 
medube
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Feb 15, 2005 2:50 pm

DHCP Clients only allowed to open permitted pages

Tue May 16, 2006 6:13 pm

Hi all,

I've created a dhcp-server to assign IPs to clients that connect to it. Can someone help me out with the rule to allow these clients to open only what I permit them to, e.g. a client can open http://www.google.com and nothing else without having to log on with their pppoe account?

Something like the walled garden feature in Hotspot, but this time I want to achieve it using only firewall rules on my dhcp clients.

All help will be appreciated.

Thanks
 
valens
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA
Contact:

Tue May 16, 2006 7:06 pm

You can do it with a simple firewall rule:
src-address=[ip-pool] dst-address=xxxxxxx action=accept
src-address=[ip-pool] dst-address=xxxxxxx action=accept
src-address=[ip-pool] dst-address=xxxxxxx action=accept
src-address=[ip-pool] dst-address=xxxxxxx action=accept
src-address=[ip-pool] dst-address=xxxxxxx action=drop
 
medube
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Feb 15, 2005 2:50 pm

Tue May 16, 2006 11:12 pm

Thanks valens, but if I may ask, how do you do this using names and not IPs for dst-address?

Thanks again
 
savage
Forum Guru
Posts: 1220
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Tue May 16, 2006 11:18 pm

Firewalls don't work on names, they work on numbers...

nslookup <name> gives you the number

--
C
Regards,
Chris
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Tue May 16, 2006 11:52 pm

And if your names resolve to changing IP addresses (like dyndns names), or belong to big websites (server clusters/load balancers/content delivery networks/... with multiple IP addresses) then you do have a problem...
You HAVE to use IP addresses to configure firewall rules.
So depending on what you want to let your users access, using HotSpot (walled garden) or perhaps a transparent proxy with access rules would be easier.

Best regards,
Christian Meis
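
The allow-then-drop rule set suggested above, written out as RouterOS commands with an address list holding every address the permitted name resolves to (an added example, not part of any post in this thread). The pool subnet 192.168.50.0/24, the resolver 192.0.2.53, the list name permitted-sites and the 192.0.2.x site addresses are constructed placeholders.

```routeros
# Added example with constructed values:
#   192.168.50.0/24        = subnet handed out by the dhcp-server
#   192.0.2.10, 192.0.2.11 = addresses nslookup returned for the permitted site
#   192.0.2.53             = DNS resolver given to the DHCP clients
/ip firewall address-list
add list=permitted-sites address=192.0.2.10 comment="permitted site, address 1"
add list=permitted-sites address=192.0.2.11 comment="permitted site, address 2"

/ip firewall filter
# Return traffic for connections that were already allowed
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
# Clients must reach DNS or they cannot resolve the permitted name at all
add chain=forward src-address=192.168.50.0/24 dst-address=192.0.2.53 \
    protocol=udp dst-port=53 action=accept
add chain=forward src-address=192.168.50.0/24 dst-address=192.0.2.53 \
    protocol=tcp dst-port=53 action=accept
# HTTP to the listed addresses only
add chain=forward src-address=192.168.50.0/24 dst-address-list=permitted-sites \
    protocol=tcp dst-port=80 action=accept
# Everything else coming from the DHCP pool is dropped
add chain=forward src-address=192.168.50.0/24 action=drop
```

The address list has to be updated by hand whenever the site's addresses change, which is the limitation described above for names behind load balancers or content delivery networks. If the clients use the router itself as their resolver, the DNS rules belong in chain=input instead of chain=forward.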
 
medube
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Feb 15, 2005 2:50 pm

Sun May 21, 2006 4:50 pm

Hi guys,

Thanks so far for the help.

What I now did was create a dhcp-server and masqueraded all requests from it to only the dst-add I want it to go to. Therefore all requests are dropped except to the permitted one.

Now if I may ask, can anyone tell me how to make all requests to any site be redirected to the one page I have masqueraded to? I have tried creating a dst-nat for it, but instead it redirects to the Mikrotik page on the router.

Thanks again for any help...
 
medube
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Feb 15, 2005 2:50 pm

Wed May 31, 2006 8:19 pm

Come on guys, any ideas??? :)
