How to Bypass Hotspot Usage Counters for Specific Subnets

ZioN · Wed Sep 07, 2011 4:24 pm

Hi

I'm currently running a hotspot on a bridge (EtherNet_WiFi_EoIP_Bridge in the code below) I created between my Ethernet and Wifi interfaces. On that bridge I'm running a hotspot. There is however a second interface on my MT that I use to connect to a wug (CTWUG_Link interface in the code below)(WUG - Wireless User Group). I've added walled-garden ip rules to allow traffic within the local (192.168.0.0/24) subnet and the wug (172.16.0.0/12) subnet. These rules seem to work perfectly as they should when a user is not authenticated by the hotspot. But traffic across any one of these (mentioned above) subnets, from authenticated users adds to that users' usage. As I understand, that is exactly what the walled-garden should do. Which is great. But I would like for internal (Ie: local and wug subnets) to be completely free. Thus only traffic crossing my internet interface (Vodacom_3G in the code below) should be accounted for and billed to each user. Thereby not counting any internal (local and wug related) data.

The setup is as follows:

[Jeandre@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                               TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ;;; WiFi Network Interface
       Marshal_Network_Wifi               wlan              1500  2290
 1  R  ;;; Connection Interface to CTWUG
       CTWUG_Link                         wlan              1500  2290
 2  R  ;;; Lan Network Interface
       EtherNet_1                         ether             1500  1526
 3  R  ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
       Ethernet_Wifi_EoIP_Bridge          bridge            1500  1526
 4  R  ;;; WAN Network Interface - Internet - Vodacom 3G via mini-pci-e 
       VodaCom_3G                         ppp-out           1500
 5  X  ;;; VPN%0#PPTP Client to Connect to STB - VPN to Jeandre
       JeandreSTB                         pptp-out        
 6  R  ;;; EoIP Tunnel through PPTP to Jeandre STB
       EoIP-JeandreSTB                    eoip-tunnel       1340 65535



[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running 
 0  R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
      name="Ethernet_Wifi_EoIP_Bridge" mtu=1500 l2mtu=1526 arp=enabled 
      mac-address=00:0C:42:49:04:6C protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:0C:42:49:04:6C max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 



[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    EtherNet_1              Ethernet_Wifi_EoI...     0x80         10       none
 1    Marshal_Network_Wifi    Ethernet_Wifi_EoI...     0x80         10       none
 2    EoIP-JeandreSTB         Ethernet_Wifi_EoI...     0x80         10       none



[Jeandre@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; default configuration
     192.168.0.100/24   192.168.0.0     Ethernet_Wifi_EoIP_Bridge                
 1   ;;; CTWUG Config - Note Masquarade 192.168.0.0/24 Range over CTWUG_Link
     172.18.50.38/32    172.18.50.254   CTWUG_Link                               
 2 D x.x.x.x/32         x.x.x.x         VodaCom_3G     


                          
[Jeandre@MikroTik] > ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid 
 #   SERVER         PROTOCOL   DST-HOST         DST-ADDRESS     DST-PORT   ACTION
 0   ;;; Access for users to access the internal network - Bypass usage counters
     Marshall-Ne...                             192.168.0.0/24             accept
 1   ;;; Access for users to access CTWUG - Bypass usage counters
     Marshall-Ne...                             172.16.0.0/12              accept



[Jeandre@MikroTik] > ip firewall filter print all
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth 

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth 

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client 

 3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 

 4 I chain=hs-input action=jump jump-target=pre-hs-input 

 5 D chain=hs-input action=accept protocol=udp dst-port=64872 

 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 

 7 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth action=return dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge 

 8 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth action=return dst-address=172.16.0.0/12 in-interface=Ethernet_Wifi_EoIP_Bridge 

 9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth 

10 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp 

11 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth-to action=return src-address=192.168.0.0/24 out-interface=Ethernet_Wifi_EoIP_Bridge 

12 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth-to action=return src-address=172.16.0.0/12 out-interface=Ethernet_Wifi_EoIP_Bridge 

13 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited 

14 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited 

15 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

16 X ;;; VPN-Up#vpn-ul@54345133%7059774
     chain=forward action=accept out-interface=JeandreSTB 

17 X ;;; VPN-Down#vpn-dl@49095379%9514034
     chain=forward action=accept in-interface=JeandreSTB 

18 X ;;; Jeandre-Upload
     chain=forward action=accept src-address-list=Jeandre out-interface=VodaCom_3G 

19 X ;;; Jeandre-Download
     chain=forward action=accept dst-address-list=Jeandre in-interface=VodaCom_3G 

20 X ;;; Calvin-Upload
     chain=forward action=accept src-address-list=Calvin out-interface=VodaCom_3G 

21 X ;;; Calvin-Download
     chain=forward action=accept dst-address-list=Calvin in-interface=VodaCom_3G 

22 X ;;; Elizabeth-Upload
     chain=forward action=accept src-address-list=Elizabeth out-interface=VodaCom_3G 

23 X ;;; Elizabeth-Download
     chain=forward action=accept dst-address-list=Elizabeth in-interface=VodaCom_3G 

24 X ;;; Anthony-Upload



[Jeandre@MikroTik] > ip firewall nat print all   
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1 I chain=hotspot action=jump jump-target=pre-hotspot 

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 

 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 

 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 

 8 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth action=return dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge 

 9 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth action=return dst-address=172.16.0.0/12 in-interface=Ethernet_Wifi_EoIP_Bridge 

10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 

11 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 

12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 

13 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443 

14 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

15 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 

16 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

17 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

18   ;;; DC++ Nat to forward all port 2222 traffic to Media-Center (192.168.0.150)
     chain=dstnat action=dst-nat to-addresses=192.168.0.150 to-ports=2222 protocol=tcp in-interface=CTWUG_Link dst-port=2222 

19   ;;; DC++ Nat to forward all port 2222 traffic to Media-Center (192.168.0.150)
     chain=dstnat action=dst-nat to-addresses=192.168.0.150 to-ports=2222 protocol=udp in-interface=CTWUG_Link dst-port=2222 

20   ;;; Masquerade for VodaCom_3G Network - Translate private ip range to public ip address
     chain=srcnat action=masquerade out-interface=VodaCom_3G 

21   ;;; Masquerade Private IP-Range to CTWUG
     chain=srcnat action=masquerade out-interface=CTWUG_Link

As you might realize, there are some port forwarding rules in the ip>firewall>nat CLI. These are just to allow packets incoming on port 2222 to be forwarded to 192.168.0.150. In fact, this is one of the reasons I would like for the hotspot to ignore all internal packets. As these packets (mentioned above from port 2222) are originating form the wug (172.16.0.0/12) subnet, but are counted as internet packets for the (192.168.0.150) user.

Any help will be greatly appreciated.

Thanks

fewi · Wed Sep 07, 2011 5:16 pm

The Hotspot accounts for all packets. It is impossible to exempt some traffic from being accounted for.

ZioN · Wed Sep 07, 2011 5:51 pm

Is there no way I can 'fool' the hotspot so to not account for local traffic. I've tried several rules in the firewall. Is there a rule that could be added in the firewall that would bypass all hotspot rules. I've tried:

ip firewall filter add chain="forward" dst-address="192.168.0.0/24" src-address="192.168.0.0/24" action="accept"

And placed this rule first in the firewall. It seems to count bytes in/out. But the incoming packet parses through the other (hotspot) rules aswell. Is there a method of stopping packets to parses over the hotspot rules. (ie: in passthrough=no).

Here's just shooting in the air... but couldn't one also place all local packets on an arbitrary port that isn't monitored by the hotspot, and then afterwards return it to the original port it came in on.

Any ideas would be greatly appreciated. As I need local traffic to be accounted for but also need the hotspot..

fewi · Wed Sep 07, 2011 5:58 pm

What you're trying to do is not possible.

The Hotspot intentionally processes traffic before anything else so that it can use the Universal NAT feature to connect even clients that shouldn't have connectivity on the network at all because the IP addressing wouldn't work. There are hooks to stop the Hotspot from further processing traffic to itself via the pre-hs-input chain, there's the walled garden functionality for IP level processing hooks, and there's pre-hotspot from NAT - but there's no hooks for traffic before the Hotspot itself, which immediately accounts for packets.

Again: what you're trying to do is not possible. There are no workarounds.

ZioN · Wed Sep 07, 2011 6:11 pm

Hi fewi

Thanks for the reply.

I guess my idea wont work then.

Here's what i want the the hotspot/network to do:
-- account for traffic from users to the internet
-- users are to autheticate at the hotspot via the users mac-address (ie: no login page and detials)
-- no need for the user manager - i have a script running which generates emails a set usage levels
-- allow users to access all local networks (192.168.0.0/24 and 172.16.0.0/12)

So basically I want to keep track of the users internet usage... But they shouldn't have to login at some webpage (i have mac-address login enabled on the hotspot to accomplish this). They should be able to transfer data internaly.

Is there then some other system I could implement to facilitate this? (maybee a pppoe system - but with that users still need to dial in)

Thanks so much for your help.

fewi · Wed Sep 07, 2011 6:16 pm

I guess you could drop the Hotspot completely and authenticate via ARP as outlined here: http://forum.mikrotik.com/viewtopic.php ... c+DHCP+ARP

Then use NetFlow (TrafficFlow) with an external connector to collect information on all traffic flowing through interfaces, and configure it to not account traffic between subnets you don't want to account for.

There's no plug and play solution for that, though - you'll have to set up your own NetFlow accounting installation. There are free and for pay packages out there for that purpose. The router only acts as an exporter of flows, the accounting happens on a completely separate external system.

ZioN · Thu Sep 08, 2011 12:50 am

Hi fewi.

Thanks for the reply. Ill look into that. Sounds like a valid idea.

In the meanwhile, I have a question about the firewall and packet counting.

If I implement a filter rule as follows:

[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=passthrough src-address-list=Media-Center dst-address-list=Local 

 1   chain=prerouting action=passthrough src-address-list=Local dst-address-list=Media-Center 

[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic 
 #   LIST                                                                                                                                                 ADDRESS                        
 1   Media-Center                                                                                                                                         192.168.0.150                       
 8   Local                                                                                                                                                192.168.0.0/24                 
 9   Local                                                                                                                                                172.16.0.0/16                  
[Jeandre@MikroTik] >

It does not seem to count all the data. I tested it by copying a 350MB file from one of my pc's on the network (192.168.0.157) to Media-Center (192.168.0.150). It did count the data but was fractional compared to the actual amount transferred (it counted an order of bytes vs 350MB). Is there some reason for this? Does it perhaps only count a portion of the data, or only the headers. Has it got to do with the connections? The hotspot usage for this example counted the data perfectly. I observed this in the hotspot>active list for this (media-center) user.

Is there some way I could implement a similar rule to count such (internal) data. For the purposes of calculating the actual internet usage of the node (in this example - media-center) by means of subtracting that from the total hotspot usage.

Thanks so much

ADD: yet when I add a firewall similar to the one in the code above, but instead of src/dst address i specify out interaface as EtherNet_Wifi_EoIP_Bride (my local bridge) it counts the data perfectly.. Is that correct?

icepicknz · Thu Mar 22, 2012 9:43 pm

Heya,

Did you ever get this to work? I use hotspot to manage an apartment block where people buy internet from us for 30 days and chose how much data they want. The issue comes when someone wants a phone service and I add a ATA device behind their router, if they aren't authenticated everything is fine, it hits the walled garden IP's and the user has free data to our SIP server, however as soon as they authenticate it charges for this data.

Users with a small data plan of say 1Gb are complaining that they havent done much web browsing and their usage gets used up pretty quickly, this is because of the REGISTER, UPDATE & RTP traffic coming from the SPA/ATA device used for phone calls.

Has anyone come up with a solution to ignore subnets or specific IP's from authenticated hotspot users?

many thanks
Barry

Devil · Fri Apr 27, 2012 12:27 pm

I believe fewi response is still valid. it rarely happens that there would be no workaround for a problem, but in this case, whatever you do, it happens after the packets already marked and counted by hotspot. look at the Packet Flow Diagram. it would be good to have such option however. and you could contact the support with your suggestion.

However, i think you should be able to create a firewall rule to disallow any traffic you want, from an authenticated hotspot user. so basically what happens is that for example if a user wants to use the phone service, he/she has to log out first or the service wouldn't work. and logging out, means the traffic won't be counted for the user.

sathishsa · Wed Aug 14, 2013 4:32 pm

Zion ,

Do u got any solution , as we are suffering with the same issue please post if you find one

Accounting the local resources are really waste ...

Fewi we believe you , you can do some workaround and got a solution

Please help.........

Thanks,
Varma

swissiws · Tue Sep 16, 2014 10:42 pm

is this still valid?

ROS 6.19 -

Devil · Wed Sep 17, 2014 6:46 am

is this still valid?
ROS 6.19 -

Unfortunately, after years of asking the support, they still doesn't seem to be interested in adding this important feature. even though they know very well that a lot of their users are asking for it.

swissiws · Wed Sep 17, 2014 11:59 am

Mikrotik go for it in ROS 6

did I ever mentioned that who developed Dude can stay in my house for free ! With sea view

Amazing /product/ for free!

solonxpl · Wed Apr 29, 2015 10:51 am

Please support find us any solution for this problem

blingblouw · Wed Apr 29, 2015 11:48 am

Hi Guys,

Just putting it out there that there is a hackish way of doing this

Create a metarouter (or kvm if you using x86) and have that be the gateway for the router, then on the vm add a route for all the traffic you don't want counted out 1 interface (thats not behind a hotspot) and the default gw should point to an interface behind the hotspot, that way traffic will be routed and counted correctly.

It's a pain and the management sucks but if you REALLY need it, theres a solution

EhsanGH · Sun Nov 19, 2017 3:38 pm

Hi everyone

I was surfing the web and by coincidence found this topic, I have solution for your problem by default hotspot in mikrotik reply to any arp request in broadcast domain, so even local traffic will go through mikrotik interface, to disable this behavior just set pool in hotspot to none and run a DHCP server on referred interface, and It's done! local traffic will not account in hotspot.
but be caution that your client must get IP from DHCP or manually set proper IP address in same broadcast domain as mikrotik interface.

joeb · Sat Dec 23, 2017 1:16 am

Hi EhsanGH

Do you have any more info on this solution? This is something we've been looking for for some time. I wrote to Mikrotik as well but they said it was not available. It would be good to get Mikrotik's thoughts on this solution.

saenito · Mon Nov 26, 2018 9:20 pm

I have experienced that with the firmware that supports fasttrack the big amount of MB are not accounted

so i guess is possible to add some fast track rules before your accept rules for your walled garden sites

the problem i see with this (to my case) is that it also skips bandwith limitation (just for traffic matching those rules i guess)

How to Bypass Hotspot Usage Counters for Specific Subnets

How to Bypass Hotspot Usage Counters for Specific Subnets

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

Re: How to Bypass Hotspot Usage Counters for Specific Subnets

Re: How to Bypass Hotspot Usage Counters for Specific Subnets

Re: How to Bypass Hotspot Usage Counters for Specific Subnets

Re: How to Bypass Hotspot Usage Counters for Specific Subnets

Re: How to Bypass Hotspot Usage Counters for Specific Subnets