sw0rdf1sh
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 28, 2010 6:16 pm

Need an "access to routerboard" Guide in hotspot mode

Sun Nov 28, 2010 7:02 pm

Hello everyone. I'm new to this forum.
I'm pretty new to routerboards and RouterOS but I've read many articles, used RB433AH with CM9 and RouterOS 4.2 (many hours so I don't quite feel like a beginner but some questions may feel dumb).

I have the following config right now:
2 RB433AH (level 5 R.OS-4.2)
2 CM9 in each one (one is in use in every board running hotspot)
2 wavearena 12db omni antennas (connected with the correct cables/pigtails)
2 PoE adapters (giving power supply to routerboards)

I am running these 2 in different locations using one CM9 and one antenna to each one in hotspot mode.
Same settings for 2 locations:
wlan1 has hotspot ip 192.168.0.1
wlan1 has dhcp server giving out 192.168.0.5-192.168.0.250
ether1 has static ip 192.168.1.2
ether1 is connected to a wired router/modem from dlink with local ip 192.168.1.1 and adsl line 2400/1024kbps with dhcp client (not static ip)
route with gateway to 192.168.1.1

Hotspot is in use with trial account (basic page with a simple "I agree to terms" which goes to trial account, 2 hours limit, 2 hours reset, firewall rule for stopping all p2p, web proxy for stopping adult content)

Question No1:
Since wlan1 is masqueraded to ether1, when I connect from the hotspot interface I get an IP (e.g. 192.168.0.249). I can type 192.168.1.2 or 192.168.1.1 in the browser and access the routerboard and the dlink modem/router. Because I don't want the hotspot users to access these 2, I added the IPs to be denied in the web proxy. Is there a different way to do that? Hotspot users still get access if they have winbox downloaded. (There is still a password, but what if they brute force? Just a guess.)

Question No2:
Level 5 means that hotspot can support up to 500 users. If I get (hopefully sometime) 245 users and the dhcp server gives out all the available addresses 192.168.0.5-192.168.0.250, what happens with user no. 246? What local address will this user have?

Question No3:
I have a domain www.xxxxxxxx.gr (greets from Greece) which currently is hosted with an Internet company with cpanel. RouterOS has some graphs. How can I send these graphs to be displayed on this page? Furthermore, how can I add code to this page to show the active hotspot locations? (Tick for yes to every RB433AH)

Question No4:
How can I access the router remotely?
I'm thinking dundns.org to every modem/router, DMZ to ip 192.168.1.2 (ether1).

Question No5:
I want to buy 2 more RB433AH with 2 CM9 for each one.
I want each one to connect with a directional antenna 5ghz (wlan1) to the locations of the adsl lines (wlan2 which is not in use now).
Should I add a new hotspot service over the other card (wlan2) to this remote location or use the existing hotspot running on the adsl line? I'm asking which is the best option:
adsl-wlan2-5ghz directional-5ghz directional-wlan1-hotspot to wlan2.
wlan1-wlan2-5ghz directional-5ghz directional-wlan1-wlan2 to ap mode.

And how to do this bold text? wlan1-wlan2 if I use the existing hotspot.

Many questions. I'm really sorry for all this trouble. If someone can help with pointing to wiki locations or telling me some answers it's really appreciated.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 5:23 pm

1.) It is easier and better to do your blocking in the /ip firewall filter
/ip firewall filter
add action=drop chain=input comment="Block guests from talking to public IP of Router" disabled=no dst-address=192.168.1.0/24 src-address=192.168.0.0/24
You can get fancier with the rule, but this will basically do it.

2.) Basically your IP pool will have run out of addresses, until one is freed up it will not be able to hand out DHCP leases since they are all taken. You can increase the size of the subnet on the LAN and increase the size of the address pool. I tend to use a /23 for my LANs and hotspots in most cases to cover that. If you feel you need more you can always make it larger.

3.) What exactly are you looking for here? Monitoring of the boxes, being able to access the graphs it generates on a different page? You can go to /tools graphing and then specify for it to generate graphs and where they are accessible from. But if you want to have those graphs on a different web page, you are going to need to transport them to that web site somehow. You can proxy the information by having the web page coded to grab the graphs on demand.

4.) That is going to be up to you. There are some scripts on the Wiki for DDNS updates that you can use. Since it appears according to your post that you are getting a private IP from your provider, you are going to have to look at setting up the needed NAT rules on their device so you can access the MikroTik. I also don't know how well the DDNS scripts are going to work with the MikroTik getting a private IP address.

5.) I'm not really sure what your goals are for this one either. If you are looking to provide service to a small area or a building, it would be better to use the MikroTiks as just access points and have them link up with a central one to provide one location that will handle authentication. There you are looking at setting up a layer2 network. If you are looking to provide service for a wider area and plan on expanding it, then you will probably want a routed network more than a bridged one.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 6:19 pm

> I also don't know how well the DDNS scripts are going to work with the MikroTik getting a private IP address.

Most DynDNS providers just have an interface where you call to a dynamic page on their server, submitting your username and password. You can submit your new IP address, but if you don't (the default) it will just adjust your record to the IP address the DynDNS provider's server sees the request as coming from - which could be the IP your immediate ISP NATs you to.
 
sw0rdf1sh
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 28, 2010 6:16 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 8:15 pm

> 1.) It is easier and better to do your blocking in the /ip firewall filter
> /ip firewall filter
> add action=drop chain=input comment="Block guests from talking to public IP of Router" disabled=no dst-address=192.168.1.0/24 src-address=192.168.0.0/24
> You can get fancier with the rule, but this will basically do it.

Solved. Should I put this rule under or above the hotspot rule and masquerade rule? Or doesn't it matter where it is?

> 2.) Basically your IP pool will have run out of addresses, until one is freed up it will not be able to hand out DHCP leases since they are all taken. You can increase the size of the subnet on the LAN and increase the size of the address pool. I tend to use a /23 for my LANs and hotspots in most cases to cover that. If you feel you need more you can always make it larger.

Thanks. Solved. Would appreciate an example for the subnet and for the pool.

> 3.) What exactly are you looking for here? Monitoring of the boxes, being able to access the graphs it generates on a different page? You can go to /tools graphing and then specify for it to generate graphs and where they are accessible from.

Yes. And yes. Can I actually specify a public IP or just the local ones? I'm on shared hosting.

> But if you want to have those graphs on a different web page, you are going to need to transport them to that web site somehow. You can proxy the information by having the web page coded to grab the graphs on demand.

I am pretty sure I can't use php on the router. Can I call an external php script and use "post"? Have you seen something like that? Or is there anything on the wiki for that?

> 4.) That is going to be up to you. There are some scripts on the Wiki for DDNS updates that you can use. Since it appears according to your post that you are getting a private IP from your provider, you are going to have to look at setting up the needed NAT rules on their device so you can access the MikroTik. I also don't know how well the DDNS scripts are going to work with the MikroTik getting a private IP address.

I'm sorry for the trouble. Actually q3 and q4 are quite the same. Only the adsl modem has a public IP. The modem also has local 192.168.1.1. The routerboard doesn't have a public IP. I don't have to use a script in this case since it has only local 192.168.1.2 on ether1.
I actually was thinking of using the modem's ddns and NAT every port that I need to the routerboard (ping, http etc). Will this work? Can I use this workaround to get the graphs in question 3 also, since it is accessible by port 80? I mean can I use html code in my site (shared hosting) like below:
<img src="http://username.dyndns.org/graphs/graph1.jpg">

> 5.) I'm not really sure what your goals are for this one either. If you are looking to provide service to a small area or a building, it would be better to use the MikroTiks as just access points and have them link up with a central one to provide one location that will handle authentication. There you are looking at setting up a layer2 network. If you are looking to provide service for a wider area and plan on expanding it, then you will probably want a routed network more than a bridged one.

Actually the area is pretty wide (1km radius). I use omni because there aren't any buildings in front. I just need to extend the hotspot service where the omni doesn't reach. Like a repeater. Should I use omni again with one interface active with the same SSID and same wifi freq?

Thanks for the big help and for tolerating what would seem pretty obvious to you. It was what I needed. Thanks for everything.
 
sw0rdf1sh
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 28, 2010 6:16 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 8:19 pm

> Most DynDNS providers just have an interface where you call to a dynamic page on their server, submitting your username and password. You can submit your new IP address, but if you don't (the default) it will just adjust your record to the IP address the DynDNS provider's server sees the request as coming from - which could be the IP your immediate ISP NATs you to.

Thanks. Explains a lot.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 8:48 pm

1.) It's in the filter part of the firewall and on the input chain there, so it doesn't really matter where you place it in this case. You can look at the packet flow diagram to see if that helps you understand what is going on. Input basically means traffic destined to the router itself.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram

2.) Yes, you can specify addresses where the graphs will be accessible from; by default these are accessible from 0.0.0.0/0 so anyone can see them provided they know the IP address of your router. This can be handy though since you can specify certain addresses to only have access to certain graphs, so end users can see their usage possibly, but can't see other users' usage. What I actually do is have the HTTP server turned on and in my filter rules, only accept port 80 from known IP addresses. We then have a server grab the image file off of the router with an HTTP request and display it to end users as needed. As for how our web programmers do that, it's above me :lol: .

If you want more of a monitoring solution, look into SNMP. MikroTik has 'The Dude' that will work for you, and there are several other pay for and free SNMP monitors out there. They will be able to give you the same chart data, and better storage options than the ones built into the MikroTik. They all rely on the same basic concept, a server, local or remote, actively checking to see if a device is online.

3.) Whether you can do a 1-1 NAT to the MikroTik or not is going to be up to your provider's router. If you can place the modem into bridged mode and place the public IP on your router, you would be better off, but if you can set up a 1-1 NAT that will work as well. It just adds in a bit more complication into the mix that doesn't need to be there. Also a lot of services don't like to be double NATed. A lot of the ISP routers also have very limited resources for handling things as a router.

5.) As for number 5, I'm not sure myself honestly. I specialize in hotspot installs generally with one building. I usually don't ever have to worry about wireless links, so someone else with more experience in setting them up would be better to answer the question. What I would personally do in that situation however is have two radios in each board. One to handle a 5 GHz link with a directional, and one for 2.4 GHz to act as the access point with whatever antenna is needed to provide coverage. I would then bridge the two wireless cards together, and let a central box handle the authentication for the end users. I've never set this up before so I don't know how well it would work.
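
An added example (not posted by anyone in the thread) that combines the two restrictions discussed above, the firewall block for hotspot guests and the graphing allow list, using the addressing from the first post. It assumes 203.0.113.10 as a placeholder for the admin or web-server address and WinBox on its default port 8291; it also adds a forward rule, because traffic to the modem at 192.168.1.1 passes through the router rather than terminating on it.

```routeros
# Added example, not taken from the thread. Addressing as in the first post:
#   hotspot clients 192.168.0.0/24 on wlan1, router ether1 = 192.168.1.2,
#   modem = 192.168.1.1. 203.0.113.10 is a placeholder admin/web-server IP.

/ip firewall filter
# Guests -> router's ether1-side address (the rule posted in the thread,
# repeated for context; skip it if it is already in place).
add chain=input action=drop src-address=192.168.0.0/24 \
    dst-address=192.168.1.0/24 comment="guests: no access to router uplink IP"

# Guests -> management services on any router address, including the
# hotspot gateway 192.168.0.1 (WinBox 8291, SSH 22, Telnet 23, FTP 21).
# Port 80 is left out: hotspot clients need HTTP to the gateway to log in.
add chain=input action=drop protocol=tcp dst-port=8291,22,23,21 \
    src-address=192.168.0.0/24 comment="guests: no router management"

# Guests -> modem web UI. This traffic is routed through the router, so it
# is matched in chain=forward, not chain=input. Internet-bound packets keep
# their real destination address and are not affected.
add chain=forward action=drop src-address=192.168.0.0/24 \
    dst-address=192.168.1.0/24 comment="guests: no access to modem LAN"

# Remote administration through the modem's port forwards: accept the known
# address first, then drop everything else arriving on ether1. The accept
# rule must stay above the drop rule.
add chain=input action=accept in-interface=ether1 protocol=tcp \
    dst-port=8291,80 src-address=203.0.113.10 comment="admin only"
add chain=input action=drop in-interface=ether1 protocol=tcp \
    dst-port=8291,80 comment="uplink: no management from other sources"

# Second layer: WinBox itself refuses any other source address.
/ip service
set winbox address=203.0.113.10/32

# Graphs: replace the default allow-address of 0.0.0.0/0.
/tool graphing interface
add interface=all allow-address=203.0.113.10/32 store-on-disk=yes
```

After applying, check from a hotspot client that the login page and browsing still work and that 192.168.1.1, 192.168.1.2 and WinBox to 192.168.0.1 no longer answer.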
 
sw0rdf1sh
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 28, 2010 6:16 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 9:11 pm

Thanx feklar.
1. Thanx for your help. Already using it. Consider it solved :D
2. q2 (IP pool question) is already in the forum here so I apologize for asking again. Didn't notice it before posting although I made a search. Using it. Have to configure some things again since the IP changed. Consider it solved. :D
It is here http://forum.mikrotik.com/viewtopic.php?f=2&t=45142
3-4. Used original router from ISP (some things worked with ddns), d-link (none of them worked), trying zyxel modem/router now in bridged mode. Will tell you.
Trying to show publicly that 4 locations are online through a webpage. Dude is great. Used it. No trouble. Will try the img string in my webpage for the graphs also. Has anyone done that? :?
5. Thanks for the help. Will try several things and come back.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Mon Nov 29, 2010 10:25 pm

Depending on your ISP, when you place the router in bridged mode, you might need to set up a PPPoE client or something like that to connect to their server and get your IP address. You should contact them and see what they require for that if a DHCP client isn't enough to get you a public IP with the modem in bridged mode.
 
sw0rdf1sh
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 28, 2010 6:16 pm

Re: Need an "access to routerboard" Guide in hotspot mode

Wed Dec 01, 2010 10:35 am

Done dyndns.com to the ISP router/modem for adsl in non-bridged mode.
Done NAT to ports 161,80,1891 from modem/router to mt router.
Some firewall rules were blocking my NAT so I disabled them. I guess I am losing protection of the router and gaining accessibility.
Working (I can access the router remotely from xxxxxxx.dyddns.com:port)

Done PPPoE and dynamic dns from "changeip" to mt router and ISP router/modem is in bridged mode
Working (Same situation)

Used usermanager. Hotspot trial users don't use radius as posted in user manager section of this forum so can't see the trials. I thought because the MAC is used as a username I should see the MAC of every trial user.
Not found a working php script for status, uptime, hotspot trial users. snmp php script in wiki not working for me. Need some work on that. It is above my knowledge right now.
Found php scripting for ping. Working for pinging all the routers from my domain.

Not able to get the graphs stored in the router from my webpage with img string. At this point I know SNMP is the solution to everything of this. Starting on learning everything for snmp php. :shock:

Has anyone worked on php scripting in a webpage (accessing 3-4 routers through their dyndns)? Providing just basic information about the hotspot (users now, users total, traffic, graphs) is all I need. Thanx in advance.

PS: This forum works great. Combined with the wiki it is the ultimate solution.