Setup guide
/ip firewall rule hotspot-temp add flow="hs-auth" action=return \
comment="return if connection is authorized"
/ip firewall rule hotspot-temp add protocol=icmp action=return \
comment="allow ping requests"
/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return \
comment="allow dns requests"
/ip firewall rule hotspot-temp add action=reject \
comment="reject access for unauthorized clients"
Note that the DNS rule above matches any destination, so an unauthenticated client can send UDP port 53 traffic to any host, which is enough for DNS tunnelling; restrict it with dst-address= to the resolver you intend clients to use if that is not acceptable.
6. Create a hotspot chain for authorized hotspot clients:
/ip firewall add name=hotspot comment="account authorized hotspot clients"
7. Pass all through-going traffic to the hotspot chain:
/ip firewall rule forward add action=jump jump-target=hotspot \
comment="account traffic for authorized hotspot clients"
Note that in order to use SSL authentication, you have to install an SSL certificate. This topic is not
covered by this manual section. Please see the respective manual section on how to install
certificates in Wandy RouterOS.
As the example shows, the rules match only on the hotspot interface; the IP addresses behind it do
not matter. HotSpot authentication can be added for one more interface (prism2) with just four
additional firewall rules:
• Set up dst-nat to redirect unauthorized clients to the hotspot service:
/ip firewall dst-nat add in-interface="prism2" flow="!hs-auth" protocol=tcp \
dst-port=443 action=redirect to-dst-port=443 \
comment="redirect unauthorized prism2 clients to hotspot service"
/ip firewall dst-nat add in-interface="prism2" flow="!hs-auth" protocol=tcp \
action=redirect to-dst-port=80 \
comment="redirect unauthorized prism2 clients to hotspot service"
The second rule has no dst-port and therefore catches every remaining TCP connection from an
unauthorized client, so the HTTPS rule must stay in front of it.
• Limit access for unauthorized prism2 interface clients:
/ip firewall rule forward add in-interface=prism2 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized prism2 clients"
/ip firewall rule input add in-interface=prism2 action=jump \
jump-target=hotspot-temp comment="limit access for unauthorized prism2 clients"
Optional Settings
• You may want to use the same address space for both your LAN and HotSpot networks. Please
consult the IP Address and ARP Manual for the proxy-arp feature.
• You may want to translate the destination addresses of all TCP port 25 connections (SMTP)
from HotSpot users to your local mail server for mail relaying. Thus, users can retain their mail
client setup and use your mail server for outgoing mail without reconfiguring their mail clients.
If 10.5.6.100 is your mail server accepting connections from network 10.5.50.0/24, then the
required destination NAT rule would be:
/ip firewall dst-nat add src-address=10.5.50.0/24 dst-port=25 protocol=tcp \
to-dst-address=10.5.6.100 action=nat \
comment="Translate SMTP TCP 25 port to our mail server"
• One more option is to allow access to certain pages without authentication (walled garden). For
example, if http://hotspot.example.com is your web server's name:
[admin@Wandy] ip hotspot walled-garden> add \
\... dst-host="^hotspot\\.example\\.com$"
[admin@Wandy] ip hotspot walled-garden> print
Flags: X - disabled
# DST-HOST DST-PORT PATH ACTION
0 ^hotspot\.example\.com$ allow
[admin@Wandy] ip hotspot walled-garden>
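The dst-host value is a regular expression, so whether the entry admits only the intended host depends on its anchors and escaping. The following Python script is an added example, not RouterOS code or output from this manual: it matches constructed Host header values against the anchored entry shown above and against a careless unanchored variant, and lints an entry for the usual mistakes. It assumes the router applies the pattern to the HTTP Host header of the unauthenticated request after lowercasing it and stripping any port or trailing dot; the manual does not say so, so test those forms against the device.

```python
from __future__ import annotations

import re

# The walled-garden entry from the transcript above (the CLI escapes each
# backslash on input, so "^hotspot\\.example\\.com$" is stored as this regex).
ANCHORED = r"^hotspot\.example\.com$"
# A constructed careless variant: no anchors and an unescaped dot.
SLOPPY = r"hotspot.example.com"

# Constructed Host header values a client might send, including bypass attempts.
CANDIDATE_HOSTS = [
    "hotspot.example.com",
    "HOTSPOT.Example.COM",
    "hotspot.example.com:80",
    "hotspot.example.com.",
    "hotspot.example.com.attacker.test",   # allowed name used as a prefix
    "nothotspot.example.com",              # allowed name used as a suffix
    "hotspotXexample.com",                 # abuses an unescaped dot
]


def normalize_host(host: str) -> str:
    """Lower-case a Host header value and drop an explicit port and a trailing dot.

    Assumption (not stated in the manual): the router normalizes the same way
    before matching. If it does not, the ":port" and trailing-dot forms in
    CANDIDATE_HOSTS are the ones to test on the device.
    """
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal: keep brackets, drop port
        host = host.split("]")[0] + "]"
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def walled_garden_allows(pattern: str, host: str) -> bool:
    """True if HOST would match the dst-host regex PATTERN.

    re.search is used deliberately: like the router, it does not anchor the
    pattern for you, so the pattern's own ^ and $ decide what is matched.
    """
    return re.search(pattern, normalize_host(host)) is not None


def lint_dst_host(pattern: str) -> list[str]:
    """Warn about dst-host regexes that match more than the intended host."""
    warnings = []
    if not pattern.startswith("^"):
        warnings.append("not anchored at start: matches any host ending in it")
    if not pattern.endswith("$"):
        warnings.append("not anchored at end: matches any host starting with it")
    if re.search(r"(?<!\\)\.", pattern):
        warnings.append("unescaped '.': matches any character, not only a dot")
    return warnings


def evaluate(pattern: str) -> dict[str, bool]:
    """Map each candidate Host value to whether PATTERN would let it through."""
    return {h: walled_garden_allows(pattern, h) for h in CANDIDATE_HOSTS}


if __name__ == "__main__":
    for name, pat in (("anchored", ANCHORED), ("sloppy", SLOPPY)):
        print(f"{name}: {pat}  warnings={lint_dst_host(pat)}")
        for host, allowed in evaluate(pat).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {host}")
```

With the anchored entry only the genuine host (in any letter case, with or without a port or trailing dot) is allowed; the sloppy entry additionally lets an attacker-controlled name such as hotspot.example.com.attacker.test through, which turns the walled garden into a way past the login page.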
• For HotSpot clients to use the transparent web proxy on the same router, the following configuration
can be used: