I'm having a problem with the combination of the hotspot functionality and IPsec.
The goal of this conf is to centralize hotspot traffic by routing it to my core network and exiting at a single point.
To do so, I want to manage the hotspot auth with the hotspot functionality on each router, and then engulf all hotspot traffic in an IPsec tunnel directed to my core network.
The following conf is (at least to me) supposed to do so.
(Public IPs have been swapped, but consistency is preserved: 1.1.1.1 = my IPsec server, 2.2.2.2 = my hotspot/RADIUS/log server, 3.3.3.3 = my custom DNS)
```
# sep/22/2022 11:52:56 by RouterOS 7.5
# software id = 5IM7-56TG
#
# model = RB750Gr3
# serial number =
/interface bridge
add comment=LAN name=BR-HOTSPOT
add comment=RESCUE name=BR-RESCUE
add comment=WAN name=BR-WAN
/interface list
add name=IFLIST-MANAGEMENT
/ip hotspot profile
add html-directory=flash/hotspot login-by=http-pap name=\
HOTSPOT-SERVER-PROFILE nas-port-type=ethernet radius-mac-format=\
XX-XX-XX-XX-XX-XX use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=30m shared-users=unlimited
/ip ipsec profile
add dh-group=modp2048 hash-algorithm=sha256 name=p3-data
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=p3-data profile=p3-data
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h name=\
p3-data pfs-group=modp2048
/ip pool
add name=POOL-DHCP-HOTSPOT ranges=10.255.0.10-10.255.0.250
/ip dhcp-server
add address-pool=POOL-DHCP-HOTSPOT interface=BR-HOTSPOT lease-time=1h name=\
DHCP-HOTSPOT
/ip hotspot
add address-pool=POOL-DHCP-HOTSPOT disabled=no idle-timeout=none interface=\
BR-HOTSPOT name=A1-B2-C3-D4-E5-F6 profile=HOTSPOT-SERVER-PROFILE
/port
set 0 name=serial0
/queue simple
add max-limit=15M/15M name=LAN-15M target=BR-HOTSPOT
/system logging action
add bsd-syslog=yes name=SYSLOGHM remote=2.2.2.2 syslog-facility=local0 \
target=remote
/interface bridge port
add bridge=BR-RESCUE comment=RESCUE interface=ether2
add bridge=BR-WAN interface=ether1
add bridge=BR-HOTSPOT interface=ether3
add bridge=BR-HOTSPOT interface=ether4
add bridge=BR-HOTSPOT interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=IFLIST-MANAGEMENT
/interface list member
add interface=BR-RESCUE list=IFLIST-MANAGEMENT
/ip address
add address=10.255.0.1/24 interface=BR-HOTSPOT network=10.255.0.0
/ip dhcp-client
add interface=BR-WAN use-peer-dns=no
/ip dhcp-server network
add address=10.255.0.0/24 dns-server=10.255.0.1 gateway=10.255.0.1
/ip dns
set allow-remote-requests=yes servers=3.3.3.3
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=forward disabled=yes src-address=10.255.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=BR-HOTSPOT
add action=drop chain=forward dst-address=10.0.0.0/8 in-interface=BR-HOTSPOT
add action=drop chain=forward dst-address=172.16.0.0/12 in-interface=BR-HOTSPOT
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input dst-port=8291 in-interface-list=\
!IFLIST-MANAGEMENT protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=srcnat src-address=10.255.0.0/24
add action=log chain=pre-hotspot
add action=masquerade chain=srcnat comment=MASQUERADE disabled=yes \
out-interface=BR-WAN
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.mycompany.co
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=2.2.2.2 !dst-address-list \
!dst-port !protocol !src-address !src-address-list
/ip ipsec identity
add my-id=user-fqdn:MYROUTER@ike2-p3-mycompany.co peer=p3-data
/ip ipsec policy
add action=none dst-address=10.255.0.0/24 src-address=10.255.0.0/24
add dst-address=0.0.0.0/0 peer=p3-data proposal=p3-data src-address=\
10.255.0.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set www disabled=yes
/radius
add address=2.2.2.2 service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=MIKROTIK
/system logging
add action=SYSLOGHM prefix=MYROUTER topics=firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=fr.pool.ntp.org
/tool mac-server
set allowed-interface-list=IFLIST-MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=IFLIST-MANAGEMENT
/tool mac-server ping
set enabled=no
```
Except, it doesn't do what I want it to (of course it doesn't, where's the fun if it works at first try, heh?)
- the IPsec alone works perfectly fine, all traffic from the related eth port is routed through IPsec as intended
- the hotspot alone is also perfectly fine, I get my web portal and can log in through it (it's an external portal BTW, hence the external RADIUS source in the configuration)
But when activating both at the same time, traffic collapses: it is impossible for any client of the hotspot to get any connectivity whatsoever.
And I've got no idea how to fix that...
What I've already tried and seen:
- when initiating a connection from a client, I can see the related state created in the "connections" tab, for a ping for example:
```
5 C icmp 10.255.0.248 8.8.8.8 9s 672bps 0bps 630 0 52 920 0
```
- I've tried adding a filter rule after the hotspot one to accept targeted traffic => the rule sees packets going through, but it seems they are still dropped later on
- adding an IPsec policy to a single to test if traffic goes through outside of IPsec, and modifying the associated NAT rule so I go through masquerade => yes it does work (but since the point is getting the traffic inside IPsec, not very useful :p)
I guess all of this revolves around the NAT rule created to let IPsec traffic through and interference from the auto NAT rules of the hotspot:
```
/ip firewall nat
add action=accept chain=srcnat src-address=10.255.0.0/24
```
But I can't figure out how to modify this to make it work.
Thanks in advance!
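The following is an added Python model (not from the original post, and not RouterOS code) for reasoning about the interaction the post suspects: the order in which srcnat rules are evaluated relative to the IPsec policy lookup. It encodes two assumptions about RouterOS that are not stated on the page: that IPsec policy selectors are compared against the source address as it stands after the srcnat chain has run, and that the hotspot's dynamic NAT rules are inserted at the position of a passthrough rule commented "place hotspot rules here" when one exists in the chain, otherwise at the top of the chain. The dynamic masquerade rule, the 203.0.113.10 WAN address and the sample client/destination addresses are constructed for the model; the static accept rule and the two IPsec policies are the ones from the posted configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOTSPOT_NET = ipaddress.ip_network("10.255.0.0/24")   # hotspot subnet from the post
WAN_ADDR = ipaddress.ip_address("203.0.113.10")       # constructed WAN address
PLACEHOLDER = "place hotspot rules here"              # comment on the post's placeholder rules


@dataclass
class NatRule:
    action: str                                       # "accept", "masquerade" or "passthrough"
    src: Optional[ipaddress.IPv4Network] = None       # None means "any source"
    comment: str = ""
    dynamic: bool = False

    def matches(self, src_ip: ipaddress.IPv4Address) -> bool:
        return self.src is None or src_ip in self.src


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                                       # "none" (exempt) or "encrypt"


# The two IPsec policies from the post: exempt intra-hotspot traffic, tunnel everything else.
POLICIES = [
    Policy(HOTSPOT_NET, HOTSPOT_NET, "none"),
    Policy(HOTSPOT_NET, ipaddress.ip_network("0.0.0.0/0"), "encrypt"),
]

# Assumption: the hotspot adds a dynamic masquerade rule for its clients' traffic.
DYNAMIC_HOTSPOT_RULES = [
    NatRule("masquerade", HOTSPOT_NET, comment="dynamic hotspot masquerade", dynamic=True),
]


def build_srcnat(static_rules: List[NatRule]) -> List[NatRule]:
    """Assumption: dynamic rules replace the placeholder if present, else go on top."""
    for i, rule in enumerate(static_rules):
        if rule.action == "passthrough" and rule.comment == PLACEHOLDER:
            return static_rules[:i] + DYNAMIC_HOTSPOT_RULES + static_rules[i + 1:]
    return DYNAMIC_HOTSPOT_RULES + static_rules


def run_srcnat(chain: List[NatRule], src_ip: ipaddress.IPv4Address):
    """Walk the chain; the first terminating rule decides the outgoing source address."""
    for rule in chain:
        if not rule.matches(src_ip):
            continue
        if rule.action == "accept":
            return src_ip, rule.comment          # source left untouched
        if rule.action == "masquerade":
            return WAN_ADDR, rule.comment        # source rewritten to the WAN address
        # passthrough: no decision, keep walking
    return src_ip, "no rule"


def ipsec_lookup(src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> str:
    """Assumption: selectors are matched against the post-srcnat source address."""
    for policy in POLICIES:
        if src_ip in policy.src and dst_ip in policy.dst:
            return policy.action
    return "no policy"                           # plain routing, nothing tunnelled


def trace(static_rules: List[NatRule], src: str = "10.255.0.248",
          dst: str = "8.8.8.8") -> Tuple[str, str, str]:
    """Return (source after srcnat, NAT rule that decided, IPsec policy outcome)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    new_src, hit = run_srcnat(build_srcnat(static_rules), src_ip)
    return str(new_src), hit, ipsec_lookup(new_src, dst_ip)


# Scenario A: the post's srcnat chain, placeholder left disabled in unused-hs-chain.
CHAIN_AS_POSTED = [NatRule("accept", HOTSPOT_NET, comment="ipsec accept")]

# Scenario B: placeholder moved into srcnat, positioned after the accept rule.
CHAIN_WITH_PLACEHOLDER = [
    NatRule("accept", HOTSPOT_NET, comment="ipsec accept"),
    NatRule("passthrough", None, comment=PLACEHOLDER),
]

if __name__ == "__main__":
    for name, chain in (("as posted", CHAIN_AS_POSTED),
                        ("placeholder after accept", CHAIN_WITH_PLACEHOLDER)):
        print(f"{name}: {trace(chain)}")
        print(f"{name}, intra-hotspot: {trace(chain, dst='10.255.0.5')}")
```

Under the model's assumptions, the first scenario rewrites the client source to the WAN address before the policy lookup, so the 10.255.0.0/24 selector no longer matches and the packet leaves untunnelled; the second keeps the original source and the packet matches the tunnel policy. The model only shows why rule placement matters; whether a given router behaves this way should be checked against its live dynamic rules in /ip firewall nat.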