Hotspot problem

Hi,

I have a problem with setting up hotspot to work properly. I have a configuration like this. RB800 has eth1 connected to a switch that leads to the internet connection, and on eth2 is a Linksys which serves as AP.

I’m trying to set up an open free hotspot, so only trial (guest) users. So the user connects, gets redirected to the login page, clicks accept and he can surf the web. For guests I made a new user profile, and the problem is if I choose “use transparent proxy” for that profile, hotspot is working fine for http, but not for https pages. If I turn off “transparent proxy” the user can’t surf at all, neither http nor https (only pages in the walled garden are working then). There are no rules in firewall/nat except those that were made dynamically for hotspot.

Any ideas?

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, “/ip hotspot export”, and an accurate network diagram.

Hi aliquiss.

Something else to check based on what you’ve said so far: do you have a NAT rule for traffic coming from the hotspot out the WAN interface?
As fewi has indicated, including more information about the setup will give us an idea of what you’re attempting and where the problem is.

Hi.
Here is the output you asked for. It’s a pretty basic configuration, since I’m only testing the feature. The setup is something like this.
AP----10.20.30.0/24----RB800----192.168.201.0/24----switch----router----wan

Thing is I have to connect it to quite a big network to get access to the internet. I would look for an issue there, since everything there is NATed properly, nothing is blocked or anything.

/ip address print detail

0 address=10.20.30.1/24 network=10.20.30.0 interface=ether3
actual-interface=ether3

1 address=192.168.201.48/24 network=192.168.201.0 interface=ether1
actual-interface=ether1



/ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=192.168.201.1
gateway-status=192.168.201.1 reachable ether1 distance=1 scope=30
target-scope=10

1 ADC dst-address=10.20.30.0/24 pref-src=10.20.30.1 gateway=ether3
gateway-status=ether3 reachable distance=0 scope=10

2 ADC dst-address=192.168.201.0/24 pref-src=192.168.201.48 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10


/interface print detail
0 R name="ether3" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9116

1 R name="ether1" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9500

2 X name="ether2" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9500


/ip firewall export

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=accept chain=pre-hotspot comment="place hotspot rules here"
disabled=yes
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no


/ip hotspot export

/ip hotspot user profile

set default idle-timeout=none keepalive-timeout=2m name=default rate-limit=
1000/1000 shared-users=unlimited status-autorefresh=1m transparent-proxy=
no
add idle-timeout=none keepalive-timeout=2m name=guest rate-limit=75k/300k
shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot
http-proxy=0.0.0.0:0 login-by=http-pap,trial name=default rate-limit=""
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=30m/1d
trial-user-profile=guest use-radius=no
add dns-name=10.20.30.1 hotspot-address=10.20.30.1 html-directory=hotspot
http-proxy=0.0.0.0:0 login-by=http-chap,http-pap,trial name=KLC
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no trial-uptime=
30m/30m trial-user-profile=guest use-radius=no
/ip hotspot
add disabled=no idle-timeout=none interface=ether3 keepalive-timeout=none
name=KLC profile=KLC
/ip hotspot service-port
set ftp disabled=no ports=21

Also, can someone explain to me in a bit more detail what “transparent proxy” actually does? Since I don’t use a proxy and don’t need it, I don’t understand why the client who connects to the hotspot can’t surf if that feature is off.

EDIT: It seems that I can open https pages with transparent proxy turned on after I added this to NAT.
The same rule exists in the hs-unauth chain (by default):
/ip firewall nat
add action=redirect chain=hs-auth disabled=no dst-port=443 protocol=tcp
to-ports=64875

But the problem now is that if the user tries to go to an https page before he clicks accept, he doesn’t get redirected to the login page.
Someone had this problem before http://forum.mikrotik.com/t/hotspot-redirects-https-and-the-browser-shows-an-ssl-error/45826/1

Remove that NAT rule again. It’s the wrong fix.

The problem is that 192.168.201.0/24 (and possibly networks further upstream) don’t have a route to your Hotspot network. Either make sure everything behind whatever router eventually NATs you has routes to that network - the how on that is up to you, we don’t know anything about that network and it presumably doesn’t run on RouterOS - or NAT on your RouterBOARD:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Source_NAT

This is an extremely fundamental TCP/IP problem and has nothing to do with the other thread you found.

Transparent proxy means that the router redirects some traffic to itself, splitting it into two connections: client to Hotspot, Hotspot to destination. It chooses the closest IP address to the destination as a source, which is on the 192.168.201.0/24 network. That’s why HTTP works. The fix isn’t to redirect more traffic to the Hotspot since it can’t - for example - do email, or ICMP. The fix is to either route properly, or source NAT all traffic without making the Hotspot process it.
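As an added example (not from this thread or from MikroTik documentation), here is how the missing return route can be confirmed from the RouterBOARD itself, together with a source NAT rule scoped to the hotspot subnet rather than to everything leaving ether1. Interface names and addresses are taken from the configuration posted above; the upstream gateway 192.168.201.1 is used as the ping target.

```routeros
# Pinging the upstream gateway with the hotspot address as the source shows
# whether 192.168.201.0/24 has a route back to 10.20.30.0/24. No replies here
# but replies with src-address=192.168.201.48 means the return route is missing.
/ping 192.168.201.1 src-address=10.20.30.1 count=4
/ping 192.168.201.1 src-address=192.168.201.48 count=4

# Source NAT only the hotspot clients, and only toward the upstream network.
# Restricting src-address keeps the rule from masquerading anything else the
# router might later forward out ether1.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.20.30.0/24 \
    out-interface=ether1 comment="hotspot clients to upstream"

# Verify the rule is matching once a client browses: the packet/byte counters
# should increase, and tracked connections from the hotspot subnet should show
# a reply-dst-address of 192.168.201.48 rather than the client's 10.20.30.x.
/ip firewall nat print stats
/ip firewall connection print where src-address~"^10\\.20\\.30\\."
```

The masquerade rule is applied after the hotspot's own dynamic chains, so login redirection is unaffected and all protocols (not only HTTP) reach the upstream network with a routable source address.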