HotSpot: No Login Page

Hello All,

I have set up a hotspot on an RB532 [ros 2.9.27, f/ware 1.13] as described in the wiki, although I’ve used different addresses and disabled masquerading (see export below) because this is done at our gateway box. However, I cannot get it to present a login page.

Client connects, gets IP address, etc and shows up in /ip hotspot host, but is unable to ping (because it’s not authorised, right? :wink: ) or browse - browsing just gets a ‘page cannot be displayed’.

NPA shows that DNS lookup is working (and I can see the entries appear on the RB and ping external sites from the RB), following which SYN packets are sent to the IP received from the DNS. However, these SYN requests are not being answered.

Packets are flowing into the RB and through the firewall, but I can’t trace them further than the dynamic filter:

/ip firewall filter print hs-input from 2
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=hs-input protocol=tcp dst-port=64872-64875 action=accept

…as I’m not sure how to go on testing from here… :blush: The manual says that (as my /ip proxy is disabled, set to 0.0.0.0, etc) they will be dealt with by the ‘local proxy’, but I’m having trouble finding more information.

I have tried creating a binding for the test client’s MAC address set to ‘bypass’, putting a site in the walled garden and trying to access that, enabling masquerading on the hotspot, and every combination of these, but still the same issue - no ACKs from the RB.

The important bits from /export (hopefully - apologies in advance for the length)

# Wired port; it carries 10.0.0.201/24 in the "/ ip address" section of this export.
/ interface ethernet 
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:04:D7:xx arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default mdix-enable=yes speed=100Mbps comment="" \
    disabled=no 
...
# Access-point radio (mode=ap-bridge, ssid "HS-Test") that the hotspot server
# and dhcp1 are bound to.
# default-forwarding=no keeps stations on this AP from sending frames to each
# other, which limits client-to-client exposure on a public hotspot.
# NOTE(review): security-profile=default is only referenced here; the profile
# itself is not in this excerpt. If it leaves the link unencrypted, anything
# the hotspot login exchanges over plain HTTP is readable on the air - confirm.
/ interface wireless 
set wlan4 name="wlan4" mtu=1500 mac-address=00:0B:6B:4D:44:xx arp=enabled \
    disable-running-check=no radio-name="000B6B4D44xx" mode=ap-bridge \
    ssid="HS-Test" area="" frequency-mode=manual-txpower \
    country=no_country_set antenna-gain=0 frequency=2412 band=2.4ghz-b \
    scan-list=default rate-set=default \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007 \
    ack-timeout=dynamic tx-power=5 tx-power-mode=all-rates-fixed \
    noise-floor-threshold=default periodic-calibration=default \
    periodic-calibration-interval=60 burst-time=disabled dfs-mode=none \
    antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none \
    wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no \
    update-stats-interval=disabled default-authentication=yes \
    default-forwarding=no default-ap-tx-limit=0 default-client-tx-limit=0 \
    proprietary-extensions=post-2.9.25 hide-ssid=no security-profile=default \
    disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both \
    compression=no allow-sharedkey=no comment="" disabled=no 
...
# Client address range; used by both the hotspot server (address-pool) and dhcp1.
/ ip pool 
add name="hs-pool-7" ranges=10.0.6.2-10.0.6.254 
...
# Resolvers used by the router itself. allow-remote-requests=no means the
# router's DNS cache is not offered to other hosts; clients are handed the same
# two upstream servers directly in "/ ip dhcp-server network".
/ ip dns 
set primary-dns=80.58.0.33 secondary-dns=80.58.32.97 allow-remote-requests=no \
    cache-size=2048KiB cache-max-ttl=1w 
...
# wlan4 holds 10.0.6.1, the same address the hotspot profile uses as
# hotspot-address; ether1 sits on the 10.0.0.0/24 side with the default gateway.
/ ip address 
add address=10.0.6.1/24 network=10.0.6.0 broadcast=10.0.6.255 \
    interface=wlan4 comment="" disabled=no 
add address=10.0.0.201/24 network=10.0.0.0 broadcast=10.0.0.255 \
    interface=ether1 comment="" disabled=no 
# The general web proxy is switched off (enabled=no).
/ ip proxy 
set enabled=no src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0 \
    cache-drive=system cache-administrator="webmaster" \
    max-disk-cache-size=none max-ram-cache-size=8000KiB cache-only-on-disk=no \
    maximal-client-connections=1000 maximal-server-connections=1000 \
    max-object-size=4000KiB max-fresh-time=3d 
...
# Single default route via 10.0.0.10 on the ether1 subnet.
# NOTE(review): with masquerading disabled on this router, 10.0.0.10 presumably
# needs its own route back to 10.0.6.0/24 for client traffic to return - confirm.
/ ip route 
add dst-address=0.0.0.0/0 gateway=10.0.0.10 scope=255 target-scope=10 \
    comment="" disabled=no 
# No static NAT rules appear in this export (the post says masquerading was
# disabled on purpose).
# NOTE(review): the hs-input rule printed earlier in the post is flagged D
# (dynamic); dynamic hotspot rules are presumably absent from an export, so
# inspect them with the print command rather than relying on this section.
/ ip firewall nat 
# Connection tracking is enabled with short TCP handshake timeouts (5s).
# tcp-syncookie=no leaves SYN cookies off.
/ ip firewall connection tracking 
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no 
...
# Hotspot server bound to wlan4, drawing client addresses from hs-pool-7.
# addresses-per-mac=2 caps how many IP addresses one MAC address may hold.
/ ip hotspot 
add name="hotspot1" interface=wlan4 address-pool=hs-pool-7 profile=hsprof1 \
    idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no 
...
# Login methods accepted by this server profile:
#   mac       - the client's MAC address is used as the credential; a MAC can
#               be set by the client, so treat this as identification only.
#   cookie    - a browser cookie re-admits the client without a password for
#               http-cookie-lifetime (3d here).
#   http-chap - challenge/response login from the login page.
#   http-pap  - the login page submits the password in plain text.
# https is not in the list, so the login exchange runs over plain HTTP; on an
# unencrypted wireless link prefer http-chap and drop http-pap unless required.
# use-radius=no: accounts come from the local "/ ip hotspot user" table.
/ ip hotspot profile 
add name="hsprof1" hotspot-address=10.0.6.1 dns-name="" html-directory=hotspot \
    rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 \
    login-by=mac,cookie,http-chap,http-pap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=no 
# Local hotspot account. The password value was redacted by the poster ("xxx").
/ ip hotspot user 
add name="admin" password="xxx" profile=default comment="" disabled=no 
# shared-users=1 allows one simultaneous session per account.
/ ip hotspot user profile 
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=no 
# No entries in the HTTP-level walled garden.
/ ip hotspot walled-garden 
# Unauthenticated clients of hotspot1 may reach 159.148.147.196 on tcp/80.
# Every entry here is reachable before login, so keep the list narrow.
/ ip hotspot walled-garden ip 
add server=hotspot1 dst-address=159.148.147.196 protocol=tcp dst-port=80 \
    action=accept comment="" disabled=no 
# DHCP server for hotspot clients on wlan4, leasing from hs-pool-7 for 1h.
/ ip dhcp-server 
add name="dhcp1" interface=wlan4 lease-time=1h address-pool=hs-pool-7 \
    bootp-support=static authoritative=after-2sec-delay disabled=no 
...
# Clients receive 10.0.6.1 (the router's wlan4 address) as gateway and the two
# upstream resolvers as DNS servers, not the router itself.
/ ip dhcp-server network 
add address=10.0.6.0/24 gateway=10.0.6.1 dns-server=80.58.0.33,80.58.32.97 \
    comment="hotspot network" 
...

Any suggestions would be appreciated.