 
CarulloS
Member
Topic Author
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Hotspot interface interfering with non-related local traffic

Mon Jul 10, 2006 9:26 pm

I have hotspot applied to three Ethernet interfaces.
I have hosts that do not need to have the MT box to work at all - traffic does not go through the MT box in any way, shape or form. These hosts have static IP addresses and are located on the same physical network as the MT hotspot interfaces although they do not (should not) even know each other exists. MT is NOT the router for these hosts - a different router is.

ONLY if MT gives out a DHCP address to a host should it work (in any way) with MT and the hotspot functionality. Other than that MT should ignore all other traffic on the network (ie: the machines with static IP addresses in a different range than any interface on MT). There are no hosts that should be set to bypass - either they are a hotspot user because they got a DHCP address or they don't have anything to do with hotspot or the MT box in any way -- they just happen to be on the same physical network segment as the MT hotspot interface.

What I have been trying to say is that no matter what rules I set up, no matter what IP range I use that has nothing to do with MT, if hotspot is active and can physically hear traffic from any device (including unrelated ones it should not mess with) it takes over on the network and tries to add them as a dynamic host if it only hears ARPs / broadcast etc.

You had a problem a while back where hotspot was fixed not to add dynamic hosts just from these broadcasts and that is exactly what it is doing NOW STILL. In 2.9.19 in the change log it states "changed hotspot not to detect new hosts from broadcast requests". IT IS DOING THAT RIGHT NOW WITH VERSION 2.9.27

See what I am trying to say? No matter what I do it is adding dynamic hosts because of the broadcasts it hears even though you say in the change log it was fixed. I challenge that it is broken again.

Thanks,
Scott
 
CarulloS
Member
Topic Author
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Here is some detailed info showing how hosts added

Tue Jul 11, 2006 7:01 am

I emailed tech support:

I used the command you provided to see how the hosts were being found and added to hotspot. Note that the hosts below were added within several seconds of each other - I had to turn off the port in the switch before it caused network-wide problems for me. Here are the results:

Terminal vt102 detected, using multiline input mode
[admin@MikroTik] > ip hotspot host print detail
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
0 D mac-address=00:01:DE:18:6A:F3 address=208.65.50.27
to-address=192.168.50.254 server=Hotspot-Central uptime=1m32s
idle-timeout=5m found-by="ICMP echo to 208.65.50.1"

1 D mac-address=00:0A:5E:01:D0:CB address=10.8.29.146
to-address=192.168.50.253 server=Hotspot-Central uptime=1m21s
idle-timeout=5m found-by="UDP :31952 -> 10.8.29.57:5264"

2 D mac-address=00:0E:0C:A8:58:3B address=66.193.63.6
to-address=192.168.50.252 server=Hotspot-Central uptime=1m18s
idle-timeout=5m found-by="UDP :5060 -> 208.65.50.176:5060"

3 D mac-address=00:01:DE:14:9B:7D address=208.65.50.63
to-address=192.168.50.251 server=Hotspot-Central uptime=1m11s
idle-timeout=5m found-by="ICMP echo to 208.65.50.1"

4 D mac-address=00:01:DE:18:6C:23 address=208.65.50.30
to-address=192.168.50.250 server=Hotspot-Central uptime=1m11s
idle-timeout=5m found-by="ICMP echo to 208.65.50.1"
[admin@MikroTik] >

I have also provided the supout.rif file again while they were added so you could see any other information you may require.

You can see from above that any packet that is seen on the network is causing the host to be added. Is there a way to stop this behaviour?

On another note, I have added some firewall rules to try and stop packets before they get to the hotspot using the pre-hs-input chain and adding rules to only allow traffic from DHCP clients and the DHCP packets themselves that allow the client to get an IP from MT. They never match any traffic. How can I create a rule that goes before the hotspot code in the firewall to block packets from being processed by firewall?

Thank you very much, I would appreciate any information you could provide to help find a solution to what I am trying to do.

Scott Carullo
Brevard Wireless
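A way to triage the output posted above, as an added example that is not part of the original thread or MikroTik's tooling: it parses saved `ip hotspot host print detail` text and lists dynamic hosts whose own address lies outside the hotspot subnet, together with the packet that triggered the adoption. The subnet 192.168.50.0/24 is an assumption inferred from the `to-address` values, and the third sample record is constructed.

```python
import ipaddress
import re

# Sample input: records 0 and 1 are copied from the post; record 2 is constructed.
SAMPLE = """\
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
0 D mac-address=00:01:DE:18:6A:F3 address=208.65.50.27
to-address=192.168.50.254 server=Hotspot-Central uptime=1m32s
idle-timeout=5m found-by="ICMP echo to 208.65.50.1"

1 D mac-address=00:0A:5E:01:D0:CB address=10.8.29.146
to-address=192.168.50.253 server=Hotspot-Central uptime=1m21s
idle-timeout=5m found-by="UDP :31952 -> 10.8.29.57:5264"

2 H mac-address=02:00:00:00:00:01 address=192.168.50.10
to-address=192.168.50.10 server=Hotspot-Central uptime=5m
idle-timeout=5m found-by="UDP :68 -> 255.255.255.255:67"
"""

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')               # key=value or key="quoted value"
HEAD = re.compile(r'^(\d+)\s+([A-Z ]*?)\s*(?=[\w-]+=)')    # record number, then flag letters

def parse_hosts(text):
    """Turn the multi-line records into dicts, skipping prompt and legend lines."""
    hosts = []
    for block in re.split(r'\n\s*\n', text):
        lines = [l.strip() for l in block.splitlines()]
        lines = [l for l in lines if not l.startswith(("Flags:", "[", "Terminal"))]
        record = " ".join(lines)
        head = HEAD.match(record)
        if not head:
            continue
        host = {k: v.strip('"') for k, v in PAIR.findall(record)}
        host["flags"] = set(head.group(2).replace(" ", ""))
        hosts.append(host)
    return hosts

def foreign_hosts(hosts, hotspot_net):
    """Dynamic entries whose real address is not in the hotspot subnet."""
    net = ipaddress.ip_network(hotspot_net)
    return [(h["mac-address"], h["address"], h["to-address"], h["found-by"])
            for h in hosts
            if "D" in h["flags"] and ipaddress.ip_address(h["address"]) not in net]

if __name__ == "__main__":
    # 192.168.50.0/24 is an assumed hotspot subnet (inferred from to-address).
    for mac, addr, mapped, trigger in foreign_hosts(parse_hosts(SAMPLE), "192.168.50.0/24"):
        print(f"{mac} {addr} -> {mapped} adopted on: {trigger}")
```
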
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Jul 11, 2006 7:45 am

We just sent a reply to you.
 
CarulloS
Member
Topic Author
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Problem solved

Thu Jul 13, 2006 8:43 am

Removing scope in hotspot server setup turns off universal client and the problem went away - it just removes the ability to have the universal client features but in my scenario I understand this is how it needs to be to work. Thanks Serg for the support, appreciate all your help.

The universal client could be documented a bit better. It does not mention it in the newer docs I have seen since being built into hotspot. I could have missed it though...

Scott
 
akinyemifemi
just joined
Posts: 11
Joined: Mon May 01, 2006 8:56 am
Location: Nigeria

Sat Jul 15, 2006 8:09 pm

Ok friend,

I had the same problem earlier.

Simple, check under your host from the hotspot section, and try to detect the interface you do not want affected by your hotspot. Once detected, do an IP binding to the same IP and MAC, then do a bypass.

I'm sure this should solve your problems.
