
4 ip-level walled garden, 5 one-to-one nat static address bindings – Allied Telesis AT-WR4500 User Manual

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

Example

To allow unauthorized requests to the www.example.com domain's /paynow.html page:

[admin@AT-WR4562] ip hotspot walled-garden> add path="/paynow.html" \
\... dst-host="www.example.com"
[admin@AT-WR4562] ip hotspot walled-garden> print
Flags: X - disabled, D - dynamic
0 dst-host="www.example.com" path="/paynow.html" action=allow
[admin@AT-WR4562] ip hotspot walled-garden>

10.3.4 IP-level Walled Garden

Submenu level: /ip hotspot walled-garden ip

Description

This menu manages the Walled Garden for generic IP requests. See the previous section for managing
HTTP and HTTPS protocol-specific properties (like the actual DNS name, HTTP method and path used
in requests).

Property Description

action (accept | drop | reject; default: accept) - action to undertake if a packet matches the rule:
accept - allow the access to the page without prior authorization
drop - the authorization is required to access this page
reject - the authorization is required to access this page; if the page is accessed without
authorization, an ICMP reject message (host-unreachable) will be generated
dst-address (IP address) - IP address of the destination web server
dst-host (text; default: "") - domain name of the destination web server (this is not a regular expression
or a wildcard of any kind). The DNS name specified is resolved to a list of IP addresses when the rule is
added, and all those IP addresses are used
dst-port (integer; default: "") - the TCP or UDP port (protocol MUST be specified explicitly in the
protocol property) the client has sent the request to
protocol (integer | ddp egp encap ggp gre hmp icmp idpr-cmtp igmp ipencap ipip ipsec-ah ipsec-esp
iso-tp4 ospf pup rdp rspf st tcp udp vmtp xns-idp xtp) - IP protocol name
server (name) - name of the HotSpot server this rule applies to
src-address (IP address) - IP address of the user sending the request

10.3.5 One-to-one NAT static address bindings

Submenu level: /ip hotspot ip-binding

Description

You can set up NAT translations statically based on either the original IP address (or IP network), or the
original MAC address. You can also allow some addresses to bypass HotSpot authentication (i.e., they will
be able to work without having to log in to the network first) and completely block some addresses.

Property Description

address (IP address / [netmask]; default: "") - the original IP address or network of the client
mac-address (MAC address; default: "") - the source MAC address of the client
server (name|all; default: all) - the name of the server the client is connecting to
to-address (IP address; default: "") - IP address to translate the original client address to. If address
property is given as network, this is the starting address for the translation (i.e., the first address is
translated to to-address, address + 1 to to-address + 1, and so on)
type (regular | bypassed | blocked) - type of the static binding entry
regular - perform a one-to-one NAT translation according to the values set in this entry
bypassed - perform the translation, but exclude the client from having to log in to the HotSpot system
blocked - the translation will not be performed, and all packets from the host will be dropped
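
An added example (not from the manual) for reviewing a list of static bindings: it applies the "address + 1 to to-address + 1" rule described above and lists every entry of type bypassed together with how many client addresses it exempts from HotSpot login. The entries are constructed key=value samples using the property names above, and counting the offset from the network's base address is an assumption.

```python
import ipaddress
import shlex

# Constructed sample entries (not captured from a router), written as
# key=value pairs using the property names from the table above.
SAMPLE_BINDINGS = """\
address=10.5.50.0/29 to-address=192.168.88.16 type=regular
mac-address=00:11:22:33:44:55 type=bypassed
address=10.5.50.64/30 to-address=172.16.0.10 type=bypassed
address=10.5.50.200 type=blocked
"""

def parse_bindings(text):
    """Turn each non-empty line into a dict of property -> value."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line))
            for line in text.splitlines() if line.strip()]

def translate(entry, client_ip):
    """Translated address for client_ip under this entry, or None if none applies."""
    if entry["type"] == "blocked" or not {"address", "to-address"} <= entry.keys():
        return None  # blocked entries drop packets; no to-address means no mapping
    net = ipaddress.ip_network(entry["address"], strict=False)
    client = ipaddress.ip_address(client_ip)
    if client not in net:
        return None
    # Assumption: the offset is counted from the network's base address.
    offset = int(client) - int(net.network_address)
    return str(ipaddress.ip_address(entry["to-address"]) + offset)

def bypassed_scope(entries):
    """(selector, count of client addresses) for each entry that skips login."""
    scope = []
    for e in entries:
        if e["type"] != "bypassed":
            continue
        if "address" in e:
            net = ipaddress.ip_network(e["address"], strict=False)
            scope.append((e["address"], net.num_addresses))
        else:
            scope.append((e["mac-address"], 1))
    return scope

if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE_BINDINGS)
    print(translate(bindings[0], "10.5.50.3"))
    for selector, count in bypassed_scope(bindings):
        print(f"bypassed: {selector} ({count} address(es) skip HotSpot login)")
```

Bypassed entries that cover a whole network are the ones to review first, since every address in the range works without logging in.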
