WiFi
gee, 2021-06-29 22:56:23

How do I set up a HotSpot on MikroTik with authorization on an external server, without RADIUS?

Hello. On a clean RB1100AHx4 I am deploying a HotSpot with authorization on a server in the organization's network. Naturally, the hotspot client network is isolated from the organization's network in a VLAN. The router's web admin interface has been moved from port 80 to 8081.

WAN IP (ether1-wan): 10.10.9.100
Hotspot IP (vlan15): 10.100.200.1
Server IP with the PHP authorization script: 10.10.10.21
I set it up by the manual, and out of the box everything works perfectly. However, when I replace the form line in login.html so that the POST is sent to my server in the LAN

<form name="redirect" action="http://10.10.10.21/login.php" method="post">

then nothing works, which is logical: my server at 10.10.10.21 has to send the POST data back to 10.100.200.1/login, but the address 10.100.200.1 is not reachable from the server's network.
I understand that a rule like the following needs to be added:
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=10.10.9.100 dst-port=80 to-addresses=10.100.200.1 protocol=tcp

I tried it — it does not work, and no packets from this rule even show up in the log :(
Can anyone offer advice, or has anyone come across a similar solution?
Config:

# jun/29/2021 23:25:31 by RouterOS 6.48.3
# software id =
#
# model = RB1100x4
# serial number =
# (software id and serial number were blanked by the author before posting.
#  Note the export says RB1100x4 while the question says RB1100AHx4.)
/caps-man channel
add band=2ghz-b/g/n name=xStream1-2G
# One bridge carries all hotspot-facing wired ports (ether2-ether5, see
# /interface bridge port below); the hotspot itself runs on vlan15 on top of it.
/interface bridge
add name=HotSpot-BR
/interface ethernet
set [ find default-name=ether1 ] comment=wan name=ether1-wan
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
# Hotspot client VLAN (id 15) on the bridge, with loop protection enabled.
/interface vlan
add interface=HotSpot-BR loop-protect=on name=vlan15 vlan-id=15
# CAPsMAN datapath: client-to-client forwarding is off, so wireless clients
# cannot talk to each other directly through the AP.
/caps-man datapath
add bridge=HotSpot-BR client-to-client-forwarding=no local-forwarding=no \
name=xRU
# Security profile with no authentication/encryption parameters set, i.e. an
# open SSID. Everything a client sends over the air, including the hotspot
# login form below, travels unencrypted.
/caps-man security
add name=xRU-FREE
/caps-man configuration
add channel=xStream1-2G country=russia datapath=xRU datapath.vlan-id=15 \
datapath.vlan-mode=use-tag distance=indoors hide-ssid=no installation=\
indoor mode=ap name=xRU-1-2G rx-chains=0,1,2 security=xRU-FREE \
ssid=WIFI-free-2.4GHz tx-chains=0,1,2
/caps-man interface
add channel=xStream1-2G configuration=xRU-1-2G configuration.mode=ap \
datapath=xRU disabled=no l2mtu=1600 mac-address=2C:C8:1B:3B:1D:82 \
master-interface=none name=cap1 radio-mac=2C:C8:1B:3B:1D:82 radio-name=\
2CC81B3B1D82 security=xRU-FREE
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 13 default-vlan-id=0
# WAN/LAN interface lists are defined and populated (see /interface list
# member) but no filter or NAT rule in this export references them; the rules
# below match on explicit interfaces and addresses instead.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# login-by=http-pap submits the username and password as plain text over
# HTTP. Combined with the open SSID above, anyone on the radio can read the
# credentials; https (with a certificate) or at least http-chap avoids that.
# NOTE(review): in the usual external-login flow it is the client's browser,
# not the external server, that submits the form to hotspot-address, so
# server-to-10.100.200.1 reachability may not be what is actually needed —
# confirm against the RouterOS hotspot documentation.
/ip hotspot profile
add hotspot-address=10.100.200.1 login-by=http-pap name=hsprof1
# Client pool; the range matches the 10.100.200.0/22 address on vlan15.
/ip pool
add name=pool-hotspot ranges=10.100.200.10-10.100.203.254
/ip dhcp-server
add add-arp=yes address-pool=pool-hotspot bootp-support=none disabled=no \
interface=vlan15 lease-time=5h59m59s name=dhcp-hotspot
# One hotspot instance bound to vlan15; addresses-per-mac=1 limits each
# client MAC to a single hotspot address.
/ip hotspot
add address-pool=pool-hotspot addresses-per-mac=1 disabled=no interface=\
vlan15 name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-hotspot shared-users=unlimited
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=xRU-1-2G \
name-format=prefix-identity name-prefix=2g radio-mac=2C:C8:1B:3B:1D:80
/interface bridge port
add bridge=HotSpot-BR interface=ether2
add bridge=HotSpot-BR interface=ether3
add bridge=HotSpot-BR interface=ether4
add bridge=HotSpot-BR interface=ether5
/interface list member
add interface=ether1-wan list=WAN
add interface=HotSpot-BR list=LAN
# WAN side sits in the organization's 10.10.0.0/20; the auth server
# 10.10.10.21 is inside that range.
/ip address
add address=10.10.9.100/20 interface=ether1-wan network=10.10.0.0
add address=10.100.200.1/22 comment="hotspot network" interface=vlan15 \
network=10.100.200.0
/ip dhcp-server network
add address=10.100.200.0/22 dns-server=10.100.200.1 domain=hotspot \
gateway=10.100.200.1 netmask=22
# allow-remote-requests=yes makes the router a DNS resolver for clients.
# The first upstream entry (10.100.200.1) is the router's own hotspot
# address, so the resolver is pointed at itself — presumably a mistake,
# confirm. With no drop rule in the input chain below, the resolver also
# answers queries arriving on ether1-wan (the organization's network).
/ip dns
set allow-remote-requests=yes servers=10.100.200.1,10.10.10.1,8.8.8.8
# Hostname used for the hotspot login page.
/ip dns static
add address=10.100.200.1 name=login.hotspot
# The filter contains only accept rules — there is no drop in input or
# forward — so these rules only matter for logging and ordering. The forward
# rule with connection-nat-state=dstnat (its comment is the command that
# created it) is the author's test probe for the dst-nat experiment. The
# "manual" rule accepts port 80 on the WAN address that the experiment
# targets; "web admin" accepts 8081 from any source with no src-address
# restriction.
/ip firewall filter
add action=accept chain=hs-input dst-port=64872 protocol=udp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=forward comment="/ip firewall filter add action=accept\
\_chain=forward connection-nat-state=dstnat" connection-nat-state=dstnat \
log=yes
add action=accept chain=input comment=manual dst-address=10.10.9.100 \
dst-port=80 protocol=tcp
add action=accept chain=input comment="web admin" dst-address=10.10.9.100 \
dst-port=8081 protocol=tcp
# "test 2206 - 2": the dst-nat attempt. As exported it has no dst-address and
# no dst-port match, so it would rewrite every TCP connection from
# 10.10.0.0/20 entering ether1-wan — including connections to the web admin
# on 8081 — to 10.100.200.1:80, not only port 80 as the question intends.
# The empty connection-type="" and hotspot="" matchers look like export
# artifacts; verify they do not prevent the rule from matching.
/ip firewall nat
add action=dst-nat chain=dstnat comment="test 2206 - 2" connection-type="" \
hotspot="" in-interface=ether1-wan log=yes protocol=tcp src-address=\
10.10.0.0/20 to-addresses=10.100.200.1 to-ports=80
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Disabled duplicate of the masquerade rule that follows; safe to remove.
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-wan \
src-address=10.100.200.0/22
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.100.200.0/22
# Comment (transliterated Russian) means "replace the user's DNS with our
# own": every UDP/53 request is redirected to the router's resolver. The
# rule has no in-interface or src-address match, so it also applies to
# queries arriving on ether1-wan, not just to hotspot clients.
add action=redirect chain=dstnat comment="Podmena DNS usera na svoi" \
dst-port=53 protocol=udp to-ports=53
# Local test account with password equal to the username, stored and
# exported in plain text. Remove or change it before the hotspot goes into
# service; it remains valid regardless of the external authorization server.
/ip hotspot user
add name=hs1user password=hs1user server=hotspot1
# Walled garden: lets not-yet-authenticated clients reach the auth server
# 10.10.10.21 by host.
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=10.10.10.21 server=hotspot1
# NOTE(review): this IP-level rule matches src-address=10.10.0.0/20, which is
# the WAN-side range, not the hotspot client range 10.100.200.0/22 — verify
# that it matches any client traffic at all.
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=10.10.10.21 !dst-address-list \
!dst-port protocol=tcp server=hotspot1 src-address=10.10.0.0/20 \
!src-address-list
# Default route via 10.10.10.1 on the WAN /20.
/ip route
add distance=1 gateway=10.10.10.1
# Web admin (plain HTTP) moved to 8081 with no address= restriction; api and
# api-ssl are disabled. ssh, winbox, www-ssl, telnet and ftp do not appear in
# this export and are presumably at their defaults — restricting them with
# address= to management hosts is advisable.
/ip service
set www port=8081
set api address=0.0.0.0/0 disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=HotSpotWiFi
# Time is synced from two hosts on the organization's network.
/system ntp client
set enabled=yes primary-ntp=10.10.10.1 secondary-ntp=10.10.10.3


1 answer(s)
Drno, 2021-06-30
@Drno

In the hotspot settings there is a whitelist of addresses that are always reachable.
Move the server into the hotspot subnet — why can't that be done? Or give it a second address. Or set up routing to it...
And, of course, allow traffic to it — in both directions.
