Using a regular expression avoids having anything to do with DNS.
How do you figure that? It is the DNS cache that determines if the client can go through the walled garden. The client does a DNS resolve, and the IP is put in the DNS cache. The client browser does not do any more DNS resolves during the transaction. The remaining communication is done with the IP the client received from the first DNS resolve. If the IP entry in the DNS cache is there only 20 seconds, that is not enough time to complete a payment form.
It was temporarily solved with this script.
http://wiki.mikrotik.com/wiki/PayPal_wi ... den_bypass
Edit: Unless something has changed, it still works this way, and I still do not use PayPal. If it has changed, then maybe someone from MikroTik would like to add something here?
The way I see this working is when an unauth client does a port 80 or port 443 request, the walled garden does a check of the IPs stored in the DNS cache. If the IP is there, it gets the domain name associated with that IP (sort of a "reverse DNS lookup") from the DNS cache. THEN it compares that domain name with the entries, including the regular expression entries like yours. If it matches one, the request is let through. If it doesn't match any of them, then it isn't let through.
Two things can cause this to refuse to allow a client request through without logging in:
1) The IP is not in the DNS cache. This is the PayPal fail.
2) The domain name associated with the IP is not in the walled garden.
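
A small Python model of the lookup as the post above describes it, added here as an illustration and not part of the original post. It is not RouterOS code: the class and function names, the host names, the documentation-range addresses and the TTL values are all constructed assumptions.

```python
import re

class DnsCache:
    """Minimal TTL cache mapping a resolved IP to (name, expiry time)."""
    def __init__(self):
        self._by_ip = {}

    def store(self, name, ip, ttl, now):
        self._by_ip[ip] = (name, now + ttl)

    def name_for(self, ip, now):
        entry = self._by_ip.get(ip)
        if entry is None or now >= entry[1]:
            self._by_ip.pop(ip, None)   # expired, or never resolved
            return None
        return entry[0]

def walled_garden_check(cache, patterns, dst_ip, now):
    """Return (allowed, reason) for an unauthenticated request to dst_ip."""
    name = cache.name_for(dst_ip, now)
    if name is None:
        return False, "ip-not-in-dns-cache"        # case 1 in the post
    if not any(re.search(p, name) for p in patterns):
        return False, "name-not-in-walled-garden"  # case 2 in the post
    return True, "allowed"

# Constructed sample data: hypothetical walled-garden regex entry.
PATTERNS = [r"(^|\.)paypal\.example$"]

def demo():
    cache = DnsCache()
    # Payment host resolved at t=0 with a 20-second TTL, as in the post.
    cache.store("www.paypal.example", "203.0.113.10", ttl=20, now=0)
    cache.store("ads.other.example", "203.0.113.99", ttl=300, now=0)
    return [
        walled_garden_check(cache, PATTERNS, "203.0.113.10", now=5),   # fresh entry
        walled_garden_check(cache, PATTERNS, "203.0.113.10", now=45),  # TTL ran out mid-form
        walled_garden_check(cache, PATTERNS, "203.0.113.99", now=45),  # cached, no regex match
        walled_garden_check(cache, PATTERNS, "198.51.100.7", now=45),  # never resolved
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second result is the case the post calls the PayPal fail: the regular expression still matches the name, but the cache entry it would be matched against is gone.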