No doubt. The netmap may not be enough, dunno. But other suggestion is to look hotspot "jump" rules in /ip/firewall/filter and .../nat.[...]
Unfortunately, I can still access the Mikrotik's WebIF when I type access.local in the browser. In other words, the hotspot “doesn’t show itself”.
[...]
So Mikrotik probably doesn't want to make it that easy for us![8)]( "Cool")
maybe there's something wrong with my netmap rules?
See /ip/hotspot is essentially implemented as some dynamic firewall rules. But if you look at them, they use some FW extensions to take actions based on a "hotspot=" state. e.g.
Code:
/ip/firewall/nat add hotspot=<tab>auth from-client http local-dst to-client So perhaps create a static rule, based on WG src-address, that mimics the dynamic action=jump rules, in both NAT and filter, added by /ip/hotspot to the forward and input chain. i.e., the action=jump is what essentially "forks" the traffic based on the "hotspot=!auth" from the firewall rule.
But the key detail is the hotspot state looks available to use in your own firewall rules. Thus, theoretically, could have similar fork for hotspot=!auth or hotspot=auth in your filter rule, except matching on the WG addresses.
See docs, but
hotspot (auth | from-client | http | local-dst | to-client; Default: )- Matches packets received from HotSpot clients against various HotSpot matchers.
auth - matches authenticated HotSpot client packets
from-client - matches packets that are coming from the HotSpot client
http - matches HTTP requests sent to the HotSpot server
local-dst - matches packets that are destined to the HotSpot server
to-client- matches packets that are sent to the HotSpot client
There a bit more complexity I'm sure, but that's be the concept.
Statistics: Posted by Amm0 — Tue Mar 19, 2024 5:51 pm