chimaster
Member Candidate
Posts: 133
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown

Re: Walled Garden and SSL sites intermittent problem

Thu Dec 01, 2011 12:07 pm

Seems this is the place I belong...

I've just upgraded 115 Hotspots (from 3.19 through to 4.17) and added SSL, not an Issue.

I'm dumping my config onto a virgin 5.9 RB450G and I'm having

"The Connection was Interrupted"
The connection to hqwifi.co.nz was interrupted while the page was loading.

If I disable SSL all works.


Anyone get to the bottom of this?
 
chimaster
Member Candidate
Posts: 133
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown

Re: Walled Garden and SSL sites intermittent problem

Thu Dec 01, 2011 12:52 pm

Downgraded to 4.17 and the problem is resolved. SSL works fine.
 
Trisc
Member Candidate
Posts: 242
Joined: Sat May 29, 2004 11:24 pm
Location: Glos, UK

Re: Walled Garden and SSL sites intermittent problem

Tue Jul 10, 2012 1:11 pm

Just came across this thread. Seems a complicated solution! :shock:

The following dst-host entry

:^.*\.paypal\.com$

in the walled garden seems to work for me! Also handles PayPal mobile site which the above scripts ignore.

Use this regular expression for all secure domains you want in your walled garden.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Walled Garden and SSL sites intermittent problem

Tue Jul 10, 2012 1:24 pm

@Trisc: That solution did not work for me. It works the first download, but after you fill out the payment page, the walled garden won't let you through. The DNS entry has a very short TTL, and is gone by the time you complete the payment page form.

I'm using Authorize.net because I could not get PayPal to work with the walled garden entry.
 
Trisc
Member Candidate
Posts: 242
Joined: Sat May 29, 2004 11:24 pm
Location: Glos, UK

Re: Walled Garden and SSL sites intermittent problem

Wed Jul 11, 2012 11:18 am

Strange. It has worked fine for us for many years and we exclusively use PayPal on 10 different hotspots. Using a regular expression avoids having anything to do with DNS. It also allows redirection to secure subdomains like mobile.paypal.com if the customer is on a mobile device.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Walled Garden and SSL sites intermittent problem

Wed Jul 11, 2012 2:16 pm

"Using a regular expression avoids having anything to do with DNS."

How do you figure that? It is the DNS cache that determines if the client can go through the walled garden. The client does a DNS resolve, and the ip is put in the dns cache. The client browser does not do any more dns resolves during the transaction. The remaining communication is done with the ip the client received from the first dns resolve. If the ip entry in the DNS cache is there only 20 seconds, that is not enough time to complete a payment form. :(

It was temporarily solved with this script.
http://wiki.mikrotik.com/wiki/PayPal_wi ... den_bypass

edit: Unless something has changed, it still works this way, and I still do not use PayPal. If it has changed, then maybe someone from Mikrotik would like to add something here?

The way I see this working is when an unauth client does a port 80 or port 443 request, the walled garden does a check of the IPs stored in the dns cache. If the ip is there, it gets the domain name associated with that ip (sort of a "reverse dns lookup") from the dns cache. THEN it compares that domain name with the entries, including the regular expression entries like yours. If it matches one, the request is let through. If it doesn't match any of them, then it isn't let through.

Two things can cause this to refuse to allow a client request through without logging in:
1) The ip is not in the dns cache. This is the PayPal fail.
2) The domain name associated with the ip is not in the walled garden
 
tevolo
Member Candidate
Posts: 114
Joined: Sun Mar 29, 2009 8:39 pm

Re: Walled Garden and SSL sites intermittent problem

Sun Jul 22, 2012 5:56 am

Is there a solution to the SSL problem? I'm on version 5.9 and clients have trouble accessing any https websites over the hotspot. Is there a solution for this problem?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Walled Garden and SSL sites intermittent problem

Sun Jul 22, 2012 1:12 pm

"Is there a solution to the SSL problem? I'm on version 5.9 and clients have trouble accessing any https websites over the hotspot. Is there a solution for this problem?"

Is this the same problem? The problem encountered in this thread applies only to unauthorized clients (not logged in) attempting to access some https sites through the walled garden, not authorized clients (logged in) having problems.
 
tevolo
Member Candidate
Posts: 114
Joined: Sun Mar 29, 2009 8:39 pm

Re: Walled Garden and SSL sites intermittent problem

Tue Jul 31, 2012 12:58 am

I'm still trying to evaluate the issue and figure out if it was isolated to one laptop (virus or computer issue), or if it occurred for several users.
 
fruiz002
just joined
Posts: 13
Joined: Fri Jan 06, 2012 1:35 pm

Re: Walled Garden and SSL sites intermittent problem

Sat Dec 22, 2012 9:36 pm

Hi guys,

I'm having exactly the same problem and I have not yet got a solution from Mikrotik. I have also tried the solutions posted here but none works. Can anybody give me a clue?

Thank you very much in advance

Regards
 
neby55
just joined
Posts: 1
Joined: Tue Oct 15, 2013 6:34 pm

Re: Walled Garden and SSL sites intermittent problem

Tue Oct 15, 2013 7:10 pm

Hi,

On my RB433, RouterOS 6.4, walled garden IP List does not work for HTTPS connections. So, I've searched and found another solution.

Generic Walled Garden in HTTPS

- in firewall > filter : (#serverIPaddress is the IP address of the server you want to be walled garden in HTTPS)
  • add an accept rule for chain "hs-unauth-to" with src-address=#serverIPaddress
  • add an accept rule for chain "hs-unauth" with dst-address=#serverIPaddress
  • put them at the top of rules list
- in firewall > NAT :
  • add an accept rule for chain "pre-hotspot" with src-address=#serverIPaddress
  • add an accept rule for chain "pre-hotspot" with dst-address=#serverIPaddress
  • put them at the top of rules list
- in IP > Hotspot > Walled Garden :
  • add mydomain.com in Dst. Host field and with action="allow"
  • add www.mydomain.com in Dst. Host field and with action="allow"
  • (or you can add #serverIPaddress in IP > Hotspot > Walled Garden IP list)

Now, every domain hosted on #serverIPaddress and added in Walled Garden will be accessible in HTTPS (and any other protocol, so be careful) without authentication.

Adding Paypal in HTTPS Walled Garden

PayPal often changes its IP addresses, so we can use RouterOS Firewall Address Lists to make a list.
  • first, add the dnsToAddressList script that gets IP addresses from A or CNAME DNS records : http://wiki.mikrotik.com/wiki/Sync_Addr ... _A_Records
  • then, add this script, which you can name "paypal_address_list". It gets the IP addresses for every domain in $Servers and puts them in the "paypal_address_list" Firewall Address List.

    :global ListName paypal_address_list
    :global Servers {"www.paypal.com"; "www.paypalobjects.com"; "paypalobjects.com"; "paypal.com"}
    /system script run dnsToAddressList

  • finally, just follow the Generic Walled Garden in HTTPS chapter using address-list instead of address (src-address=>src-address-list, dst-address=>dst-address-list) and select "paypal_address_list" for these address-lists.

I hope I haven't missed anything and I hope this post can help
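
Added example, not part of the original post and not MikroTik's own configuration: the address-list rules described above, narrowed to TCP port 443 so the bypass does not open "any other protocol" to unauthenticated clients. It assumes "paypal_address_list" is already populated by the dnsToAddressList script; the comment strings and the port restriction are additions, and the rules still have to be moved to the top of their chains as the post says.

```routeros
# Added example: HTTPS-only walled-garden bypass for hosts in paypal_address_list.
# Assumes the address list is filled by the dnsToAddressList script from the post.

/ip firewall filter
# Unauthenticated client -> listed server, TLS port only (not every protocol).
add chain=hs-unauth action=accept protocol=tcp dst-port=443 \
    dst-address-list=paypal_address_list comment="wg-https: client to paypal"
# Listed server -> unauthenticated client, replies from port 443 only.
add chain=hs-unauth-to action=accept protocol=tcp src-port=443 \
    src-address-list=paypal_address_list comment="wg-https: paypal to client"

/ip firewall nat
# Keep the hotspot from redirecting these connections to the login page.
# The post also adds a src-address rule in this chain; it is left out here on
# the assumption that replies of a tracked connection are not NATed again.
add chain=pre-hotspot action=accept protocol=tcp dst-port=443 \
    dst-address-list=paypal_address_list comment="wg-https: no redirect"

# Review exactly what is reachable without authentication.
/ip firewall filter print where comment~"wg-https"
/ip firewall nat print where comment~"wg-https"
/ip firewall address-list print where list=paypal_address_list
```

Checking the address-list output after each script run shows which IP addresses are currently exempt from login, which is the part of this setup that changes without anyone editing the firewall.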
