JesseMathis
newbie
Topic Author
Posts: 46
Joined: Fri Dec 15, 2006 10:53 pm

Hotspot Dynamic NAT and Firewall issues

Wed Feb 07, 2007 4:58 am

I have clients using hotspot to get on the internet. I want clients to authenticate on the web page and then have open access to the internet. I have NAT turned off. (The hotspot ip-pool feature is turned off.) Clients get an IP from the DHCP server. All this works fine and clients can browse the internet, but when using special applications that don't use HTTP traffic it does not work. To test if Hotspot is the issue I add my client IP block to the IP-Binding section with the bypass rule for hotspot. After I do this, of course, no one has to authenticate and can surf the web, and everything works as expected. As soon as I remove them from the Hotspot bypass, things don't work correctly, like access to OWA.

I am assuming the Dynamic NAT rules and/or Dynamic Firewall rules for hotspot are causing the issue. How can I resolve this issue?

Please help!
 
macahan
just joined
Posts: 6
Joined: Mon Jun 14, 2004 6:48 am
Location: Pittsburg, KS - USA

Wed Feb 07, 2007 8:23 am

Sounds like a routing issue.
Since you're not NATing you need to be routing. The hotspot will do proxy by default, which will allow web traffic to work thanks to the IP binding that will allow you to break rules of IP.

Are your public IPs routed through the router?
 
JesseMathis
newbie
Topic Author
Posts: 46
Joined: Fri Dec 15, 2006 10:53 pm

Wed Feb 07, 2007 4:20 pm

There is a route to the client subnet on the Mikrotik pointing to the interface to which the AP (Navini Base Station) is connected. Below is a crude layout of the network. The route to the client subnet is pointing to the Clients interface, which is a VLAN configured on physical interface eth5.

 ----------------                                    -------------
 | Cisco Router | Eth0 <---- Ethernet Link ----> Eth0 | Mikrotik  |
 ----------------                                    -------------
                                                          |
                                                     Eth5 (Trunk)
                                   MT Vlan 20 on Eth5     |     MT Vlan 10 on Eth5
                                                          |
                                                ----------------------
                                                | Cisco Switch 3650  |
                                                ----------------------
                                                    /          \
                         Vlan 20 Clients           /            \           Vlan 10 Servers
                 (Clients = Hotspot interface)    /              \
                                                 /                \
                                        --------------        --------------
                                        | Navini BTS |        | Cisco 2950 |
                                        --------------        --------------
                                              /                      \
                  Wireless Clients (Public Addresses)      Internal Servers (Private Addresses)
 
JesseMathis
newbie
Topic Author
Posts: 46
Joined: Fri Dec 15, 2006 10:53 pm

Wed Feb 07, 2007 4:30 pm

Err the crude pic did not show up correctly. Let me explain how everything is physically connected.

Cisco Router (internet) is connected via ethernet to Mikrotik Eth2. I have 2 VLANs configured on the Mikrotik. Vlan 10 is for Servers and Vlan 20 is for Clients. Both of the VLANs are set to physical interface eth5. Eth5 is physically connected to a Cisco 3650 switch as a trunk port. The Navini BTS connects to a port on this switch which is configured for Vlan 20. Another Cisco switch is connected to the 3650 via a trunk. This switch is configured with Vlan 10 for servers. I think something funky is happening with hotspot. Adding an IP-Binding rule with bypass set allows everything to work as it should, but when clients are forced to log on to hotspot only some web traffic (80, 443, DNS) seems to work correctly. When I try to connect to an internal Exchange server, OWA does not work. I just get a timeout even though I can ping the server. If I add a bypass rule for the client in hotspot the OWA page comes up without an issue, but as soon as I remove the IP-Binding and force the client to use hotspot to authenticate it breaks.

Let me know if you want me to post any configs here.
 
JesseMathis
newbie
Topic Author
Posts: 46
Joined: Fri Dec 15, 2006 10:53 pm

Thu Feb 08, 2007 1:39 pm

I think I figured it out.

I turned off Transparent proxy on the Hotspot profile and now it seems to be working. :)
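As an added example (not configuration posted in this thread, which never included the configs), these are the RouterOS CLI commands that correspond to the two steps taken above: the temporary IP-binding bypass used to isolate the hotspot as the cause, and the transparent-proxy setting on the hotspot profile that was finally turned off. The profile name "hsprof1", the client subnet 203.0.113.0/24 and the comment text are assumptions constructed for this example.

```routeros
# Assumed for this example: hotspot profile "hsprof1", client subnet
# 203.0.113.0/24 (public addresses routed to the Clients VLAN, no NAT).

# 1. Diagnostic only: bypass the hotspot for the client subnet. If the
#    non-HTTP application works with this binding in place and fails
#    without it, the hotspot's dynamic rules are in the path.
/ip hotspot ip-binding add address=203.0.113.0/24 type=bypassed comment="TEMP hotspot test"

# 2. While testing, look at what the hotspot injects. Dynamic rules are
#    flagged "D" in the output; the transparent proxy shows up here as
#    redirection of client TCP traffic to the router itself.
/ip firewall nat print
/ip firewall filter print

# 3. Remove the bypass again so clients must authenticate; leaving a
#    bypassed public subnet behind would silently disable the captive
#    portal for those hosts.
/ip hotspot ip-binding remove [find comment="TEMP hotspot test"]

# 4. The fix from the thread: stop the hotspot from transparently
#    proxying client traffic. Authenticated clients are then routed
#    normally instead of being redirected through the hotspot proxy.
/ip hotspot profile set [find name="hsprof1"] transparent-proxy=no
```

Running step 2 both with and without the bypass binding is a quick way to confirm the explanation given in this thread: the difference between the two rule sets is the dynamic redirect that only applies to non-bypassed hotspot clients.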