hotspot.hot/login ,behand point to point link page not found

TomKriek · Tue Sep 17, 2013 12:18 pm

My hotspot is working just fine on my local premises. However, I want it to allow users about a kilometer away to also use it.

I use two Rocket M2 Titanium units to create this wireless link to the other premises. The rockets have two lan ports. I therefore run the hotspot access point from the one lan port on the range 192.168.3.x and the other lan port I want to use for IP cameras, using 192.168.0.x. The access point is a Bullet M2 Titanium, one at each premises. All hardware using static IP's.

On the local site, the Bullet M2 AP work 100% with the hotspot.

However, the Bullet M2 (AP) on the far side, behind the Rocket link, refuse to display the hotspot.hot/login page. I use my android phone to connect and get an IP from the RB532's DHCP server pool, but the hotspot see it as unauthorized, it seems like, and will not allow it to go to the login page. I added ARP to the DHCP server, but still no go. There is no difference with or without ARP.

When I try to connect to the hotspot, I can see the ip, allocated to the android, in the hotspot hosts tab, with an AH prefix, same as local devices login on. So I am definitely reaching the RB532 hotspot over the link.

On the remote site, when I type 192.168.3.1 (ether1, hotspot) into the browser, it redirects to hotspot.hot/login , but display page not found. Yet this is not happening on the local site, not going through the point to point link and using the exact same model access point. It redirects the same way and the login page is displayed.

SurferTim, I sure hope you are going to see this post and help me out! Some fancy rule? hehe

samir494 · Tue Sep 17, 2013 1:02 pm

can you share your network connectivity ?

TomKriek · Tue Sep 17, 2013 1:07 pm

I am not sure of what you mean. Can you elaborate on what you want?

TomKriek · Tue Sep 17, 2013 9:38 pm

The HotSpot system does not care how did a client get an address before he/she gets to the HotSpot login page.

Guys, please help. I am running out of things to try and check. I thought maybe the devices which the client connect through is altering the IP in a way that is unacceptable to the hotspot, but above quote says otherwise. So why would a perfectly legal IP be rejected, in that the login page is refused to be displayed?

SurferTim · Wed Sep 18, 2013 1:52 pm

The rockets have two lan ports. I therefore run the hotspot access point from the one lan port on the range 192.168.3.x and the other lan port I want to use for IP cameras, using 192.168.0.x. The access point is a Bullet M2 Titanium, one at each premises. All hardware using static IP's.

You need to describe how these are connected, including ip/subnet, routing, and nat assignments in the Bullets. Sounds like there is a routing problem on/to the remote network.

You can start by posting the ip/subnets for the hotspot and the remote network.

edit: Also check "/ip hotspot host". Do you see any of the remote location ip addresses in the "address" part of the list?

TomKriek · Wed Sep 18, 2013 8:28 pm

Sorry Tim. I will come back to you shortly. I am just going through the basics to me, like wiring etc. Spend the whole day making sure that does not get mixed. And now starting to study the setup on the M2 Rockets, point to point link. Discovered I have set up the management IP only and nothing on lan0 and lan1.

So it is actually a miracle that DHCP is getting an IP through to the cell phone?

TomKriek · Wed Sep 18, 2013 11:02 pm

No, it is not a miracle. I have set up the Rockets in Bridge mode.

• Bridge The device acts as a transparent bridge and
operates in Layer 2, like an unmanaged switch.
There is only one IP address for the device in Bridge
mode.

So my hotspot is on 192.168.3.1, local side. (RB532)
That plugs into an 8 port hub.
The Rocket local side is on 192.168.3.111
Plugs into the same 8 port hub

The Rocket on the remote side is on 192.168.3.110
That goes via lan to the Bullet, which is the AP and is on 192.168.3.201

The android connect to this AP and get a IP of 192.168.3.27 from the hotspot pool.

So there is no other network in contact and poisoning is not possible.

I have another Bullet AP on the local side, plugged into the same 8 port hub. When the android connect to this AP, it gets the same IP of 192.168.3.27 and the login page of the hotspot is displayed and I can login successfully.

The problem at the remote site is that the login page is not displayed and reported as not found, so I can not log-in.

Can we try and get this part going, before I go and change the Rockets to router mode in order to run two networks on them, the other for the IP cameras on the 192.168.0.0/24 network, which is a totally separate network with its own RB450G.

What I battle to understand, is why is everything working 100% local side, why am I getting a valid IP on the remote side, but the login page is unauthorized and will not display?

If you want info from the RB, please explain again how to obtain it! I can not remember how to... Activate telnet from winbox and then what is the commands?

Maybe you can send me a mail? You have my address.

TomKriek · Wed Sep 18, 2013 11:37 pm

edit: Also check "/ip hotspot host". Do you see any of the remote location ip addresses in the "address" part of the list?

Yes, I see all the devices and 3 clients that is logged in.

https://docs.google.com/file/d/0B7wyzSI ... sp=sharing

TomKriek · Wed Sep 18, 2013 11:45 pm

Could the problem be with my HTML directory structure? I did fiddle in their some time ago and maybe when I connect from remote, it creates a problem. Can't see why, if it work local, why not remote?

https://docs.google.com/file/d/0B7wyzSI ... sp=sharing

SurferTim · Thu Sep 19, 2013 1:24 pm

Do the remote clients get the login page by requesting the router ip (gateway)?
http://192.168.3.1

If so, try a remote server by ip rather than domain, like Google. Do you get the login page then?
http://173.194.115.20

Do the remote hosts in "/ip hotspot host" have the correct mac address, or the mac of the Bullet?

TomKriek · Thu Sep 19, 2013 1:52 pm

Do the remote clients get the login page by requesting the router ip (gateway)?
http://192.168.3.1[/qoute]

Yes, in effect that is what happens . However, how I do it is to tell the client to connect. It is an open AP. Once connected, he must open his browser. The moment the browser try to access the internet, he is confronted with the login page opening. If you ignore the login page and manually go to 192.168.3.1, you are confronted again by the login page. You can manually go to anywhere, the same happens, except if you go to http://www.allmartins.co.za, which is the web page in walled garden.

If so, try a remote server by ip rather than domain, like Google. Do you get the login page then?
http://173.194.115.20
You are again confronted by the login page.

All this is what is happening at the local site and not at the remote site. There, you can connect and get an IP, nothing else. You can go to the various devices however, like http://192.168.3.210 etc and their login pages appear. You however can not access anything on the outside internet.

Do the remote hosts in "/ip hotspot host" have the correct mac address, or the mac of the Bullet?

Could you view the picture I gave of the hosts tab I showed? To me it looks correct.
https://docs.google.com/file/d/0B7wyzSI ... sp=sharing

I will go look each one up manually now via its ip and compare to that list, to make sure. I know my android mac by know and knows that is correct, but will go look up the 2 Bullets and the 2 Rockets.

Back in a jiffy...

SurferTim · Thu Sep 19, 2013 3:02 pm

That host list may have helped. Did you notice it is translating all the remote localnet ips to another localnet ip? It is almost like the remote clients are getting their ips from another dhcp server. There isn't another dhcp server somewhere on that remote localnet, is there?

Have you tried disabling the hotspot nat just as a test? Remember the current setting so you can change it back if it doesn't work for you.

/ip hotspot
set 0 address-pool=none

If 0 is not the line number of the hotspot, change that.

edit: Are any of the logged in clients in the host list your remote clients?

TomKriek · Thu Sep 19, 2013 3:25 pm

That host list may have helped. Did you notice it is translating all the remote localnet ips to another localnet ip? It is almost like the remote clients are getting their ips from another dhcp server. There isn't another dhcp server somewhere on that remote localnet, is there?

Have you tried disabling the hotspot nat just as a test? Remember the current setting so you can change it back if it doesn't work for you.
Code: Select all
/ip hotspot
set 0 address-pool=none
If 0 is not the line number of the hotspot, change that.

Yes, I did notice, but thought it is ok, as only the clients login on with DHCP is not being changed, and all the fixed ip's is being changed. I also suspect a second DHCP server somewhere and changed the pool of the known DHCP server to dish out in the range 192.168.3.80-192.168.3.90 and all the ip's given out by DHCP changed accordingly and the fixed IP' stayed the same, but was changed to the same pool in hosts. So I deducted from that, that it is only the one DHCP server.

I will however try and do your method as well.

In the meantime I compared those mac addresses and they are all correct on the device itself, ie corresponding with hosts.

SurferTim · Thu Sep 19, 2013 3:28 pm

Are there any remote clients connected to the Bullet? I don't see any in the host list. Do the remote clients get an ip by dhcp? If so, check the lease list. Their leases should show up there, even if they are not connected at the time.

/ip dhcp-server lease
print detail

TomKriek · Thu Sep 19, 2013 3:30 pm

I am just worried I understand the word 'remote' different to what you mean. To me the local devices is the devices at this premises where the hotspot also is. The remote devices is the devices a kilometer away. I have indicated on that hosts list which is local and which is remote devices, according to above explanation. They all get translated IP's, regardless whether they are local or remote. Therefore my guess is that they get changed because they are fixed on the device's lan.

TomKriek · Thu Sep 19, 2013 3:38 pm

Are there any remote clients connected to the Bullet? I don't see any in the host list. Do the remote clients get an ip by dhcp? If so, check the lease list. Their leases should show up there, even if they are not connected at the time.
Code: Select all
/ip dhcp-server lease
print detail

[admin@RB532] ip dhcp-server lease> print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=192.168.3.30 mac-address=00:13:49:AB:55:14 client-id="1:0:13:49:ab:55:14" server=dhcp1 status=bound expires-after=52m50s 
     active-address=192.168.3.30 active-mac-address=00:13:49:AB:55:14 active-client-id="1:0:13:49:ab:55:14" active-server=dhcp1 host-name="elize" 

 1 D address=192.168.3.39 mac-address=D4:9A:20:9B:16:2F client-id="1:d4:9a:20:9b:16:2f" server=dhcp1 status=bound expires-after=11m15s 
     active-address=192.168.3.39 active-mac-address=D4:9A:20:9B:16:2F active-client-id="1:d4:9a:20:9b:16:2f" active-server=dhcp1 
     host-name="iPod-Touch" 
[admin@RB532] ip dhcp-server lease>

I do not see my android in the list. I tried to log on at the remote site about an hour ago. I will go do it again and immediately come check for the result and what IP I got there.

SurferTim · Thu Sep 19, 2013 3:45 pm

How long is your lease time on the hotspot interface? Looks pretty short by the lease list.

Are your remote clients behind the Bullet bridge getting an ip?

TomKriek · Thu Sep 19, 2013 5:06 pm

I see my last post did not go through. Here it is again.

OK, just back and printed the detail immediately.

[admin@RB532] > /ip dhcp-server lease
[admin@RB532] ip dhcp-server lease> print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=192.168.3.30 mac-address=00:13:49:AB:55:14 client-id="1:0:13:49:ab:55:14" server=dhcp1 status=bound expires-after=31m3s 
     active-address=192.168.3.30 active-mac-address=00:13:49:AB:55:14 active-client-id="1:0:13:49:ab:55:14" active-server=dhcp1 host-name="elize" 

 1 D address=192.168.3.39 mac-address=D4:9A:20:9B:16:2F client-id="1:d4:9a:20:9b:16:2f" server=dhcp1 status=bound expires-after=39m9s 
     active-address=192.168.3.39 active-mac-address=D4:9A:20:9B:16:2F active-client-id="1:d4:9a:20:9b:16:2f" active-server=dhcp1 
     host-name="iPod-Touch" 

 2 D address=192.168.3.40 mac-address=7C:C3:A1:DE:7D:3E client-id="1:7c:c3:a1:de:7d:3e" server=dhcp1 status=bound expires-after=48m19s 
     active-address=192.168.3.40 active-mac-address=7C:C3:A1:DE:7D:3E active-client-id="1:7c:c3:a1:de:7d:3e" active-server=dhcp1 
     host-name="Jurgs-iPad" 

 3 D address=192.168.3.29 mac-address=50:CC:F8:20:CA:83 client-id="1:50:cc:f8:20:ca:83" server=dhcp1 status=bound expires-after=50m6s 
     [b][u]active-address=192.168.3.29 active-mac-address=50:CC:F8:20:CA:83 active-client-id="1:50:cc:f8:20:ca:83" active-server=dhcp1 
     host-name="android-1f775e838aa768ba"[/u][/b] 
[admin@RB532] ip dhcp-server lease>

3 D is my Android. So I am definately getting the 3.29 ip from DHCP. Still no internet on it though.

TomKriek · Thu Sep 19, 2013 5:14 pm

0, 1 and 2 D is before the bridge, gets an IP and the login page and internet.

3 D is behind the bridge and does get an IP, 192.168.3.29, but not the login page or internet.

Yes. the list is not long as we do not have a lot of clients currently.

Remember, the bridge is on the Rockets and the Bullets is the AP's.

TomKriek · Thu Sep 19, 2013 5:25 pm

So the Android's lease run out and is not on the list anymore.

[admin@RB532] ip dhcp-server lease> print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=192.168.3.30 mac-address=00:13:49:AB:55:14 client-id="1:0:13:49:ab:55:14" server=dhcp1 status=bound expires-after=34m45s 
     active-address=192.168.3.30 active-mac-address=00:13:49:AB:55:14 active-client-id="1:0:13:49:ab:55:14" active-server=dhcp1 host-name="elize" 

 1 D address=192.168.3.39 mac-address=D4:9A:20:9B:16:2F client-id="1:d4:9a:20:9b:16:2f" server=dhcp1 status=bound expires-after=59m43s 
     active-address=192.168.3.39 active-mac-address=D4:9A:20:9B:16:2F active-client-id="1:d4:9a:20:9b:16:2f" active-server=dhcp1 
     host-name="iPod-Touch" 

 2 D address=192.168.3.36 mac-address=88:32:9B:52:41:71 client-id="1:88:32:9b:52:41:71" server=dhcp1 status=bound expires-after=36m19s 
     active-address=192.168.3.36 active-mac-address=88:32:9B:52:41:71 active-client-id="1:88:32:9b:52:41:71" active-server=dhcp1 
     host-name="android-4b8272f913b92c0c" 
[admin@RB532] ip dhcp-server lease>

So I am going to log in with it again, this time at the local site and see if there is any differences in the lease.

TomKriek · Thu Sep 19, 2013 5:29 pm

I got 3.38 as an ip this time, got login page as expected, because I am at the local site this time.
Here is the detail.

[admin@RB532] ip dhcp-server lease> print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=192.168.3.30 mac-address=00:13:49:AB:55:14 client-id="1:0:13:49:ab:55:14" server=dhcp1 status=bound expires-after=59m49s 
     active-address=192.168.3.30 active-mac-address=00:13:49:AB:55:14 active-client-id="1:0:13:49:ab:55:14" active-server=dhcp1 host-name="elize" 

 1 D address=192.168.3.39 mac-address=D4:9A:20:9B:16:2F client-id="1:d4:9a:20:9b:16:2f" server=dhcp1 status=bound expires-after=59m 
     active-address=192.168.3.39 active-mac-address=D4:9A:20:9B:16:2F active-client-id="1:d4:9a:20:9b:16:2f" active-server=dhcp1 
     host-name="iPod-Touch" 

 2 D address=192.168.3.36 mac-address=88:32:9B:52:41:71 client-id="1:88:32:9b:52:41:71" server=dhcp1 status=bound expires-after=31m23s 
     active-address=192.168.3.36 active-mac-address=88:32:9B:52:41:71 active-client-id="1:88:32:9b:52:41:71" active-server=dhcp1 
     host-name="android-4b8272f913b92c0c" 

 3 D address=192.168.3.38 mac-address=50:CC:F8:20:CA:83 client-id="1:50:cc:f8:20:ca:83" server=dhcp1 status=bound expires-after=58m51s 
     active-address=192.168.3.38 active-mac-address=50:CC:F8:20:CA:83 active-client-id="1:50:cc:f8:20:ca:83" active-server=dhcp1 
     host-name="android-1f775e838aa768ba" 
[admin@RB532] ip dhcp-server lease>

OK, the only difference between the two attempts is the ip and lease time expiration, both to be expected so. So I think we can safely rule out the DHCP server as the cause.

TomKriek · Thu Sep 19, 2013 5:35 pm

What else can I print the detail of to examine for differences between the local site attempt and the remote site attempt?

TomKriek · Thu Sep 19, 2013 5:56 pm

What can be derived from this?

[admin@RB532] ip dhcp-server lease> /ip hotspot host
[admin@RB532] ip hotspot host> print detail
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 0 HA mac-address=00:13:49:AB:55:14 address=192.168.3.30 to-address=192.168.3.30 server=hotspot1 uptime=20h54m idle-timeout=5m keepalive-timeout=2m 
      found-by="TCP :1101 -> 37.252.246.4:5938" 

 1 D  mac-address=00:02:6F:9A:AF:90 address=192.168.3.225 to-address=192.168.3.37 server=hotspot1 uptime=19h53m22s idle-timeout=5m 
      found-by="UDP :32770 -> 192.168.3.35:47092" 

 2 H  mac-address=50:CC:F8:20:CA:83 address=192.168.3.38 to-address=192.168.3.38 server=hotspot1 uptime=14m5s idle-timeout=5m 
      found-by="UDP :3265 -> 196.43.50.190:53" 

 3 D  mac-address=00:27:22:7A:D5:6F address=192.168.3.201 to-address=192.168.3.27 server=hotspot1 uptime=5m1s idle-timeout=5m 
      found-by="ICMP echo to 192.168.3.1" 

 4 HA mac-address=D4:9A:20:9B:16:2F address=192.168.3.39 to-address=192.168.3.39 server=hotspot1 uptime=1m7s idle-timeout=5m keepalive-timeout=2m 
      found-by="TCP :49364 -> 17.149.36.76:5223" 

 5 D  mac-address=DC:9F:DB:2E:2B:35 address=196.43.50.190 to-address=192.168.3.20 server=hotspot1 uptime=19s idle-timeout=5m 
      found-by="UDP :53 -> 192.168.3.111:54623" 

 6 D  mac-address=DC:9F:DB:2E:2B:35 address=196.43.42.190 to-address=192.168.3.21 server=hotspot1 uptime=9s idle-timeout=5m 
      found-by="UDP :53 -> 192.168.3.111:35277"

0 HA is a PC (lan login at local site)

1 D is a second AP at the local site.

2 H is my Android (local site login, not HA, as I did not put in user name and password on the login page)

3 D is the Bullet AP at the remote site.

4 HA is the I Pod Touch client. (local site login)

I do not know what the 5 D and 6 D is? IP's unknown. Edit: ( DNS )

The local Bullet AP was not used for a while and is not in the list.

The 2 x Rockets, creating the bridge, also not on the list. Not active for a while.

TomKriek · Thu Sep 19, 2013 6:14 pm

I have done an IP scan on the 192.168.3.1-192.168.3.255 range to get most ip's on the host list.

Here is the result.

[admin@RB532] ip hotspot host> print detail
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 0 HA mac-address=00:13:49:AB:55:14 address=192.168.3.30 to-address=192.168.3.30 server=hotspot1 uptime=21h16m17s idle-timeout=5m keepalive-timeout=2m 
      found-by="TCP :1101 -> 37.252.246.4:5938" 

 1 D  mac-address=00:02:6F:9A:AF:90 address=192.168.3.225 to-address=192.168.3.37 server=hotspot1 uptime=20h15m39s idle-timeout=5m 
      found-by="UDP :32770 -> 192.168.3.35:47092" 

 2 HA mac-address=50:CC:F8:20:CA:83 address=192.168.3.38 to-address=192.168.3.38 server=hotspot1 uptime=36m22s idle-timeout=5m keepalive-timeout=2m 
      found-by="UDP :3265 -> 196.43.50.190:53" 

 3 D  mac-address=00:27:22:7A:D5:6F address=192.168.3.201 to-address=192.168.3.27 server=hotspot1 uptime=6m55s idle-timeout=5m 
      found-by="ICMP echo to 192.168.3.1" 

 4 D  mac-address=DC:9F:DB:7E:A1:3A address=192.168.3.111 to-address=192.168.3.36 server=hotspot1 uptime=1m57s idle-timeout=5m 
      found-by="ARP reply to 192.168.3.1" 

 5 D  mac-address=00:02:6F:60:BC:CE address=192.168.3.224 to-address=192.168.3.34 server=hotspot1 uptime=1m50s idle-timeout=5m 
      found-by="ARP reply to 192.168.3.1" 

 6 D  mac-address=DC:9F:DB:08:B0:FD address=192.168.3.229 to-address=192.168.3.33 server=hotspot1 uptime=1m49s idle-timeout=5m 
      found-by="ARP reply to 192.168.3.1" 

 7 D  mac-address=DC:9F:DB:2E:2B:35 address=192.168.3.110 to-address=192.168.3.21 server=hotspot1 uptime=25s idle-timeout=5m 
      found-by="ARP reply to 192.168.3.1" 

 8 D  mac-address=DC:9F:DB:2E:2B:35 address=196.43.50.190 to-address=192.168.3.40 server=hotspot1 uptime=5s idle-timeout=5m 
      found-by="UDP :53 -> 192.168.3.111:55918" 
[admin@RB532] ip hotspot host>

0 HA = PC

1 D = 2nd AP local site (Called AP2)

2 HA = Android login local site

3 D = Bullet AP at remote site

4 D = Rocket bridge, local site

5 D = Another AP at local site (called AP1)

6 D = Bullet AP at local site (called WiFi AP) (So we have 3 AP's at local site. AP1, AP2 and Wifi)

7 D = Rocket bridge at remote site

8 D = Unknown IP Edit: (Haha, this is my DNS)

TomKriek · Thu Sep 19, 2013 6:24 pm

Are your remote clients behind the Bullet bridge getting an ip?

I see I did not answer this fully.

The brige is not Bullet, but Rocket and yes, the clients behind the Rocket bridge is getting an IP, as demonstrated earlier with the Android that gets an IP, but not the login page to be authorized with.

TomKriek · Thu Sep 19, 2013 7:41 pm

I just changed the DHCP pool, as it seems like 20 ip's is going to run out very soon.

Old pool:
192.168.3.20-192.168.3.40

New pool:
192.168.3.10-192.168.3.100

TomKriek · Fri Sep 20, 2013 11:14 am

Morning Tim

I am in my 5th day of battling with this thing!

I am starting to think that it has nothing to do with the I.P. Is this statement in the manual true?
"The HotSpot system does not care how did a client get an address before he/she gets to the HotSpot login page."

If so, I think I must rather investigate my HTML structure. How does the calling of the loggin page happen and how do I inspect the order of things happening. I suspect that when a client connect at the remote site, that the hotspot is looking for the loggin page in a different location on the directory than when the client log in from the local site. It does not make sense to me, but I want to investigate to make sure.

Then I need you to look at my firewall rules. Please instruct me how to print what you need.

Thanks

Tom

samir494 · Fri Sep 20, 2013 12:01 pm

can you have team viewer on your pc(laptop)

let me know i will check your prolem & try to solved

SurferTim · Fri Sep 20, 2013 12:23 pm

"The HotSpot system does not care how did a client get an address before he/she gets to the HotSpot login page."

That is true in a way. If the hotspot has the 1:1 nat enabled (default), the hotspot uses ARP poisoning to intercept the ips and nat that ip to a localnet ip. If the 1:1 nat is disabled, this doesn't work unless the ip is within the localnet ip range.

TomKriek · Fri Sep 20, 2013 12:52 pm

Samir, at the risk of upsetting you, I have to decline at this stage. Thanks for the offer, but I have a relationship build up with Tim over time and trust him. Not to say that you are not trust worthy, I am sure you can understand my concern. If you have suggestions however, I will try them out.

So, Tim, where to next? I would not hesitate to let you use team viewer or VNC on my network, I would even donate to you for your time? I do have lots of things to ask you to implement... hehe

samir494 · Fri Sep 20, 2013 2:33 pm

sure , let me know if you need more from me

SurferTim · Fri Sep 20, 2013 2:36 pm

I'm not sure. First you must get your dhcp issues worked out. All devices must get an ip from some dhcp server on one or the other network, preferably the hotspot router. Until then, you are wasting your time.

I usually recommend disabling the hotspot and trying to surf the net from all localnet networks. If it doesn't work then, it won't work with the hotspot.

TomKriek · Fri Sep 20, 2013 3:17 pm

I'm not sure. First you must get your dhcp issues worked out. All devices must get an ip from some dhcp server on one or the other network, preferably the hotspot router. Until then, you are wasting your time.

I usually recommend disabling the hotspot and trying to surf the net from all localnet networks. If it doesn't work then, it won't work with the hotspot.

Ok, done that, disabled the hotspot and whala, got internet all over, including remote site.

Next? haha

TomKriek · Fri Sep 20, 2013 3:24 pm

I just disabled the hotspot server. I want to delete it now and build it from scratch. But how do I save my users list? I do not feel like typing all that over again.

SurferTim · Fri Sep 20, 2013 3:41 pm

I don't think removing a hotspot removes the hotspot user list. You may want to export it just as a backup.

/ip hotspot user
export file=hsusers.txt

The hsusers.txt file will be created in /file.

TomKriek · Fri Sep 20, 2013 3:47 pm

I don't think removing a hotspot removes the hotspot user list. You may want to export it just as a backup.
Code: Select all
/ip hotspot user
export file=hsusers.txt
The hsusers.txt file will be created in /file.

OK, exported it as script file and backed up the total setup. Now going to delete the server and start over

TomKriek · Fri Sep 20, 2013 3:54 pm

You were right Tim, all the users is still there. Import certificate I chose none. It kept all the old settings, so I hope it makes a difference.

SurferTim · Fri Sep 20, 2013 4:17 pm

I use default except "certificate" and "masquerade network". I use "none" and "no".

TomKriek · Fri Sep 20, 2013 5:43 pm

I still have the same problem. I even deleted the hotspot HTML directory and let the RB create it over. When I disable the hotspot, I have internet everywhere, local site and remote site. When I enable hotspot, I get login and internet at the local site, but not at the remote site.

We have ruled out DHCP server, Html directory. What is left? Should I go set all static ip's to auto from the DHCP server?

SurferTim · Fri Sep 20, 2013 8:18 pm

Have you tried disabling the hotspot 1:1 nat?

/ip hotspot
set 0 address-pool=none

TomKriek · Fri Sep 20, 2013 10:06 pm

Have you tried disabling the hotspot 1:1 nat?
Code: Select all
/ip hotspot
set 0 address-pool=none

No, I have not. Will do it now and test later tonight when I am going to the remote site again. Thanks. I really hope it works.

What does that code do? Which address pool is that?

TomKriek · Fri Sep 20, 2013 10:32 pm

[admin@RB532] ip hotspot> set 0 address-pool=none
[admin@RB532] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME                                                                                                   INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
 0   hotspot1                                                                                               ether1                 hsprof2 5m          
[admin@RB532] ip hotspot>

Correct?

TomKriek · Fri Sep 20, 2013 10:47 pm

OK. Nothing broken at local site. Will go to remote site in about an hour. Waiting to take guests that will arrive any time from now (9:46PM) till (10.45pm)

SurferTim · Fri Sep 20, 2013 11:45 pm

The hotspot uses arp poisoning to perform the 1:1 nat. Maybe that is messing up things for the bridge. It shouldn't affect anything if your clients have ips in the range of the hotspot interface or get their ip from your hotspot router dhcp server.

TomKriek · Fri Sep 20, 2013 11:55 pm

The hotspot uses arp poisoning to perform the 1:1 nat. Maybe that is messing up things for the bridge. It shouldn't affect anything if your clients have ips in the range of the hotspot interface or get their ip from your hotspot router dhcp server.

OK, I will take your word for it, as it is going over my head. Maybe an article or manual I can read about it? Anycase, it is not serious, I am just wondering about what the complications is going to be when I add the 192.168.0.0/24 network to the Rocket bridge. I hope to keep them separate with lan0 (primary) and lan1 (secondary).

That will be stage two, when I get the hotspot sorted out.

SurferTim · Sat Sep 21, 2013 12:12 am

By setting the hotspot address pool to none, you are disabling the hotspot nat. Here is the part you are disabling. From the manual http://wiki.mikrotik.com/wiki/Manual:Ho ... troduction

Moreover, HotSpot server may automatically and transparently change any IP address (yes, meaning really any IP address) of a client to a valid unused address from the selected IP pool. If a user is able to get his/her Internet connection working at their place, he/she will be able to get his/her connection working in the HotSpot network. This feature gives a possibility to provide a network access (for example, Internet access) to mobile clients that are not willing (or are disallowed, not qualified enough or otherwise unable) to change their networking settings. The users will not notice the translation (i.e., there will not be any changes in the users' config), but the router itself will see completely different (from what is actually set on each client) source IP addresses on packets sent from the clients (even the firewall mangle table will 'see' the translated addresses). This technique is called one-to-one NAT, but is also known as "Universal Client" as that is how it was called in the RouterOS version 2.8.

One-to-one NAT accepts any incoming address from a connected network interface and performs a network address translation so that data may be routed through standard IP networks. Clients may use any preconfigured addresses. If the one-to-one NAT feature is set to translate a client's address to a public IP address, then the client may even run a server or any other service that requires a public IP address. This NAT is changing source address of each packet just after it is received by the router (it is like source NAT that is performed early in the packet path, so that even firewall mangle table, which normally 'sees' received packets unaltered, can only 'see' the translated address).

The hotspot uses arp poisoning to intercept otherwise localnet or out-of-range ips, and translate them to a localnet ip. This nat is done between the client and the interface. The router knows nothing of the actual ip of the client, only the ip it has been translated to.

If you looked in "/ip hotspot host" before disabling the nat, you can see the translations. The "address" column is the actual ip of the client. The "to-address" ip is the localnet ip that mac address is being translated to. Once you disable the nat, the ips should be the same.

TomKriek · Sat Sep 21, 2013 12:21 am

OK, I read it before and made no sense to me. I understand it better now, thanks. I am still confused by the 'pool' talked about. It is 'clearly?' not the pool I set in DHCP. So where does this 'pool' come from and how big is it? Is it related to the DHCP pool?

If you looked in "/ip hotspot host" before disabling the nat, you can see the translations.

Yes, I remember, we have done that yesterday and all the dynamic IP's was changed to an IP in the DHCP pool.

TomKriek · Sat Sep 21, 2013 12:29 am

I think I am starting to get it. It is the same pool. By disabling 1:1 nat, you are just telling the hotspot not to use IP's from that pool to convert other IP's into that range, in fact DO NOT change any IP!

hehe

SurferTim · Sat Sep 21, 2013 12:32 am

That is correct. It is normally clients that have a static ip assigned at home or work that have problems if you disable the hotspot nat.

TomKriek · Sat Sep 21, 2013 1:32 am

The remote site still do not have internet and can not find the login page.

[admin@RB532] ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER   IDLE-TIMEOUT
 0 H  00:13:49:AB:55:14 192.168.3.98    192.168.3.98    hotspot1 5m          
 1 D  00:02:6F:9A:AF:90 192.168.3.225   192.168.3.225   hotspot1 5m          
 2 H  50:CC:F8:20:CA:83 192.168.3.38    192.168.3.38    hotspot1 5m          
 3 D  DC:9F:DB:2E:2B:35 192.168.3.111   192.168.3.111   hotspot1 5m          
 4 H  D4:9A:20:9B:16:2F 192.168.3.93    192.168.3.93    hotspot1 5m          
[admin@RB532] ip hotspot host>

Nat 1:1 is off and no IP is changed, as can be seen from hosts above.

[admin@RB532] ip dhcp-server lease> print
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 #   ADDRESS         MAC-ADDRESS       HOST-NAME                                        SERVER RATE-LIMIT                                       STATUS 
 0 D 192.168.3.93    D4:9A:20:9B:16:2F iPod-Touch                                       dhcp1                                                   bound  
 1 D 192.168.3.98    00:13:49:AB:55:14 elize                                            dhcp1                                                   bound  
 2 D 192.168.3.38    50:CC:F8:20:CA:83 android-1f775e838aa768ba                         dhcp1                                                   bound  
[admin@RB532] ip dhcp-server lease>

The android at the remote site did get its IP from DHCP Server as above.

What else can I look at? Think I am going to bed now. It is 32min past midnight!

SurferTim · Sat Sep 21, 2013 12:27 pm

[admin@RB532] ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 H 00:13:49:AB:55:14 192.168.3.98 192.168.3.98 hotspot1 5m
1 D 00:02:6F:9A:AF:90 192.168.3.225 192.168.3.225 hotspot1 5m
2 H 50:CC:F8:20:CA:83 192.168.3.38 192.168.3.38 hotspot1 5m
3 D DC:9F:DB:2E:2B:35 192.168.3.111 192.168.3.111 hotspot1 5m
4 H D4:9A:20:9B:16:2F 192.168.3.93 192.168.3.93 hotspot1 5m
[admin@RB532] ip hotspot host>

Where did the two devices in bold get their ips? The other three are in your dhcp server lease list.
edit: The 192.168.3.111 is the Rocket on the hotspot end, but what about the other ip?

My hotspot routers have no devices between the hotspot and the clients, and this is why. I would have used two routers/hotspots for your setup.

TomKriek · Sat Sep 21, 2013 2:38 pm

Here is all the devices with static IP's on the hotspot network.

192.168.3.0/24 HotSpot on RB532
192.168.3.1:8291 Mikrotik Ether 1
192.168.11.2 Mikrotik Ether 2 Modem

192.168.3.10 - 192.168.3.100
Hotspot DHCP Pool

192.168.3.110
Rocket Dish Link at remote site

192.168.3.111
Rocket Dish Link at local site

192.168.3.201 Bullet AP remote site

192.168.3.224 AP1 local site
192.168.3.225 AP2 local site
192.168.3.229 Bullet AP local site

192.168.11.1 RB450G Ether 2
192.168.11.2 RB532 Ether 2
192.168.11.25 ADSL Modem

The two IP's you query is static IP's for AP2 local site and Rocket Dish Link at local site. Before we disabled the Nat 1:1, those IP's was changed to an IP in the pool. Now it is left unchanged.

When I disable Hotspot1 Server, everything works 100% and all clients (cell phone) get login page and internet after login.

When I enable, I do not have internet on client (cell phone) connecting to the Bullet AP at the remote site (the only AP at the remote site), with error at remote site of 'page not found', being the login page. All clients (cell phone) connecting at local site still get the login page and have internet after login.

TomKriek · Sat Sep 21, 2013 2:53 pm

I would have used two routers/hotspots for your setup.

I used to have two point to point links from local to remote site. One was used for the cameras on the 192.168.0.0/24 network and the other for the Hotspot on 192.168.3.0/24 network. Both worked 100%. I had no problem with the hotspot at the remote site either. Then lightning took out my hardware at the remote site. My son and I then opted for the one point to point hardware, as it had two lan ports. One lan port being gigabit and the other 10/100. Our reasoning was that the gigabit lan port will give us more bandwidth for the cameras. I have now set up the point to point link with just the one network for the Hotspot, which worked 100% on the old point to point. So, it can be done like that. The problem must be with the setup of the point to point link with the Rockets.

I now started to change setup on them and locked myself out of the one Rocket at the remote site. I must now wait to get a Laptop to go there and fix the problem, as there is no PC at the remote site.

I want you in the meantime to look at the setup of the Rocket point to point link for me. I will give details in the next post.

Thanks for your patience.

TomKriek · Sat Sep 21, 2013 3:08 pm

From the Rocket' manual.

Basic Wireless Settings
In this section, configure the basic wireless settings, such as wireless mode, wireless network name (SSID), country code, 802.11 mode, output power, and data rates.
Wireless Mode Specify the Wireless Mode of the device. The mode depends on the network topology requirements. airOS supports the following modes:

• Station If you have a client device to connect to an AP, configure the client device as Station mode. The client device acts as the subscriber station while it is connecting to the AP. The SSID of the AP is used, and all the traffic to and from the network devices connected to the Ethernet interface is forwarded.
Note: If WDS (Transparent Bridge Mode) is disabled, the radio uses arpnat, which results in non-transparent bridging. To have a fully
transparent bridge, select Station and then enable WDS (Transparent Bridge Mode).

• Access Point If you have a single device to act as an AP, configure it as Access Point mode. The device functions as an AP that connects multiple client devices. If you have multiple APs repeating signals where Ethernet connections are not readily available, then use
AP‑Repeater mode.
Note: For Access Point (WDS) mode, select Access Point and then enable WDS (Transparent Bridge Mode).

• AP‑Repeater If you have multiple APs, configure them as AP‑Repeater mode to create a wireless network infrastructure, WDS. If the Auto option is enabled, all APs using the same wireless mode (AP‑Repeater) and SSID automatically establish the WDS connections. (Client
devices can still connect to APs in AP‑Repeater mode.)
Note: For AP‑Repeater mode, the WPA™/WPA2™ security methods will not work; instead, use none or the WEP security method (this may
compromise the security of your network).

You still have the option of using RADIUS MAC authentication and MAC ACL.

I need to make sure which mode(s) to use.

Prior my lockout, I used 'Access Point' (Remote site) and 'Station' on the other. I then decided to make both 'Station'. Big mistake. Lost communication with the remote site Rocket.

TomKriek · Sat Sep 21, 2013 5:51 pm

ok, I can access the remote Rocket again. Changed the mode back to Access Point mode.

I just noticed this. When a client is authorized, it's IP gets changed. See 0 below in ip hotspot host detail.

[admin@RB532] ip hotspot> host
[admin@RB532] ip hotspot host> print detail
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 0  A mac-address=00:13:49:AB:55:14 address=192.168.3.98 to-address=192.168.3.43 server=hotspot1 uptime=18h42m7s 
      keepalive-timeout=2m found-by="TCP :1453 -> 94.23.150.191:8080" 

 1 D  mac-address=00:02:6F:9A:AF:90 address=192.168.3.225 to-address=192.168.3.225 server=hotspot1 uptime=18h33m40s 
      idle-timeout=5m found-by="ARP reply to 192.168.3.1" 

 2 H  mac-address=50:CC:F8:20:CA:83 address=192.168.3.38 to-address=192.168.3.38 server=hotspot1 uptime=13m37s idle-timeout=5m 
      found-by="UDP :18367 -> 196.43.50.190:53" 

 3 D  mac-address=DC:9F:DB:2E:2B:35 address=192.168.3.110 to-address=192.168.3.110 server=hotspot1 uptime=6m3s idle-timeout=5m 
      found-by="UDP :33670 -> 178.18.118.13:123" 

 4 H  mac-address=D4:9A:20:9B:16:2F address=192.168.3.93 to-address=192.168.3.93 server=hotspot1 uptime=1m29s idle-timeout=5m 
      found-by="UDP :55667 -> 196.43.50.190:53"

TomKriek · Sat Sep 21, 2013 5:58 pm

 0  A mac-address=00:13:49:AB:55:14 address=192.168.3.98 to-address=192.168.3.43 server=hotspot1 uptime=18h42m7s 
      keepalive-timeout=2m found-by="TCP :1453 -> 94.23.150.191:8080"

DHCP gave an IP of 192.168.3.98, prior to authorization. Then, when authorized, hotspot changed the IP to 192.168.3.43.

Why?

bhamhotspots · Mon Sep 23, 2013 6:27 am

I have similar setups out there. Can you do a teamviewer session while on that network? I could get on a remote session and work with you to resolve remotely.