MikroTik

routeros2.9
when i enable hotspot i can not use multi gateway
and firewall mangle

when i disable hotspot multi gateway and firewall mangle it OK

I think I can see this...
It is probably due to the numrous rules required to secure the hotspot system messing with the "bonding".

You could allways "front end" the hotspot. (yes I know another device...)
but it may be the easyest solution.
you could concentrate your gateways on one "box", then connect the hotspot server to it..

IE: ISP1 -------> |-------|
ISP2 -------> | RTR1 |--------> |-----------|
ISP3 -------> |-------| | Hotspot |-> Clients
|-----------|

Probably not the cheapest, most eligant solution...
Just an idea for a quick fix.

I wouldnt call this a bug would you ? I think it's just a configuration issue.

That is my thinking.

I don't know how easy it will be to overcome..

I have not tried this config....

I could only come up with a "brute force method"..

As I understand kapook007 says that he cannot get hotspot to work with two isp gateways...

Well, I use mangle and multiple ISP gateways with hotspot all the time..... Works great.

Perhaps you want to post your configs, and we help you out?

Its definitely not a bug though....

Rgds
Alex

Hi alex_rhys-hurn,

We are facing the same problem, and we exactly followed the following wiki instructions:
http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways

I'm not sure if we have to add any other firewall rule to make it works with the hotspot !

Any idea !

please post your configuration so we can help you.

Must be a config problem as Mine is still working great after two years!

Hi alex_rhys-hurn,

Below is the used configs:

[admin@Alhajjan] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; Local Network
10.11.12.1/16 10.11.0.0 10.11.255.255 Private
1 ;;; ISP1, server gateway
192.168.17.18/29 192.168.17.16 192.168.17.23 ISP1
2 ;;; ISP2, direct connection
241.221.42.91/29 241.221.42.88 241.221.42.95 ISP2
[admin@Alhajjan] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=forward in-interface=ISP1 content=application/octet-stream action=mark-connection
new-connection-mark=down-2 passthrough=yes

1 X chain=forward in-interface=ISP1 connection-mark=down-2 content=application/octet-stream action=mark-packet
new-packet-mark=down-3 passthrough=yes

2 ;;; Load Balance 1/4 (NTH 1,1,0)
chain=prerouting in-interface=Private connection-state=new nth=1,1,0 action=mark-connection
new-connection-mark=odd passthrough=yes

3 ;;; Load Balance 2/4 (odd)
chain=prerouting in-interface=Private connection-mark=odd action=mark-routing new-routing-mark=odd
passthrough=no

4 ;;; Load Balance 3/4 (NTH 1,1,1)
chain=prerouting in-interface=Private connection-state=new nth=1,1,1 action=mark-connection
new-connection-mark=even passthrough=yes

5 ;;; Load Balance 4/4 (even)
chain=prerouting in-interface=Private connection-mark=even action=mark-routing new-routing-mark=even
passthrough=no
[admin@Alhajjan] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; masquerade hotspot network (latley used also for Load Balance with failover)
chain=srcnat src-address=10.11.0.0/16 action=masquerade

1 ;;; Web Proxy port redirection from 80 to 80
chain=hs-auth protocol=tcp dst-port=80 action=redirect to-ports=80

2 X ;;; Load Balance 1/2 (odd)
chain=srcnat connection-mark=odd action=src-nat to-addresses=241.221.42.91 to-ports=0-65535

3 X ;;; Load Balance 2/2 (even)
chain=srcnat connection-mark=even action=src-nat to-addresses=192.168.17.18 to-ports=0-65535
[admin@Alhajjan] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.11.0.0/16 10.11.12.1 Private
1 ADC 241.221.42.88/29 241.221.42.91 ISP2
2 ADC 192.168.17.16/29 192.168.17.18 ISP1
3 A S 0.0.0.0/0 r 192.168.17.17 ISP1
4 A S 0.0.0.0/0 r 241.221.42.89 ISP2
5 A S 0.0.0.0/0 r 192.168.17.17 ISP1
6 S 0.0.0.0/0 r 241.221.42.89 2 ISP2
[admin@Alhajjan] >