 
aluminumpork
just joined
Topic Author
Posts: 17
Joined: Mon Aug 15, 2011 9:27 pm

RB2011 + 5.22 - Gateway timeout after successful PAP login

Fri Dec 28, 2012 11:21 pm

Hey all,

I've just set up a simple hotspot with a few custom login pages. I'm using simple PAP authentication with only one user, profile and server. Half of the time after a successful login, the redirect to the user's original destination fails with a "gateway timeout" from the MikroTik HttpProxy. Simply refreshing the page loads it successfully, and we don't appear to have any problems after this point. I've combed through the logs and can't seem to find what is going on.

Any thoughts? Below is my hotspot config:
# dec/28/2012 15:16:44 by RouterOS 5.22
# software id = 0VBJ-WLFZ
#
# Hotspot export: three server profiles, one hotspot server, the default user
# profile, the hotspot FTP service-port setting and a single local user.
#
# NOTE(review): the post describes PAP authentication, but every profile below
# lists login-by=cookie,http-chap and none lists http-pap - confirm which
# login method the custom login pages actually submit.
# With cookie login and http-cookie-lifetime=3d, a client that has logged in
# once can be re-admitted from its cookie for up to three days without
# presenting the password again.
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
# zmcdef is the profile server1 uses; hotspot-address is 0.0.0.0 and dns-name
# is empty.
add dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=zmcdef rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
# hsprof1 sets hotspot-address=192.168.88.1 but is not referenced by any
# server in this export.
add dns-name="" hotspot-address=192.168.88.1 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
# The one hotspot server: bound to interface "Guest 1", addresses from
# guest-pool, profile zmcdef, no idle or keepalive timeout at server level.
/ip hotspot
add address-pool=guest-pool disabled=no idle-timeout=none interface="Guest 1" \
    keepalive-timeout=none name=server1 profile=zmcdef
# Default user profile: sessions end after 12h (or 1h idle), and one account
# may be logged in from up to 2000 clients at once (shared-users=2000).
/ip hotspot user profile
set [ find default=yes ] idle-timeout=1h keepalive-timeout=2m name=default \
    session-timeout=12h shared-users=2000 status-autorefresh=1m \
    transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
# Single shared account whose password equals its name. Combined with
# shared-users=2000 this is a click-through login, not access control.
# NOTE(review): the credential appears in clear text in this public export;
# redact secrets before posting a configuration.
/ip hotspot user
add disabled=no name=freeaccess password=freeaccess profile=default server=\
    server1
Below is DHCP server config:
# DHCP export: one server per LAN interface, each drawing from its own pool.
# Guest leases last 1h, office leases 1d.
/ip dhcp-server
add address-pool=guest-pool authoritative=after-2sec-delay bootp-support=static disabled=no interface="Guest 1" lease-time=1h name=guest-dhcp
add address-pool=office-pool authoritative=after-2sec-delay bootp-support=static disabled=no interface="Office 1" lease-time=1d name=office-dhcp
/ip dhcp-server config
set store-leases-disk=5m
# Both networks hand out the router itself as gateway and DNS server
# (10.150.17.1 for the office /27, 192.168.88.1 for the guest /24), so clients
# on both networks are told to send DNS queries to the router.
/ip dhcp-server network
add address=10.150.17.0/27 dhcp-option="" dns-server=10.150.17.1 domain=ashland.office.zmc gateway=10.150.17.1 ntp-server="" wins-server=""
add address=192.168.88.0/24 dhcp-option="" dns-server=192.168.88.1 domain=ashland.guest.zmc gateway=192.168.88.1 ntp-server="" wins-server=""
Below is firewall config:
# Firewall export: address list, connection-tracking timeouts, filter, mangle,
# NAT and NAT helper (service-port) settings. Rules within a chain are
# evaluated top to bottom, so their order is part of the policy.
#
# The "masquerade" list is defined here, but no rule in this export matches on
# it; the NAT rules below use src-address directly.
/ip firewall address-list
add address=10.150.17.0/27 disabled=no list=masquerade
add address=192.168.88.0/24 disabled=no list=masquerade
# Connection tracking is enabled; SYN cookies are off (tcp-syncookie=no).
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# The first three rules are disabled (disabled=yes) and have no effect.
add action=accept chain=forward connection-mark=hotspot-ignore disabled=yes \
    hotspot=""
add action=accept chain=input connection-mark=hotspot-ignore disabled=yes \
    hotspot=""
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# NOTE(review): no src-address, src-address-list or in-interface match, so as
# written Winbox (8291), SSH (22) and the router's web service (80) are
# accepted on every interface, including any upstream one. Restrict management
# access to the office subnet or a trusted address list.
add action=accept chain=input comment="Accept Winbox, SSH and WWW" disabled=\
    no dst-port=8291,22,80 protocol=tcp
add action=accept chain=input comment="Accept ICMP (PING)" disabled=no \
    protocol=icmp
# Same scope as the management rule: SNMP (udp/161) is accepted from any source.
add action=accept chain=input comment="Allow SNMP" disabled=no dst-port=161 \
    protocol=udp
# NOTE(review): this matches on the SOURCE port only, so any UDP datagram sent
# from port 53 is accepted to any port on the router. It stands in for a
# stateful rule that this chain does not have; the usual form is an accept on
# connection-state=established (plus one on connection-state=related) near the
# top of the chain.
add action=accept chain=input comment="Allow DNS" disabled=no protocol=udp \
    src-port=53
# Accepts inbound udp/123 from any source.
add action=accept chain=input comment="Allow SNTP" disabled=no dst-port=123 \
    protocol=udp
# Guests (192.168.88.0/24) may reach every service on the router, including
# the management ports above. The hotspot's own dynamic rules are not part of
# this export, so what unauthenticated clients can actually reach is not
# visible here - TODO confirm. Narrowing this rule to the services guests need
# (DNS, DHCP, the login page) is safer.
add action=accept chain=input comment="Allow all input from Hotspot" \
    disabled=no src-address=192.168.88.0/24
# Everything not accepted above jumps to logdrop.
add action=jump chain=input comment="Drop all input" disabled=no jump-target=\
    logdrop
# NOTE(review): logdrop logs only packets sourced from 192.168.88.0/24, yet
# the rule above already accepts all input from that subnet, so this log rule
# appears never to match on the input path. Dropped input from other sources
# is not logged.
add action=log chain=logdrop disabled=no log-prefix="" src-address=\
    192.168.88.0/24
add action=drop chain=logdrop disabled=no
# The only enabled forward-chain rule logs; no static rule here drops
# forwarded traffic, so guest-to-office isolation (192.168.88.0/24 ->
# 10.150.17.0/27) is not enforced by anything visible in this export.
# With no connection-state match the rule logs every forwarded guest packet,
# which can flood the log.
add action=log chain=forward disabled=no log-prefix=hstraffic src-address=\
    192.168.88.0/24
# All three mangle rules are disabled, so the hotspot-ignore connection mark
# is never set.
/ip firewall mangle
add action=mark-connection chain=forward disabled=yes dst-address=0.0.0.0/0 \
    dst-port=88,3074,53 hotspot=from-client new-connection-mark=\
    hotspot-ignore passthrough=yes protocol=udp
add action=mark-connection chain=forward disabled=yes dst-address=0.0.0.0/0 \
    hotspot=from-client new-connection-mark=hotspot-ignore passthrough=yes \
    protocol=icmp
add action=mark-connection chain=forward disabled=yes dst-address=0.0.0.0/0 \
    dst-port=3074,53 hotspot=from-client new-connection-mark=hotspot-ignore \
    passthrough=yes protocol=tcp
/ip firewall nat
# Neither masquerade rule names an out-interface, so traffic from these
# subnets is source-NATed whichever interface it leaves by.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=no dst-address=0.0.0.0/0 \
    src-address=10.150.17.0/27
# NOTE(review): 10.150.17.245 lies outside 10.150.17.0/27, so neither
# masquerade rule above matches this host, and placed last this accept looks
# like a no-op. To exempt a host that a masquerade rule does match, the accept
# has to come before that rule.
add action=accept chain=srcnat comment="Bypass masquerade for time clock" \
    disabled=no dst-address=0.0.0.0/0 src-address=10.150.17.245
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# NAT helpers: all six are enabled. Helpers that are not needed can be
# disabled to reduce the protocol parsing applied to forwarded traffic.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
Thank you!
