Allied Telesis AT-WR4500 Network Router User Manual


 
234 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
All other packets from unauthorized clients, except DNS and login requests, should pass through the hs-unauth chain.
7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
Packets from authorized clients pass through the hs-auth chain.
8 D ;;; www.alliedtelesis.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return
First in the hs-unauth chain comes everything that affects the TCP protocol in the /ip hotspot walled-garden ip submenu (i.e., every entry where the protocol is either not set or set to TCP). Here we are
excluding www.alliedtelesis.com from being redirected to the login page.
9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
All other HTTP requests are redirected to the Walled Garden proxy server, which listens on port 64874.
If there is an allow entry in the /ip hotspot walled-garden menu for an HTTP request, the request is
forwarded to its destination. Otherwise, it is automatically redirected to the HotSpot
login servlet (port 64873).
10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp
HotSpot by default assumes that only these ports may be used for HTTP proxy requests. These two
entries are used to "catch" client requests to unknown proxies, i.e., to make it possible for clients
with unknown proxy settings to work with the HotSpot system. This feature is called "Universal Proxy". If
it is detected that a client is using some proxy server, the system will automatically mark those packets
with the http hotspot mark to work around the unknown proxy problem, as we will see later on. Note
that the port used (64874) is the same as for HTTP requests in rule #8 (so both HTTP and HTTP
proxy requests are processed by the same code).
11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875
The HTTPS proxy listens on port 64875.
13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
A redirect for the SMTP protocol may also be defined in the HotSpot configuration. If it is, a redirect rule
will be put in the hs-smtp chain. This is done so that users with an unknown SMTP configuration are
able to send their mail through the service provider's (your) SMTP server instead of going to the [possibly
unavailable outside their network of origin] SMTP server they have configured on their computers. The
chain is empty by default, hence the invalid jump rule.
15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
Providing HTTP proxy service for authorized users. Authenticated user requests may need to be subject
to transparent proxying (for the "Universal Proxy" technique and for the advertisement feature). This
http mark is put automatically on HTTP proxy requests that the HotSpot HTTP proxy (the one
listening on port 64874) detects to be HTTP proxy requests to unknown proxy
servers. This is done so that users who have some proxy settings use the HotSpot gateway instead
of the [possibly unavailable outside their network of origin] proxy server they have configured on their
computers. The mark is also put on any HTTP requests made by users whose profile is
configured to transparently proxy their requests.
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
Providing SMTP proxy for authorized users (the same as in rule #12)
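
The hs-unauth rules listed above are evaluated top-down, so the walled-garden return entry only works because it sits before the port 80 redirect. The following sketch is an added example, not part of the manual or of RouterOS: it models that first-match behaviour and flags entries that an earlier rule makes unreachable. The function names are hypothetical, matching is exact-string on three matchers only, and the D/I flags and the hotspot= matcher are ignored.

```python
# Added example: first-match model of the hs-unauth NAT chain shown on this page.
RULES = """\
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80 action=return
chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp
chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875
chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
"""
MATCHERS = ("protocol", "dst-address", "dst-port")  # only the matchers used above
TERMINAL = ("return", "redirect")

def parse_rules(text):
    """Parse 'key=value ...' lines into dicts; list order is the rule order."""
    return [dict(t.split("=", 1) for t in ln.split())
            for ln in text.splitlines() if ln.strip()]

def matches(rule, pkt):
    """A rule matches when every matcher it sets equals the packet's value."""
    return all(rule[k] == str(pkt.get(k)) for k in MATCHERS if k in rule)

def evaluate(rules, pkt, chain="hs-unauth"):
    """Walk one chain top-down; the first matching terminal rule decides."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] == "redirect":
            return ("redirect", int(rule["to-ports"]))
        if rule["action"] == "return":
            return ("return", None)        # leaves the chain, not redirected
        if rule["action"] == "jump":
            verdict = evaluate(rules, pkt, rule["jump-target"])
            if verdict[0] == "redirect":
                return verdict             # otherwise resume after the jump
    return ("fall-through", None)

def shadowed(rules):
    """Indexes of rules that can never match: an earlier terminal rule in the
    same chain sets a subset of their matchers."""
    hits = []
    for i, r in enumerate(rules):
        mine = {(k, r[k]) for k in MATCHERS if k in r}
        for e in rules[:i]:
            theirs = {(k, e[k]) for k in MATCHERS if k in e}
            if e["chain"] == r["chain"] and e["action"] in TERMINAL and theirs <= mine:
                hits.append(i)
                break
    return hits
```

Running shadowed() over an exported rule set after editing walled-garden entries shows whether any exception has ended up behind a broader redirect and therefore never takes effect.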