234

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers


RouterOS v3 Configuration and User Guide


All other packets from unauthorized clients, except DNS and login requests, should pass through the hs-unauth chain

7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp

Packets from the authorized clients, in turn, go through the hs-auth chain

8 D ;;; www.alliedtelesis.com
    chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80 action=return

First in the hs-unauth chain comes everything that affects the TCP protocol in the /ip hotspot walled-garden ip submenu (i.e., every entry where the protocol is either not set or set to TCP). Here we are excluding www.alliedtelesis.com from being redirected to the login page.

9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp

All other HTTP requests are redirected to the Walled Garden proxy server, which listens on port 64874. If there is an allow entry in the /ip hotspot walled-garden menu for an HTTP request, the request is forwarded to its destination. Otherwise, it is automatically redirected to the HotSpot login servlet (port 64873).

10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp

HotSpot by default assumes that only these ports may be used for HTTP proxy requests. These two entries are used to "catch" client requests to unknown proxies, i.e., to make it possible for clients with unknown proxy settings to work with the HotSpot system. This feature is called "Universal Proxy". If it is detected that a client is using some proxy server, the system automatically marks those packets with the http hotspot mark to work around the unknown proxy problem, as we will see later on. Note that the port used (64874) is the same as for HTTP requests in rule #8, so both HTTP and HTTP proxy requests are processed by the same code.

11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875

The HTTPS proxy listens on port 64875.

13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp

A redirect for the SMTP protocol may also be defined in the HotSpot configuration. If it is, a redirect rule is put in the hs-smtp chain. This is done so that users with unknown SMTP configuration are able to send their mail through the service provider's (your) SMTP server instead of going to the [possibly unavailable outside their network of origin] SMTP server users have configured on their computers. The chain is empty by default, hence the invalid jump rule.

15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp

Providing HTTP proxy service for authorized users. Authenticated user requests may need to be subject to transparent proxying (for the "Universal Proxy" technique and for the advertisement feature). This http mark is put automatically on the HTTP proxy requests that the HotSpot HTTP proxy (the one listening on port 64874) detects to be HTTP proxy requests to unknown proxy servers. This is done so that users who have some proxy settings use the HotSpot gateway instead of the [possibly unavailable outside their network of origin] proxy server users have configured on their computers. The mark is also put on any HTTP requests made by users whose profile is configured to transparently proxy their requests.

14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp

Providing SMTP proxy for authorized users (the same as in rule #12).
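The following is an added example, not part of the manual: a small Python model of how the hs-unauth chain above evaluates an unauthorized client's TCP traffic. The rules, ports and the walled-garden address are the ones printed on this page; the packets and the jump/return/redirect semantics as coded here are the author's constructed illustration of the RouterOS behaviour the text describes.

```python
# Added example (not from the manual): model the hs-unauth NAT chain printed
# above and show where an unauthorized client's packets end up.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    match: dict                     # packet fields that must match exactly
    action: str                     # "jump", "return" or "redirect"
    target: Optional[object] = None # jump-target chain or redirect to-port

# Chains as listed on the page: walled-garden return first, then redirects.
CHAINS = {
    "hs-unauth": [
        Rule({"dst_addr": "159.148.147.196", "proto": "tcp", "dst_port": 80}, "return"),
        Rule({"proto": "tcp", "dst_port": 80}, "redirect", 64874),
        Rule({"proto": "tcp", "dst_port": 3128}, "redirect", 64874),
        Rule({"proto": "tcp", "dst_port": 8080}, "redirect", 64874),
        Rule({"proto": "tcp", "dst_port": 443}, "redirect", 64875),
        Rule({"proto": "tcp", "dst_port": 25}, "jump", "hs-smtp"),
    ],
    "hs-smtp": [],  # empty by default, so the jump falls straight through
}

def evaluate(chain: str, pkt: dict) -> Optional[int]:
    """First matching terminal rule wins. 'return' hands control back to
    the caller, and a jump whose sub-chain matches nothing continues with
    the caller's next rule. Returns the redirect to-port, or None."""
    for rule in CHAINS[chain]:
        if any(pkt.get(k) != v for k, v in rule.match.items()):
            continue
        if rule.action == "redirect":
            return rule.target
        if rule.action == "return":
            return None
        if rule.action == "jump":
            port = evaluate(rule.target, pkt)
            if port is not None:
                return port
    return None

def unauth_destination(pkt: dict) -> tuple:
    """('gateway', port) if redirected to the HotSpot, else ('original', dst_port)."""
    port = evaluate("hs-unauth", pkt)
    return ("gateway", port) if port is not None else ("original", pkt["dst_port"])

# Constructed sample traffic from an unauthorized client (addresses are examples).
SAMPLES = {
    "web to walled-garden host": {"dst_addr": "159.148.147.196", "proto": "tcp", "dst_port": 80},
    "web to any other host":     {"dst_addr": "198.51.100.10", "proto": "tcp", "dst_port": 80},
    "client with proxy on 3128": {"dst_addr": "198.51.100.20", "proto": "tcp", "dst_port": 3128},
    "https":                     {"dst_addr": "198.51.100.10", "proto": "tcp", "dst_port": 443},
    "smtp":                      {"dst_addr": "198.51.100.30", "proto": "tcp", "dst_port": 25},
}
```

Note that the walled-garden entry only returns for TCP port 80, so an HTTPS request to the same host is still redirected to port 64875.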
