cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Routing Problems

Wed Mar 12, 2008 8:10 am

Hi all.

1st issue:
First, please see the attached image (below) to get an idea of my setup.
[attached image not included]


My issue is this: PCs connected via WiFi can't open sites like mail.yahoo.com or any encrypted SSL site with Yahoo. Yahoo Messenger will not open on random PCs no matter what I do.

I have two Hotspot servers running each with their own dhcp server and setup.

Here's some info:
Firewall
[paul@Shahrazad] /ip address> prin
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                             
 0   192.168.0.1/24     192.168.0.0     192.168.0.255   LAN                                                                                   
 1   192.168.5.102/24   192.168.5.0     192.168.5.255   WAN                                                                                   
 2   192.168.1.1/24     192.168.1.0     192.168.1.255   wlan1                                                                                 
 3 X 192.168.5.105/24   192.168.5.0     192.168.5.255   Monitor 
[paul@Shahrazad] /ip firewall> filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X chain=forward action=accept in-interface=WAN out-interface=(unknown) 

 1 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 2 X ;;; no more than 5 connections per client. avoid d/l accelerators
     chain=forward action=drop tcp-flags=syn protocol=tcp connection-limit=6,24 

 3 X chain=forward action=accept src-address=192.168.0.0/24 dst-address=82.211.190.33 in-interface=(unknown) out-interface=(unknown) 
     dst-port=9001-9002 protocol=tcp 

 4 X chain=forward action=accept src-address=192.168.0.0/24 dst-address=82.211.190.33 icmp-options=0:0-255 dst-port=9001-9002 protocol=udp 

 5   chain=dhcp action=accept src-address=0.0.0.0 dst-address=255.255.255.255 

 6   chain=dhcp action=accept src-address=0.0.0.0 dst-address-type=local 

 7   chain=dhcp action=accept dst-address-type=local src-address-list=local-addr 

 8   ;;; DNS
     chain=local-services action=accept connection-mark=dns 

 9   ;;; GRE for PPTP
     chain=public-services action=accept connection-mark=gre 

10 X ;;; Drop Other Public Services
     chain=public-services action=drop 

11 X chain=input action=accept src-port=5050 protocol=tcp 
[paul@Shahrazad] /ip firewall> 
[paul@Shahrazad] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.1.0/24 

 2 X chain=dstnat action=accept src-address=192.168.0.253 dst-address=82.211.190.33 port=9000 protocol=tcp 

 3 X chain=dstnat action=redirect to-ports=8080 dst-port=5050 protocol=tcp 

 4   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.0.0/24 

 5 X chain=dstnat action=redirect to-ports=9001 dst-port=9001 protocol=udp 

 6 X chain=dstnat action=redirect to-ports=80 dst-port=5050 protocol=tcp 
[paul@Shahrazad] /ip firewall nat> 
Hotspot
[paul@Shahrazad] /ip hotspot> print 
Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME                                                                                          INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
 0   hotspot1                                                                                      LAN       LAN          default 5m          
 1   hs-wlan1                                                                                      wlan1     WLAN         hsprof2 5m          
[paul@Shahrazad] /ip hotspot> 
[paul@Shahrazad] /ip hotspot profile> print 
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no 

 1   name="LAN" hotspot-address=192.168.0.1 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap,trial http-cookie-lifetime=1d split-user-domain=no trial-uptime=5m/1d trial-user-profile=60k use-radius=no 

 2   name="hsprof2" hotspot-address=192.168.1.1 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no 
[paul@Shahrazad] /ip hotspot profile> 
DHCP
[paul@Shahrazad] /ip dhcp-server> print
Flags: X - disabled, I - invalid 
 #   NAME                                                                            INTERFACE RELAY           ADDRESS-POOL LEASE-TIME ADD-ARP
 0   lan                                                                             LAN                       LAN          1h         yes    
 1   dhcp1                                                                           wlan1                     WLAN         1h         yes    
[paul@Shahrazad] /ip dhcp-server> 
[paul@Shahrazad] /ip dhcp-server network> print 
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN                                                                  
 0 ;;; hotspot network
   192.168.0.0/24     192.168.0.1    
 1 ;;; hotspot network
   192.168.1.0/24     192.168.1.1  

2nd issue:
How do I stop wireless clients from issuing their own IP (192.168.5.x) and getting through directly to the Smoothwall box?
Only the RouterOS box should get through.
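An added example for the 2nd issue, not a reply from the thread: why a wireless client that hands itself a 192.168.5.x address can still be passed through, and two settings that stop it. It assumes cylent's names and addressing (hotspot server hs-wlan1 on wlan1 serving 192.168.1.0/24, hotspot1 on LAN serving 192.168.0.0/24); the hotspot address-pool behaviour described is RouterOS's documented "universal client" feature.

```routeros
# Added example, not from the thread. Assumes cylent's setup: hs-wlan1 on
# wlan1 (192.168.1.0/24) and hotspot1 on LAN (192.168.0.0/24).

# Why it happens: a hotspot server with address-pool set (here: WLAN / LAN)
# enables RouterOS's "universal client" one-to-one NAT, so a client that sets
# a foreign static address (192.168.5.x) is translated into the pool and
# forwarded upstream like any correctly configured client.
/ip hotspot print

# Fix 1: switch that translation off, so only clients that actually use the
# DHCP-assigned subnet of their interface get anywhere.
/ip hotspot set [find name="hs-wlan1"] address-pool=none
/ip hotspot set [find name="hotspot1"] address-pool=none

# Fix 2: anti-spoofing at the top of the forward chain. Refuse to forward
# anything from wlan1 (or LAN) whose source is not the subnet that
# interface serves; place-before=0 puts the rules ahead of every accept.
/ip firewall filter add chain=forward in-interface=wlan1 \
    src-address=!192.168.1.0/24 action=drop place-before=0 \
    comment="wlan1: drop self-assigned/spoofed source addresses"
/ip firewall filter add chain=forward in-interface=LAN \
    src-address=!192.168.0.0/24 action=drop place-before=0 \
    comment="LAN: drop self-assigned/spoofed source addresses"

# Check: the drop counters should move when a client with a hand-picked
# 192.168.5.x address tries to reach the Smoothwall box through the MT.
/ip firewall filter print stats where chain=forward
```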
 
savage
Forum Guru
Posts: 1265
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Routing Problems

Wed Mar 12, 2008 9:33 am

Can't use SSL - almost certainly means double NATing...

You must NAT only in one location, one time. So add routes to the Smoothwall box so that it knows to route data for your wireless clients to the MT, disable the NATing on the MT, and do all your NATing on the Smoothwall box - one time only.

It should sort out your issues.
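A concrete form of savage's suggestion, added here as an example and not taken from the thread: translate once, on the Smoothwall box, and let it route the two hotspot subnets back to the MikroTik. It assumes the addresses from cylent's output (MT WAN 192.168.5.102, hotspot subnets 192.168.0.0/24 on LAN and 192.168.1.0/24 on wlan1); the Smoothwall side is shown as plain Linux `ip route` commands because Smoothwall's own interface does not appear on the page.

```routeros
# Added example, not from the thread: NAT once (on Smoothwall), route on the MT.
# Assumes cylent's addressing: MT WAN 192.168.5.102, hotspot subnets
# 192.168.0.0/24 (LAN) and 192.168.1.0/24 (wlan1), Smoothwall upstream on WAN.

# Before: the two static "masquerade hotspot network" rules that the hotspot
# setup wizard created rewrite every client to 192.168.5.102, and Smoothwall
# then rewrites the packet again on the way out (double NAT).
/ip firewall nat print where chain=srcnat action=masquerade

# After: disable just those two static rules. The hotspot's own dynamic rules
# (login redirect, DNS redirect) are separate and stay, so the hotspot login
# and the per-user speed limits keep working without source translation.
/ip firewall nat disable [find comment="masquerade hotspot network"]

# The MT already reaches the Internet via Smoothwall on the WAN side. Smoothwall
# (Linux based) now needs return routes for the hotspot subnets, otherwise
# replies to 192.168.0.x / 192.168.1.x have no path back to the MT. How the
# route is entered depends on the Smoothwall version; the plain kernel form is:
#   ip route add 192.168.0.0/24 via 192.168.5.102
#   ip route add 192.168.1.0/24 via 192.168.5.102
# and Smoothwall's masquerade must then cover 192.168.0.0/24 and
# 192.168.1.0/24 as internal networks, not only 192.168.5.0/24.

# Check from the MT: with the rules disabled, the srcnat counters must stop
# increasing while wireless clients browse.
/ip firewall nat print stats where chain=srcnat
```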
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Routing Problems

Wed Mar 12, 2008 9:54 am

> Can't use SSL - almost certainly means double NATing...
>
> You must NAT only in one location, one time. So add routes to the Smoothwall box so that it knows to route data for your wireless clients to the MT, disable the NATing on the MT, and do all your NATing on the Smoothwall box - one time only.
>
> It should sort out your issues.

If I disable NATing, doesn't that mean disabling Hotspot on WiFi?
I don't want to lose hotspot on WiFi. I need it for the purpose of speed limits per user.

Also, with the system as is, some PCs have 0 problems opening Yahoo Messenger and Yahoo Mail.
It's just those random ones.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Routing Problems

Thu Mar 13, 2008 12:16 am

Anybody?

I have lots of customers with this problem and I am getting sick of not knowing the reason.
 
savage
Forum Guru
Posts: 1265
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: Routing Problems

Thu Mar 13, 2008 9:51 am

Don't know about the NAT/Hotspot issue, I haven't used hotspot that much...

One solution would be to force clients to use a proxy for HTTP/HTTPS, but this needs to be manually configured client side (especially for SSL).

Surely, you must be able to run a hotspot without NAT though... NAT/no NAT should have no effect on the hotspot.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: Routing Problems

Thu Mar 13, 2008 10:07 am

I am confused as to how you would go about disabling "NAT" without altering hotspot?
