
I have RouterOS installed on a virtual server, with 3 interfaces:

  • lan - 192.168.1.1/24
  • wan - 192.168.2.1/24
  • wifi - 192.168.3.1/24

I have a PPPoE client that connects over the WAN to my ISP and gets a static public IP, x.x.x.x.

I have a Windows server with DNS and HTTP services on the LAN interface, and one wireless access point on the WIFI interface.

I have created rules to block incoming connections from the internet, except ports 80, 53, ...

I have created a dst-nat from my public IP x.x.x.x to the local server IP, another dst-nat from the LAN to the server's LAN IP address, a src-nat masquerade for LAN and WIFI connections to the server, and another src-nat masquerade for internet access.

Also, the MikroTik DNS service is used to fetch and cache records from my local server's DNS service.

Everything worked well until I wanted to create a hotspot service on the WIFI interface. The dynamic firewall filters and NATs break everything that worked.

The scenario is: WIFI users get internet access after authentication and reach the local server locally and free of charge; LAN users have free internet access; and my server is publicly reachable over the web from the internet.

Thanks in advance!


1 Answer


NOTE: Skip to TLDR if you just want the direct answer.

This configuration has been made far more complicated than necessary. I'm going to write this up from memory because I don't have an unused router handy at the moment, but this should work.

I'm going to make some assumptions here:

  • You do not want anyone from the WAN or PPPoE to be able to reach your LAN.
  • You don't want anyone from the WIFI to be able to reach your LAN except for HTTP or DNS.
  • You FULLY intend to circle back once everything is working and ENABLE HTTPS on your server. THIS IS IMPORTANT!!!

First, set up everything to work without restriction. No rules except for a single masquerade entry. You want to masquerade all traffic NOT destined for 192.168.0.0/16. This rule is all you will need. The DST-NAT rules are unnecessary unless you want to provide service to traffic on the PPPoE interface.

Next, add the following firewall rules under the FORWARD chain:

  • ACCEPT all Established and all Related traffic (no other restrictions).
  • ACCEPT FROM 192.168.3.0/24 TO TCP 80,53,443 destined for your Windows Server IP address.
  • ACCEPT FROM 192.168.3.0/24 TO ICMP destined for your Windows Server IP address.
  • ACCEPT FROM 192.168.1.0/24 TO !192.168.0.0/16. This allows Internet access for the LAN.
  • ACCEPT FROM 192.168.3.0/24 TO !192.168.0.0/16. This allows Internet access for the WIFI.
  • DROP everything else.

Make sure everything still works. These basic rules will give you at least some protection on your LAN from random people connecting to your WIFI. This way, if you ever disable your Hotspot to allow unrestricted access through your WIFI, your LAN is still protected.

* TLDR *

Now you can set up your hotspot. The most important part is on your Walled Garden IP list tab, under IP -> Hotspot. You must add entries here allowing access to whatever servers you want to function before someone logs on, specifically your server's HTTP, DNS, etc services. The Hotspot will translate these into automatically-created firewall rules for you.

Finally, I would be remiss if I didn't tell you that this is not a complete firewall setup, and there's all sorts of stuff that can go wrong here if things are not implemented properly. My email is in my profile here if you are interested in paid assistance.

C. Taylor
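The rule set the answer describes (one masquerade, the FORWARD chain, then the walled-garden entries), written out as RouterOS CLI commands. This is an added example, not the answerer's or the asker's configuration; the Windows server address 192.168.1.10 is an assumption (the page never gives it), and DNS over UDP 53 is added alongside the answer's TCP 53 because clients query over UDP first.

```routeros
# Added example: the answer's rule set as RouterOS CLI commands.
# Assumption: the Windows server is 192.168.1.10 (not stated on the page).
# RouterOS evaluates each chain top to bottom, so order matters.

# 1. NAT: a single masquerade for traffic NOT bound for 192.168.0.0/16.
/ip firewall nat
add chain=srcnat dst-address=!192.168.0.0/16 action=masquerade comment="masquerade Internet-bound traffic only"

# 2. FORWARD chain, in the order the answer lists the rules.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to existing connections"
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=80,443,53 action=accept comment="WIFI -> server HTTP/HTTPS/DNS over TCP"
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.1.10 protocol=udp dst-port=53 action=accept comment="WIFI -> server DNS over UDP (added; clients query UDP first)"
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.1.10 protocol=icmp action=accept comment="WIFI -> server ping"
add chain=forward src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 action=accept comment="LAN -> Internet"
add chain=forward src-address=192.168.3.0/24 dst-address=!192.168.0.0/16 action=accept comment="WIFI -> Internet"
# A dst-nat publishing the server on the PPPoE interface would need its own
# forward accept placed above this drop; the answer leaves that optional.
add chain=forward action=drop comment="drop everything else, including WIFI -> LAN and WAN -> LAN"

# 3. Hotspot walled garden: what an unauthenticated WIFI client may reach.
#    These generate the hotspot's dynamic rules, so they must match step 2.
/ip hotspot walled-garden ip
add dst-address=192.168.1.10 protocol=tcp dst-port=80 action=accept comment="server HTTP before login"
add dst-address=192.168.1.10 protocol=udp dst-port=53 action=accept comment="server DNS before login"
```

After applying, `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm WIFI-to-LAN traffic is landing on the final drop rather than an accept.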