
Hotspot problem

Posted: Tue Jan 16, 2007 5:43 pm
by losi29a
Hello!


Sorry for disturbing again, but this is the third day and I just can't solve a problem. We have a 2.8.26 Hotspot+NAT Masquerade Router with DHCP.

Please help!

We want to upgrade it to 2.9 with new hardware.

On the old router we have the following scenario:

side:local
10.0.0.0/16 - all users
10.0.1.0/24 - users with dhcp
10.0.6.0/24 - users with dhcp
10.0.0.1 - hotspot gateway
side:public
everyone passes out on interface public with IP address 193.202.xx.xx

So I made the following steps on the new (2.9.27) router:

added 10.0.0.1 ip for interface local
added 193.202.xx.xx for interface public
added 193.202.xx.xx for gateway

and added DHCP server on interface local with pool 10.0.1.0/24,10.0.6.0/24

After that I try to add the interface Hotspot, but I think I must have misunderstood something.

So, I simply set:

hotspot interface: local
address of network: 10.0.0.1/16
masquerade: yes
address pool of network: ???
-----
Here, do I have to add "none" (because I want no 1:1 NAT), or
do I have to add the pool of 10.0.0.1/16, or the pool of DHCP???
In the manual I read that if I don't want 1:1 I must set pool: NONE

So it stands for: ip hotspot setup, or hotspot user profile?
-----
certificate:none
ip address of smtp: 0.0.0.0
dns servers: xx.xx.xx.xx,yy.yy.yy.yy /they work correctly/

I have the following problem:

I try to reach a site, hotspot authentication comes in, I log in successfully.
I can reach sites, I go out with the public IP, but:

on the IP FIREWALL, it seems that none of my traffic passes through the masquerade rule, and I can see no rules at IP MANGLE added by hotspot.

Where is the problem? In the IP HOTSPOT SETUP, or somewhere in the IP HOTSPOT USER PROFILES (incoming filter, outgoing filter, packet marks: I didn't fill them, address pool: none, http proxy: none)

Sorry for being so long, best regards: Gabor

Posted: Wed Jan 17, 2007 5:27 am
by jarosoup
The hotspot in 2.9 is quite different than 2.8. Don't expect everything (firewall rules mainly) to look the same :)

First, start over (reset your router). Then, make sure your hotspot interface is enabled, and assign an IP address to it and make sure the WAN interface is configured properly. Don't configure anything else.

Now, run the hotspot setup. By default, it will know what address range (address pool) to use based on the IP you assigned to the interface, the IP pool size, and everything else it needs to create a DHCP server and Hotspot. Basically, everything will already be filled in for you and the only thing you'll probably need to change is the certificate question. Note that there are no longer mangle rules, and all of the hotspot related firewall rules are dynamic - they will disappear if you disable the hotspot.

Hope this helps

Posted: Wed Jan 17, 2007 10:29 am
by losi29a
Hello!

So, when Hotspot is running, I should see dynamic rules in the Mangle table? I see nothing.

I am sure that firewall rules should be quite different, but I think that I should see something pass over the masquerade rule. And nothing does....

Thanks for help: Gabor

Posted: Wed Jan 17, 2007 1:12 pm
by losi29a
Hello!

I set no address pool on interface hotspot, but I see in the Host table that 1:1 NAT is happening....

Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
 #    MAC-ADDRESS       ADDRESS    TO-ADDRESS SERVER   IDLE-TIMEOUT
 0 DA 00:0A:E6:CA:D2:E1 10.0.0.2   10.0.0.2   hotspot1
 1 HA 00:40:D0:87:EC:FD 10.0.1.32  10.0.1.32  hotspot1

Why is this?

Posted: Wed Jan 17, 2007 1:44 pm
by sergejs
First of all, it is recommended to upgrade; some improvements have been implemented since 2.9.27.

Hm, host address is equal to to-address, I do not see any 1:1 NAT there.

Paste here the information that you get after 'ip firewall nat print all stats'.

Posted: Wed Jan 17, 2007 1:53 pm
by losi29a
Hello!

[admin@MikroTik] > ip firewall nat print all stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN      ACTION      BYTES   PACKETS
 0  D dstnat     jump        807784  7240
 1  D hotspot    jump        807784  7240
 2  D hotspot    redirect    5776    95
 3  D hotspot    redirect    0       0
 4  D hotspot    redirect    320     7
 5  D hotspot    redirect    0       0
 6  D hotspot    jump        1248    26
 7  D hotspot    jump        61443   1259
 8  D hs-unauth  redirect    288     6
 9  D hs-unauth  redirect    0       0
10  D hs-unauth  redirect    0       0
11  D hs-unauth  redirect    0       0
12  D hs-unauth  jump        0       0
13  D hs-auth    redirect    0       0
14  D hs-auth    jump        0       0
15    ;;; masquerade hotspot network
      srcnat     masquerade  899015  8779


Now, since I set no address pool and restarted the server, masquerade is working.

But when I want to put the old customers on the new server,
I see they get a new IP from DHCP, they can log in, but there is some kind of problem, because the processor is at 100% (3GB Intel, 250 subscribers), and I see a large difference between packet numbers arriving/leaving on local and public interfaces. The stat you see is just 3 PCs in my office for testing.

Maybe I can make another test with the subscribers and send you some stats if you can help.

Thanks for everything: Gabor
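
Added example (not part of the thread): comparing two `ip firewall nat print all stats` snapshots shows whether the masquerade rule's counters are actually growing, which is the check discussed above. Snapshot A uses rows from the posted output; snapshot B and all function names are constructed for illustration.

```python
import re

# Snapshot A: rows copied from the output posted above (abridged).
SNAP_A = """\
 0 D dstnat jump 807784 7240
 2 D hotspot redirect 5776 95
13 D hs-auth redirect 0 0
15 ;;; masquerade hotspot network
srcnat masquerade 899015 8779
"""
# Snapshot B: constructed values, as if taken a minute later.
SNAP_B = """\
 0 D dstnat jump 815002 7301
 2 D hotspot redirect 5776 95
13 D hs-auth redirect 0 0
15 ;;; masquerade hotspot network
srcnat masquerade 899015 8779
"""

COMMENT = re.compile(r"^\s*(\d+)\s+(?:[XID]+\s+)?;;;\s*(.*)$")
ROW = re.compile(r"^\s*(?:(\d+)\s+)?(?:([XID]+)\s+)?"
                 r"([\w-]+)\s+([\w-]+)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Map rule number -> rule; a ';;;' comment line lends its number to the next row."""
    rules, pending = {}, None
    for line in text.splitlines():
        c, r = COMMENT.match(line), ROW.match(line)
        if c:
            pending = (int(c.group(1)), c.group(2))
        elif r and (r.group(1) is not None or pending):
            number, comment = (int(r.group(1)), "") if r.group(1) is not None else pending
            rules[number] = {"chain": r.group(3), "action": r.group(4), "comment": comment,
                             "bytes": int(r.group(5)), "packets": int(r.group(6))}
            pending = None
    return rules  # prompt, "Flags:" legend and column header lines are skipped

def packet_deltas(before, after):
    """Per-rule packet growth; None means the rule changed or its counter was reset."""
    out = {}
    for n, new in after.items():
        old = before.get(n)
        same = old and (old["chain"], old["action"]) == (new["chain"], new["action"])
        d = new["packets"] - old["packets"] if same else -1
        out[n] = d if d >= 0 else None
    return out

def idle_masquerade(before, after):
    """srcnat masquerade rules that saw no new packets between the two snapshots."""
    deltas = packet_deltas(before, after)
    return [n for n, r in after.items()
            if (r["chain"], r["action"]) == ("srcnat", "masquerade") and deltas[n] == 0]
```

A `None` delta is reported separately from zero because the dynamic hotspot rules are re-created when the hotspot is disabled and enabled, which restarts their counters.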

Posted: Wed Jan 17, 2007 2:04 pm
by losi29a
p.s. :

The old router is a PIII 500 MHz, 2.8 RouterOS, and it deals with the subscribers without problem.

Posted: Wed Jan 17, 2007 2:59 pm
by tgrand
From winbox click on LOGS
Is there excessive log activity?
If so what kind of activity?

I had a scenario where a router at a client site continuously requested a DHCP address, and never accepted the lease, and just continued to request. This activity hung up my DHCP server, which prevented my other clients from accessing the hotspot.

** oops... my apologies, as I should have read up further in the post.
Just ignore this post.

Posted: Wed Jan 17, 2007 7:35 pm
by jarosoup
...Note that there are no longer mangle rules, and all of the hotspot related firewall rules are dynamic - they will disappear if you disable the hotspot.
:)

Posted: Mon Mar 05, 2007 5:28 am
by samsoft08
Please, I just wanna know, can I run web-proxy when I'm using hotspot?? Can they run together? Because I couldn't redirect HTTP to the web-proxy..
web-proxy is the default MT web-proxy..

Posted: Mon Mar 05, 2007 11:10 am
by sergejs
HotSpot provides embedded proxy, when it is enabled.