donv
just joined
Topic Author
Posts: 9
Joined: Tue May 08, 2007 1:32 am
Location: Iowa - USA

Newbie to Mikrotik, question on best method to policy route

Tue May 08, 2007 2:20 am

We are trying to configure Mikrotik to allow us to create two user groups, Group-A with no content (porn) filtering, and Group-B with content filtering. We are trying to configure Hotspot so that when people sign up for Internet access, they can select if they want filtered (like if they have kids) or unfiltered Internet access.

I am open to any reasonable (simple) method to achieve this, but here are my thoughts thus far:

As near as I can determine, it looks simplest to do this using policy based routing, whereby we would somehow dynamically assign users from Group-A in one /24 and assign Group-B IP addresses from a different /24, then policy route Group-B's traffic (based on their IP address) thru another device (content filtering appliance/transparent HTTP proxy) which will not allow undesirable Internet content.

In this scenario, we are not using the HTTP proxy in the Mikrotik.

To accomplish this we wanted to create two DHCP scopes, one for each user group, then configure policy based routing in the Mikrotik to allow us to route traffic. However, since the users are authenticating via RADIUS, I don't yet understand how to assign a user's IP address dynamically if they have not yet authenticated (paid) via the captive portal/hotspot.

If anyone could steer me in the right direction on how to accomplish this, or what to read to figure out how to do this, I would really appreciate the help. Thank you in advance. :)

P.S. Here is a diagram that I put together real quick to show what we are trying to do.

Image
 
bushy
Member Candidate
Posts: 135
Joined: Thu Oct 20, 2005 11:56 pm
Location: Ireland

Tue May 08, 2007 4:07 am

You could intercept DNS from the filtered group and send it to Scrubit DNS or similar, which would save you running a filtering appliance.

Anyway, what you need to do is mark the traffic from your filtered group so you can route it later.
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=filtered disabled=no

/ip route add gateway=192.168.12.6 routing-mark=filtered disabled=no
 
donv
just joined
Topic Author
Posts: 9
Joined: Tue May 08, 2007 1:32 am
Location: Iowa - USA

Not sure I understand how this works.

Tue May 08, 2007 4:59 am

Bushy, thank you for your reply. I am not confident that DNS-based content filtering is effective, and therefore we would prefer to implement a filtering appliance.

I am also missing some glaringly huge parts of how this works, specifically:

1. I am not certain how the code you submitted would match the 192.168.11.0/24 traffic?

2. How to assign an IP address to users in different RADIUS groups from different IP scopes depending on the group the person is a member of.

3. I think I may be able to figure out how to policy route the marked traffic from your example, but an example of this would be really appreciated.

4. Just a theoretical question: how does the user get an IP address from the Mikrotik before they authenticate to the Hotspot?

Sorry for the level of the questions, but we are new to Mikrotik.

Thanks in advance.

don
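
Added example (not part of any post above, and not MikroTik's own configuration): one way to restrict the mangle rule from the thread to the filtered group's source subnet and send only that traffic through the appliance. The 192.168.11.0/24 filtered subnet, the 192.168.0.0/16 local range, and the pool and profile names are assumptions; the syntax follows the routing-mark form used in the thread.

```routeros
# Added example. Assumptions (not stated in the thread):
#   192.168.11.0/24  = subnet of the filtered group (Group-B)
#   192.168.0.0/16   = the router's local networks
#   pool-filtered / filtered = made-up pool and profile names
# 192.168.12.6 is the gateway from the thread (the filtering appliance).

# Pool that filtered users receive addresses from after hotspot login
/ip pool add name=pool-filtered ranges=192.168.11.10-192.168.11.254

# Hotspot user profile tied to that pool; users placed in this profile
# are given a 192.168.11.x address once they have authenticated
/ip hotspot user profile add name=filtered address-pool=pool-filtered

# Leave traffic to local networks unmarked so filtered users can still
# reach the hotspot login page and local DNS. "accept" stops further
# mangle processing for these packets.
/ip firewall mangle add chain=prerouting src-address=192.168.11.0/24 \
    dst-address=192.168.0.0/16 action=accept \
    comment="filtered group: local traffic stays in main table"

# Mark only packets sourced from the filtered subnet. A mark-routing rule
# with no matcher would mark every packet entering prerouting.
/ip firewall mangle add chain=prerouting src-address=192.168.11.0/24 \
    action=mark-routing new-routing-mark=filtered passthrough=no \
    comment="filtered group: route via appliance"

# Default route that applies only to packets carrying the routing mark
/ip route add dst-address=0.0.0.0/0 gateway=192.168.12.6 \
    routing-mark=filtered

# Check that the counters on the mark rule increase for filtered clients only
/ip firewall mangle print stats
```

The appliance at 192.168.12.6 needs a route back to 192.168.11.0/24 through the router (or must NAT), otherwise replies never reach the filtered clients.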