Hotspot Specifics
Posted: Thu Nov 15, 2012 9:59 am
by zimbofury
Hello,
I have a scenario at a university where 4 profiles for various users on the LAN are needed. I have students, staff, admin and server room.
Using hotspot, is there any way that you can specify, if you log in via a certain profile (e.g. students), that they will get an IP in a certain range? I want this so that I can add limitations to those ranges via IP firewall. Or are there any other suggestions?
Many thanks.
Re: Hotspot Specifics
Posted: Thu Nov 15, 2012 3:12 pm
by ditonet
http://wiki.mikrotik.com/wiki/Manual:IP ... er_Profile
Read about 'address-list' property.
Create four hotspot user profiles and set their 'address-list' property according to your needs (students, staff, admin and server room).
With these settings you'll be able to make limitations based on the firewall's address lists, not assigned IP addresses.
HTH,
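The approach described in the reply above, as an added example that is not part of the original posts: one hotspot user profile per group, each with its own 'address-list', and forward-chain rules keyed on list membership. The user names, the placeholder passwords, the list name "serverroom" and the 10.10.50.0/24 server subnet are assumptions made for illustration.

```routeros
# Added example, not from the thread. Names, passwords and the
# 10.10.50.0/24 server subnet are assumptions.

# One profile per group; the hotspot adds the client's IP to the named
# address list when the user logs in.
/ip hotspot user profile
add name=students address-list=students
add name=staff address-list=staff
add name=admin address-list=admin
add name=serverroom address-list=serverroom

# Local hotspot users pick up the address list through their profile.
/ip hotspot user
add name=student1 password=CHANGE-ME profile=students
add name=staff1 password=CHANGE-ME profile=staff

# Policy is keyed on list membership, not on which IP the client was leased.
# Rules are evaluated top to bottom, so the accept for staff HTTPS must sit
# above the staff drop.
/ip firewall filter
add chain=forward src-address-list=students dst-address=10.10.50.0/24 \
    action=drop comment="students: no access to server subnet"
add chain=forward src-address-list=staff dst-address=10.10.50.0/24 \
    protocol=tcp dst-port=443 action=accept comment="staff: HTTPS to servers"
add chain=forward src-address-list=staff dst-address=10.10.50.0/24 \
    action=drop comment="staff: nothing else to servers"

# After a test login, the client's IP should appear as a dynamic (D) entry.
/ip firewall address-list print where list=students
```

If the list stays empty after a login, the user is not being matched to the profile that carries the 'address-list' setting.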
Re: Hotspot Specifics
Posted: Fri Nov 16, 2012 11:49 am
by zimbofury
Hi!
Thanks for the response. I did research and was sure it was something to do with that. However, I haven't played with address lists too much. I have been tinkering and haven't been able to succeed; below is my config:
[admin@MikroTik] /tool user-manager profile limitation> print detail
0 name="Customers" owner=admin download-limit=0B upload-limit=0B transfer-limit=0B uptime-limit=0s rate-limit-rx=716800B rate-limit-tx=716800B rate-limit-min-rx=716800B
rate-limit-min-tx=716800B group-name="Customers" ip-pool="" address-list="Customers"
[admin@MikroTik] > ip hot user profile pri
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1
transparent-proxy=no
1 name="Customers" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1
address-list="Customers" transparent-proxy=yes open-status-page=always advertise=no
/ip firewall address-list> pri
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Customers 0.0.0.0
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop src-address-list=Customers connection-mark=facebook
[admin@MikroTik] /ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=173.252.96.0/19
1 chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=66.220.144.0/20
2 chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=69.171.224.0/19
Thanks
Re: Hotspot Specifics
Posted: Mon Nov 19, 2012 11:05 am
by zimbofury
I have managed to get the address lists working without RADIUS.
[admin@MikroTik] /ip hotspot user profile> print
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=no
1 name="addlist" address-pool=default-dhcp idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 address-list="Customers1" transparent-proxy=yes
open-status-page=always advertise=no
Upon enabling RADIUS and configuring profiles>limitations, users won't be added to the address list.
Re: Hotspot Specifics
Posted: Mon Nov 19, 2012 11:55 am
by ditonet
http://wiki.mikrotik.com/wiki/Manual:RA ... ess-Accept
Read about the following 'Access-Accept' attributes:
Framed-Pool
Filter-Id
Mikrotik-Mark-Id
On the RADIUS server, define user groups (students, staff, admin and server room) with different 'Mikrotik-Mark-Id'.
This gives you the ability to mark traffic from/to a user belonging to a specific group or add the user's IP address to a firewall address list.
HTH,
Re: Hotspot Specifics
Posted: Wed Nov 21, 2012 10:30 am
by zimbofury
Hi Ditto!
Thanks again for the response.
I managed to get the initial idea with RADIUS working. It seems to be something to do with using the same name (e.g. students) on all the profiles' relevant settings/names (address lists, user profiles and user manager limitations).
However, I am still interested in learning about the RADIUS client, especially since I can't find the sub menu. Or is it a separate package?
Thanks again.
Re: Hotspot Specifics
Posted: Wed Nov 21, 2012 11:25 am
by ditonet
RouterOS has a RADIUS client built in; you can access it via the Winbox menu.
The wiki article mentioned in my previous post has all the necessary information about RouterOS RADIUS client configuration and attributes.
As I wrote earlier, create RADIUS user groups with different 'Mikrotik-Mark-Id' attributes and add hotspot users to specific groups.
Create firewall mangle rules with chain names the same as the 'Mikrotik-Mark-Id' attributes and use them to mark traffic or add hotspot users to firewall address lists.
HTH,