Matzada
just joined
Topic Author
Posts: 3
Joined: Fri Apr 22, 2022 6:05 pm

Hotspot and IPSEC forwarding

Thu Sep 22, 2022 1:15 pm

Hi guys,

I'm getting a problem with the combination of the hotspot functionality and IPSEC.

The goal of this conf is to centralize hotspot traffic by routing it to my core network so it exits at a single point.

To do so, I want to manage the hotspot auth with the hotspot functionality on each router, and then engulf all hotspot traffic in an IPSEC tunnel directed to my core network.

The following conf is (at least to me) supposed to do so.

(Public IPs have been swapped, but consistency is preserved: 1.1.1.1 = my ipsec server, 2.2.2.2 = my hotspot/radius/log server, 3.3.3.3 = my custom DNS)

# sep/22/2022 11:52:56 by RouterOS 7.5
# software id = 5IM7-56TG
#
# model = RB750Gr3
# serial number = 
/interface bridge
add comment=LAN name=BR-HOTSPOT
add comment=RESCUE name=BR-RESCUE
add comment=WAN name=BR-WAN
/interface list
add name=IFLIST-MANAGEMENT
/ip hotspot profile
add html-directory=flash/hotspot login-by=http-pap name=\
    HOTSPOT-SERVER-PROFILE nas-port-type=ethernet radius-mac-format=\
    XX-XX-XX-XX-XX-XX use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=30m shared-users=unlimited
/ip ipsec profile
add dh-group=modp2048 hash-algorithm=sha256 name=p3-data
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=p3-data profile=p3-data
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h name=\
    p3-data pfs-group=modp2048
/ip pool
add name=POOL-DHCP-HOTSPOT ranges=10.255.0.10-10.255.0.250
/ip dhcp-server
add address-pool=POOL-DHCP-HOTSPOT interface=BR-HOTSPOT lease-time=1h name=\
    DHCP-HOTSPOT
/ip hotspot
add address-pool=POOL-DHCP-HOTSPOT disabled=no idle-timeout=none interface=\
    BR-HOTSPOT name=A1-B2-C3-D4-E5-F6 profile=HOTSPOT-SERVER-PROFILE
/port
set 0 name=serial0
/queue simple
add max-limit=15M/15M name=LAN-15M target=BR-HOTSPOT
/system logging action
add bsd-syslog=yes name=SYSLOGHM remote=2.2.2.2 syslog-facility=local0 \
    target=remote
/interface bridge port
add bridge=BR-RESCUE comment=RESCUE interface=ether2
add bridge=BR-WAN interface=ether1
add bridge=BR-HOTSPOT interface=ether3
add bridge=BR-HOTSPOT interface=ether4
add bridge=BR-HOTSPOT interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=IFLIST-MANAGEMENT
/interface list member
add interface=BR-RESCUE list=IFLIST-MANAGEMENT
/ip address
add address=10.255.0.1/24 interface=BR-HOTSPOT network=10.255.0.0
/ip dhcp-client
add interface=BR-WAN use-peer-dns=no
/ip dhcp-server network
add address=10.255.0.0/24 dns-server=10.255.0.1 gateway=10.255.0.1
/ip dns
set allow-remote-requests=yes servers=3.3.3.3
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=forward disabled=yes src-address=10.255.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=BR-HOTSPOT
add action=drop chain=forward dst-address=10.0.0.0/8 in-interface=BR-HOTSPOT
add action=drop chain=forward dst-address=172.16.0.0/12 in-interface=BR-HOTSPOT
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=input dst-port=8291 in-interface-list=\
    !IFLIST-MANAGEMENT protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=srcnat src-address=10.255.0.0/24
add action=log chain=pre-hotspot
add action=masquerade chain=srcnat comment=MASQUERADE disabled=yes \
    out-interface=BR-WAN
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.mycompany.co
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=2.2.2.2 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
/ip ipsec identity
add my-id=user-fqdn:MYROUTER@ike2-p3-mycompany.co peer=p3-data
/ip ipsec policy
add action=none dst-address=10.255.0.0/24 src-address=10.255.0.0/24
add dst-address=0.0.0.0/0 peer=p3-data proposal=p3-data src-address=\
    10.255.0.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set www disabled=yes
/radius
add address=2.2.2.2 service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=MIKROTIK
/system logging
add action=SYSLOGHM prefix=MYROUTER topics=firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=fr.pool.ntp.org
/tool mac-server
set allowed-interface-list=IFLIST-MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=IFLIST-MANAGEMENT
/tool mac-server ping
set enabled=no

Except it doesn't do what I want it to (of course it doesn't, where's the fun if it works at first try, heh?)

- the ipsec alone works perfectly fine, all traffic from the related eth port is routed through IPSEC as intended
- the hotspot alone is also perfectly fine, I get my web portal and can log in through it (it's an external portal BTW, hence the external radius source in the configuration)

But when activating both at the same time, traffic collapses; it is impossible for any client of the hotspot to get any connectivity whatsoever.

And I have no idea how to fix that...

What I've already tried and seen:

- when initiating a connection from a client, I can see the related state created in the "connections" tab, for a ping for example:
5   C icmp      10.255.0.248          8.8.8.8                             9s         672bps     0bps                630             0      52 920           0
except IPSEC doesn't seem to "grab" the packet; it seems to get dropped somewhere, but I can't figure out where.
- I've tried adding a filter rule after the hotspot one to accept the targeted traffic => the rule sees packets going through, but it seems they are still dropped later on
- adding an ipsec policy to a single to test if traffic goes through outside of IPSEC, and modifying the associated NAT rule so I go through masquerade => yes, it does work (but since the point is getting the traffic inside IPSEC, not very useful :p)

I guess all of this revolves around the NAT rule created to let IPSEC traffic through and interference from the auto NAT rules of the hotspot:
/ip firewall nat
add action=accept chain=srcnat src-address=10.255.0.0/24

But I can't figure out how to modify this to make it work.


Thanks in advance!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hotspot and IPSEC forwarding

Sat Sep 24, 2022 9:30 am

Your /ip firewall connection print shows that the payload connection of the test ping has not been src-nated and that it fits into the policy's traffic selector. So I would check whether an ESP packet (probably encapsulated into UDP) is generated for each echo request in that connection (while pinging, run /ip ipsec installed-sa print interval=1s in another window and watch the counters) and whether it is actually sent anywhere (/tool sniffer quick port=4500 or /tool sniffer quick ip-protocol=ipsec-esp depending on whether there is any NAT between the IPsec peers or not). When you activate the hotspot, some firewall rules are added dynamically, so maybe these block sending or reception of the ESP?
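The two things the reply above reads off the connection row (no srcnat flag, and src/dst inside the policy's selector) can be checked mechanically. The script below is an added example, not code from either poster or from MikroTik: it parses a `/ip firewall connection print` row like the one posted, checks it against the tunnel policy from the posted config (src 10.255.0.0/24, dst 0.0.0.0/0), and reports whether the connection should be picked up by that policy. Assumptions, labelled in the code: the column order `# flags proto src dst ...` as in the posted row, IPv4 addresses, and the RouterOS flag legend in which a lowercase `s` marks a src-nated connection and `d` a dst-nated one. The second and third sample rows are constructed, not from the thread.

```python
"""Check '/ip firewall connection print' rows against an IPsec tunnel policy.

Added example (not from the forum thread or MikroTik). Assumptions:
  * column order: <#> [flags] <proto> <src[:port]> <dst[:port]> <timeout> ...
  * IPv4 only (the ':' split below would break on IPv6 with ports)
  * RouterOS flag legend: E expected, S seen-reply, A assured, C confirmed,
    D dying, F fasttrack, s srcnat, d dstnat
"""
import ipaddress

# The row posted in the thread (whitespace collapsed).
SAMPLE_LINE = "5   C icmp      10.255.0.248          8.8.8.8   9s  672bps  0bps  630  0  52 920  0"

# Tunnel policy from the posted config: src-address=10.255.0.0/24 dst-address=0.0.0.0/0
POLICY_SRC = ipaddress.ip_network("10.255.0.0/24")
POLICY_DST = ipaddress.ip_network("0.0.0.0/0")

# Assumed RouterOS flag legend (see module docstring).
FLAG_LETTERS = set("ESACDFsd")
FLAG_SRCNAT = "s"


def parse_connection(line: str) -> dict:
    """Parse one print row into number, flags, protocol, src and dst addresses."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"unexpected connection row: {line!r}")
    idx = 1
    flags = ""
    # The flags column is absent when no flag is set; detect it by its letters.
    if set(tokens[idx]) <= FLAG_LETTERS:
        flags = tokens[idx]
        idx += 1
    proto = tokens[idx]
    src = tokens[idx + 1].split(":")[0]  # drop optional :port
    dst = tokens[idx + 2].split(":")[0]
    return {
        "num": int(tokens[0]),
        "flags": flags,
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
    }


def matches_policy(conn: dict) -> dict:
    """Report whether the tunnel policy should grab this connection.

    Policy matching happens after srcnat, so a src-nated connection leaves with
    the WAN address, which falls outside the 10.255.0.0/24 selector. That is
    what the 'accept chain=srcnat src-address=10.255.0.0/24' rule in the
    posted config is there to prevent.
    """
    srcnatted = FLAG_SRCNAT in conn["flags"]
    in_selector = conn["src"] in POLICY_SRC and conn["dst"] in POLICY_DST
    return {
        "srcnatted": srcnatted,
        "in_selector": in_selector,
        "should_be_encrypted": in_selector and not srcnatted,
    }


def explain(line: str) -> str:
    """Human-readable verdict for one row, for use from the command line."""
    conn = parse_connection(line)
    verdict = matches_policy(conn)
    if verdict["should_be_encrypted"]:
        return (f"#{conn['num']} {conn['proto']} {conn['src']}->{conn['dst']}: "
                "un-nated and inside the selector, so look for ESP/UDP-4500 "
                "leaving the router (installed-sa counters, sniffer)")
    if verdict["srcnatted"]:
        return (f"#{conn['num']}: src-nated before the policy; check the "
                "srcnat chain ordering against the hotspot's dynamic rules")
    return f"#{conn['num']}: outside the policy selector; policy will not match"


if __name__ == "__main__":
    print(explain(SAMPLE_LINE))
```

Run it with the rows copied from `/ip firewall connection print`; a row that reports "un-nated and inside the selector" is exactly the case the reply says to follow up on with the installed-SA counters and the sniffer.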
