Setup guide
added to the ARP table. The DHCP server will add entries only for clients that have obtained
DHCP leases:
/interface prism set prism1 arp=reply-only
4. Add two IP addresses to the prism1 interface:
/ip address add address=192.168.0.1/24 interface=prism1 \
comment="hotspot temporary network"
/ip address add address=10.5.50.1/24 interface=prism1 \
comment="hotspot real network"
5. Add two IP address pools:
/ip pool add name=hs-pool-temp ranges=192.168.0.2-192.168.0.254
/ip pool add name=hs-pool-real ranges=10.5.50.2-10.5.50.254
6. Add a masquerading rule for the temporary IP pool, which is not routed:
/ip firewall src-nat add src-address=192.168.0.0/24 action=masquerade \
comment="masquerade hotspot temporary network"
Make sure you have routing for the authenticated address space. Try to ping 10.5.50.1 from your
Internet gateway 10.5.6.1, for example. See the Basic Setup Guide on how to set up routing.
7. Add a DHCP server (for temporary IP addresses):
/ip dhcp-server add name="hs-dhcp-server" interface=prism1 lease-time=14s \
address-pool=hs-pool-temp add-arp=yes disabled=no
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 \
dns-server=159.148.60.2,159.148.108.1 domain="example.com"
8. Add the hotspot server setup (for real IP addresses):
/ip hotspot server add name=hs-server dhcp-server=hs-dhcp-server \
address-pool=hs-pool-real
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 \
dns-server=159.148.60.2,159.148.108.1 domain="example.com"
9. Add a local hotspot user:
/ip hotspot user add name=Ex password=Ex
10. Set up the hotspot service to run on port 80 (the www service has to be assigned another
port, e.g., 8081):
/ip service set www port=8081
/ip service set hotspot port=80
Note! Changing the www service to a port other than 80 requires that you specify the new port
when connecting to the Wandy router using WinBox, e.g., use 10.5.50.1:8081 in this case.
11. Redirect all TCP requests from temporary IP addresses to the hotspot service:
/ip firewall dst-nat add src-address=192.168.0.0/24 dst-port=443 protocol=tcp \
action=redirect to-dst-port=443 \
comment="redirect unauthorized hotspot clients to hotspot service"
/ip firewall dst-nat add src-address=192.168.0.0/24 protocol=tcp \
action=redirect to-dst-port=80 \
comment="redirect unauthorized hotspot clients to hotspot service"
12. Allow DNS requests and ICMP ping from temporary addresses and reject everything else:
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"
/ip firewall rule forward add src-address=192.168.0.0/24 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
/ip firewall rule input add src-address=192.168.0.0/24 dst-port=80 \
protocol=tcp action=accept comment="accept requests for hotspot servlet"
/ip firewall rule input add src-address=192.168.0.0/24 dst-port=443 \
protocol=tcp action=accept comment="accept request for hotspot servlet"
/ip firewall rule input add src-address=192.168.0.0/24 dst-port=67 \
protocol=udp action=accept comment="accept requests for local DHCP server"
/ip firewall rule input add src-address=192.168.0.0/24 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
/ip firewall rule hotspot-temp add protocol=icmp action=return \
comment="allow ping requests"
/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return \
comment="allow dns requests"
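The rules of steps 11 and 12 interact in a fixed order: dst-nat rewrites the destination of a packet before the filter chains see it, and a `return` from hotspot-temp resumes the calling chain, whose default action is accept. The following Python model is an added example, not part of this guide and not RouterOS code; it replays that order over constructed packets from one unauthenticated client so the effect of each rule can be checked offline. It assumes the final rule of hotspot-temp is a reject, as the text of step 12 ("reject everything else") implies; the page itself shows only the two return rules of that chain.

```python
"""Model of the hotspot dst-nat and filter rules from steps 11 and 12.

Constructed example, not RouterOS code. It reproduces the matching order
(dst-nat first, then the input or forward chain, then hotspot-temp) for
packets sent by a client holding a temporary 192.168.0.x lease.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

TEMP_NET = ip_network("192.168.0.0/24")      # unauthenticated (temporary) clients
ROUTER_ADDRS = {ip_address("192.168.0.1"), ip_address("10.5.50.1")}
HOTSPOT_PORT = 80                             # /ip service set hotspot port=80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for icmp


def from_temp_net(pkt: Packet) -> bool:
    return ip_address(pkt.src) in TEMP_NET


def dst_nat(pkt: Packet) -> Packet:
    """Step 11: every TCP connection from the temporary network is redirected
    to the router itself. action=redirect rewrites the destination to the
    address of the interface the packet arrived on (192.168.0.1 here)."""
    if not (from_temp_net(pkt) and pkt.proto == "tcp"):
        return pkt
    # First rule: HTTPS keeps port 443 so the browser gets a TLS answer from
    # the hotspot servlet instead of a plain-HTTP reply on an HTTPS socket.
    if pkt.dport == 443:
        return replace(pkt, dst="192.168.0.1", dport=443)
    # Second rule: all remaining TCP goes to the hotspot service on port 80.
    return replace(pkt, dst="192.168.0.1", dport=HOTSPOT_PORT)


def hotspot_temp_chain(pkt: Packet) -> str:
    """Chain hotspot-temp: ping and DNS return to the calling chain.
    The trailing reject is ASSUMED from step 12's wording; it is not among
    the rules shown in the guide."""
    if pkt.proto == "icmp":
        return "return"
    if pkt.proto == "udp" and pkt.dport == 53:
        return "return"
    return "reject"


def filter_verdict(pkt: Packet) -> str:
    """Step 12 filter rules, applied to the packet as it looks after dst-nat.
    Returns 'accept' or 'reject'."""
    if not from_temp_net(pkt):
        return "accept"            # none of the listed rules matches other sources
    if ip_address(pkt.dst) in ROUTER_ADDRS:
        # input chain, rules in the order they are added
        if pkt.proto == "tcp" and pkt.dport in (80, 443):
            return "accept"        # hotspot servlet
        if pkt.proto == "udp" and pkt.dport == 67:
            return "accept"        # local DHCP server (lease renewals)
        result = hotspot_temp_chain(pkt)
    else:
        # forward chain: a single jump rule for the temporary network
        result = hotspot_temp_chain(pkt)
    # 'return' resumes the calling chain, whose default action is accept
    return "accept" if result == "return" else result


def process(pkt: Packet) -> tuple:
    """Full path of one packet: dst-nat, then filter. Returns the packet
    after NAT together with the filter verdict."""
    natted = dst_nat(pkt)
    return natted, filter_verdict(natted)


if __name__ == "__main__":
    # constructed sample traffic from one unauthenticated client
    samples = [
        Packet("192.168.0.50", "203.0.113.10", "tcp", 80),    # web page
        Packet("192.168.0.50", "203.0.113.10", "tcp", 443),   # HTTPS site
        Packet("192.168.0.50", "203.0.113.10", "tcp", 22),    # SSH
        Packet("192.168.0.50", "10.5.50.1", "tcp", 8081),     # www service on its new port
        Packet("192.168.0.50", "159.148.60.2", "udp", 53),    # DNS
        Packet("192.168.0.50", "203.0.113.10", "icmp"),       # ping
        Packet("192.168.0.50", "192.168.0.1", "udp", 67),     # DHCP renewal (14 s lease)
        Packet("192.168.0.50", "203.0.113.10", "udp", 123),   # NTP
        Packet("0.0.0.0", "255.255.255.255", "udp", 67),      # initial DHCP discover
    ]
    for p in samples:
        after, verdict = process(p)
        print(f"{p.proto:4} {p.dst}:{p.dport:<5} -> {after.dst}:{after.dport:<5} {verdict}")
```

Two details the model makes visible: every TCP connection from a temporary address, including one aimed at the router's own www port 8081, ends up at the hotspot servlet, so the redirect also shields the management service from unauthenticated clients; and the initial DHCP discover (source 0.0.0.0) matches none of the src-address=192.168.0.0/24 rules, which is why the jump into hotspot-temp does not break lease assignment.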