chesk

Hotspot login - redirect to radius server local with public IP

Sun Jun 02, 2019 4:29 pm

Following the tutorial for configuring the MikroTik with Spotipo (social login), I cannot access the login site.

We have 5 public IPs; one of them, xx.xx.xx.133, we use for the hotspot.
The Spotipo server has a local address, 192.168.0.11, to which NAT is done, both from the LAN network 192.168.x.x and from the hotspot / DHCP server network 10.100.x.x.

I can access the address hotspot.xx.com or xx.xx.xx.133, and it automatically shows the Spotipo login page, both from the LAN and when I connect with a DHCP IP, thanks to the hairpin NAT rules.

But when I activate the hotspot server on the MikroTik, the page cannot be accessed, neither by the domain nor by the IP (xx.xx.xx.133): the page is blank if I use the local IP over https, and I get error 400 if I use the public IP over http and https.

Both the domain and the IP are added to the walled garden.
The RADIUS server indicates the public IP.
A static DNS entry indicates "hotspot.xx.com" -> xx.xx.xx.133

In the user profile, "transparent proxy" is removed and the web proxy is disabled.
Services www and www-ssl are disabled.

I copy the firewall rules.
/ip firewall layer7-protocol
add name=Youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.c\
    om|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|google\
    video.com|youtu.be).*\$"
/ip firewall address-list
add address=192.168.7.100 comment="pc test" list=Web
add address=10.100.0.2-10.100.255.254 list=Turistas
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment=turistas-youtube layer7-protocol=\
    Youtube src-address-list=Turistas
add action=accept chain=forward comment="acceso lan - hotspot" dst-address=\
    10.100.0.0/16 src-address=192.168.0.0/21
add action=accept chain=forward comment="acceso hotspot - lan" dst-address=\
    192.168.0.0/21 src-address=10.100.0.0/16
add action=accept chain=forward comment="acceso spotipo" disabled=yes \
    dst-address=xx.xx.xx.133 dst-port=0-65535 in-interface=ether5 protocol=\
    tcp src-address-list=Turistas
add action=accept chain=input comment="acceso spotipo" disabled=yes \
    dst-address=xx.xx.xx.133 dst-port=0-65535 in-interface=ether2 protocol=\
    udp
add action=drop chain=forward disabled=yes in-interface=ether2
add action=accept chain=forward disabled=yes src-address=192.168.0.0/21
/ip firewall mangle
add action=mark-connection chain=prerouting comment="youtube connection" \
    connection-mark=no-mark content=youtube dst-port=53 new-connection-mark=\
    youtube_connection passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=youtube_packet \
    connection-mark=youtube_connection new-packet-mark=youtube_packet \
    passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=\
    "enmascara toda la salida a internet" out-interface=ether2
add action=masquerade chain=srcnat comment="enmascara la red hotspot" \
    src-address=10.100.0.0/16
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - tcp - simple nat" dst-address=xx.xx.xx.133 \
    dst-port=0-65535 in-interface=ether2 protocol=tcp to-addresses=\
    192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - udp - simple nat" dst-address=xx.xx.xx.133 \
    dst-port=0-65535 in-interface=ether2 protocol=udp to-addresses=\
    192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - hairpin nat - tcp - lan" dst-address=\
    xx.xx.xx.133 dst-address-type=local dst-port=0-65535 in-interface=\
    ether3 protocol=tcp to-addresses=192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - hairpin nat - tcp - hotspot" dst-address=\
    xx.xx.xx.133 dst-address-type=local dst-port=0-65535 in-interface=\
    ether5 protocol=tcp to-addresses=192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - hairpin nat - udp - lan" dst-address=\
    xx.xx.xx.133 dst-address-type=local dst-port=0-65535 in-interface=\
    ether3 protocol=udp to-addresses=192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment=\
    "entrada - spotipo server - hairpin nat - udp - hotspot" dst-address=\
    xx.xx.xx.133 dst-address-type=local dst-port=0-65535 in-interface=\
    ether5 protocol=udp to-addresses=192.168.0.11 to-ports=0-65535
add action=src-nat chain=srcnat comment="salida - spotipo server" \
    src-address=192.168.0.11 to-addresses=181.15.193.133
add action=masquerade chain=srcnat comment="masquerade - tcp - lan" \
    dst-address=192.168.0.11 dst-port=0-65535 out-interface=ether3 protocol=\
    tcp src-address=192.168.0.0/21
add action=masquerade chain=srcnat comment="masquerada - udp - lan" \
    dst-address=192.168.0.11 dst-port=0-65535 out-interface=ether3 protocol=\
    udp src-address=192.168.0.0/21
add action=masquerade chain=srcnat comment="masquerade - tcp - hotspot" \
    dst-address=192.168.0.11 dst-port=0-65535 out-interface=ether5 protocol=\
    tcp src-address=10.100.0.0/16
add action=masquerade chain=srcnat comment="masquerade - udp - hotspot" \
    dst-address=192.168.0.11 dst-port=0-65535 out-interface=ether5 protocol=\
    udp src-address=10.100.0.0/16
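
A check one could run over an export like the one pasted above, added here as an example and not part of the original post: it re-joins RouterOS line continuations, parses the `add` lines, and lists enabled dst-nat rules that forward the whole 0-65535 port range arriving on the WAN interface to an internal host. It assumes ether2 is the WAN side (as the masquerade rule's comment suggests); the sample text is constructed, and 203.0.113.133 is a documentation address standing in for the masked public IP.

```python
import re
import shlex

# Constructed sample in the shape of the export above; 203.0.113.133 is a
# documentation address standing in for the masked public IP.
SAMPLE = r'''/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "enmascara toda la salida a internet" out-interface=ether2
add action=dst-nat chain=dstnat comment="entrada - tcp - simple nat" \
    dst-address=203.0.113.133 dst-port=0-65535 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.0.11 to-ports=0-65535
add action=dst-nat chain=dstnat comment="hairpin - tcp - hotspot" \
    dst-address=203.0.113.133 dst-address-type=local dst-port=0-65535 \
    in-interface=ether5 protocol=tcp to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="https only" disabled=yes \
    dst-address=203.0.113.133 dst-port=443 in-interface=ether2 protocol=tcp \
    to-addresses=192.168.0.11 to-ports=443
'''

def parse_export(text):
    """Yield (menu, properties) for each 'add' line of a RouterOS export."""
    # The export wraps long lines with a trailing backslash plus indentation,
    # sometimes in the middle of a word ("protocol=\" / "tcp"): re-join first.
    text = re.sub(r"\\\n[ \t]*", "", text)
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # e.g. "/ip firewall nat"
        elif line.startswith("add "):
            props = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            yield menu, props

def full_range_forwards(text, wan_interfaces=("ether2",)):
    """Return enabled dst-nat rules that forward every port in from the WAN."""
    findings = []
    for menu, p in parse_export(text):
        if menu != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        if p.get("disabled") == "yes" or p.get("in-interface") not in wan_interfaces:
            continue
        if p.get("dst-port", "0-65535") == "0-65535":  # no dst-port means all ports
            findings.append((p.get("comment"), p.get("protocol", "any"), p.get("to-addresses")))
    return findings

if __name__ == "__main__":
    print(full_range_forwards(SAMPLE))
```

Each rule it reports exposes every listening port of the internal server to the internet on that protocol; a forward limited to the ports the portal actually serves would not be listed.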
   
