hotspotsolutions
Member Candidate
Topic Author
Posts: 119
Joined: Thu Dec 16, 2004 1:48 pm

How to: Allow Computer Unrestricted Access In Hotspot Setup

Mon Dec 20, 2004 1:41 pm

Hi,

I have set up the router as per the dhcp-pool for the hotspot setup, all works a treat, but I have 1 computer that needs unrestricted access to the network.

Currently this PC must log in to access any network resources, but because it has a static IP address I cannot get it to log in.

What I want to do is create a firewall rule to allow this IP address unrestricted access to the network.

I am sure it's simple but any help is appreciated.

Thank you
 
edzix
Member
Posts: 335
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Mon Dec 20, 2004 5:38 pm

under '/ip firewall mangle' add such a rule:
/ip firewall mangle add src-mac-address=<MAC here> disabled=no
and move it above the HotSpot service rule with the 'move' command.

You can also use cookies to accomplish this. See:
http://www.mikrotik.com/docs/ros/2.8/ip ... ent#7.41.9

Edgars
 
ilero
newbie
Posts: 49
Joined: Fri Jun 04, 2004 3:51 pm

Fri Jan 07, 2005 7:51 am

edzix,

I use the Hotspot enabled method for my users. I also would like to have the ability to select certain customers that can bypass the hotspot login page without using other authentication methods like PPPoE. Just to clarify, I would use the action accept for the above rule? And, I do not have to worry about mark-flow or any other rules? Thanks
 
in4ni
Member Candidate
Posts: 188
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Sat Jan 08, 2005 11:41 pm

Hey Hotspotsolutions, did you get that mangle rule to work?

I have tried several mangle rules to do an automatic pass-thru to no avail.

It has been my experience that most of the documentation examples don't work. I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accept incoming connections from the internet. When I find the person that can make that happen for me he will be rewarded!

Just my 2 cents
 
jarosoup
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Sun Jan 09, 2005 1:38 am

Adding just a mangle rule does not work. Instead of a mangle rule, you need to add a destination-nat rule (src-address = the internal static ip, dst-address=0/0, action=accept) and a forward rule (src-address = the internal ip, dst-address = 0/0, action=accept). Make sure both rules are at the top of their list. As for assigning a static, you can also set this client to dhcp, then add their MAC in the dhcp leases table...then that client will always get that static ip.
 
goldclick
Frequent Visitor
Posts: 51
Joined: Fri Sep 17, 2004 10:48 pm
Location: Nigeria

Re: How to: Allow Computer Unrestricted Access In Hotspot Se

Sun Jan 09, 2005 9:52 pm

What I do is create a mangle rule with 'hs-auth' flow for the static IP I want unrestricted. This works great for me:

>ip firewall mangle add src-address=192.168.x.x/32 action=passthrough mark-flow=hs-auth

This assumes the IP you want to bypass the login page is 192.168.x.x.

Sonny.
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Jan 10, 2005 5:03 am

in4ni wrote:
"I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accept incoming connections from the internet. When I find the person that can make that happen for me he will be rewarded!"

This is done through src-nat and dst-nat. You also have to add the public IP address to the Public interface.

dst-nat rules should look similar to this...

 1   ;;; Dan
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.18

 2   ;;; Sales Office
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.12

 3   ;;; Roger
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.34

src-nat rules should look like this...

 0   ;;; Dan
     src-address=10.0.0.18/32 action=nat to-src-address=66.60.xxx.xxx

 1   ;;; Sales Office
     src-address=10.0.0.12/32 action=nat to-src-address=66.60.xxx.xxx

 2   ;;; Roger
     src-address=10.0.0.34/32 action=nat to-src-address=66.60.xxx.xxx

Remember to assign the additional IP addresses to the WAN interface on your MT router. That should be it, unless I've forgotten anything...
 
in4ni
Member Candidate
Posts: 188
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

Tue Jan 11, 2005 2:32 am

Wildbill, I think you have the DST and SRC rules correct but I think my problem is with the mangle rules for the hotspot authentication.
 
jaytcsd
Member Candidate
Posts: 289
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Tue Jan 11, 2005 12:29 pm

I have a wifi nic in my laptop hard coded for 10.5.50.244/24, gateway 10.5.50.1, with my ISP's dns numbers. It can access the internet (no login screen) and I can control it using vnc from a public IP address nat-ed to the private address. The 10.5.50.0 network is my hotspot, my AP is 10.5.50.100, hooks into a switch with the other port going to the MT router's nic at 10.5.50.1.

If I change the nic in the laptop to dhcp I get the hotspot login page before I get internet access.

Is this what you are trying to do?


>>this has to be first
ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Nat Rule to tunnel traffic to laptop
dst-address=xxx.yyy.100.48/32 flow=hs-auth action=nat
to-dst-address=10.5.50.244


>>standard hotspot rule
1 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80

ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; packets for laptop
dst-address=xxx.yyy.100.48/32 action=accept mark-flow=hs-auth

1 ;;; return data from laptop
src-address=10.5.50.244/32 action=accept mark-flow=hs-auth

ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
1 src-address=10.5.50.0/24 action=masquerade

Hope this helps.
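
Added example (not part of the thread, and not MikroTik code): a small Python model of the rule set jaytcsd posted, for checking which hosts a bypass rule exempts from the login redirect before relying on it. It assumes first-match evaluation and that a mangle rule with action=accept stops further marking; 203.0.113.48 is a constructed stand-in for the masked public address, and the function names are hypothetical.

```python
import ipaddress
import re

# From the post above; 203.0.113.48 is a constructed stand-in for xxx.yyy.100.48.
MANGLE = """
0 ;;; packets for laptop
dst-address=203.0.113.48/32 action=accept mark-flow=hs-auth
1 ;;; return data from laptop
src-address=10.5.50.244/32 action=accept mark-flow=hs-auth
"""
DST_NAT = """
0 ;;; Nat Rule to tunnel traffic to laptop
dst-address=203.0.113.48/32 flow=hs-auth action=nat
to-dst-address=10.5.50.244
1 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80
"""

def parse_rules(text):
    """Turn 'print' output into a list of {property: value} dicts."""
    rules = []
    for chunk in re.split(r"^[ \t]*\d+[ \t]+", text, flags=re.M)[1:]:
        body = [l for l in chunk.splitlines() if not l.lstrip().startswith(";;;")]
        rules.append(dict(p.split("=", 1) for p in " ".join(body).split() if "=" in p))
    return rules

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("src-address", "dst-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key in ("in-interface", "protocol", "flow"):
            negate, want = want.startswith("!"), want.lstrip("!")
            if (pkt.get(key) == want) == negate:
                return False
    return True

def dst_nat_action(pkt):
    """Assumed model: first matching rule wins; mangle 'accept' stops marking."""
    pkt = dict(pkt)
    for rule in parse_rules(MANGLE):
        if matches(rule, pkt):
            pkt["flow"] = rule["mark-flow"]
            break
    for rule in parse_rules(DST_NAT):
        if matches(rule, pkt):
            return rule["action"]
    return None  # no dst-nat rule applies: forwarded without the login redirect
```

Mangle rule 1 is keyed on the source address alone, so the exemption applies to whichever host holds 10.5.50.244.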
