改變www服務端口為8081:
/ip service set www port=8081/ip service set hotspot port=80
Setup hotspot profile to mark authenticated users with flow name "hs-auth":
/ip hotspot profile set default mark-flow="hs-auth" login-method=enabled-address
/ip hotspot user add name=user1 password=1
重定向所有未授權用戶的tcp請求到hotspot服務
/ip firewall dst-nat add in-interface="ether2" flow="!hs-auth" protocol=tcp action=redirect
to-dst-port=80 comment=" redirect unauthorized clients to hotspot service"
允許dns請求、icmp ping ;拒絕其他未經認證的所有請求:
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
action=accept comment="accept requests for hotspot servlet"
action=accept comment="accept requests for local DHCP server"
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"
comment="return if connection is authorized"
comment="allow ping requests"
comment="allow dns requests"
comment="reject access for unauthorized clients"
Create hotspot chain for authorized hotspot clients:
/ip firewall add name=hotspot comment="account authorized hotspot clients"
/ip firewall rule forward add action=jump jump-target=hotspot
comment="account traffic for authorized hotspot clients"
客戶機輸入任何網址,都自動跳轉到登陸頁面,輸入賬號密碼,繼續瀏覽。
如果使用ftp、pop3等,也必須先通過網頁登錄,才可以使用,當然使用winbox的時候也必須先登錄。這裡一定要注意網卡ether的名字
改變hotspot服務端口為80,為用戶登錄頁面做準備:
增加一個用戶:
/ip firewall rule forward add in-interface=ether2 action=jump
/ip firewall rule input add in-interface=ether2 dst-port=80 protocol=tcp
/ip firewall rule input add in-interface=ether2 dst-port=67 protocol=udp
/ip firewall rule input add in-interface=ether2 action=jump
/ip firewall rule hotspot-temp add flow="hs-auth" action=return
/ip firewall rule hotspot-temp add protocol=icmp action=return
/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return
/ip firewall rule hotspot-temp add action=reject
創建hotspot通道給認證後的hotspot用戶
Pass all through going traffic to hotspot chain: