Web proxy with hotspot authentication
Posted: Sun Oct 09, 2011 10:59 am
by aminahoora
Hi, dear support team,
I have a serious problem with this terminology.
I have the MikroTik web proxy service, but I want to use authentication for my users. I have read all your documents on web proxy, hotspot and firewall rules.
Is there any way to use the web proxy service, with my users setting the proxy in their browsers, so that any time they want to use the internet (hit any site) the hotspot shows in their interface and asks them about authentication and access time?
Is there any firewall rule that guides HTTP/HTTPS traffic to the hotspot service, with the hotspot service handing back to the web proxy after it authenticates the user?
Before this I found a way to redirect all HTTP traffic to the web proxy, but I cannot guide HTTPS traffic to the web proxy because this means "man in the middle".
Help me, I need authentication with the web proxy from a RADIUS server.
Many thanks
Re: Web proxy with hotspot authentication
Posted: Mon Oct 10, 2011 4:46 pm
by Feklar
Enable the hotspot and enable the transparent proxy on a profile basis. This will force people to use the proxy. The downside to this though is that it will not work with HTTPS traffic, the transparent proxy only works with HTTP.
If you need the end users to use a transparent proxy for HTTPS traffic as well, you'll have to look into a separate proxy solution. I'm not sure if that's possible as we don't use proxies.
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 1:19 pm
by daviddem
> Enable the hotspot and enable the transparent proxy on a profile basis. This will force people to use the proxy. The downside to this though is that it will not work with HTTPS traffic, the transparent proxy only works with HTTP.
> If you need the end users to use a transparent proxy for HTTPS traffic as well, you'll have to look into a separate proxy solution. I'm not sure if that's possible as we don't use proxies.

Hello, Feklar. So if I understand correctly what you are saying, if I want my authenticated hotspot users' HTTP traffic to be subjected to transparent proxying, I should tick the "transparent proxy" box in their profile.
But then what? Does that mean that the rules in the walled garden will apply to them? Or should I set up a separate proxy in the /proxy menu?
If the rules in the walled garden would apply after ticking the box, then how do I apply different rules to my authorized and unauthorized clients, or even different rules to different users or user profiles?
Still digging the docs and forum to figure this out...
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 3:29 pm
by Feklar
You would need to enable the proxy and set up the rules in there for authenticated guests from the proxy menu. The walled garden uses the same functions as the proxy, but it only applies to unauthenticated guests. Also don't forget to set up a firewall to protect the proxy from the internet, otherwise someone will find it and start abusing it.
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 8:04 pm
by daviddem
> You would need to enable the proxy and set up the rules in there for authenticated guests from the proxy menu. The walled garden uses the same functions as the proxy, but it only applies to unauthenticated guests. Also don't forget to set up a firewall to protect the proxy from the internet, otherwise someone will find it and start abusing it.

Thanks Feklar for clarifying this so promptly. This points me in the correct direction. I may have got confused by articles and posts explaining that the hotspot itself acts as a proxy even for authenticated users (mum.mikrotik.com/presentations/US10/FelixWindt.pdf and http://wiki.mikrotik.com/wiki/Manual:Cu ... ng_Hotspot), so I thought I should be able to set up proxy filtering rules within this hotspot proxy, including for authenticated users.
So in this other post of yours (http://forum.mikrotik.com/viewtopic.php ... 16#p238927), you mention that the redirection to the proxy can be achieved either with a NAT rule (or a rule in the pre-hotspot table), or by ticking on the "transparent proxy" box in the user profile. My question is: do you know exactly what firewall rule is added when this "transparent proxy" box is ticked on? What is getting at me is that we can only tick the box, but there is nowhere to specify which port the proxy in question is listening to?
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 9:15 pm
by Feklar
Ticking the box I believe adds in an extra step in the hotspot process that tells it to forward the traffic onto the proxy internally, so you don't really see a firewall rule created for it. Support would need to clarify exactly how it works because that functionality is not exposed to us. But in essence, when the hotspot is enabled it does what fewi says.
With the NAT rule you gain a bit more control over the process since you are able to match packets against the firewall, so you can do things like exclude certain users from using the transparent proxy by adding them to an address list, or only having certain users get redirected to the transparent proxy.
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 9:25 pm
by daviddem
> Ticking the box I believe adds in an extra step in the hotspot process that tells it to forward the traffic onto the proxy internally, so you don't really see a firewall rule created for it. Support would need to clarify exactly how it works because that functionality is not exposed to us. But in essence, when the hotspot is enabled it does what fewi says.
> With the NAT rule you gain a bit more control over the process since you are able to match packets against the firewall, so you can do things like exclude certain users from using the transparent proxy by adding them to an address list, or only having certain users get redirected to the transparent proxy.

Thanks again and I agree that this tick box indeed requires clarification from support. Are they likely to answer this here or should I try and write directly to them?
In the meantime, since I am a control freak, I will use a redirect rule as you suggest. It seems to me that the right place for it is in the pre-hotspot table.
Re: Web proxy with hotspot authentication
Posted: Mon Oct 31, 2011 9:30 pm
by Feklar
E-mailing support is the better way to get an answer for a question like that. Sometimes they do reply to questions like that in a thread, but not always.
Yes, pre-hotspot is going to be the best chain for that. One other benefit of the NAT rule is, you are able to turn it off for everyone just by disabling the rule, whereas with it being at the profile level, people would have to log out and back in for it to apply to them.
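
The NAT-rule approach discussed in this thread, as an added RouterOS example that is not any poster's own configuration: an HTTP-only redirect in the pre-hotspot chain with an address-list exclusion, plus an input rule that keeps the proxy closed to the internet. The interface name `ether1-wan`, the list name `no-proxy`, the address `10.5.50.20`, proxy port 8080 and the `hotspot=auth` restriction to logged-in clients are assumptions.

```routeros
# Added example. ether1-wan, no-proxy, 10.5.50.20 and port 8080 are assumed values.

# Enable the built-in web proxy on an explicit port.
/ip proxy set enabled=yes port=8080

# Clients that should bypass the transparent proxy (constructed address).
/ip firewall address-list add list=no-proxy address=10.5.50.20 \
    comment="bypass transparent proxy"

# Redirect HTTP from authenticated hotspot clients to the proxy.
# Only port 80 is matched: as stated in the thread, the transparent
# proxy works with HTTP only, so port 443 is left out of the redirect.
/ip firewall nat add chain=pre-hotspot protocol=tcp dst-port=80 \
    hotspot=auth src-address-list=!no-proxy \
    action=redirect to-ports=8080 comment="hotspot users -> web proxy"

# Protect the proxy from the internet: drop connections to the proxy
# port that arrive on the WAN interface. Place this rule above any
# broader accept rule in the input chain.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp \
    dst-port=8080 action=drop comment="no open proxy on WAN"

# Turn the redirect off for everyone without touching user profiles.
/ip firewall nat disable [find comment="hotspot users -> web proxy"]
```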
Re: Web proxy with hotspot authentication
Posted: Sat Oct 15, 2016 8:12 am
by arashams
Hello everyone!
I have a problem using web proxy with hotspot.
When I enable a dst-nat rule (for ports 80 and 443) in the firewall to redirect traffic to the web proxy port, the internet goes down.
Please help me.