Original poster | Posted 2007-12-11 22:36:04
Mikrotik version 2.8beta10 used as a wireless Hotspot server/authenticator
A detailed setup guide by Joe Mehaffey(c)
rel 10/10/03-rev v
What we are trying to do:
The Mikrotik Router OS system is software designed to run on an "IBM type" Personal Computer. It has many capabilities including operating as a Wireless HotSpot controller, router, firewall, PPPoE controller, among many other capabilities. This router basically can be used to operate a small ISP. In our example, we are setting up a three port system which is designed to have one port going to the internet, a second to provide HotSpot services via an external access point and a third port to serve the user's local LAN. Separation and firewall protection is provided to prevent intrusion from the internet and from the HotSpot port into the user's local LAN. Be sure to verify the firewall protection for yourself. Advantages/Limitations of the Mikrotik Hotspot System as seen by the author can be viewed HERE.
The basic features that I need in this Home Hotspot installation are:
Provide isolation of computers on my home LAN from internet traffic and users on the WIRELESS HotSpot Access Point. This needed to be done without the use of encryption on the wireless link so "anyone" could easily log in without first getting permission.
Allow my normal household internet traffic to/from the internet to use the same connection as traffic from my wireless HotSpot
Allow traffic on the Internet to access my mail server and any other servers on my Home LAN.
Provide "Casual" users of the Home HotSpot to "log in" and access their WebMail and normal Internet while limiting their bandwidth usage.
Allow "Trusted" users of the Home Hotspot to "log in" to access whatever ports and services may be allowed for them on an individual basis.
Allow "Me" to access anything I want to over the Wireless Hotspot connection to the local LAN or to the Internet.
Provide the capability to have a direct PPPoE connection to a DSL/Cable modem or alternatively a direct connection to a router LAN port.
I have concluded that the Mikrotik system provides all these features and many more. The basic configuration topology I wanted to develop is the three ethernet port shown below.
                              ether1                   ether2
Internet <..> Cable/DSL modem <..> MikroTik Router <...> Wireless Access Point <~~> Remote wireless computers
  (or LAN access)    (192.168.168.x in example)   |     (10.5.50.x in example)
                                               ether3
                                                 |
                                          LOCAL LAN USERS
                                       (192.168.2.x in example)
The basic configuration:
The following definitions and configuration conditions apply to the Mikrotik Hotspot/Router OS installation described below.
1) The "public" (Internet) connection for the router (Router IP address = 192.168.168.28) is via an external (to the Mikrotik unit) hardware router with gateway IP address 192.168.168.1. This gateway is accessed via the "ether1" port on the Mikrotik unit.
2) The "Hotspot IP address pool" is used for contact with an external HotSpot client. The "universal client" allows for a user with "any" fixed IP address to make initial contact for user LOGIN. When the user then puts in "any" URL (e.g., http://www.yahoo.com) the DHCP server initially assigns an address from this pool (or uses the IP address already existing on a client) to clients and this connection is used to bring up the initial login screen. In the following example, this "hotspot IP address pool range" is 10.5.50.1 through 10.5.50.199. This service uses the ether2 hardware port on the Mikrotik unit. This IP pool is used by all hotspot clients for access.
3) The simple router configuration provides NO protection for OTHER devices which may be connected on the 192.168.168.X/24 (ether1) LAN from being accessed (perhaps maliciously) from the ether2 (hotspot) port. Suitable firewall filters (forward-chain rules that drop hotspot traffic aimed at that LAN) can be installed if this is a problem. See Mikrotik manual.
4) Before starting the entry of the following command sequence:
a) connect the ether1 port to a LAN which has internet services available on a gateway address (192.168.168.1 in the example).
b) connect a suitable Wireless Access Point (Dlink DWL-900AP+ or the 200mw Senao AP used by author) to the ether2 NIC port. Configure this AP with a suitable SSID, note its MAC address for future reference, set the unit to Access Point Mode, and set the AP unit to be a DHCP Client.
c) Perform ALL the following commands from the Mikrotik Command Line Interface unless noted otherwise. I find the Winbox interface to be very useful for checking configurations and making changes after the system is initially set up. However, I had problems when I tried to input the initial setup via the WinBox Interface.
d) AS SOON AS the basic system works (and at intervals during initial setup if you wish), make a backup file of the operational system. "Simple" changes can screw up the programming and in many cases you will not immediately see how to recover. The availability of a backup file will prevent your having to type everything in again by hand.
e) Before you begin, make any IP address modifications to a printout of the following sequence and then follow that modified instruction list precisely.
5) The ether3 port will be used for a LOCAL LAN port. Firewall filters are what isolate the local LAN on 192.168.2.X/24 from the HotSpot ether2 port on 10.5.50.X/24 and from the internet on ether1; the web-proxy access list configured later only controls who may use the proxy. Note: If you are going to use a third ether3 port, be sure to install all three (or more as needed) NIC cards before you begin programming. The computer will not be confused, but the programmer might be if the LAN port numbers move around in the computer chassis as a result of installing a new NIC (LAN card) after programming has begun.
6) The computer for your router can be "most any" Pentium PC if you are just serving the three ethernet ports. The three NIC cards can be most any late model 10/100 card. The supported list is in the Mikrotik manual. 64 megs of RAM are needed, and at least a 100 meg hard drive or a 64 meg Flash Drive will work fine. A floppy will be necessary for initially loading the system if you use a hard drive. A CDROM drive is optional and really not required. No floppy or CDROM is necessary if the Mikrotik FLASH DRIVE (with Hotspot and system software) option for US$125 from http://www.fament.com is used, as the system is supplied ready loaded with the latest Mikrotik software. Mikrotik provides several initial install modes. I used the "make up 9 floppies and boot them in sequence to get the system loaded" option when loading a hard drive. See Mikrotik manual for more detailed install instructions.
Generally:
The ether1 interface is connected to 192.168.168.X/24 network (public network). Connection to the internet is provided through the gateway of the local LAN router at 192.168.168.1.
Then on the ether2 interface we create a 10.5.50.1/24 network port with universal client, transparent proxy and other features. The SMTP server has to be set up as well as the DNS server. We'll use the LAN gateway address 192.168.168.1 since our external "public" router connected to the internet provides DNS service and internet connectivity on this address. (Note: If your router allows it, you can use your ISP's DNS server IP address(es). If not, you may HAVE to use your local router's DNS services as the author did.)
Then on the ether3 interface, we create a 192.168.2.1/24 network port for connection to your local (or household) LAN. Firewall filters are then needed to isolate ether2 from ether3, and to keep ether1 from reaching either ether2 or ether3, for protection from hacking. The web-proxy access rules shown later restrict who may use the proxy; they do not filter traffic between the ports.
In the original programming guide: a) instructions and comments were in BLACK, b) what the computer prints on the monitor screen was in GREEN, and c) what you type into the keyboard in response was in RED. The colors do not survive in this text copy: each numbered step shows the prompt followed by what you type, and the router's output is listed unnumbered beneath it.
Step by Step Programming Procedure:
The following procedure assumes that you have already installed the BASIC MIKROTIK ROUTER OPERATING SYSTEM. If you need to do this basic install, proceed FIRST to http://www.gpsinformation.org/ho ... krotikfloppies.html to do the basic router software installation BEFORE continuing with the procedure on this page. DEMO LICENSE USERS, NOTE CAREFULLY: Demo Licensed Mikrotik software MUST be version 2.8beta5 or later, and you must answer NO to the universal client and web-proxy questions in the Hotspot setup or your installation will fail.
At the beginning of this setup process, the 'system reset' command at the Mikrotik command line is used to initialize the Mikrotik router. The <enter> key is pressed after each command is entered. Proceed exactly as follows. Note: ALL spaces and punctuation marks are ESSENTIAL when inputting the commands below. If a command (such as /ip) has a slash in front, be sure to put it in. [Brackets] are NOT the same as (parentheses). You must be VERY careful when inputting the commands. You can make a simple typographical error and the system may accept it, and then your system may not work at all.
A few "getting around" commands for the Command Line Interface are: 1) commands are always followed by pressing ENTER. 2) / forward slash gets you back to the root directory. 3) hold shift then ? key gives you the command list for the command folder you are in. 4) .. takes you back one directory. 5) entering < /ip address> from "any command directory" takes you to the ip address directory. 6) the default system user ID is admin with a blank (just hit enter) password. 7) To save your work at any time, enter /system backup save name=<yourfilename> (without the <>) at the command prompt. 8) To go from one directory to another on the tree branch, just enter the name. For instance, if you are at >ip and want to go to the system directory, just enter <system>, then ENTER.
Programming the basic two port Hotspot system
The default user ID for the Mikrotik Router is <admin> and the password is blank (just press ENTER). As SOON as you do the system reset and login, you will change your password. When the router initially boots up, you will see:
Mikrotik 2.8beta10 (You might have a later version and that is OK. Note that Mikrotik versions 2.7.3 thru 2.7.10 and 2.8beta1 thru 2.8beta4 cannot be used to generate a working Hotspot using the free DEMOnstration license key. They work fine with the paid license key. However, 2.8beta5 and later produce a working Hotspot with the DEMO license key using the procedure below.)
(You type in what is in RED and then press ENTER.)
1) Mikrotik Login: admin (BE SURE to use lower case letters. It does matter.)
2) Password: (The default password is <blank> so just press ENTER.)
You will see Mikrotik's text logo and then: After you are logged in to the router from the command terminal, you will get the [admin@MikroTik] prompt as below. Then enter what is in RED and press ENTER.
3) [admin@MikroTik] > system reset
4) Dangerous! Reset anyway? (y/N): y
The system reset command will clear out any old configuration data and reboot. After reboot, login again as before and start entering the commands as follows when you have logged in successfully.
5) [admin@MikroTik] > password (This will let you change your password to something besides <blank>.)
6) old password: (Since your old password was <blank> just press ENTER.)
7) new password: mynewpassword (Select YOUR choice of password to enter here and write it down.)
8) retype new password: mynewpassword (Asks second time just to be sure.)
Then:
9) [admin@MikroTik] > interface
10) [admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    MTU
 0 X  ether1   ether   1500
 1 X  ether2   ether   1500
 2 X  ether3   ether   1500
There are three NICs installed in the system and initially all three are disabled (X).
11) [admin@MikroTik] interface> set 0,1 disabled=no (This enables both of the ethernet ports ether1, ether2, and leaves ether3 off for now.)
12) [admin@MikroTik] interface> /ip
(Note: The address 192.168.168.28 (below) represents the PUBLIC INTERNET side IP address of the Mikrotik Router. Change to your own suitable address as may be required.)
(All commands must be all in one continuous string (no carriage returns) when input and followed at the end by a carriage return. Be careful to look for parts of commands on second and even third lines in the listings below. The /24 after the IP address is equivalent to stating that the mask is 255.255.255.0)
Note: In this option (starting with step #13), we are going to use DHCP for automatic configuration of the ether1 NIC IP address, for the Gateway IP address, and for DNS Server resolution. If you would prefer to use FIXED IP addresses for these, use the alternative procedure HERE. To use the Mikrotik's DHCP CLIENT for IP resolution on ether1 NIC port, proceed as directed below. Make sure your ether1 NIC port is connected to a router with DHCP SERVICES and then proceed to step #13
13) [admin@MikroTik] interface> /ip dhcp-client
14) [admin@MikroTik] ip dhcp-client> set enabled=yes interface=ether1
Now to check the dhcp setup we just did:
15) [admin@MikroTik] ip dhcp-client> print
enabled: yes
interface: ether1
host-name: **
client-id: **
add-default-route: yes
use-peer-DNS: yes
To show the dhcp leases that should have been obtained assuming your ether1 port is connected to a router with DHCP Services:
16) [admin@MikroTik] ip dhcp-client> lease print
address: 128.1.1.120/24
expires: sept/25/2003 09:43:00
gateway: 128.1.1.1
primary-dns: 207.69.188.186 (yours will likely be different)
secondary-dns: 192.195.1.2 (if your DHCP server provides a second DNS server. Yours will differ.)
[admin@MikroTik] ip dhcp-client> /ip
17) [admin@MikroTik] ip> /ip hot (This abbreviation moves you to folder "hotspot". The first 2 or 3 letters of commands will usually work.)
(Now we run the Mikrotik Hotspot Setup Wizard.)
18) [admin@MikroTik] ip hotspot> setup
Select interface on which to run HotSpot
19) hotspot interface: ether2 (You enter the <ether2> which is the port used by the external access point for HotSpot Access.)
Enable universal client configuration? (Note: This feature permits a roaming hotspot client (user) to have ANY IP ADDRESS and GATEWAY ADDRESS set into his computer networking setup and still operate the Hotspot. This feature is NOT AVAILABLE to demo hotspot licenses.)
NOTE! For the FREE DEMO LICENSE, you MUST answer NO to this question.
20) enable universal client: yes (Paid license users MAY erase the default <no> and enter yes. Note: The Universal Client feature allows a user with "any" IP address to access the HotSpot without changing his fixed IP address setup, by only selecting your SSID. If you enable the Universal Client, you WILL NOT be able to use the DWL-900AP+ in REPEATER mode. The IP "mangle" that Universal Client uses to allow a user with "any" IP address to login to the HotSpot confuses simple repeaters such as the DWL-900AP+.)
Now we setup the HotSpot address for the Access Point interface on ether2. This is your selected hotspot gateway IP address for your Hotspot Access Point. It must be in the range of your Hotspot Pool selected below.
21) Local address of hotspot network gateway: 10.5.50.1/24 (Just press ENTER if the default is OK, otherwise enter your own gateway IP address for your HOTSPOT system. Don’t change this unless you understand what you are doing.)
22) masquerade hotspot network: yes
Now we set up the pool for HotSpot IP addresses. This is your assigned range for DHCP generated Hotspot IP addresses. 10.5.50.1 is reserved for the hotspot gateway IP address.
23) Address pool of hotspot network will be: 10.5.50.2-10.5.50.254 (If you want to put some fixed IP addresses inside this DHCP pool range, they will operate just fine. Note: If you are tempted to set the upper bound to some other number such as 200 to allow space for FIXED IP addresses for some devices, this is NOT a good idea. This is because if later you use Universal Client mode, then for the fixed IP addresses outside the HotSpot's DHCP range, the UC will double assign a second IP address to the "out of range" MAC addresses, and this can cause strange results such as timeout timers not working properly. Note also: Due to a bug in the hotspot setup wizard in current Mikrotik software, you cannot have a range of 10.5.50.50-10.5.50.254 and leave the range 2 through 49 open. If you fail to follow this guidance, you will find that multiple users cannot reliably login to the hotspot. Just use the default and be happy!)
Now set up so the router can access your SMTP server. Select the IP address of your mail server's SMTP service, e.g. 207.69.188.15. (You have to put in YOUR SMTP server's IP address for outbound email. This can be your ISP's SMTP server or a local server. If you do not have an SMTP server, enter some unused IP address in the IP range used by ether1. DEMO users will not get this option.)
24) ip address of smtp server: 207.69.188.15
Use local DNS cache?
25) use local dns cache: yes (You get to pick if you want the HotSpot to use the dns cache or go outside to your external DNS server for each DNS request.)
Now we setup the DNS configuration. Enter YOUR router gateway IP or your ISP's recommended DNS server IP address here. It may be that only your router gateway IP will work here if your router provides DNS services. Using your ISP's DNS server will usually be faster if your router permits this or if you plan to use PPPoE on ether1 connected directly to a DSL or Cable modem.
Setup DNS Configuration
26) dns servers: 192.168.168.1 (Should be the same as your other DNS server entries.)
Now we create the first local hotspot user. It is easy to create additional hotspot users using WinBox at a later time. Using WinBox, you can set up a <guest> profile which allows multiple logons without password and other profiles (such as the default) that allow only one login per name. In addition, this same profile can set the Tx and Rx baud rates allowed for each separate user profile. Each user ID can be set up with the same or different password or no password at all.
27) Name of local hotspot user: admin (This is the hotspot administrator's user ID. You can change if you wish. WRITE THIS AND THE PASSWORD DOWN! This is NOT the same as the Mikrotik Router's User ID and PASSWORD.)
28) password for the user: admin (This is administrator's password. Change as you see fit.)
Note: Setting up additional users is easy to do using WinBox. There is no provision for HotSpot users to self-register their own user names and passwords for "free hotspot" use. In fact, there is no real need on a "free hotspot". However, you can, for instance, set up "guest" as a user name with no password and set up a "guests" profile in WinBox USER PROFILES. Then add a note on the html login screen that "GUEST users may login as <guest> with no password for low speed internet access" or similar, if you wish to offer universal low speed access to transient guests as well as offering "known users" high speed access. This change of speed requires additional entries for guest baud rates in the hotspot user profiles. I suggest having multiple entries in the user table for "guest" including guest, GUEST, Guest, and <guest> to try to cover all combinations a user is likely to enter in the login window. See the Mikrotik HotSpot manual for more information on how to set up the WinBox software and enter additional users and passwords.
Select another port for (www) service.
port 80 is (normally) used by www service, select some other port for this service.
29) another port for service: 8081
Normally port 80 is used for (www) service. But on the Hotspot ether2 port, port 80 is used by the Hotspot Services and login html page. This means that if you wish to be able to access the winbox, then you will have to use port 8081 to access the router from the WINBOX interface. The Hotspot system demands use of port 80.
Use transparent web proxy for hotspot clients?
A "web proxy" is a cache used to store webpages, images, etc. so that repeated accesses to such items do not have to go all the way to the destination server when users go to the same webpage (such as http://www.yahoo.com) repeatedly over a short time. Such proxy caches typically hold items for a short lifetime to avoid furnishing "stale" data to users.
NOTE! For the FREE DEMO LICENSE, this feature is NOT AVAILABLE and you MUST answer NO to this question.
30) use transparent web proxy: yes (Answer "yes" for paid license users.)
Now, let's see if we are communicating with the external Access Point and user. Note that unless you actually have a computer or access point connected to and powered up and linked to the ether2 port this entire printout (Flags:X .....) will be BLANK. If you wait to plug in your computer or access point until AFTER you execute this command and then execute it again (up arrow brings up prior command(s)), it can be 30+ seconds after you plug in the cable before you get the printout. Make SURE you have a "connected" light on both ends of your ether2 to computer/AP cable. The actual IP addresses may differ.
31) [admin@MikroTik] ip hotspot> universal client print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# MAC-ADDRESS ADDRESS TO-ADDRESS INTERFACE IDLE-TIME
0 D 00:05:5D:5F:4E:34 10.5.50.100 10.5.50.100 ether2 10s
See item 32a) below for proper syntax for version 2.7.x and earlier revisions.
32) [admin@MikroTik] ip hotspot> /ip hotspot profile set default shared-users=1 (versions 2.8.x and higher)
32a) [admin@MikroTik] ip hotspot> /ip hotspot profile set default only-one=yes (versions BELOW 2.8)
This command sets the hotspot to accept SINGLE logins from the default user group. You will need to set up a <guests> user profile with the "only-one" parameter unchecked in the WinBox IP>HOTSPOT>USER>PROFILE settings. We need this on our Hotspot system so multiple simultaneous <guest> logins can occur.
To install and enter the WinBox program, proceed as follows: a) connect either to your local LAN router/hub that is feeding the ether1 (public) port, or b) connect to the hotspot port and login to the hotspot as admin with the password. Once connected one of these two ways, you can install and enter WinBox by calling up your browser and entering the PUBLIC IP address of your Mikrotik router as the URL with port 8081, as: http://192.168.168.28:8081. Then click on the WinBox icon on the upper left of the browser window and download <winbox.exe> to a suitable directory on your computer. Then execute winbox.exe to load WinBox. (You can use Windows Explorer to send an icon to your desktop if you wish.) Then click the WinBox icon on your desktop to go to WinBox.
To set up the guest listings, click on USERS>Groups. You will see three default groups with read, write, and all privileges. Add (click +) groups: guest, registered, member (for example). Give these groups ONLY web privileges. Then exit all WinBox screens after clicking OK on each. Now click on USERS and add all the names you need and assign them to whichever group you wish. Then go to IP>HOTSPOT>PROFILES and you will see your users listed. Double click on the profile line "guests" and view the popup window. You should see the profile name "guests", mark-flow should be "hs-auth", ONLY-ONE should be UNchecked (or "shared users" should be set to maybe 50), and login method should be "enabled-address". All else blank for now. This screen will allow multiple simultaneous logins to the guest group. Here in this window you can also set up timeouts, bandwidth allowances, and other variables.
Consult your Mikrotik manual for more details.
==========================================
At this point, the basic hotspot setup is completed and you should be able to enter any normal URL into the browser of a computer connected by wireless to the Wireless Access Point (may need to use a crossover cable if AP is directly connected to the ether2 NIC) and see the login screen. Enter your user ID and password (admin, admin) and you should be connected through to the internet. You should also be able to connect a Windows computer NIC directly to the ether2 port using a crossover cable if you want to try out the system operation without using the wireless link initially. You may want to edit the Login.html, trouble.html and other login-related pages using FrontPage, Dreamweaver or similar to customize these for your particular installation. Don't try and edit using Netscape Composer or it will likely fail to work with Mikrotik. (Mine did.)
Here is my list of "Gotchas" that will hopefully keep you from having some of the problems I did in getting started in further applications
==========================================
ADDING A THIRD NIC PORT TO SERVE YOUR LOCAL LAN.
If you add a THIRD port to the router, you can isolate your Hotspot from your local LAN and prevent Hotspot users from having any access to your local LAN which is using a common DSL or Cable internet line. Add the third ethernet card as ether3 and enter the following programming to activate the ether3 port. With this arrangement and programming, Hotspot users connected on ether2 and any local LAN users connected via ether3 will have full internet access via ether1, but will be isolated from each other.
Note: Demo software users have only 4 total NAT entries allowed and other limitations which will not permit all of the following to be entered. No harm in seeing how far you can get for your own configuration. Remember that the "web-proxy" commands are inoperative in the DEMO licensed software.
The IP address range of the third port will be 192.168.2.1 to 192.168.2.254. The gateway address of the third port will be 192.168.2.1. When the third LAN card is added to the computer, it will show up in the interface print list as ether3 and it will be "X" which means out of service. Note that which port is designated as ether1, ether2, and ether3 (by the computer) may change if the third LAN card is added AFTER the above Hotspot programming.
36) [admin@MikroTik] > /interface
37) [admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    MTU
 0 R  ether1   ether   1500
 1 R  ether2   ether   1500
 2 X  ether3   ether   1500
(Note: To enable ether3, in case it is disabled (X), proceed as follows.
38) [admin@MikroTik] interface> enable ether3
39) [admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    MTU
 0 R  ether1   ether   1500
 1 R  ether2   ether   1500
 2 R  ether3   ether   1500
(Note: The R above shows that all three ports are now "Running". Note that the ether1 card is known as #0 in the list ID.)
40) [admin@MikroTik] interface> /ip
41) [admin@MikroTik] ip> ad
42) [admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK          BROADCAST        INTERFACE
 0   192.168.168.28/24   192.168.168.0    192.168.168.255  ether1
 1   ;;; hotspot network
     10.5.50.1/24        10.5.50.0        10.5.50.255      ether2
43) [admin@MikroTik] ip address> add address=192.168.2.1/24 comment="Home network" interface=ether3
44) [admin@MikroTik] ip address> .. ( The .. means drop back one directory level.)
45) [admin@MikroTik] ip> /ip pool add name=home_dhcp_pool ranges=192.168.2.2-192.168.2.199
(Note: Adds new DHCP pool name to list. Leaves IP addresses 192.168.2.200 through 192.168.2.254 for use by fixed IP address devices.)
46) [admin@MikroTik] ip> /ip dhcp-server add name="home_dhcp_server" interface=ether3 lease-time=24h \ address-pool=home_dhcp_pool netmask=24 gateway=192.168.2.1 \ disabled=no
Note: The above sets up the new DHCP server for ether3 port so users can get IP addresses in the range. Also sets up the gateway as address 192.168.2.1.
47) [admin@MikroTik] ip> firewall src-nat add src-address=192.168.2.0/24 action=masquerade
(Note: Sets up masquerading for all of the IPs on ether3 so they can access the internet via ether1. Their own gateway is 192.168.2.1; the outside world sees only the router's ether1 address.)
At this point, if ether1 is connected to a LAN port with IP=192.168.168.1 (or YOUR router's gateway address) you SHOULD be able to connect to ether3 and make an immediate connection to the internet.
==================================================================
The following (optional) commands are grouped so you can pick and choose which services you may want to block/add.
====
Now for additional Added features, firewall filters, PPPoE, and etc.
48) [admin@MikroTik] ip> /ip firewall dst-nat add dst-address=0.0.0.0/0:53 protocol=udp \ action=nat to-dst-address=192.168.168.1 \ comment="intercept all DNS requests" (This causes all DNS requests to be grabbed and repointed to your local router at 192.168.168.1. The Hotspot setup already does this for the ether2 interface. If you want this for ether3 but NOT for all interfaces (in case you have more than 3 ports), add <in-interface=ether3> to the line above.)
Note the [BRACKETS] in the command below.
49) [admin@MikroTik] ip> /ip firewall dst-nat set [find comment="intercept all DNS requests"] \ to-dst-address=192.168.168.1 action=nat
The above finds the comment "intercept all DNS requests" and sends all related DNS requests to 192.168.168.1.
Note: As an ALTERNATIVE to the above you could use: </ip firewall dst-nat set [find comment="intercept all DNS requests"] \ to-dst-address=10.5.50.1> However, sending the DNS calls DIRECTLY to the DNS server saves router processing time and is preferred.
50) [admin@MikroTik] ip> address print (This shows how your network is setup.)
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK          BROADCAST        INTERFACE
 0   ;;; Public Internet Network
     192.168.168.28/24   192.168.168.0    192.168.168.255  ether1
 1   ;;; hotspot network
     10.5.50.1/24        10.5.50.0        10.5.50.255      ether2
 2   ;;; Home Network
     192.168.2.1/24      192.168.2.0      192.168.2.255    ether3
====
Now we restrict who may use the router's transparent web proxy. Note that these are web-proxy access rules, not packet filters: they decide which source networks the proxy will serve, and they do not by themselves block traffic from the internet (ether1) to hosts on ether2 and ether3.
51) [admin@MikroTik] ip>/ip web-proxy access add src-address=192.168.2.0/24 (This is for future use by port ether3. Putting it in now assures it is installed in the correct sequence later when you finish installing ether3.)
52) [admin@MikroTik] ip>/ip web-proxy access add src-address=10.5.50.0/24 (This is for use by the HotSpot on ether2.)
53) [admin@MikroTik] ip>/ip web-proxy access add action=deny (This denies proxy access from all other sources, such as anything arriving on ether1.)
(Note: The three commands above allow ONLY clients on your local LAN and on your HotSpot to use the web proxy. If you are running your Mikrotik box behind a NAT/firewall and already on a local LAN, this is not essential, but it can't hurt. Without it, a router connected directly to the internet via PPPoE or a LAN with no other firewall is an open proxy, and anyone on the internet could relay web requests through your connection. Isolating the hosts on ether2 and ether3 from each other and from ether1 is a job for /ip firewall rule filters, not for the proxy access list.)
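The isolation that the three-port layout is supposed to provide, as an added example that is not part of the original guide. The web-proxy access rules above only decide who may use the proxy; separation of the networks themselves has to come from forward-chain firewall rules. The example assumes that the RouterOS 2.8 </ip firewall rule <chain> add ...> form used elsewhere on this page applies unchanged to the forward chain, that rules in a chain are matched top to bottom with the first match deciding, and that the "intercept all DNS requests" dst-nat rule from step 48 is in place; the addresses are the page's own.

```routeros
# Added example, not from the original guide. Assumes RouterOS 2.8 syntax as
# shown on this page and the page's address plan:
#   ether1 192.168.168.0/24 (gateway and DNS at 192.168.168.1)
#   ether2 10.5.50.0/24     (hotspot clients)
#   ether3 192.168.2.0/24   (home LAN)
# First matching rule in a chain wins.

# 1) Hotspot clients may still reach the DNS server on the ether1 LAN. This
#    accept must sit above the drops below: the "intercept all DNS requests"
#    dst-nat rule (step 48) rewrites the destination to 192.168.168.1 before
#    the forward chain sees the packet, so a blanket drop would kill DNS.
/ip firewall rule forward add src-address=10.5.50.0/24 dst-address=192.168.168.1/32:53 protocol=udp action=accept comment="hotspot -> gateway DNS"

# 2) Hotspot clients may not reach the home LAN, nor any other host on the
#    ether1 LAN (the exposure item 3 of "The basic configuration" warns about).
/ip firewall rule forward add src-address=10.5.50.0/24 dst-address=192.168.2.0/24 action=drop comment="hotspot -> home LAN"
/ip firewall rule forward add src-address=10.5.50.0/24 dst-address=192.168.168.0/24 action=drop comment="hotspot -> ether1 LAN"

# 3) Home LAN hosts may not reach hotspot clients either, so the two networks
#    cannot see each other in either direction. Internet traffic is untouched:
#    it is masqueraded out of ether1 toward public addresses, which none of
#    these rules match.
/ip firewall rule forward add src-address=192.168.2.0/24 dst-address=10.5.50.0/24 action=drop comment="home LAN -> hotspot"

# 4) Check the order, then test from a hotspot client: ping 192.168.2.1 and a
#    home-LAN host must fail, while an ordinary web page still loads.
/ip firewall rule forward print
```

Traffic to the router itself (the login page on 10.5.50.1, the local DNS cache, Winbox) goes through the input chain and is not affected by these rules. To give yourself, or one "Trusted" user, LAN access over the hotspot, add an accept rule with that client's hotspot address as src-address above the drops; since the default pool hands out dynamic addresses, give that client a fixed address inside the pool first.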
====
Now we add commands to allow Winbox, our mail server, and other local servers connected to ether2 to operate.
First we open up the four ports so Winbox and its associated FTP client can operate from all ports to the Mikrotik Router.
54) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:3987 protocol=tcp \ comment="accept winbox-tls"
55) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:8081 protocol=tcp \ comment="accept winbox"
56) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:20-21 protocol=tcp \ comment="accept ftp"
At this point, Winbox can connect to the router through any of the three ether(x) ports. However, you might want to limit who can connect, either by adding src-address=xxx.xxx.xxx.xxx/32 (/32 = a single IP) to the rules above or by setting WHO can connect to each service under /ip service.
====
At this point, you should be able to connect a Windows computer with a NIC (with a crossover cable) into the ether3 port and access the internet via the ether1 connection, while the ether2 port operates as a Hotspot controller. As of this point, no inbound connection from the public port ether1 is forwarded to ether2 or ether3 (nothing has been dst-nat'ed to them). Ether1 must be connected to a LAN router interface to the internet with DHCP service on gateway address 192.168.168.1.
====
Now we add filters to allow outside users on the internet to access our mail server. Most ISPs block access to port 25, but you can insert any port you wish in place of the port numbers below.
57) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:25 protocol=tcp \ comment="accept incoming SMTP"
Now we add a filter to allow access to port 110 so mail server users can collect their mail.
58) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:110 protocol=tcp \ comment="allow POP3 mail pickup"
You can add additional filters as needed. We also need to add filters to direct incoming mail traffic to our mail server, which happens to be on IP address 192.168.2.66.
====
THESE FILTERS are a "work in progress". Check back; I am working on PPPoE and more filters and will add them when they are checked out and working.
=======================================================
OPTIONAL ADDITIONAL FEATURES:
You may wish to have some computers arranged so that they automatically login and so no manual LOGON sequence is required. There are two ways to do this. One way is to use the remote client's MAC address as the password and the other is to use "cookies".
a) To automatically LOGIN the computer with MAC=00:80:C8:AC:EE:34, enter the following commands:
59) [admin@MikroTik] /ip hotspot set auth-mac=yes auth-mac-password=yes
[admin@MikroTik] /ip hotspot user add name=00:80:C8:AC:EE:34 \ password=00:80:C8:AC:EE:34
[admin@MikroTik] /ip hotspot user add name=00:80:A4:CC:EF:84 \ password=00:80:A4:CC:EF:84
Following these commands, the particular computers with the two selected MAC addresses will immediately login (automatically) and connect whenever browser access to a URL is attempted. You can add any number of automatic logins by this approach. In addition, cookies can be used for automatic login. See the Mikrotik Manual for details.
------------------------
You may want to allow users to access certain websites WITHOUT having to login to the Hotspot. For instance, you might wish to allow them to access the Atlanta Free Net website at http://www.atlantafreenet.org before they login. What you do is to include firewall rules in the hotspot-temp chain to allow access to particular IP addresses PRIOR to the firewall rule which rejects all other traffic from temporary addresses. This new rule MUST be placed BEFORE the "redirect to hotspot service" rule. To do this you enter the following commands:
60a) [admin@MikroTik] /ip firewall dst-nat add dst-address=x.x.x.x/32 dst-port=80 protocol=tcp \ action=accept
60b) [admin@MikroTik] /ip firewall rule hotspot-temp add dst-address=x.x.x.x/32 dst-port=80 protocol=tcp \ action=return
Again: you must place these rules BEFORE the final REJECT rules. Note that you MUST use an IP address; a URL cannot be used. Note that Mikrotik will soon have a version allowing URLs instead of IP addresses in this mode.
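To see why the placement of the walled-garden rule matters, here is an added example (written for this edit, not code from Joe Mehaffey's guide or from Mikrotik) that models a first-match firewall chain in Python. The chain contents are a constructed stand-in for the hotspot-temp chain: a redirect-to-login rule for TCP/80, a catch-all reject, and the step 60b "return" rule inserted either before or after them. The address 203.0.113.10 is a documentation address, not the real Atlanta Free Net IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One rule of a first-match chain; the field names mirror the guide's commands."""
    action: str                          # return / accept / reject / redirect
    dst_address: Optional[str] = None    # CIDR such as "203.0.113.10/32"; None = any address
    dst_port: Optional[int] = None       # None = any port
    protocol: Optional[str] = None       # "tcp", "udp" or None = any protocol
    comment: str = ""

    def matches(self, dst_ip: str, dst_port: int, protocol: str) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.dst_address is not None:
            net = ipaddress.ip_network(self.dst_address, strict=False)
            if ipaddress.ip_address(dst_ip) not in net:
                return False
        return True


def evaluate(chain: List[Rule], dst_ip: str, dst_port: int, protocol: str) -> str:
    """First-match semantics: walk top to bottom, the first matching rule decides."""
    for rule in chain:
        if rule.matches(dst_ip, dst_port, protocol):
            return rule.action
    return "return"   # fell off the end: hand control back to the calling chain


def hotspot_temp_chain(walled_garden_ip: str, garden_rule_first: bool) -> List[Rule]:
    """Constructed, simplified hotspot-temp chain for not-yet-authenticated clients.

    The two fixed rules send HTTP to the login page and reject everything
    else; the walled-garden 'return' rule from step 60b is inserted either
    before them (correct) or after them (never reached)."""
    garden = Rule("return", f"{walled_garden_ip}/32", 80, "tcp",
                  comment="walled garden, step 60b")
    fixed = [
        Rule("redirect", None, 80, "tcp", comment="redirect to hotspot login"),
        Rule("reject", comment="reject everything else from temp addresses"),
    ]
    return [garden] + fixed if garden_rule_first else fixed + [garden]


def walled_garden_reachable(walled_garden_ip: str, garden_rule_first: bool) -> bool:
    """True when an unauthenticated client's HTTP request to the walled-garden
    address leaves the chain with 'return' instead of being redirected."""
    chain = hotspot_temp_chain(walled_garden_ip, garden_rule_first)
    return evaluate(chain, walled_garden_ip, 80, "tcp") == "return"


if __name__ == "__main__":
    site = "203.0.113.10"   # constructed documentation address
    print("garden rule before redirect/reject:", walled_garden_reachable(site, True))
    print("garden rule after redirect/reject: ", walled_garden_reachable(site, False))
```

With the rule placed last, the redirect rule matches first and the walled-garden site is never reached; any other destination, or a non-HTTP port to the walled-garden address, still hits the redirect or reject rule as intended.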
-------------------------
You may wish to add a rule to allow all users to use your mailserver port 25 REGARDLESS of what their mail server settings happen to be. You will need to be careful to set up your mail server to avoid becoming a spam relay! Here is how you set up the Mikrotik to direct any/all port 25 traffic to YOUR mailserver's port 25. The following assumes 192.168.168.66 is your mailserver.
61) [admin@MikroTik] /ip firewall dst-nat add src-address=10.5.50.0/24 dst-port=25 protocol=tcp \ to-dst-address=192.168.168.66 action=nat \ comment="Translate all SMTP TCP port 25 traffic to our mail server"
----------------------
Editing the login.html page
If you want to edit the text on the login page, you must be aware of the fact that normal html editors such as Mozilla Composer, DreamWeaver, and FrontPage can "mess up" the login page so it will not work with Mikrotik any longer. Mikrotik uses a special non-standard format for one item which you will have to verify does not get changed by your editor.
The problem is with lines like this:
<form %form-input%>
The HTML editor knows that this is not a valid construction and makes it look like this:
<form %form-input="">
which is not a valid construction for the hotspot. You will have to manually remove the "" from such lines and insert the % back instead.
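Rather than hunting for the damaged lines by hand, the repair can be scripted. The following is an added example (mine, not part of the guide or of RouterOS) that finds every %name="" token an HTML editor has produced and rewrites it back to %name%. It generalises from the one %form-input% case the text shows to any %name% placeholder, which is an assumption about the page format; the sample login page below is constructed.

```python
import re
import sys

# RouterOS expands tokens written as %name% inside login.html. An HTML editor
# that treats "%form-input%" as a bare attribute rewrites it as %form-input=""
# and the hotspot no longer recognises the form. (Assumption: every %name%
# token on the page is mangled the same way, not only %form-input%.)
MANGLED = re.compile(r'%([A-Za-z0-9_-]+)=""')


def find_mangled(html: str) -> list:
    """Names of the placeholders an editor has turned into name="" attributes."""
    return MANGLED.findall(html)


def repair_placeholders(html: str) -> str:
    """Rewrite every %name="" back to %name%; already-correct text is untouched."""
    return MANGLED.sub(r'%\1%', html)


# Constructed sample: a minimal login page after a round trip through an HTML editor.
MANGLED_SAMPLE = """<html><body>
<form %form-input="">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="login">
</form>
</body></html>
"""


if __name__ == "__main__":
    # Usage: python repair_login.py [path/to/login.html]
    # Without a path the constructed sample is checked and printed instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    html = open(path, encoding="utf-8").read() if path else MANGLED_SAMPLE
    broken = find_mangled(html)
    print("mangled placeholders:", broken or "none")
    fixed = repair_placeholders(html)
    if path and broken:
        open(path, "w", encoding="utf-8").write(fixed)
        print("repaired", path)
    else:
        print(fixed, end="")
```

Run the script once more after saving from the editor; a clean file reports no mangled placeholders and is left unchanged, so it is safe to run repeatedly.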
-----------------------------
Hotspot users must access the Hotspot by use of a browser with JAVA support. This currently includes IE5/6, Netscape 4/6/7 and Mozilla 1.4 among many others.
======================================================
I want to express my appreciation for the able assistance of Eje Gustafsson of The Family Entertainment Network http://www.fament.com in finishing up this design, and in particular for the firewall filter design and other special features. Mr. Gustafsson is a design consultant on the Mikrotik and Star OS Hotspot Routers and I am impressed with his expertise. FEN also sells Mikrotik software licenses and "solid state FLASH disk drives" for use with the Mikrotik software. With this flash drive, a router can be built with no floppy/CDROM/Hard Drive for reliability.
The instructions in this article are copyrighted (c) by Joe Mehaffey 2003. These directions may be freely copied for individual use PROVIDED the article is not changed/edited or used commercially without the written approval of the author.