Good Evening,

I am having an issue with redirect to hotspot login page for unauthenticated users. The Mikrotik I am on is v6.9 CCR1016 Cloud Router. If I type in the gateway IP address (10.100.20.1) it goes to the log in page but trying to go to google for redirect isn't working. If I place the mac-address in the radius it authenticates and allows access to google, etc. Here is the output of firewall and hotspot.

/////////Firewall Configuration\\\\\\\\\\\\\\\
/ip firewall layer7-protocol
add name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|ente\
rtane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bit\
unity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova\
|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall address-list
add address=10.11.100.0/24 list=Restrict-Access
add address=10.158.0.0/24 list=Restrict-Access
add address=10.11.102.0/24 list=Restrict-Access
add address=172.16.0.0/16 list=Restrict-Access
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment=torrentsites layer7-protocol=\
torrentsites src-address=10.0.0.0/8
add action=drop chain=forward comment=dropDNS dst-port=53 layer7-protocol=\
torrentsites protocol=udp src-address=10.0.0.0/8
add action=drop chain=forward comment=keyword_drop content=torrent \
src-address=10.0.0.0/8
add action=drop chain=forward comment=trackers_drop content=tracker \
src-address=10.0.0.0/8
add action=drop chain=forward comment=get_peers_drop content=getpeers \
src-address=10.0.0.0/8
add action=drop chain=forward comment=info_hash_drop content=info_hash \
src-address=10.0.0.0/8
add action=drop chain=forward comment=announce_peers_drop content=\
announce_peers src-address=10.0.0.0/8
add action=drop chain=forward comment=p2p_drop p2p=all-p2p src-address=\
10.0.0.0/8
/ip firewall mangle
add action=change-mss chain=forward dst-address=0.0.0.0/0 new-mss=1300 \
protocol=tcp src-address=172.16.0.0/16 tcp-flags=syn
add action=change-mss chain=forward dst-address=0.0.0.0/0 new-mss=1300 \
protocol=tcp src-address=192.168.0.0/16 tcp-flags=syn
add action=change-mss chain=forward dst-address=0.0.0.0/0 new-mss=1300 \
protocol=tcp src-address=10.0.0.0/8 tcp-flags=syn
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes

//////////////Hotspot\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
/ip hotspot profile
set [ find default=yes ] login-by=mac,http-chap,http-pap mac-auth-password=\
visp use-radius=yes
add hotspot-address=10.100.20.1 login-by=mac,http-chap,http-pap \
mac-auth-password=XXXX name=hsprof1 use-radius=yes
/ip hotspot
add disabled=no interface=ether10 name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no idle-timeout=none on-logout="/ip ho\
tspot host remove [find where address=\"\$address\" and !authorized and !b\
ypassed]"
/ip hotspot user
add name=admin password=XXXX
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes

Okay I torched the interface and it looks like its just requesting DNS but doesn't force a redirect. I did setup a DNS name and set DHCP network dns to the mikrotik gateway address. Still nothing won't redirect but I can put in the DNS Name of the hotspot or IP and get to the login page on the mikrotik.

Do you have valid operating dns server IPs entered in "/ip dns"? Have "allow-remote-requests=yes"?
I don't see a masquerade entry for the WAN interface. Does it require one?

I actually just fixed it. The DNS settings where correct but the way this is setup is a vpn tunnel over to another router then out to the internet. Well the DNS resolve was looking up sourcing from the external ip on the box but there isn't a route so it would just timeout. After setting up a static route for 8.8.8.8 and 8.8.4.4 this worked without an issue. Here is the network diagram piece of it


Customers ----- Mikrotik Cloud ------ VPN TUNNEL --- Router ---- INET
Eth1 and 2 DSL and Fiber connection only static route to other router endpoint for vpn tunnel
DNS would use one of the eth1 or eth2 addresses to look up but no route found.
I then setup a route 8.8.8.8 and 8.8.4.4 on both Eth1 and Eth2 to go out there for dns lookup. Rest of the traffic goes through the vpn tunnel. I do believe I can setup a src-nat rule in the mikrotik to source dns from the loopback ip or the interface to have dns traffic go out the vpn tunnel.

I actually just fixed it. The DNS settings where correct but the way this is setup is a vpn tunnel over to another router then out to the internet. Well the DNS resolve was looking up sourcing from the external ip on the box but there isn't a route so it would just timeout. After setting up a static route for 8.8.8.8 and 8.8.4.4 this worked without an issue. Here is the network diagram piece of it


Customers ----- Mikrotik Cloud ------ VPN TUNNEL --- Router ---- INET
Eth1 and 2 DSL and Fiber connection only static route to other router endpoint for vpn tunnel
DNS would use one of the eth1 or eth2 addresses to look up but no route found.
I then setup a route 8.8.8.8 and 8.8.4.4 on both Eth1 and Eth2 to go out there for dns lookup. Rest of the traffic goes through the vpn tunnel. I do believe I can setup a src-nat rule in the mikrotik to source dns from the loopback ip or the interface to have dns traffic go out the vpn tunnel.

Hi, I know this is an old thread

But i'm facing similar problem with yours
For a while my hotspot working just fine, the redirection login page show up when client connect to the network.

Yesterday I add another WAN's line so now I have 2 WANs and combine it using Load Balancing PCC Failover.
The LB works fine.
But, the hotspot login page is not redirecting, it only show up if i open my mikrotik's ip address.

Can you show me how to route the dns 8.8.8.8 and 8.8.4.4 in the mikrotik?

Thx