freewifi
just joined
Topic Author
Posts: 7
Joined: Thu Sep 06, 2007 2:49 am

free hotspot, cannot get ssh through wds setup

Wed Oct 10, 2007 4:53 am

Hi Guys,
I've been on this for a couple of days. I'm getting closer.

I want to cover my small town with free wifi. They still need to sign up through a RADIUS server, though it's all free.

This is an image of how I have set it up in my house, ready for install. Everything is working except I won't be able to manage the 2 WDS devices remotely because they are on the same subnet as the hotspot users will be. (DHCP scope 10.5.50.10-10.5.50.254)

Image

I thought I could port forward 2222 SSH to AP2 and forward 2223 to AP3.
The forwarding rules work if I disable the hotspot on AP1 and stop working when the hotspot is enabled. I figured out that turning on the hotspot feature adds a bunch of dynamic firewall rules and NAT rules. (I get the same results with HTTP traffic on port 8080.)

I am unsure of which rules to put in the firewall to allow the traffic through. It also seems that when I do add a firewall rule to the firewall list and move it to the top of the list, when I reboot it is moved below the dynamic rules, so if I did add a rule there it won't work anyway.

This is doing my head in. I've been working on it for a week and troubleshooting this issue for 2 days. I am pretty noob at Linux but understand the basics.

Thanks
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: free hotspot, cannot get ssh through wds setup

Fri Oct 12, 2007 12:37 am

We have a similar arrangement, and I keep meaning to add this as a wiki since many people ask about this.

We used SSH at first and multiple port forwarding rules, but this was not convenient. We prefer to use WinBox to manage our nodes rather than the console.

Our simple solution is to use PPTP, a VPN tunnel protocol built into Windows XP and Vista. It's VERY easy.
With this solution, you can use WinBox to open windows into all of your nodes all at once.

You don't need to forward any ports on the MT router, but, on the node with the hotspot, you WILL need to do the following for EACH of your other routers:
IP->hotspot->IP Bindings-> add
Enter the AP2 and then AP3 address in both the "Address" and "To Address" field and set Type=bypass.

The above step will allow the internal IP address of your downstream routers to communicate through the hotspot to WinBox.

For more details, see my explanation here: http://forum.mikrotik.com/viewtopic.php?f=2&t=18217


Regarding your static firewall rules moving to the bottom, below the hotspot's dynamic rules, after a reboot:
I view this as a BUG. The software should save the ordering as well as the content. As a work-around, you can either remember to always go back and move your rules after a reboot or create a script that runs shortly after startup. You need to delay the script for about 15 seconds to give the hotspot a chance to start up first. If you don't, the hotspot will add its rules after your script runs, which won't help.

Unfortunately, scripts to move firewall rules are not easy. You'll have to read the docs and this forum for some advice. Mine recently stopped working after an update to the latest OS version, so I need to do some work there.

I hope all this helps. Please post any questions, and of course post success if it works!
 
freewifi
just joined
Topic Author
Posts: 7
Joined: Thu Sep 06, 2007 2:49 am

Re: free hotspot, cannot get ssh through wds setup

Fri Oct 12, 2007 4:26 am

I'm out for a couple of days, will let you know if it works when I try it.
Looks great though. Thanks for your help.
 
freewifi
just joined
Topic Author
Posts: 7
Joined: Thu Sep 06, 2007 2:49 am

Re: free hotspot, cannot get ssh through wds setup

Sun Oct 14, 2007 11:16 am

That worked great. Thanks, dsobin.

The only issue I could see with it is that if you manage multiple networks, you would need each hotspot network on a different subnet.
e.g.:
10.5.50.0/24
10.5.51.0/24
10.5.52.0/24

Yes, I'm pretty lazy.

Thanks again, mate.