Thu Mar 09, 2006 6:28 pm

> What's the point? You CAN run a script just once after each reboot. So put the script in there, and you should be set.

The point is, after all of the time I've spent in the last 2 years dealing with the Hotspot module (since 2.7), and having Mikrotik unwilling to fix the last final bug that existed in the 2.8 branch because 2.9 was finally released (even though they were aware of this and had the golden supout file to prove what the problem was), I've finally taken the time to start upgrading our 2.8 hotspots to 2.9, only to find a serious design issue that breaks the functionality of what we've got in the field (the dynamic firewall issue).

The behavior of the dynamic firewall rules seems odd...maybe it's just me, but it seems like having any type of dynamic firewall insert rules at the top of the list is a bad idea. Yes, a script would resolve this to some degree, but IMO is not a solution. Overall, we've been happy with what Mikrotik has done and would like to continue using them for Hotspots - we have certainly purchased enough licenses to show our dedication to using this product.

It would be nice to at least get some feedback from Mikrotik on this issue - it would be nice to at least know if there are any plans to change this behavior.
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Thu Mar 09, 2006 6:30 pm

> I will try to remove them and to write my own rules... That must be the solution to this problem...

I don't think this is going to work...If you delete these rules, the next time you reboot they will all come back. I guess you could take the script approach and have it manually delete these...still doesn't seem like a proper solution though.
 
fivenetwork
newbie
Posts: 45
Joined: Thu Jul 08, 2004 4:39 am

Fri Mar 10, 2006 3:55 am

Supposing we do the script route....

The next query that pops into my 'devil's workshop' is how do we trigger it on EACH reboot? Is there a way of determining that the SYSTEM has rebooted and then have the script run, like an AUTOEXEC.BAT ??
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Fri Mar 10, 2006 6:49 am

Perhaps by checking the system uptime (i.e., trigger if it's less than 60 seconds)?
 
changeip
Forum Guru
Posts: 3823
Joined: Fri May 28, 2004 5:22 pm

Fri Mar 10, 2006 6:29 pm

> Supposing we do the script route....
>
> The next query that pops into my 'devil's workshop' is how do we trigger it on EACH reboot? Is there a way of determining that the SYSTEM has rebooted and then have the script run, like an AUTOEXEC.BAT ??

Check the run count of the job... if it's 0 then it's never been run before (since last boot).

Sam
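The script workaround discussed above (fivenetwork's "move the static rule to the top", cmit's "run it once after each reboot", Sam's run-count check), written out as an added example. This is not code from the thread or from MikroTik; it uses current RouterOS scripting syntax (v6/v7), not the 2.9 syntax of 2006, and assumes that the static rules to protect carry the comment "static-forward" and that a scheduler `start-time=startup` entry is available, which removes the need to poll run-count or uptime. The script name, scheduler names and the 192.168.1.10 forward (from the first post) are illustrative.

```routeros
# Added example, not from the thread. Current RouterOS syntax; names are assumptions.

# 1. Tag every static dst-nat rule that must be evaluated before the
#    hotspot's dynamic rules (example forward from the first post).
/ip firewall nat add chain=dstnat protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=22 \
    comment="static-forward"

# 2. Script: move all tagged rules above position 0, i.e. ahead of the
#    dynamic jump rules the hotspot re-creates at boot or on enable.
/system script add name=hs-reorder source={
    :local ids [/ip firewall nat find comment="static-forward"]
    :if ([:len $ids] > 0) do={
        /ip firewall nat move $ids destination=0
        :log info ("hs-reorder: moved " . [:len $ids] . " static rule(s) to the top")
    }
}

# 3. Run once right after every boot (the "once after each reboot" case) ...
/system scheduler add name=hs-reorder-boot start-time=startup interval=0 \
    on-event=hs-reorder

# ... and periodically, to cover a manual disable/enable of the hotspot.
#    Moving rules that are already at the top is a no-op, so this is cheap.
/system scheduler add name=hs-reorder-5m start-time=00:00:00 interval=5m \
    on-event=hs-reorder

# Check: the tagged rule should sit at index 0 and its counters should
# increase when an outside client connects to port 12345.
/ip firewall nat print stats where comment="static-forward"
```

The relative order of several tagged rules is preserved when they are moved together, so the protected rules keep the order in which they were originally added. If the hotspot was only disabled and re-enabled (no reboot), the periodic scheduler picks it up within five minutes; running the script by hand after such a change closes that window.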
 
normis
MikroTik Support
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Mar 13, 2006 11:30 am

Dynamic hotspot firewall rules catch only hotspot clients. Bypassed
devices will not match those rules. All AP's inside hotspot should be set
as bypassed hosts, thus allowing full access to them from outside.

Does anyone want to monitor some regular hotspot client? No problem -
just add IP of your SNMP server to "/ip hotspot walled-garden ip" list.

Are there some cases, which I have not covered here?
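The approach in the post above, applied to the first post's scenario, as an added example (not MikroTik's configuration and not from the thread). It assumes current RouterOS syntax; the AP bridge address 192.168.1.10 and port 12345 come from the first post, while the monitoring server address 203.0.113.5 is a placeholder.

```routeros
# Added example, not from the thread. Current RouterOS syntax; 203.0.113.5 is a placeholder.

# The AP bridge is infrastructure, not a hotspot client: bind it as a
# bypassed host so the dynamic hotspot rules never match its traffic.
/ip hotspot ip-binding add address=192.168.1.10 type=bypassed \
    comment="AP bridge - monitored from outside"

# The static port forward from the first post can then stay where it is;
# bypassed hosts are not caught by the rules inserted ahead of it.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=22 \
    comment="ssh-to-ap"

# Ordinary hotspot clients that the SNMP poller must still reach when they
# are not logged in: put the monitoring server in the walled garden IP list.
/ip hotspot walled-garden ip add dst-address=203.0.113.5 action=accept \
    comment="SNMP monitoring server"

# Checks: bypassed hosts appear with the B flag in the host table, and the
# static rule's counters should no longer stay at 0 after a test connection.
/ip hotspot host print
/ip firewall nat print stats where comment="ssh-to-ap"
```

Keeping the bypass list explicit (one ip-binding per monitored device) is the trade-off jarosoup notes below: one extra entry per device, but no dependence on rule order surviving a reboot.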
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Mon Mar 13, 2006 6:56 pm

I must rewrite my problem again... Nobody gives me an answer or a possibility for my problem.

-> I will explain my configuration shortly and some problems ->

I'm using a Cisco router for frame-relay and for giving access to public addresses.

I'm using Mikrotik for home users (private addresses) and to control the speed of public addresses (via queue).

I have 3 LAN ports on MT:

LAN 1 > outgoing interface (connected to the Cisco router)
LAN 2 > incoming interface for users with private addresses (they go out through LAN 1 as one public address)
LAN 3 > incoming interface for users with public addresses (they go out through LAN 1 as they are)

All traffic comes into one switch and goes into MT via two cables, into LAN2 and LAN3.

In version 2.8.28 everything works well.... but in 2.9.14 I have the following problems:

1. Half of the public addresses don't want to work ??!!?? Hotspot takes them into hosts and translates them into private addresses which don't want to work !!!!
2. Some of the users with private addresses have <host remove>

I made firewall rules which reject all traffic of public addresses on LAN2 and all traffic from private addresses on LAN3.... But in the ARP table I can see some (few) of the private addresses, and also in hotspot/hosts I can see some of the public addresses.....
Why did I put the hotspot server and all that on LAN2 if it takes addresses from LAN3 ..

Any answer is good answer...
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Mon Mar 13, 2006 7:38 pm

Thank you for responding Normis. I will try this and see what happens. My immediate reaction to this solution is that we have to add an extra rule for every device (to add to the bypass list) but if it does what we need, we'll be happy. I'll post back once we've tried this on a live network.
 
normis
MikroTik Support
Posts: 24708
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Mar 14, 2006 1:31 pm

> 1. Half of the public addresses don't want to work ??!!?? Hotspot takes them
> into hosts and translates them into private addresses which don't want to work !!!

If hotspot clients MUST have some valid IP address, then there is no need for
any NAT at hotspot at all:
/ip hotspot set <_name_> address-pool=none

If NAT is required only for unknown IP addresses, then you have to specify
which IP addresses are already valid (public addresses) and must stay the
same. For example, to never change IP addresses from subnet 1.2.3.0/24 create
following rule in ip-binding:
/ip hotspot ip-binding add address=1.2.3.0/24
> 2. Some of the users with private addresses have <host remove>

Please, find out where those wrong IP addresses are coming from. Hotspot
cannot guess, which of those 2 IP addresses is the one to use. There are 2
workarounds:
1) allow 2 IP addresses for each MAC address:
/ip hotspot set <_name_> addresses-per-mac=2
2) add individual blocked ip-binding rule for every wrong IP/MAC pair:
/ip hotspot ip-binding add mac-address=<mac> address=<wrong-ip> type=blocked

If hotspot does not NAT, then we can accept all valid IP subnets and block
everything else:
/ip hotspot ip-binding add address=<valid-ip-subnet-1>
/ip hotspot ip-binding add address=<valid-ip-subnet-2>
...
/ip hotspot ip-binding add address=<valid-ip-subnet-x>
/ip hotspot ip-binding add address=0.0.0.0/0 type=blocked
Blocked entries will not count as IP addresses for MACs thus avoiding <host
remove> problem.
 
milance
just joined
Posts: 21
Joined: Tue Jan 31, 2006 12:32 am
Location: Cuprija

Wed Mar 15, 2006 10:34 am

Thank you Normis, I will try that in next weekend...
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Mon Mar 27, 2006 6:06 am

I just wanted to follow-up with this topic as I've tried the solution offered (using the IP List from the Walled Garden). This seems to work fine for us so far. It's a little awkward as I'm used to directly adding rules to the firewall instead of having all of these dynamic rules created. I'm starting to get used to this approach and will continue this new method unless we run into something. Thanks for clarifying this problem and offering a working solution.
 
Mikro-Man-Tik
just joined
Posts: 18
Joined: Sat Dec 31, 2005 10:40 am

Mon Mar 27, 2006 6:34 pm

Hi all..
I think you can delete all dynamic rules related to the hotspot in the firewall and rebuild them as static rules, the same as the dynamic firewall rules :idea:
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Mar 28, 2006 8:28 am

I suppose, dynamic HotSpot rules will come back at the top after router reboots.
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Thu Apr 06, 2006 3:02 pm

So now with 2.9.19 there should be a way to keep the static rules before the dynamic rules. Or at least that's my interpretation of the changelog entry:

> *) added hooks before hotspot dynamic firewall rules for custom modifications;

I don't see any docs, but I suppose that the built-in chain "pre-hs-input" is thought for that?

Best regards,
Christian Meis
 
jarosoup
Long time Member
Topic Author
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Wed May 10, 2006 12:23 am

I too still need clarification on this. I didn't even notice this new chain "pre-hs-input" until rereading this thread after not finding any new settings for the dynamic rules.

I see that the first jump in the dynamic hotspot chain jumps to pre-hs-input. Just curious if this was the final solution and the intended purpose?
