donv
just joined
Topic Author
Posts: 9
Joined: Tue May 08, 2007 1:32 am
Location: Iowa - USA

Netwatch fails for host behind Hotspot after user authentica

Mon Aug 27, 2007 10:32 pm

Hello, I am trying to monitor a bunch of PCs that guests use (think of a cyber cafe with a bunch of computers). I can ping these PCs when users are not using them, but then when users authenticate to Hotspot, the Hotspot server assigns the machines a different IP address and I can no longer ping their real IP address from the MikroTik (therefore Netwatch from the MikroTik fails).

I need to figure out how I can monitor these machines when they are in use and users are authenticated to the server.

Also, does anyone know of any document which explains the packet flow when hotspot is enabled? I would really like to better understand the firewall chains:
hs-unauth
hs-unauth-to
hs-input
pre-hs-input

I think all I need is a firewall rule allowing ICMP in the correct chain, but without an understanding of these chains I am having difficulty implementing a solution.

Any help would be greatly appreciated.

Thanks in advance! :)

-d
 
donv
just joined
Topic Author
Posts: 9
Joined: Tue May 08, 2007 1:32 am
Location: Iowa - USA

Re: Netwatch fails for host behind Hotspot after user authentica

Mon Aug 27, 2007 10:47 pm

I fixed this but don't understand how this works. I added:

/ip firewall filter add chain=pre-hs-input protocol=icmp action=accept comment="allow ICMP for unauthorized users" disabled=no

What I don't understand is:

1. Without the rule listed above I can ping the machines on the hotspot network unless users are authenticated to the hotspot from those machines.
2. When I add the rule above, I can ping the original IP address of the machines whether users are authenticated or not.

I would like to modify this rule to allow only the hotspot to ping these users (and specifically not allow machines to ping the world until their users are authenticated).

Any ideas on how to do this?

Thanks in advance.

-d
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: Netwatch fails for host behind Hotspot after user authentica

Mon Aug 27, 2007 11:30 pm

You need two rules. Modify your rule slightly to include either source address and destination address. The rules should look like this:

/ip firewall filter add chain=pre-hs-input dst-address=x.x.x.x protocol=icmp action=accept comment="allow ICMP for Hotspot Server" disabled=no
/ip firewall filter add chain=pre-hs-input src-address=x.x.x.x protocol=icmp action=accept comment="allow ICMP for Hotspot Server" disabled=no

Where x.x.x.x is your hotspot server's local IP address. These rules will allow your hotspot server to ping all users without authentication while preventing the users from pinging the world without authentication.
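Putting the thread together as one RouterOS CLI fragment (an added example, not part of any post above and not MikroTik's own code): the two scoped ICMP rules from the reply, plus the Netwatch entries that were failing in the first post. The hotspot server address 10.5.50.1, the guest PC addresses 10.5.50.11 and 10.5.50.12, the interval and timeout values, and the log prefix are all constructed placeholders; replace them with the values from your own network.

```routeros
# Constructed example: hotspot interface address is 10.5.50.1/24 (placeholder),
# guest PCs sit at 10.5.50.11 and 10.5.50.12 (placeholders).

# 1. Allow ICMP only between the hotspot server and unauthenticated clients.
#    Both rules go in pre-hs-input, as in the reply above, and are limited to
#    the server's own address so clients still cannot ping the world
#    before they log in.
/ip firewall filter
add chain=pre-hs-input dst-address=10.5.50.1 protocol=icmp action=accept \
    comment="allow ICMP to Hotspot Server" disabled=no
add chain=pre-hs-input src-address=10.5.50.1 protocol=icmp action=accept \
    comment="allow ICMP from Hotspot Server" disabled=no

# 2. Monitor each guest PC at its real (pre-login) address. With the rules
#    above in place the probes succeed whether or not a user is logged in.
#    The up/down scripts only write to the router log (prefix is a placeholder).
/tool netwatch
add host=10.5.50.11 interval=30s timeout=1s comment="guest PC 1" \
    up-script=":log info \"guestpc: 10.5.50.11 up\"" \
    down-script=":log warning \"guestpc: 10.5.50.11 down\""
add host=10.5.50.12 interval=30s timeout=1s comment="guest PC 2" \
    up-script=":log info \"guestpc: 10.5.50.12 up\"" \
    down-script=":log warning \"guestpc: 10.5.50.12 down\""

# 3. Quick check from the router: both should answer even with nobody logged in.
/ping 10.5.50.11 count=3
/ping 10.5.50.12 count=3
```

Keeping `src-address`/`dst-address` pinned to the hotspot server's address is the part that matters for the security goal in the thread: a bare `protocol=icmp accept` in `pre-hs-input` also lets unauthenticated clients reach outside hosts with ICMP, which is exactly what the original poster wanted to avoid. Check the result with `/ip firewall filter print stats` to confirm that only the two scoped rules are counting the Netwatch probes.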
 
donv
just joined
Topic Author
Posts: 9
Joined: Tue May 08, 2007 1:32 am
Location: Iowa - USA

Re: Netwatch fails for host behind Hotspot after user authentica

Mon Aug 27, 2007 11:42 pm

Awesome, this works!

I guess the part of this that I don't understand is why this traffic (ICMP originated by the MikroTik) isn't in the OUTBOUND filter chain?

If anyone has a better description of packet flow and the chains I listed previously it would be very helpful to me.

Thank you very much for helping me out, I appreciate it.

don