Mar 9 / Greg

Mikrotik Hotspot Bypass For Authenticated Users

By default, the hotspot proxies all traffic, even that of authenticated users. This slows authenticated users' traffic and makes the router's CPU work harder. To bypass this behavior, use the following NAT rule:

/ip firewall nat
add chain=pre-hotspot dst-address=!local hotspot=auth action=accept

“local” should be set to your local subnet. Be sure to drag this rule to the top.

Thanks to Felix (AKA fewi). If you guys were at the US MUM in Phoenix, you would have gotten an earful. I’m still not sure why his presentation didn’t make it to tiktube.
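
One way to confirm the rule is in place and at the top of its chain, as an added example that is not from the original post: the Python below parses the text of a NAT export (/ip firewall nat export) and reports whether the pre-hotspot chain starts with an enabled bypass rule. The sample export, the 192.168.88.0/24 subnet and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of "/ip firewall nat export" output (not from the original post).
# 192.168.88.0/24 stands in for the "local" subnet; the DNS redirect is filler.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=pre-hotspot comment="bypass proxy for auth users" \
    dst-address=!192.168.88.0/24 hotspot=auth
add action=redirect chain=pre-hotspot dst-port=53 protocol=udp to-ports=53
"""


def parse_nat_rules(export_text):
    """Return the NAT 'add' rules of an export as a list of dicts, in order."""
    # The export wraps long rules with a trailing backslash; join them first.
    joined = export_text.replace("\\\n", " ")
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def is_bypass(rule):
    """True for an accept rule matching authenticated users and a negated destination."""
    return (rule.get("action") == "accept" and rule.get("hotspot") == "auth"
            and rule.get("dst-address", "").startswith("!"))


def check_bypass(export_text):
    """Return a list of problems; an empty list means the bypass rule is effective."""
    chain = [r for r in parse_nat_rules(export_text) if r.get("chain") == "pre-hotspot"]
    hits = [i for i, r in enumerate(chain) if is_bypass(r)]
    if not hits:
        return ["no accept rule for hotspot=auth with a negated dst-address in pre-hotspot"]
    problems = []
    if hits[0] != 0:
        problems.append("bypass rule is not first in pre-hotspot (position %d)" % hits[0])
    if chain[hits[0]].get("disabled") == "yes":
        problems.append("bypass rule is disabled")
    return problems
```
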


  1. Omega-00 / Mar 9 2011

    And now for another “possibly dumb comment” from me 😀

    Doesn’t setting the “transparent-proxy=no” option in your user-profile page achieve the same thing?

    About a year ago we hit a whole mess’o’trouble with this being enabled by default on new devices, as far as I’m aware the only traffic that should pass via the proxy when this is on is the traffic to the hotspot html pages (login / status etc)

    It may also be the case for walled garden traffic if you’re using dst-hosts but I’d have to check and see.

  2. Greg / Mar 9 2011

    I believe you are correct Andrew. I know that is also unchecked by default. I saw that shortly after I created the post, but I’m lazy and haven’t verified it yet…hehe
