Hotspot walled-garden IP problem on 6.37.2 and 6.38rc31

Basilgr · Tue Nov 22, 2016 3:43 pm

Hello all.
We've recently discovered an issue on 6.37.2 still existing on 6.38rc31 that breaks walled-garden ip.

Tested it on 2 routers (6.36.3 and 6.37.2/6.38rc31) by adding 2 lines in walled-garden ip

/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address dst-host=domain.com dst-port=80 protocol=tcp server=hotspot1 !src-address
add action=accept disabled=no !dst-address dst-host=domain.com dst-port=443 protocol=tcp server=hotspot1 !src-address

It produces 4 dynamic ip firewall filter rules
On 6.36.3

 7  D ;;; domain.com
      chain=hs-unauth action=return protocol=tcp dst-address=10.101.0.1 in-interface=ether5-AP-1 dst-port=80 log=no log-prefix="" 
 8  D ;;; domain.com
      chain=hs-unauth action=return protocol=tcp dst-address=10.101.0.1 in-interface=ether5-AP-1 dst-port=443 log=no log-prefix="" 
11  D ;;; domain.com
      chain=hs-unauth-to action=return protocol=tcp src-address=10.101.0.1 out-interface=ether5-AP-1 src-port=80 log=no log-prefix="" 
12  D ;;; domain.com
      chain=hs-unauth-to action=return protocol=tcp src-address=10.101.0.1 out-interface=ether5-AP-1 src-port=443 log=no log-prefix=""

On 6.37.2 and 6.38rc31:

 9  D ;;; domain.com
      chain=hs-unauth action=return protocol=tcp dst-address=10.101.0.1 in-interface=ether10-AP-1 dst-port=80 
11  D ;;; domain.com
      chain=hs-unauth action=return protocol=tcp dst-address=10.101.0.1 in-interface=ether10-AP-1 dst-port=443 
14  D ;;; domain.com
      chain=hs-unauth-to action=return protocol=tcp src-address=10.101.0.1 out-interface=ether10-AP-1dst-port=80 
16  D ;;; domain.com
      chain=hs-unauth-to action=return protocol=tcp src-address=10.101.0.1 out-interface=ether10-AP-1 dst-port=443

Notice the dst-port on the last 2 lines with the out-interface. That should be src-port.

Hotspot walled-garden IP problem on 6.37.2 and 6.38rc31

Hotspot walled-garden IP problem on 6.37.2 and 6.38rc31

Who is online