Manual:IP/Hotspot/Walled Garden: Difference between revisions
(One intermediate revision by the same user not shown) | |||
Line 8: | Line 8: | ||
<br /> | <br /> | ||
HTTP walled-garden | HTTP walled-garden menu permits authentication bypass settings for HTTP and HTTPs resources. | ||
Wildcard properties (dst-host and path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character). | |||
Regular expressions are also accepted here, but if the property should be treated as a regular expression, it should start with a colon (':'). | |||
To show that no symbols are allowed before the given pattern, we use ^ symbol at the beginning of the pattern. | |||
To specify that no symbols are allowed after the given pattern, we use $ symbol at the end of the pattern. | |||
===Example=== | |||
To only permit bypassed access in walled garden to "www.example.com/test" but not to "www.example.com/test/test.php" : | |||
<pre> | |||
/ip hotspot walled-garden | |||
add dst-host=:^www.example.com path=":/test\$" | |||
</pre> | |||
(note the trailing $ requires the escape character '\' to stop it from be processed as an actual $ character in the url) | |||
===Properties=== | ===Properties=== | ||
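Review bot: in the added example, `dst-host=:^www.example.com` has no trailing `$` and leaves the dots unescaped, so under the anchoring rules this same revision introduces it matches any host that merely begins with that string; `path=":/test\$"` likewise has no leading `^`, so a path such as "/a/test" also passes. A walled-garden match bypasses authentication, so the example should anchor both ends of each pattern and escape the dots. The closing note also needs "from being processed" in place of "from be processed".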
Line 131: | Line 147: | ||
|default= | |default= | ||
|desc=Destination IP address, IP address of the WEB-server. Ignored if '''dst-host''' is already specified. | |desc=Destination IP address, IP address of the WEB-server. Ignored if '''dst-host''' is already specified. | ||
}} | |||
{{Mr-arg-table | |||
|arg=src-address-list | |||
|type=IP | |||
|default= | |||
|desc=[[Manual:IP/Firewall/Address_list | Source IP address list]]. Ignored if '''dst-host''' is already specified. | |||
}} | |||
{{Mr-arg-table | |||
|arg=dst-address-list | |||
|type=IP | |||
|default= | |||
|desc=[[Manual:IP/Firewall/Address_list | Destination IP address list]]. Ignored if '''dst-host''' is already specified. | |||
}} | }} | ||
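Review bot: both added entries declare `|type=IP` for `src-address-list` and `dst-address-list`, although their descriptions link to the firewall address list page, so the value refers to a list and not a single IP address; the type should say so. The sentence "Ignored if '''dst-host''' is already specified" is identical to the one on the dst-address entry just above and should be confirmed for src-address-list before it is published.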
Revision as of 09:53, 9 June 2017
Walled Garden
Sub-menu: /ip hotspot walled-garden
The HTTP walled-garden menu holds the authentication bypass settings for HTTP and HTTPS resources.
Wildcard properties (dst-host and path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character).
Regular expressions are also accepted here, but a property that should be treated as a regular expression must start with a colon (':'). To specify that no symbols are allowed before the given pattern, use the ^ symbol at the beginning of the pattern. To specify that no symbols are allowed after the given pattern, use the $ symbol at the end of the pattern.
Example
To permit bypassed access in the walled garden only to "www.example.com/test" but not to "www.example.com/test/test.php":
```
/ip hotspot walled-garden add dst-host=:^www.example.com path=":/test\$"
```
(note the trailing $ requires the escape character '\' to stop it from being processed as an actual $ character in the url)
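The matching rules above decide which requests skip authentication, so it helps to test a rule against sample requests before deploying it. The following is an added example, not code from the MikroTik manual: it models the described semantics in Python, assuming Python's `re` is a close enough stand-in for the router's regular expression engine; `compile_rule`, `audit` and the sample requests are hypothetical names and constructed data.

```python
import re

def compile_rule(value):
    """Turn a dst-host/path property value into a predicate.

    A leading ':' marks a regular expression, which matches anywhere in
    the string unless anchored with ^ and $. Anything else is a wildcard
    pattern that must match the complete string ('*' and '?' only).
    """
    if value.startswith(":"):
        rx = re.compile(value[1:])
        return lambda s: rx.search(s) is not None
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    rx = re.compile("".join(parts))
    return lambda s: rx.fullmatch(s) is not None

def audit(host_rule, path_rule, requests):
    """Return the (host, path) pairs a rule pair would let through."""
    host_ok, path_ok = compile_rule(host_rule), compile_rule(path_rule)
    return [(h, p) for h, p in requests if host_ok(h) and path_ok(p)]

# Constructed sample requests (host, path); not taken from a real capture.
REQUESTS = [
    ("www.example.com", "/test"),
    ("www.example.com", "/test/test.php"),
    ("www.example.com", "/a/test"),
    ("www.example.com.other.test", "/test"),
    ("wwwXexample.com", "/test"),
]

# Rule from the page's example, as the router sees it once \$ becomes $.
page_rule = audit(":^www.example.com", ":/test$", REQUESTS)
# Variant anchored at both ends, with the dots escaped (assumed hardening).
strict_rule = audit(r":^www\.example\.com$", ":^/test$", REQUESTS)
# Wildcard form: no leading colon, so the whole string must match.
wildcard_rule = audit("*.example.com", "/test", REQUESTS)

if __name__ == "__main__":
    for name, hits in (("page", page_rule), ("strict", strict_rule),
                       ("wildcard", wildcard_rule)):
        print(name, hits)
```

The page's rule blocks "/test/test.php" as intended but still lets through three other requests that the anchored variant rejects.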
Properties
Property | Description |
---|---|
action (allow | deny; Default: allow) | Action to perform when a packet matches the rule |
server (string; Default: ) | Name of the HotSpot server the rule is applied to. |
src-address (IP; Default: ) | Source address of the user, usually the IP address of the HotSpot client |
method (string; Default: ) | HTTP method of the request |
dst-host (string; Default: ) | Domain name of the destination web server |
dst-port (integer; Default: ) | TCP port number the client sends the request to |
path (string; Default: ) | The path of the request; the path comes after http://dst_host/ |
Read-only properties
Property | Description |
---|---|
dst-address (IP) | |
hits (integer) | |
IP Walled Garden
Sub-menu: /ip hotspot walled-garden ip
Walled-garden menu for IP requests (Winbox, SSH, Telnet, SIP, etc.)
Properties
Property | Description |
---|---|
action (allow | deny | reject; Default: allow) | Action to perform when a packet matches the rule |
server (string; Default: ) | Name of the HotSpot server the rule is applied to. |
src-address (IP; Default: ) | Source address of the user, usually the IP address of the HotSpot client |
dst-address (IP; Default: ) | Destination IP address, the IP address of the web server. Ignored if dst-host is already specified. |
src-address-list (IP; Default: ) | Source IP address list. Ignored if dst-host is already specified. |
dst-address-list (IP; Default: ) | Destination IP address list. Ignored if dst-host is already specified. |
dst-host (string; Default: ) | Domain name of the destination web server. When this parameter is specified, a dynamic entry is added to the Walled Garden |
dst-port (integer; Default: ) | TCP port number the client sends the request to |
protocol (integer | string; Default: ) | IP protocol |
Example
When a walled garden IP entry is added, several dynamic rules are created. For example, let's add www.paypalobject.com
```
/ip hotspot walled-garden ip add action=accept disabled=no dst-host=www.paypalobject.com
```
Now if you look at the walled garden menu, you will see a dynamic entry for the object we just added
```
[admin@493G] /ip hotspot walled-garden> print detail
Flags: X - disabled, D - dynamic
 0 D ;;; www.paypalobject.com
     dst-address=68.178.232.99 action=allow hits=0
```
Dynamic firewall and NAT rules are also added to allow the resolved address of paypalobject.com
```
[admin@493G] /ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
...
 7 D ;;; www.paypalobject.com
     chain=hs-unauth action=return dst-address=68.178.232.99
...
10 D ;;; www.paypalobject.com
     chain=hs-unauth-to action=return src-address=68.178.232.99
```
```
[admin@493G] /ip firewall nat> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
...
 8 D ;;; www.paypalobject.com
     chain=hs-unauth action=return dst-address=68.178.232.99
...
```