
Help understanding how Hotspot works and how to control it

Posted: Wed Sep 27, 2017 4:20 am
by shivansps
Hi, this is what I want to do.

Image

So in preparation for that, I set up a VirtualAP with the secondary SSID, an IP pool, and a secondary DHCP server to run on that interface (10.5.50.0 network, 10.5.50.2-10.5.50.254 pool, gateway and DNS = 10.5.50.1; the image is wrong).

I added the 2nd gateway in IP->address (192.168.0.2, marked as "secondary"), then in Firewall->NAT the srcnat for the 10.5.50.0 network, using the "secondary", and finally in mangle I've added a mark routing: everything from the IN interface wlan2 uses the secondary gateway. And in the filter rules I've blocked all traffic from 10.5.50.0/24 to 192.168.0.0/24.

It works... if I connect to SSID1 I get internet from the default gateway, with access to the whole network, and if I connect to SSID2 I get the 10.5.50.x IP, internet from gateway 2 and no access to the 192.168.0.X network, aside from access to the router itself.
That is exactly what I want.

Now, I need to run a hotspot on wlan2, and here is the part I don't understand. I run a hotspot to use the wlan2 configuration that is already working: the DHCP server, IP pool, route rules, etc. When I do that I can log in to the hotspot on wlan2, BUT... the hotspot users are using Gateway 1 again; it looks like it is overriding my mangle rule. And they again have full access to the 192.168.0.X network, so it is overriding my filter rule as well.

I also have problems accessing web sites; somehow it seems like I can only access web sites added to the walled garden? The walled garden, as I understand it, allows hotspot users to access a website WITHOUT login, not after. It also seems like it is using a proxy and responding to the "access list" in "Web Proxy", but the web proxy is not enabled...
I have no idea what is going on or how to control this. The NAT and filter rules are dynamic and I can't do a thing to them.

What I want to do is allow hotspot users access to 2 or 3 websites without having to log in to the hotspot, and after login have unrestricted WEB access only, without access to the internal LAN or the router configuration. And internet must be using my secondary gateway the whole time, for both pre-login and post-login.

Thanks in advance.