Hotspot redirect fails after a while after upgrade

Hi,

We’ve had an RB3011 running with a captive portal for about 5 years. Everything worked fine until we upgraded to a newer version a few years back.

With any reasonably new version of RouterOS we see this behavior:

  • After a fresh boot, everything works as expected
  • After a while (hours to a few days) clients stop being redirected to the captive portal, and cannot access it by typing the address

We’ve tried several newer versions, but have quickly downgraded to the most recent version that has been working OK: 6.44.6 (from 2019).

These release notes gave us hope once, but upgrading beyond this version did not help either.

What’s new in 6.46.3 (2020-Jan-28 10:46):
*) hotspot - fixed redirect to log in page (introduced in v6.45);

We also tried adapting the same config to an RB2011 for testing and upgraded it to 7.1.3, but saw the same issue after a few hours.

Relevant snips from the config:

/ip hotspot profile
set [ find default=yes ] http-proxy=192.168.0.1:8080
add dns-name=wifi.XXXX.org hotspot-address=192.168.0.1 html-directory=\
    XXXX-hotspot http-cookie-lifetime=1w http-proxy=0.0.0.0:8080 \
    https-redirect=no login-by=cookie,http-chap,https,http-pap,mac-cookie \
    name=XXXX-hotspot-profile radius-default-domain=XXXX \
    radius-interim-update=30m ssl-certificate=wifi.XXXX.org.cer_0 \
    use-radius=yes
/ip hotspot
add disabled=no idle-timeout=8h interface=LAN name=XXXX-hotspot profile=\
    XXXX-hotspot-profile
add idle-timeout=8h interface=hotspot2 name=hotspot2 profile=\
    XXXX-hotspot-profile
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no shared-users=unlimited

/ip firewall address-list
add address=192.168.0.2-192.168.1.254 list=allowed_to_router
add address=10.30.20.0/24 list=allowed_to_router
add address=172.16.254.0/24 list=allowed_to_router
add address=192.168.0.144/28 list=premium
add address=192.168.0.190 comment="admin user" list=premium
add address=192.168.0.60 comment=iot list=premium
/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input comment="ssh 22022" dst-port=22022 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="00 Cambridge"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="ms list src" \
    new-packet-mark=ms passthrough=no src-address-list=MS
add action=mark-packet chain=prerouting comment="ms list dst" \
    dst-address-list=MS new-packet-mark=ms passthrough=no
add action=mark-packet chain=forward comment="premium download" \
    dst-address-list=premium hotspot="" in-interface="00 Cambridge" \
    new-packet-mark=premium_download passthrough=no
add action=mark-packet chain=prerouting comment="premium upload" \
    in-interface=LAN new-packet-mark=premium_upload passthrough=no \
    src-address-list=premium
add action=mark-packet chain=prerouting comment="normal client upload" \
    in-interface=LAN new-packet-mark=client_upload passthrough=no \
    src-address-list=!premium
add action=mark-packet chain=prerouting comment="normal client download" \
    dst-address-list=!premium in-interface="00 Cambridge" new-packet-mark=\
    client_download passthrough=no
/ip firewall nat
add action=dst-nat chain=hotspot dst-port=53 layer7-protocol=!localdns \
    priority=0 protocol=udp src-address=192.168.0.128/27 to-addresses=8.8.8.8 \
    to-ports=53
add action=dst-nat chain=hs-auth connection-limit=100,0 dst-port=53 fragment=\
    no hotspot="" log=yes log-prefix=DNSXXX protocol=udp src-address=\
    192.168.0.0/24 to-addresses=8.8.8.8 to-ports=53
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=LAN \
    protocol=tcp to-ports=8080
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    out-interface="00 Cambridge" src-address=192.168.0.0/23 to-addresses=\
    AA.BB.141.34
/ip firewall raw
add action=accept chain=prerouting
/ip firewall service-port
set tftp disabled=yes
set sip sip-timeout=10h

/radius
add address=192.168.0.3 comment=Radiusdesk secret=aaaaa service=\
    hotspot,wireless timeout=1s300ms

Any idea why this might be happening? We would really like to be able to upgrade to something regularly patched.
As this happens quite often with our setup, and seemingly not for others, I suspect that there’s something related to our setup.

Edit: removed irrelevant parts of the config and clarified the question.
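A client-side probe for the two symptoms described above (an intercepted plain-HTTP request no longer redirected to the portal, and the login page unreachable when typed by hand), added here as an example; it is not code from the original post or from RouterOS. The outside probe URL and the five-minute interval are assumptions; the portal hostname and address are taken from the posted profile.

```python
import http.client
import time
from urllib.parse import urlsplit

PROBE_URL = "http://example.com/"   # assumed: any plain-HTTP site beyond the router
PORTAL_HOST = "wifi.XXXX.org"       # dns-name from the posted profile (redacted there)
PORTAL_ADDR = "192.168.0.1"         # hotspot-address from the posted profile

def classify_intercept(status, location, body):
    """Classify the reply to a plain-HTTP request an unauthenticated client sent to
    an outside site: a working hotspot answers with a redirect to its login page."""
    target = (location or "") + body
    points_to_portal = PORTAL_HOST in target or PORTAL_ADDR in target
    if status in (301, 302, 303, 307, 308) and points_to_portal:
        return "redirected"
    if status == 200 and points_to_portal and "login" in body:
        return "redirected"    # 200 HTML stub that refreshes/links to the login page
    if status == 200:
        return "passthrough"   # reached the real site: intercept not applied
    return "error"             # timeout, reset or unexpected status

def classify_portal(status):
    """Direct request to the login page typed by hand (the second symptom)."""
    return "portal_ok" if status == 200 else "portal_unreachable"

def fetch(url, timeout=5):
    """GET url without following redirects; returns (status, Location, body)."""
    p = urlsplit(url)
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", p.path or "/")
        r = conn.getresponse()
        return r.status, r.getheader("Location"), r.read(4096).decode("latin-1")
    except OSError:
        return 0, None, ""
    finally:
        conn.close()

def probe():
    """One round: intercept check plus direct portal check, as one log line."""
    a = classify_intercept(*fetch(PROBE_URL))
    b = classify_portal(fetch(f"http://{PORTAL_ADDR}/login")[0])
    return f"{time.strftime('%Y-%m-%dT%H:%M:%S')} intercept={a} portal={b}"

if __name__ == "__main__":  # run from an unauthenticated client on the hotspot LAN
    # The first line where intercept flips to "passthrough" dates the failure.
    while True:
        print(probe())
        time.sleep(300)
```

Correlating the timestamp of the first "passthrough" line with the router's uptime and log narrows down whether the failure tracks hours since boot, cookie lifetime, or a RADIUS event.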