rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

hotspot routing

Tue Oct 18, 2016 1:56 am

This config works exactly how I want; however, any HTTP/HTTPS requests time out, and ONLY on the hotspot network W6SG.

If I turn off the hotspot server, it works. Ping to the outside always works, just not HTTP. What am I doing wrong?
# oct/17/2016 15:50:26 by RouterOS 6.36.2
# software id = FVQV-GHU4
#
# Interface layer: two bridges (MARS-Bridge and W6SG-Bridge), the physical AP on
# wlan1 renamed MARS-wifi, and a virtual AP (W6SG-wifi) carrying the W6SG SSID.
/interface bridge
add admin-mac=4C:5E:0C:F9:B9:21 auto-mac=no comment=defconf name=MARS-Bridge
add name=W6SG-Bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge name=MARS-wifi \
    ssid=MARS wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set MARS-Bridge comment=defconf
# NOTE(review): both pre-shared keys below are exported in clear text. Once a
# config is posted publicly they should be treated as disclosed and changed;
# "/export hide-sensitive" leaves such values out of the export.
# NOTE(review): the default profile offers WPA2-PSK but limits unicast and group
# ciphers to tkip; aes-ccm is the cipher normally paired with WPA2.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip mode=dynamic-keys unicast-ciphers=tkip \
    wpa-pre-shared-key=dougdoug wpa2-pre-shared-key=otla27otla27
# NOTE(review): no mode= is exported for the OPEN profile, so it presumably keeps
# the default mode (no encryption) and the listed authentication types have no
# effect -- confirm. The W6SG SSID would then be unencrypted over the air.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=OPEN supplicant-identity=""
# Virtual AP for the hotspot SSID; it uses the OPEN profile defined above.
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:F9:B9:24 \
    master-interface=MARS-wifi multicast-buffering=disabled name=W6SG-wifi \
    security-profile=OPEN ssid=W6SG wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
# Hotspot, DHCP, addressing and DNS for the two networks: 192.168.88.0/24 on
# MARS-Bridge and 172.16.10.0/24 on W6SG-Bridge (the hotspot side).
# NOTE(review): login-by includes http-pap, which submits the hotspot password
# in plain text over HTTP. If the W6SG SSID is unencrypted, the login is exposed
# on the air; https or http-chap are the login methods that avoid that.
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-pap
/ip pool
add name=192-pool ranges=192.168.88.10-192.168.88.254
add name=172-pool ranges=172.16.10.10-172.16.10.254
/ip dhcp-server
add address-pool=192-pool disabled=no interface=MARS-Bridge name=MARS-DHCP
add address-pool=172-pool disabled=no interface=W6SG-Bridge name=W6SG-DHCP
# The hotspot server is bound to W6SG-Bridge only; no profile= is exported, so
# it presumably uses the default hotspot profile set above -- confirm.
/ip hotspot
add address-pool=172-pool disabled=no idle-timeout=none interface=W6SG-Bridge \
    name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=172-pool
/interface bridge port
add bridge=MARS-Bridge interface=ether2-master
add bridge=MARS-Bridge interface=MARS-wifi
add bridge=W6SG-Bridge interface=W6SG-wifi
# ether1 carries a static address for the modem network and is also a DHCP
# client (next section).
/ip address
add address=192.168.88.1/24 comment="MARS Network" interface=MARS-Bridge \
    network=192.168.88.0
add address=172.16.10.1/24 comment="W6SG Public Network" interface=\
    W6SG-Bridge network=172.16.10.0
add address=192.168.1.20/24 comment="modem maint net" interface=ether1 \
    network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.88.236 client-id=1:0:26:ab:d0:84:3d comment=\
    "Epson Workforce 435" mac-address=00:26:AB:D0:84:3D server=MARS-DHCP
# Both DHCP networks hand clients public resolvers directly rather than the
# router's own address.
/ip dhcp-server network
add address=172.16.10.0/24 comment=172 dns-server=\
    8.8.4.4,4.2.2.1,8.8.8.8,4.2.2.2 gateway=172.16.10.1
add address=192.168.88.0/24 comment=defconf dns-server=\
    8.8.4.4,4.2.2.1,8.8.8.8,4.2.2.2 gateway=192.168.88.1
/ip dns
set servers=8.8.4.4,4.2.2.2,8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.88.1 name=router
# Firewall filter and NAT. Rule order matters: each chain is evaluated top to
# bottom, so the accept rules must stay ahead of the drops that follow them.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Input chain: ICMP and established/related are accepted, then everything that
# arrives on ether1 (WAN) is dropped.
# NOTE(review): there is no input rule for traffic arriving on W6SG-Bridge, so
# hotspot clients' access to the router itself is limited only by which
# services are enabled and by whatever rules the hotspot adds dynamically --
# confirm that is intended.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
# NOTE(review): fasttracked connections bypass normal firewall processing, and
# the hotspot relies on its own dynamic firewall rules. FastTrack presumably
# applies to TCP/UDP only, which would fit the symptom in the post (ping works,
# HTTP/HTTPS stalls on the hotspot network) -- verify by temporarily disabling
# this rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Isolation between the two networks. The address-based pair is disabled; the
# interface-based pair below is the one in effect and blocks forwarding in both
# directions between MARS-Bridge and W6SG-Bridge.
add action=drop chain=forward disabled=yes dst-address=192.168.88.0/24 \
    src-address=172.16.10.0/24
add action=drop chain=forward disabled=yes dst-address=172.16.10.0/24 \
    src-address=192.168.88.0/24
add action=drop chain=forward in-interface=MARS-Bridge out-interface=\
    W6SG-Bridge
add action=drop chain=forward in-interface=W6SG-Bridge out-interface=\
    MARS-Bridge
# Source NAT: each subnet is masqueraded only when leaving through ether1.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    172.16.10.0/24
# Hotspot account, management services, system settings and scheduled jobs.
# NOTE(review): the hotspot password is exported in clear text; treat it as
# disclosed once posted and change it ("/export hide-sensitive" omits it).
/ip hotspot user
add name=w6sg-user password=1password
# telnet, ftp, www and ssh are disabled. Services not listed here (for example
# winbox or api) are presumably at their defaults -- confirm, and limit them by
# source address if they must stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
# Daily jobs meant to switch the W6SG radio off at 22:00 and on at 10:00.
# NOTE(review): both commands name "wlan2", but no interface called wlan2
# appears in this export (the virtual AP is named W6SG-wifi), so the jobs
# presumably no longer match an interface -- confirm.
# NOTE(review): the jobs carry the full policy set although they only toggle an
# interface; a narrower policy would follow least privilege.
/system scheduler
add interval=1d name=W6SG-close on-event="/interface wireless disable wlan2" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/08/2016 start-time=22:00:00
add interval=1d name=W6SG-open on-event="/interface wireless enable wlan2" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/08/2016 start-time=10:00:00
# MAC-level management (MAC server and MAC-Winbox) is turned off on the default
# entry and enabled on MARS-Bridge only, keeping it off the hotspot and WAN side.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=MARS-Bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=MARS-Bridge
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: hotspot routing

Tue Oct 18, 2016 5:31 am

The hotspot redirects DNS to the router's DNS server. Without allowing remote requests, it will not work.
# Let the router's resolver answer queries from clients, which the hotspot's
# DNS redirection depends on.
# NOTE(review): allow-remote-requests=yes answers on every interface the input
# chain permits, so DNS arriving from the WAN side must stay blocked (the posted
# config drops all input on ether1).
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,4.2.2.2,8.8.8.8,4.2.2.1 
Also, to use static DNS entries like the one you have for your router, you would need to set the router as the first DNS server in your DHCP settings.
# Hand out the router as DNS server: the only resolver for 172.16.10.0/24, and
# the first of several for 192.168.88.0/24.
/ip dhcp-server network
add address=172.16.10.0/24 comment=172 dns-server=172.16.10.1 gateway=172.16.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1,8.8.4.4,4.2.2.1,8.8.8.8,4.2.2.2 gateway=192.168.88.1
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: hotspot routing

Tue Oct 18, 2016 10:43 pm

That is good to know, but it still doesn't work. The problem wasn't with resolution. The problem is that when I hit a page from the hotspot network, it will just sit there saying "waiting for xxx....".

The MARS wifi works fine though.
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: hotspot routing

Thu Oct 20, 2016 3:10 am

Can someone please help me with this?
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: hotspot routing

Thu Oct 20, 2016 4:17 am

I tried turning on transparent proxy in the hotspot user profile, and this seems to allow HTTP traffic through; however, HTTPS traffic still fails to load.
# oct/19/2016 18:12:24 by RouterOS 6.36.2
# software id = FVQV-GHU4
#
# Interface layer of the second export: two bridges, the physical AP on wlan1
# renamed MARS-wifi, and a virtual AP (W6SG-wifi) for the W6SG SSID.
/interface bridge
add admin-mac=4C:5E:0C:F9:B9:21 auto-mac=no comment=defconf name=MARS-Bridge
add name=W6SG-Bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge name=MARS-wifi \
    ssid=MARS wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set MARS-Bridge comment=defconf
# NOTE(review): the pre-shared keys are again exported in clear text; a public
# post discloses them, so they should be changed. "/export hide-sensitive"
# produces an export without them.
# NOTE(review): WPA2-PSK is configured with tkip as the only unicast and group
# cipher; aes-ccm is the cipher normally paired with WPA2.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip mode=dynamic-keys unicast-ciphers=tkip \
    wpa-pre-shared-key=dougdoug wpa2-pre-shared-key=otla27otla27
# NOTE(review): the OPEN profile exports no mode=, so it presumably runs in the
# default mode (no encryption) regardless of the authentication types listed --
# confirm.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=OPEN supplicant-identity=""
# Virtual AP for the W6SG SSID, attached to the OPEN security profile.
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:F9:B9:24 \
    master-interface=MARS-wifi multicast-buffering=disabled name=W6SG-wifi \
    security-profile=OPEN ssid=W6SG wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
# Hotspot, DHCP, addressing and DNS in the second export. New here: a dedicated
# hotspot profile (hsprof1), transparent proxy for hotspot users, the router as
# DNS server for 172.16.10.0/24, and allow-remote-requests on the resolver.
# NOTE(review): the default profile still lists http-pap (plain-text password
# over HTTP). hsprof1 exports no login-by, so it presumably uses the default
# login methods -- confirm which ones are actually offered on hotspot1.
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-pap
add hotspot-address=172.16.10.1 name=hsprof1
/ip pool
add name=192-pool ranges=192.168.88.10-192.168.88.254
add name=172-pool ranges=172.16.10.10-172.16.10.254
/ip dhcp-server
add address-pool=192-pool disabled=no interface=MARS-Bridge name=MARS-DHCP
add address-pool=172-pool disabled=no interface=W6SG-Bridge name=W6SG-DHCP
/ip hotspot
add address-pool=172-pool interface=W6SG-Bridge name=hotspot1 profile=hsprof1
# NOTE(review): shared-users=30 lets up to 30 sessions use one account at the
# same time; with a single shared hotspot user there is no per-person
# accountability in the session records.
# transparent-proxy=yes sends hotspot users' HTTP through the router's proxy;
# the post reports HTTP working after this change while HTTPS still fails.
/ip hotspot user profile
set [ find default=yes ] address-pool=172-pool shared-users=30 \
    transparent-proxy=yes
/interface bridge port
add bridge=MARS-Bridge interface=ether2-master
add bridge=MARS-Bridge interface=MARS-wifi
add bridge=W6SG-Bridge interface=W6SG-wifi
/ip address
add address=192.168.88.1/24 comment="MARS Network" interface=MARS-Bridge \
    network=192.168.88.0
add address=172.16.10.1/24 comment="W6SG Public Network" interface=\
    W6SG-Bridge network=172.16.10.0
add address=192.168.1.20/24 comment="modem maint net" interface=ether1 \
    network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.88.236 client-id=1:0:26:ab:d0:84:3d comment=\
    "Epson Workforce 435" mac-address=00:26:AB:D0:84:3D server=MARS-DHCP
# Hotspot clients now get the router (172.16.10.1) as their only resolver; the
# 192.168.88.0/24 network still receives public resolvers directly.
/ip dhcp-server network
add address=172.16.10.0/24 comment=172 dns-server=172.16.10.1 gateway=\
    172.16.10.1
add address=192.168.88.0/24 comment=defconf dns-server=\
    8.8.4.4,4.2.2.1,8.8.8.8,4.2.2.2 gateway=192.168.88.1
# NOTE(review): with allow-remote-requests=yes the resolver answers on every
# interface the input chain permits. WAN-side queries are covered by the
# "drop all from WAN" input rule on ether1; that rule must stay in place.
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,4.2.2.2,8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.88.1 name=router
# Firewall filter and NAT of the second export. Rules are evaluated top to
# bottom within each chain, so their order is part of the policy.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# NOTE(review): this rule opens TCP/22 on the WAN interface to any source
# address, and this export no longer lists ssh as disabled under /ip service.
# Limiting the rule with src-address or src-address-list, and using key-based
# logins, would narrow the exposure.
add action=accept chain=input comment="ALLOW WAN SSH" dst-port=22 \
    in-interface=ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
# NOTE(review): fasttracked connections bypass normal firewall processing, and
# the hotspot relies on its own dynamic firewall rules. FastTrack presumably
# applies to TCP/UDP only, which would fit the reported symptom (ping works,
# web traffic stalls on the hotspot network) -- verify by temporarily disabling
# this rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# Isolation between the two networks: the address-based pair is disabled, the
# interface-based pair is active and blocks forwarding in both directions.
add action=drop chain=forward disabled=yes dst-address=192.168.88.0/24 \
    src-address=172.16.10.0/24
add action=drop chain=forward disabled=yes dst-address=172.16.10.0/24 \
    src-address=192.168.88.0/24
add action=drop chain=forward in-interface=MARS-Bridge out-interface=\
    W6SG-Bridge
add action=drop chain=forward in-interface=W6SG-Bridge out-interface=\
    MARS-Bridge
# Source NAT. The first rule now masquerades everything leaving ether1 (no
# src-address), which makes the disabled 172.16.10.0/24 rule redundant.
# NOTE(review): the last rule has no out-interface, so it masquerades hotspot
# traffic leaving through any interface, not only the WAN -- confirm that this
# breadth is intended.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 \
    src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.10.0/24
# Hotspot account, management services, scheduled jobs and the No-IP dynamic
# DNS updater script.
# NOTE(review): the hotspot password is exported in clear text, and the same
# string is used as NOIPPass in the script below. Both should be treated as
# disclosed, changed, and made different from each other.
/ip hotspot user
add name=w6sg-user password=1password
# telnet, ftp and www are disabled and www-ssl is enabled. ssh is no longer
# listed as disabled, so it is presumably running -- confirm. Services that
# stay enabled can be limited by source address.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
# NOTE(review): the two daily jobs name "wlan2", but no interface called wlan2
# appears in this export (the virtual AP is named W6SG-wifi) -- confirm they
# still match an interface. All jobs carry the full policy set; a narrower
# policy would follow least privilege.
/system scheduler
add interval=1d name=W6SG-close on-event="/interface wireless disable wlan2" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/08/2016 start-time=22:00:00
add interval=1d name=W6SG-open on-event="/interface wireless enable wlan2" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/08/2016 start-time=10:00:00
# NOTE(review): no on-event is exported for NoIP-update, so as shown this job
# does not appear to call the No-IP script -- confirm.
add interval=10m name=NoIP-update policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    oct/20/2016 start-time=00:52:55
# No-IP updater: resolves the current public address through OpenDNS, compares
# it with the address the hostname resolves to, and requests an update when
# they differ.
# NOTE(review): the No-IP user name and password are stored in clear text in
# the script source and appear in this export.
# NOTE(review): the update is fetched with mode=http, so the credentials cross
# the WAN unencrypted; mode=https would protect them in transit.
# NOTE(review): the URL uses $Ipcurrent while the variable is declared as
# IpCurrent; variable names are presumably case-sensitive, which would leave
# myip= empty -- confirm.
/system script
add name=No-IP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#######\
    #######Script Settings##################\r\
    \n\r\
    \n:local NOIPUser \"rilliam\"\r\
    \n:local NOIPPass \"1password\"\r\
    \n:local WANInter \"ether1\"\r\
    \n\r\
    \n###############################################\r\
    \n\r\
    \n:local NOIPDomain \"w6sg.ddns.net\"\r\
    \n\r\
    \n:local IpCurrent [:resolve myip.opendns.com server=208.67.222.222];\r\
    \n:put \$IpCurrent\r\
    \n\r\
    \n:if ([:resolve \$NOIPDomain] != \$IpCurrent) do={\r\
    \n      /tool fetch mode=http user=\$NOIPUser password=\$NOIPPass url=\"ht\
    tp://dynupdate.no-ip.com/nic/update\\3Fhostname=\$NOIPDomain&myip=\$Ipcurr\
    ent\" keep-result=no\r\
    \n      :log info \"NO-IP Update: \$NOIPDomain - \$IpCurrent\"\r\
    \n}\r\
    \n"
# MAC-level management stays disabled on the default entry and enabled on
# MARS-Bridge only.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=MARS-Bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=MARS-Bridge
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: hotspot routing

Sun Oct 30, 2016 4:13 pm

anybody out there?