walkbyfaith
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu May 05, 2011 7:26 pm

Routing Problem on RB/411U

Wed May 25, 2011 4:55 pm

This is the setup

RB/411U
eth1
- no static ip address assigned to this interface
- dhcp client enabled
- connected to WAN
- I get a public IP address on this interface and I am able to access it via winbox with that IP address

wlan1
- dhcp server enabled
- static ip address assigned to port 10.10.100.1
- masquerade is enabled on wlan1. Still can't access internet.


The problem is that when I have this scenario set up behind a netgear router, everything works fine. I have hotspot enabled and I get the login screen and am able to browse the internet. Once I put this setup behind a public router and it gets a public IP address, the wireless clients connect to the wlan1 interface and receive a private IP address of 10.10.100.xxx. But when they open up a browser, the login page does not appear and the page eventually times out. I statically assigned an IP address in the host file on the PC and the hotspot page appears when I try to access the internet and I can log in, but I can't access the internet. It seems like a DNS issue but I can't figure it out. Any help is greatly appreciated.

Here is the masq

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.10.100.0/24
 
walkbyfaith
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu May 05, 2011 7:26 pm

Re: Routing Problem on RB/411U

Wed May 25, 2011 7:51 pm

Well, I found a problem with a Firewall Rule.

It was this one.

I have this rule first

0 ;;; Allow wireless internal ip addresses out
chain=input action=accept src-address-list=Internal List

The internal IP address is for the wireless network which is 10.10.100.0/24

This is enabled, and when I have the drop rule below enabled, I can't get to the hotspot login page or the internet. I can ping the eth1 IP address and the wlan1 IP address with success. But I still cannot get to the login page or online. When I disable the drop rule below, all is well. So now it's working, but can someone tell me why this is happening? I would be very thankful.


9 ;;; drop all other invalid connection
chain=input action=drop
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing Problem on RB/411U

Wed May 25, 2011 8:00 pm

The input chain isn't for traffic through the router, it is for traffic to the router. You may be confused there since the rule comment says "allow wireless internal ip addresses out".
There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
http://wiki.mikrotik.com/wiki/Manual:IP ... ter#Chains


How that exactly interacts with your setup is hard to say based on the partial information you are giving. Please post the output of "/ip address print detail", "/ip route print detail", "/ip hotspot export", and "/ip firewall export" as well as "/ip firewall filter print all detail" and "/ip firewall nat print all detail". Wrap output in code tags to keep it readable.
 
walkbyfaith
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu May 05, 2011 7:26 pm

Re: Routing Problem on RB/411U

Thu May 26, 2011 5:35 pm

Thanks fewi for the help and the link, the link and explanation did help out. Again thanks for the reply. Below I have posted the info you requested.

/ip> address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=10.10.100.1/24 network=10.10.100.0 broadcast=10.10.100.255
interface=wlan1 actual-interface=wlan1

1 D address=64.9.41.111/22 network=64.9.40.0 broadcast=64.9.43.255
interface=ether1 actual-interface=ether1

route print detail
0 ADS dst-address=0.0.0.0/0 gateway=64.9.40.1
gateway-status=64.9.40.1 reachable ether1 distance=0 scope=30
target-scope=10

1 ADC dst-address=10.10.100.0/24 pref-src=10.10.100.1 gateway=wlan1
gateway-status=wlan1 unreachable distance=0 scope=200

2 ADC dst-address=64.9.40.0/22 pref-src=64.9.41.111 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10

/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name=HUNetHotSpot hotspot-address=10.10.100.1 html-directory=hotspot \
http-cookie-lifetime=20h http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=hsprof2 nas-port-type=wireless-802.11 radius-accounting=yes \
radius-default-domain="" radius-interim-update=received \
radius-location-id="" radius-location-name="" radius-mac-format=\
XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=yes
/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=wlan1 keepalive-timeout=none name=hotspot1 profile=hsprof2
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default \
shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user

/ip firewall address-list
add address=192.168.88.0/24 comment="" disabled=no list="Internal List"
add address=10.10.100.0/24 comment="" disabled=no list="wireless client"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment=\
"Allow internal ip addresses access to router" disabled=no \
src-address-list="Internal List"
add action=accept chain=input comment=\
"Allow wireless internal ip addresses access to router" disabled=no \
src-address-list="wireless client"
add action=accept chain=input comment="Connection State: New" \
connection-state=new disabled=no
add action=accept chain=input comment="Connection State : Established" \
connection-state=established connection-type="" disabled=no
add action=accept chain=input comment="Connection State: Related" \
connection-state=related disabled=no
add action=accept chain=input comment=\
"Allow remote admin setup to access router" disabled=no src-address=\
64.9.40.199
add action=accept chain=input comment=\
"Allow kutztown boro access from external ip address" disabled=no \
src-address=66.109.248.42
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=\
1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=\
8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=drop chain=input comment="drop all other invalid connection" \
disabled=yes
add action=drop chain=input comment=\
"Don't allow wireless clients access to routerboard os via winbox" \
disabled=yes dst-address=192.168.88.2 dst-port=8291 protocol=tcp \
src-address=10.10.100.0/24 src-port=8291
add action=log chain=input comment="Log all drops" connection-state=new \
disabled=no log-prefix=""
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no out-interface=ether1 src-address=10.10.100.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
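A small simulator, added here as an example (it is not code from this thread or from MikroTik), of the chain selection fewi describes and of first-match evaluation over the input-chain rules and address lists from the "/ip firewall export" above. It also replays the two-rule chain from the second post to show how the verdict depends on what "Internal List" contains. The packets are constructed; 198.51.100.7 is a documentation address standing in for an Internet host, and the hotspot's dynamic rules are not modelled.

```python
"""Simulate RouterOS filter-chain selection and first-match rule evaluation.

Added example, not code from the thread or from MikroTik. Router addresses,
address lists and input-chain rules are copied from the output posted in the
thread; the packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Router's own addresses, from "/ip address print detail" in the thread.
ROUTER_ADDRESSES = {"10.10.100.1", "64.9.41.111"}

# Address lists as exported ("/ip firewall address-list").
ADDRESS_LISTS = {
    "Internal List": ["192.168.88.0/24"],
    "wireless client": ["10.10.100.0/24"],
}


@dataclass
class Packet:
    src: str
    dst: str
    connection_state: str = "new"   # new / established / related / invalid
    from_router: bool = False       # True for packets the router itself generates


@dataclass
class Rule:
    action: str                     # accept / drop terminate; log does not
    comment: str
    disabled: bool = False
    src_address_list: Optional[str] = None
    src_address: Optional[str] = None
    connection_state: Optional[str] = None


def select_chain(pkt: Packet) -> str:
    """Chain selection as in the manual excerpt fewi quoted."""
    if pkt.from_router:
        return "output"     # originated by the router
    if pkt.dst in ROUTER_ADDRESSES:
        return "input"      # destined to one of the router's own addresses
    return "forward"        # passing through the router


def in_list(addr: str, list_name: str, lists=ADDRESS_LISTS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in lists.get(list_name, []))


def matches(rule: Rule, pkt: Packet, lists=ADDRESS_LISTS) -> bool:
    """Every matcher present on the rule must agree, as in RouterOS."""
    if rule.src_address_list and not in_list(pkt.src, rule.src_address_list, lists):
        return False
    if rule.src_address and pkt.src != rule.src_address:
        return False
    if rule.connection_state and pkt.connection_state != rule.connection_state:
        return False
    return True


# Input chain from the export, in exported order (hotspot dynamic rules omitted).
INPUT_CHAIN = [
    Rule("accept", "Allow internal ip addresses access to router", src_address_list="Internal List"),
    Rule("accept", "Allow wireless internal ip addresses access to router", src_address_list="wireless client"),
    Rule("accept", "Connection State: New", connection_state="new"),
    Rule("accept", "Connection State : Established", connection_state="established"),
    Rule("accept", "Connection State: Related", connection_state="related"),
    Rule("accept", "Allow remote admin setup to access router", src_address="64.9.40.199"),
    Rule("accept", "Allow kutztown boro access from external ip address", src_address="66.109.248.42"),
    Rule("drop", "drop all other invalid connection", disabled=True),
    Rule("log", "Log all drops", connection_state="new"),
]

# The two rules the second post describes (rule 0 accept, rule 9 drop).
SECOND_POST_CHAIN = [
    Rule("accept", "Allow wireless internal ip addresses out", src_address_list="Internal List"),
    Rule("drop", "drop all other invalid connection"),
]

TERMINATING = {"accept", "drop", "reject"}


def evaluate(pkt: Packet, chain=INPUT_CHAIN, lists=ADDRESS_LISTS):
    """First-match walk: return (verdict, comment of the rule that decided)."""
    for rule in chain:
        if rule.disabled or not matches(rule, pkt, lists):
            continue
        if rule.action in TERMINATING:
            return rule.action, rule.comment
        # log / passthrough are not terminating: keep walking the chain
    return "accept", "(end of chain: default accept)"


def with_drop_enabled(chain=INPUT_CHAIN):
    """The same chain with the catch-all drop re-enabled."""
    return [replace(r, disabled=False) if r.action == "drop" else r for r in chain]


if __name__ == "__main__":
    client_to_login_page = Packet("10.10.100.50", "10.10.100.1")
    client_to_internet = Packet("10.10.100.50", "198.51.100.7")
    router_to_gateway = Packet("64.9.41.111", "64.9.40.1", from_router=True)
    for p in (client_to_login_page, client_to_internet, router_to_gateway):
        print(f"{p.src} -> {p.dst}: chain={select_chain(p)}")
    print(evaluate(client_to_login_page))
    print(evaluate(Packet("198.51.100.7", "64.9.41.111"), with_drop_enabled()))
    print(evaluate(Packet("198.51.100.7", "64.9.41.111", "invalid"), with_drop_enabled()))
    print(evaluate(client_to_login_page, SECOND_POST_CHAIN))
    print(evaluate(client_to_login_page, SECOND_POST_CHAIN, {"Internal List": ["10.10.100.0/24"]}))
```

Two things the walk makes visible. A wireless client's request to the login page at 10.10.100.1 is input traffic, not forward traffic, so it is the input chain that has to let it through; with the exported lists it is accepted by the "wireless client" rule. And in the exported order the "Connection State: New" accept sits ahead of the catch-all drop, so even once re-enabled that drop only ever sees traffic the connection tracker classes as none of new, established or related. The second-post replay accepts or drops the same client packet depending solely on whether "Internal List" contains 10.10.100.0/24, which is the first thing to verify when a catch-all input drop starts blocking the hotspot page.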