Manual:IP/Hotspot/Walled Garden

From MikroTik Wiki
Jump to: navigation, search
Version.png

Applies to RouterOS: v3, v4, v5+

Walled Garden

Sub-menu: /ip hotspot walled-garden


HTTP walled-garden menu permits authentication bypass settings for HTTP and HTTPs resources.

Wildcard properties (dst-host and path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character). Regular expressions are also accepted here, but if the property should be treated as a regular expression, it should start with a colon (':'). To show that no symbols are allowed before the given pattern, we use ^ symbol at the beginning of the pattern. To specify that no symbols are allowed after the given pattern, we use $ symbol at the end of the pattern.

Icon-warn.png

Warning: If Walled Garden contains entry for HTTP site which is used for Hotspot detection on mobile applications (mobile phones, tablets, laptops, etc.), then Hotspot will not be automatically detected and login pop-up will not appear by itself on client device.


Example

To only permit bypassed access in walled garden to "www.example.com/test" but not to "www.example.com/test/test.php" :

/ip hotspot walled-garden
add dst-host=:^www.example.com path=":/test\$"

(note the trailing $ requires the escape character '\' to stop it from be processed as an actual $ character in the url)

Properties

Property Description
action (allow | deny; Default: allow) Action to perform, when packet matches the rule
  • allow - allow access to the web-page without authorization
  • deny - the authorization is required to access the web-page
server (string; Default: ) Name of the HotSpot server, rule is applied to.
src-address (IP; Default: ) Source address of the user, usually IP address of the HotSpot client
method (string; Default: ) HTTP method of the request
dst-host (string; Default: ) Domain name of the destination web-server
dst-port (integer; Default: ) TCP port number, client sends request to
path (string; Default: ) The path of the request, path comes after '''http://dst_host/'''

Read-only properties

Property Description
dst-address (IP)
hits (integer)

IP Walled Garden

Sub-menu: /ip hotspot walled-garden ip


Walled-garden menu for the IP requests (Winbox, SSH, Telnet, SIP, etc.)

Properties

Property Description
action (allow | deny | reject; Default: allow) Action to perform, when packet matches the rule
  • allow - allow access to the web-page without authorization
  • deny - the authorization is required to access the web-page
  • reject - the authorization is required to access the resource, ICMP reject message will be sent to client, when packet will match the rule
server (string; Default: ) Name of the HotSpot server, rule is applied to.
src-address (IP; Default: ) Source address of the user, usually IP address of the HotSpot client
dst-address (IP; Default: ) Destination IP address, IP address of the WEB-server. Ignored if dst-host is already specified.
src-address-list (string; Default: ) Source IP address list.
dst-address-list (string; Default: ) Destination IP address list. Ignored if dst-host is already specified.
dst-host (string; Default: ) Domain name of the destination web-server. When this parameter is specified dynamic entry is added to Walled Garden
dst-port (integer; Default: ) TCP port number, client sends request to
protocol (integer | string; Default: ) IP protocol

Example

When adding walled garden IP entry several dynamic rules are created. For example, lets add www.paypalobject.com

/ip hotspot walled-garden ip
add action=accept disabled=no dst-host=www.paypalobject.com

Now if you look at walled garden menu you will see dynamic entry for object we just added

[admin@493G] /ip hotspot walled-garden> print detail 
Flags: X - disabled, D - dynamic 
 0 D ;;; www.paypalobject.com
     dst-address=68.178.232.99 action=allow hits=0 

Also dynamic firewall and NAT rules are added to allow paypalobject.com resolved address

[admin@493G] /ip firewall filter> print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
...
 7 D ;;; www.paypalobject.com
     chain=hs-unauth action=return dst-address=68.178.232.99 
...

10 D ;;; www.paypalobject.com
     chain=hs-unauth-to action=return src-address=68.178.232.99 
[admin@493G] /ip firewall nat> print dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
...
 8 D ;;; www.paypalobject.com
     chain=hs-unauth action=return dst-address=68.178.232.99 
...


[ Top | Back to Content ]