Hotspot redirect ignored by Apple devices

Hi,

I am using a mAP2n access point (v6.30.4) connected to a Raspberry Pi to serve web pages using Lighttpd.

The set-up is an intranet, so there is no general internet connectivity.

I have configured the Mikrotik hotspot and walled garden only to serve certain domains (hosted on the RPi) and to redirect requests for all other domains to a landing page. There is no user login, only redirection.

This works for most devices (including Android phones and tablets) but some devices (including all Apple devices) seem not to be redirected to the landing page. Instead, iPhones, MacBooks etc. all get served the default page in the lighttpd.conf (in this case /mnt/external/www/index.html).

Why is the hotspot treating some clients differently to others? Is the fact that many of these clients are Apple significant or a red herring?

/flash/hotspot/ contains one file (redirect.html), which contains:

$(if http-status == 302)Hotspot Redirect$(endif)
$(if http-header == "Location")http://welcome.local$(endif)
<html>
<head>
<title>Hotspot Redirect</title>
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="refresh" content="0; url=http://welcome.local">
</head>
</html>

Correct behaviour (302, redirect to intranet landing page) from most devices:

$ curl -v http://an-external-domain.com/
*   Trying 192.168.103.254...
* TCP_NODELAY set
* Connected to an-external-domain.com (192.168.103.254) port 80 (#0)
> GET / HTTP/1.1
> Host: an-external-domain.com
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 302 Hotspot Redirect
< Cache-Control: no-cache
< Content-Length: 141
< Content-Type: text/html
< Date: Thu, 01 Dec 2016 14:52:46 GMT
< Expires: 0
< Location: http://welcome.local
<
<html>
<head><title>Error 302: Hotspot Redirect</title></head>
<body>
<h1>Error 302: Hotspot Redirect</h1>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host an-external-domain.com left intact

Incorrect behaviour (200, no redirect, served wrong page) from some devices:

$ curl -v http://an-external-domain.com/
*   Trying 192.168.103.254...
* TCP_NODELAY set
* Connected to an-external-domain.com (192.168.103.254) port 80 (#0)
> GET / HTTP/1.1
> Host: an-external-domain.com
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "2707996152"
< Last-Modified: Tue, 06 Dec 2016 10:24:25 GMT
< Content-Length: 49
< Date: Tue, 06 Dec 2016 13:51:06 GMT
< Server: lighttpd/1.4.31
<
This is the page at /mnt/external/www/index.html
* Curl_http_done: called premature == 0
* Connection #0 to host an-external-domain.com left intact

Any help greatly appreciated. This is very puzzling.

Hotspot treats all devices equally. Maybe there is some bug somewhere. You could run the packet sniffer in RouterOS and check for differences. We could try to replicate your setup here, if you could do the packet dump anyway, since you already have it running. Email support@mikrotik.com so we can try to solve it.

OK. I have captured the packets and will send them to support. Thanks.

Maybe, as it’s only an intranet with no internet access, it is not routing to a web site. Do you have a DHCP server using a gateway, or no gateway IP set up?

There is DHCP on the Mikrotik, which allocates addresses in the 192.168.103.0/24 range. The default gateway is 192.168.103.1.

Example client associated to the AP:

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e9df:acab:88b2:52bd%11
IPv4 Address. . . . . . . . . . . : 192.168.103.181
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.103.1

I haven’t yet heard back from Mikrotik support, but will post when I have an answer.

The problem is related to the bridge.
Your web server and client are on the same bridge interface, and packets from the iPhone go to the bridge; they are not hitting the firewall.
Please enable “use-ip-firewall=yes” or move the server to another IP subnet.

Wonderful. Setting use-ip-firewall=yes solved the problem.

Thanks guys.
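
Added example, not part of the thread: a small Python check that reads `curl -v` output like the two transcripts above and reports whether the request was intercepted by the hotspot (302 to the landing page) or answered directly by the web server (200), which is the symptom of bridged traffic not passing the IP firewall. The function names and the abridged sample transcripts are constructed for illustration; run it from each client type after changing use-ip-firewall.

```python
from urllib.parse import urlsplit

LANDING_HOST = "welcome.local"          # landing host from the thread's redirect.html
REDIRECTS = {301, 302, 303, 307, 308}

def response_head(curl_verbose):
    """Return (status, headers) from `curl -v` output; response lines start with '<'."""
    lines = [l[1:].strip() for l in curl_verbose.splitlines() if l.startswith("<")]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("no HTTP status line found in curl -v output")
    status = int(lines[0].split()[1])   # e.g. "HTTP/1.1 302 Hotspot Redirect"
    headers = {}
    for line in lines[1:]:
        if not line:                    # a bare '<' ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(curl_verbose, landing_host=LANDING_HOST):
    """'intercepted' if the hotspot redirected to the landing page, 'bypassed' if
    some server answered 200 directly, otherwise a label for anything else."""
    status, headers = response_head(curl_verbose)
    target = urlsplit(headers.get("location", "")).hostname
    if status in REDIRECTS:
        return "intercepted" if target == landing_host else "redirected-elsewhere"
    return "bypassed" if status == 200 else "unexpected"

# Constructed samples, abridged from the two curl transcripts in the thread.
SAMPLE_302 = """> GET / HTTP/1.1
> Host: an-external-domain.com
>
< HTTP/1.1 302 Hotspot Redirect
< Location: http://welcome.local
<
<html>
"""
SAMPLE_200 = """> GET / HTTP/1.1
> Host: an-external-domain.com
>
< HTTP/1.1 200 OK
< Server: lighttpd/1.4.31
<
This is the page at /mnt/external/www/index.html
"""

if __name__ == "__main__":
    for name, sample in (("302 sample", SAMPLE_302), ("200 sample", SAMPLE_200)):
        status, headers = response_head(sample)
        print(name, classify(sample), headers.get("server", "(no Server header)"))
```

To check a live client, pipe real output into `classify`, for example the text captured from `curl -v http://an-external-domain.com/ 2>&1`.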