Setup guide

/ip firewall rule hotspot-temp add action=reject \
comment="reject access for unauthorized hotspot clients"
13. Add the hotspot chain:
/ip firewall add name=hotspot comment="account authorized hotspot clients"
14. Pass all forwarded (through-going) traffic to the hotspot chain:
/ip firewall rule forward add action=jump jump-target=hotspot \
comment="account traffic for authorized hotspot clients"
Note that in order to use SSL authentication, you have to install an SSL certificate. This topic is not
covered by this manual section. Please see the respective manual section on how to install
certificates in Wandy RouterOS.
HotSpot Step-by-Step User Guide for enabled-address Method
Description
Let us consider following example HotSpot setup:
There are clients on the prism1 interface that can already reach the Internet. You want all of these
clients to authenticate before they are allowed to use the Internet.
For hotspot client accounting, the hotspot service adds dynamic firewall rules to the firewall chain
named hotspot. This chain has to be created manually, and all network packets to and from hotspot
clients have to pass through it.
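To make the scheme above concrete before the command listing, here is a small model of how RouterOS 2.x evaluates these firewall rules: first match wins, a jump into a user chain that returns (or runs off its end) continues in the calling chain, and the hs-auth flow mark decides whether a client is treated as authorized. This is an added example, not code from the guide or from RouterOS; it uses the chain names (hotspot-temp, input, forward, dst-nat), the interface name prism1, the flow mark hs-auth and the redirect/accept rules of this guide, but the contents of the hotspot-temp chain (return authorized, DNS and ping traffic, reject the rest) are an assumption taken from the step description rather than rules shown on this page. The accounting chain hotspot is omitted, since it only carries the accounting rules the hotspot service adds by itself. It also shows the failure mode of a wrong rule order: if the jump to hotspot-temp is added before the accept rules for the servlet, unauthorized clients are rejected before they can reach the login page.

```python
# Added model of RouterOS 2.x first-match firewall semantics (chains, jump/return,
# flow marks) for the enabled-address HotSpot scheme. NOT RouterOS code; it never
# talks to a router. hotspot-temp contents are an ASSUMPTION from the step text.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    flow: str = ""                   # flow (connection) mark; "hs-auth" once logged in


@dataclass
class Rule:
    action: str                      # accept, reject, jump, return, redirect
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    flow: Optional[str] = None       # "hs-auth" or the negated form "!hs-auth"
    jump_target: Optional[str] = None
    to_dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold; unset matchers match anything."""
        if self.in_interface is not None and p.in_interface != self.in_interface:
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.flow is not None:
            negate = self.flow.startswith("!")
            wanted = self.flow[1:] if negate else self.flow
            if (p.flow == wanted) == negate:
                return False
        return True


Chains = Dict[str, List[Rule]]


def evaluate(chains: Chains, chain: str, p: Packet,
             default: Optional[str] = "accept") -> Optional[str]:
    """First matching terminal rule decides. A jumped-to chain that returns
    (explicitly or by running off its end) hands control back to the caller.
    Built-in chains accept unmatched traffic; user chains return None."""
    for r in chains.get(chain, []):
        if not r.matches(p):
            continue
        if r.action == "jump":
            verdict = evaluate(chains, r.jump_target, p, default=None)
            if verdict is not None:
                return verdict
            continue                 # sub-chain returned: keep walking this chain
        if r.action == "return":
            return None
        if r.action == "redirect":
            return "redirect:%d" % r.to_dst_port
        return r.action
    return default


def build_chains(accept_before_jump: bool = True) -> Chains:
    """The guide's dst-nat, input and forward rules. accept_before_jump=False
    reproduces the mistake of adding the jump before the servlet accept rules."""
    hotspot_temp = [
        Rule("return", flow="hs-auth"),               # ASSUMED: authorized traffic passes
        Rule("return", protocol="icmp"),              # ASSUMED: "allow ICMP ping"
        Rule("return", protocol="udp", dst_port=53),  # ASSUMED: "allow DNS requests"
        Rule("reject"),                               # "reject everything else"
    ]
    servlet_accepts = [
        Rule("accept", in_interface="prism1", protocol="tcp", dst_port=80),
        Rule("accept", in_interface="prism1", protocol="tcp", dst_port=443),
        Rule("accept", in_interface="prism1", protocol="udp", dst_port=67),
    ]
    temp_jump = [Rule("jump", in_interface="prism1", jump_target="hotspot-temp")]
    return {
        "dst-nat": [
            Rule("redirect", in_interface="prism1", flow="!hs-auth", protocol="tcp",
                 dst_port=443, to_dst_port=443),
            Rule("redirect", in_interface="prism1", flow="!hs-auth", protocol="tcp",
                 to_dst_port=80),
        ],
        "input": servlet_accepts + temp_jump if accept_before_jump else temp_jump + servlet_accepts,
        "forward": temp_jump,        # the accounting jump to 'hotspot' does not change verdicts
        "hotspot-temp": hotspot_temp,
    }


def client_path(chains: Chains, p: Packet) -> Tuple[str, Optional[str]]:
    """dst-nat is consulted first; a redirect turns the packet into traffic for the
    router itself (input chain), anything else is forwarded (forward chain)."""
    nat = evaluate(chains, "dst-nat", p, default=None)
    if nat is not None and nat.startswith("redirect:"):
        p = Packet(p.in_interface, p.protocol, int(nat.split(":")[1]), p.flow)
        return "input", evaluate(chains, "input", p)
    return "forward", evaluate(chains, "forward", p)


if __name__ == "__main__":
    # Constructed sample traffic from a prism1 client, before and after login.
    samples = [Packet("prism1", "tcp", 80), Packet("prism1", "tcp", 22),
               Packet("prism1", "udp", 53), Packet("prism1", "udp", 5060),
               Packet("prism1", "tcp", 80, "hs-auth"), Packet("prism1", "udp", 5060, "hs-auth")]
    for ordering in (True, False):
        print("servlet accepts before jump" if ordering else "jump before servlet accepts")
        for s in samples:
            print("  %-4s %-5s %-10r -> %s" % (s.protocol, s.dst_port, s.flow,
                                               client_path(build_chains(ordering), s)))
```

Running it shows the intended behaviour of the guide's rules: every TCP connection from an unauthorized client, whatever its destination, is redirected to the servlet and accepted by the input chain; unauthorized DNS is forwarded; other unauthorized UDP is rejected in hotspot-temp; once the flow carries hs-auth nothing is redirected and all traffic is forwarded. With the jump placed before the servlet accept rules, the redirected port-80 request is rejected, which is exactly the "login page never loads" symptom.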
Example
1. Set up the hotspot service to run on port 80 (the www service has to be moved to another port,
e.g., 8081):
/ip service set www port=8081
/ip service set hotspot port=80
Note! Changing the www service to a port other than 80 requires that you specify the new port
when connecting to the Wandy router using WinBox, e.g., use 10.5.50.1:8081 in this case.
2. Set up the hotspot profile to mark the connections of authenticated users with the flow name "hs-auth" and to use the enabled-address login method:
/ip hotspot profile set default mark-flow="hs-auth" login-method=enabled-address
3. Add a local hotspot user:
/ip hotspot user add name=Ex password=Ex
4. Redirect all TCP requests from unauthorized clients (connections without the "hs-auth" flow mark) to the hotspot service; HTTPS requests go to the servlet's port 443, all other TCP to port 80:
/ip firewall dst-nat add in-interface="prism1" flow="!hs-auth" protocol=tcp \
dst-port=443 action=redirect to-dst-port=443 \
comment="redirect unauthorized hotspot clients to hotspot service"
/ip firewall dst-nat add in-interface="prism1" flow="!hs-auth" protocol=tcp \
action=redirect to-dst-port=80 \
comment="redirect unauthorized clients to hotspot service"
5. Allow DNS requests and ICMP ping from temporary addresses and reject everything else. The accept rules for the hotspot servlet (ports 80 and 443) and for the local DHCP server are placed before the jump to hotspot-temp so that the login page stays reachable to clients that have not authenticated yet:
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"
/ip firewall rule forward add in-interface=prism1 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
/ip firewall rule input add in-interface=prism1 dst-port=80 protocol=tcp \
action=accept comment="accept requests for hotspot servlet"
/ip firewall rule input add in-interface=prism1 dst-port=443 protocol=tcp \
action=accept comment="accept request for hotspot servlet"
/ip firewall rule input add in-interface=prism1 dst-port=67 protocol=udp \
action=accept comment="accept requests for local DHCP server"
/ip firewall rule input add in-interface=prism1 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"