Hi all!

I have a wuick question about Hotspot.

One of our client requested limitation their workers just for some websites and remote desktops what they really need for work.
We've realized that via hotspot, so those who have granted acces they can surf the internet.

The problem is, that we can't allow ports 80 and 443.
So I am desperatelly looking for a solution for almost 2 days. Adding skype.com and skype.net to Walled Garden Iop List is not helping.
Opened ports 20000 to 40000, which I've learned it is used by skype for make a connection.\

But form the PC it's not connecting even to the skype server!

Please help!

Tahnk you!

That is pretty much impossible. Skype is a wholly proprietary protocol and virtual impossible to detect in RouterOS, particularly given the limits of the walled garden IP section. Additionally, for the actual voice channel it connects directly between endpoints, in a way that cannot be detected by connection-state=related (because no helper can look inside the control channel that sets up the user to user connection).

So what you want pretty much cannot be done.

Thank you for the very quick reply !

I'm very disapointed about it .

Can I get around the Hotspot using on the same MT a Web Proxy server ?
And define this proxy server to all the clients ?

Sure. The wiki has details: http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

In your case a whitelist approach (permit the sites people should have access to, then have a blanket deny statement at the bottom) would work well.

Thanks!

Already occured to me as well that I can get skype working via Proxy.
It worked!

The problem with the proxy web page blocking is that the manager of our client wanted to give only a few people an access code, so they can acces the internet any time at work.

Thank you for the help !

Best regards
Gábor
Prague

Set them up with static DHCP leases or static IPs, add all of them to an address list and do the transparent redirect to the proxy based on not being on that address list. That way those guys will not get proxied and have full web access.