Community discussions

MikroTik App
  4. RouterOS
  5. General

HotSpot redirect DNS based on address-list

Post Reply
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

HotSpot redirect DNS based on address-list

Thu Jun 07, 2012 7:14 am

Hello,

I want to set up a hot spot that when people log in, by default they use OpenDns (because thats what the DHCP server hands out) but when "elevated" users login, their IP address is added to an address list (via "User profile") and the "elevated" users are instead redirected to a different DNS server.

So basically I have set up 2 user profiles "Normal" and "Elevated" they are identical except that the "Elevated" I have the Address List set to "NOT_Filtered_Addresses" and users who log in with this profile are indeed dynamically added to that list.

The problem is my firewall rules are not doing what I intend.
Code: Select all
xxx.xxx.xxx.xxx = public ip of DNS out WAN (dont want to post ip of my dns on forums)

5   ;;; DNS Redirect UDP-53 for NON filtered clients in access list
     chain=dstnat action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=53 protocol=udp src-address list=NOT_Filtered_Addreses dst-port=53 

6   ;;; DNS Redirect TCP-53 for NON filtered clients in access list
     chain=dstnat action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=53 protocol=tcp src-address-list=NOT_Filtered_Addreses dst-port=53
I have treid placing these rules at the top of NAT, before the "Place hot spot rules here" and even changed the chain to hotspot/hs-auth/hs-unauth and moved them all over. My lack of knowledge in "exactally" how the hotspot works in Mikrotik is where I am lacking. I am sure there is a simple solution to this that I am overlooking. Any help would be appreciated. And Thank You in advance!
Top
 
Devil
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: HotSpot redirect DNS based on address-list

Sat Jun 09, 2012 10:08 am

it doesn't matter that you set the dns option in your dhcp to use opendns, even if you set it to something invalid, it would still work. the reason for that is that hotspot, redirects all the dns requests to the routeros internal dns server (specially running at port 64872 for hotspot). so if your hotspot users are using opendns at this time, its not because you set it in dhcp per se, but because you set opendns ip addresses in your routeros dns server (/ip dns).

that being said, you are able to override this default behavior. this is how you do it:
Code: Select all
/ip firewall nat add chain=pre-hotspot protocol=udp dst-port=53 src-address-list=NOT_Filtered_Addreses action=dst-nat to-addresses=xxx.xxx.xxx.xxx
/ip firewall nat add chain=pre-hotspot protocol=tcp dst-port=53 src-address-list=NOT_Filtered_Addreses action=dst-nat to-addresses=xxx.xxx.xxx.xxx
/ip firewall nat add chain=pre-hotspot action=return
you don't need to put these rules at the top of the nat rules. by default there is no pre-hotspot chain defined. so you could place those rules anywhere and they would work. just remember that the return rule, should be the last rule in that chain.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: HotSpot redirect DNS based on address-list

Mon Jun 11, 2012 7:41 pm

This is not working, flushed dns on test machine. The rule is showing hits when i try to surf but am still getting open dns responses.
Top
 
Devil
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: HotSpot redirect DNS based on address-list

Mon Jun 11, 2012 8:21 pm

I just tested them. they are working. maybe your web proxy cache is caching the pages, tricking you into thinking the dns is still resolving through opendns. the best way to see whether you're using opendns or not, is to try using nslookup with a non-existent domain. a normal dns server( like 8.8.8.8 ), would response with NXDOMAIN response, but by default, opendns resolves this into their proxy server ip. you might also wanna make sure there is no other dstnat interfering with these rules. also make sure your script is working and the address list is the same as you put in those rules.
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: HotSpot redirect DNS based on address-list

Mon Jun 11, 2012 9:03 pm

Ok, I am testing this with a default Hotspot setup (10.5.50.1) NAT to a public ip also have tried disabling the 1to1 NAT in hotspot. I have made a user profile and added "NOT_Filtered_Addreses" to Address List for that profile. Changed user that I am testing with to use that profile. I have added no other rules to the firewall other than what is added dynamically and the 3 rules you showed above (3 rules are at the bottom). In /ip dns i have the DNS servers of open dns entered there. DHCP for hotspot is default other than I changed it to hand out open dns ip's. I am not using any proxy other than the proxy that hotspot uses to capture clients.
Code: Select all
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=208.67.220.220,208.67.222.222
Code: Select all
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=no out-interface=ether1
add action=dst-nat chain=pre-hotspot disabled=no dst-port=53 protocol=udp 
    src-address-list=NOT_Filtered_Addreses to-addresses=XXX.XXX.XXX.XXX \
    to-ports=53
add action=dst-nat chain=pre-hotspot disabled=no dst-port=53 protocol=tcp 
    src-address-list=NOT_Filtered_Addreses to-addresses=XXX.XXX.XXX.XXX \
    to-ports=53
add action=return chain=pre-hotspot disabled=no
Code: Select all
[admin@MikroTik] /ip firewall> address-list print
Flags: X - disabled, D - dynamic 
 #   LIST                                       ADDRESS                        
 0 D NOT_Filtered_Addreses                      10.5.50.254
Really appreciate all the help!
Top
 
rebel2234
newbie
Topic Author
Posts: 44
Joined: Sat May 20, 2006 6:23 am

Re: HotSpot redirect DNS based on address-list

Mon Jun 11, 2012 10:16 pm

OK got it, uncheck "transparent proxy" in user profile!

Thanks,

Karma added!
Top
 
Devil
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: HotSpot redirect DNS based on address-list

Tue Jun 12, 2012 9:32 am

Ah, yes. transparent proxy might actually end up messing with your settings, as the router handles the http requests. and since you've added opendns ip's in /ip dns , the router resolves the hosts through opendns. good catch :)
Top
 
alexnanow
just joined
Posts: 2
Joined: Fri Apr 06, 2012 5:18 pm

Re: HotSpot redirect DNS based on address-list

Mon Feb 25, 2013 10:40 pm

Hello everyone!

I'm using those commands to make a proper DNS redirect to my server, but I have two DNS servers on my network. I can't figure out how to duplicate those entries on my NAT table to use both DNS.

It doesn't work when I duplicate it. What can I do? I don't wanna to leave Mikrotik's DNS proxy working, because I wanna to view what client are making what query.

Thank You.
Top
Post Reply
  4. RouterOS
  5. General