Hotspot Capturing All Traffic

I am running RouterOS v6.36 on a MikroTik CCR1016-12G Cloud Core Router.

TL;DR
I have an odd issue. When I have the Hotspot enabled on my guest LAN, I cannot access my management LAN. I need to be able to access the Management VLAN20 from the Office LAN and remotely via WAN.

The setup
Ether12 - WAN connection.
Ether11 - 172.20.1.1/24 “Office LAN”
Ether10 - 10.59.0.1/16 “Guest LAN” - VLAN10
Ether09 - 192.168.1.1/24 “Management LAN” - VLAN20
Ether08 thru 01 - Disabled with no connections

The hotspot is configured to operate on the Guest VLAN10

The problem
The Office LAN can access the internet like normal without any interaction with the hotspot, regardless of whether the hotspot is enabled or disabled. (This is the expected behavior and operates as it should.)
With the hotspot disabled, I can access the Management VLAN20 from the Office LAN and remotely via NAT on the WAN connection without any problems.
With the hotspot enabled, when I try to access the Management VLAN20 from either the Office LAN or via WAN, the hotspot captures the traffic and tries to redirect me to the login page. (I receive a DNS error because it redirects me to the 10.59.0.1 ip address.)

I must note that I know the firewall rules work from the top down. When the hotspot is enabled, it dynamically creates firewall rules and NAT rules. I have tried moving the hotspot rules down below my existing rules, but that still did not fix the redirect issue. Only when the hotspot is disabled and the dynamic rules are removed do I have access to the Management VLAN20.

I hope this makes sense. (Also, I can always access the router web interface regardless of whether the hotspot is enabled or disabled. However, I use WinBox instead of the web interface.)

55 Views and no help? Thanks guys… This is about to cause me to pull out what is left of my hair!

I have noticed through trial and error that if I change the management port of the devices I’m trying to access to something other than 80, I can access them just fine regardless of whether the hotspot is active or not. So the simple solution would be to change the management port on all the devices. However, I can only change it on some of the devices. The firmware on the other devices has the management interface fixed on port 80 and it cannot be changed. So just changing the port is not going to work.

I really need help, PLEASE?!

Hi mate, sorry no one has responded to this one yet.

What I’m getting from your post is that you want to be able to access the office LAN without needing to be logged in behind the hotspot? Because typically, once you’re logged into the hotspot, you should be able to access anything that isn’t firewalled off, be that another network on the same router or the internet itself.

Simple solution, if that is what you’re trying to do: Add a walled garden IP entry for the office range, allowing anyone behind the hotspot to access it without being logged in.

As something you can paste into terminal, it would look like this:

/ip hotspot walled-garden ip add dst-address=172.20.1.1/24 action=accept comment="Allow access to office network"

With that said, if it is a genuine “anyone can access me” hotspot network then I would avoid doing this and perhaps limit connectivity to a few specific IPs (or require login before accessing anything) in the name of security.

Let me know how you go!
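As an added example (not from the thread above and not MikroTik's own documentation), here is the narrower version of the walled-garden approach the reply recommends: instead of opening a whole range to every unauthenticated hotspot client, only a couple of specific hotspot-side hosts are allowed through to the Management LAN web interfaces on port 80, and a forward-chain drop keeps every other guest VLAN host away from the management range even after they log in. The management range 192.168.1.0/24 and the guest range 10.59.0.0/16 come from the setup described in the first post; the two client addresses 10.59.0.50 and 10.59.0.51 and the address-list name mgmt-allowed are assumed placeholders.

```routeros
# Added example for RouterOS v6 terminal; addresses 10.59.0.50/.51 and the
# list name "mgmt-allowed" are assumed, the subnets are the thread's own.

# 1) Keep the approved admin hosts in one address list so the walled-garden
#    entries and the firewall drop below stay in sync.
/ip firewall address-list
add list=mgmt-allowed address=10.59.0.50 comment="admin laptop 1 (assumed address)"
add list=mgmt-allowed address=10.59.0.51 comment="admin laptop 2 (assumed address)"

# 2) Walled-garden IP entries: only these sources may reach the management
#    range on TCP/80 without passing the hotspot login page. Matching is by
#    src-address, so no other guest host gets the bypass.
/ip hotspot walled-garden ip
add src-address=10.59.0.50 dst-address=192.168.1.0/24 protocol=tcp dst-port=80 \
    action=accept comment="mgmt web UI without login - admin laptop 1"
add src-address=10.59.0.51 dst-address=192.168.1.0/24 protocol=tcp dst-port=80 \
    action=accept comment="mgmt web UI without login - admin laptop 2"

# 3) Defence in depth: logged-in guests are otherwise free to roam, so drop
#    guest VLAN -> management VLAN traffic unless the source is on the list.
#    place-before=0 puts the rule at the top of the filter table, ahead of
#    any rule that would accept it first (rules are evaluated top down).
/ip firewall filter
add chain=forward src-address=10.59.0.0/16 dst-address=192.168.1.0/24 \
    src-address-list=!mgmt-allowed action=drop place-before=0 \
    comment="block guest VLAN from management VLAN except listed admins"

# 4) Verify what is in effect. Dynamic hotspot rules show with a "D" flag.
/ip hotspot walled-garden ip print
/ip firewall filter print where chain=forward
/ip firewall address-list print where list=mgmt-allowed
```

A quick way to confirm the split is to browse to one of the management devices from a listed host (should load without the login page) and from any other guest host (should still be redirected, and after logging in, still blocked by the forward drop). If the walled-garden entry is meant to cover everything on the management range rather than just the web UI, drop the protocol and dst-port parameters from the two entries.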