HotSpot/Vlan/DHCP Issues

trace323 · July 9, 2016, 12:26am

Hello All.. I have a CCR1009 on a property. I have a 350/20 TWC Connection.

I use a hotspot a simple hotspot config. I use vlan 100 for wireless traffic.

CCR Setup
ETH1-DHCP (TWC)
ETH7 - MGMT Network ( 192.168.0.0/24
EHT8- LAN (192.168.10.1/21

Core Switch 26 POE Port.
I have 1-15 Ruckus AP’s.
All wireless APS are tagged for VLAN 100 for traffic.
25- Goes to ETH7 FOR MGMT
26 - Goes to ETH8 for LAN Traffic

There is times when a user that has Windows Vista they’r not able to receive a DHCP off my network for some odd reason. What I have to do is remove VLAN10 and put vlan10 to the Mikrotik and he is able to obtain an IP address after that. I have alot of Mikrotiks deployed in a lot of places and I have to do this often. I have tried several firmware but no firmware fixes that issue.

I have tried many adjustments on the DHCP sever but it makes no change. I even created input rules for port 67,68 and no change either. I have a use a Bridge. I have tried it with a bridge and without a bridge same stuff. I do have RSTP turned off since i don’t use that. I have that turned off throughout my switch.

I have a Terms of agreement page. There is times where users have a hard time seeing the tos page and there users who have no issues at all. So once they connect to the wifi, they should be taken to my disclaimer page but that does not happen. I know at times we have them go a page that is not cache or anything like that. We have them go to abc.com and it redirects them to my disclaimer page. 95% that works and at times it does not work.

Is there a way that I can make it when they connect to the wireless network it forces them to go to my terms of service page?

If anyone can help that would be great.

I will throw it out there. I have a Nomadix at a property same setup as with a CCR and I have no DHCP issues with Vista/Windows7 Enterprises PC’s. I also have no issues with guest seeing my tos page.

If you guys need a config of my CCR please let me know.

Thanks All

pukkita · July 9, 2016, 10:32am

Please post the CCR export.

trace323 · July 9, 2016, 1:18pm

jul/01/2016 22:22:19 by RouterOS 6.32.2
# software id = 
#
/interface bridge
add name="Guest Bridge" protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1588 name="ether1 - WAN DHCP"
set [ find default-name=ether2 ] l2mtu=1588 name="ether2" 
set [ find default-name=ether3 ] l2mtu=1588
set [ find default-name=ether4 ] l2mtu=1588
set [ find default-name=ether5 ] l2mtu=1590
set [ find default-name=ether6 ] l2mtu=1590 name="ether6" rx-flow-control=on tx-flow-control=on
set [ find default-name=ether7 ] l2mtu=1590 name="ether7 - MGMT"
set [ find default-name=ether8 ] l2mtu=1590 name="ether8 - LAN"
set [ find default-name=sfp1 ] l2mtu=1590 mac-address=4C:5E:0C:C5:92:37

/ip neighbor discovery
set "ether1 - WAN DHCP" discover=no
set "ether2 - " discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set "ether6 -" discover=no
set "ether7 - MGMT" discover=no
set "ether8 - LAN" discover=no
set sfp-sfpplus1 discover=no
set sfp1 discover=no
set "Guest Bridge" discover=no

/interface vlan
add interface="ether8 - LAN" l2mtu=1586 name=vlan100 vlan-id=100

/ip dhcp-server option
add code=15 name=RuckusDNS

/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-chap,http-pap
add hotspot-address=192.168.10.1 login-by=cookie,http-chap,http-pap name=hsprof1

/ip hotspot user profile
set [ find default=yes ] idle-timeout=1d keepalive-timeout=1d rate-limit=\
    10M/30M session-timeout=1d shared-users=unlimited

/ip pool
add name="Guest Pool" ranges=192.168.10.2-192.168.15.254
add name="MGMT Pool" ranges=192.168.0.11-192.168.0.100

/ip dhcp-server
add add-arp=yes address-pool="Guest Pool" disabled=no interface="Guest Bridge" \
    lease-time=1d name=dhcp1
add add-arp=yes address-pool="MGMT Pool" disabled=no interface="ether7 - MGMT" \
    lease-time=3d name=dhcp2

/ip hotspot
add address-pool="Guest Pool" disabled=no idle-timeout=1d interface=\
    "Guest Bridge" keepalive-timeout=1d name=hotspot1 profile=hsprof1

/queue simple
add limit-at=5M/20M max-limit=5M/20M name=\
    "RM 236 XBOX COD 03/08/16 50:1A:C5:D7:B5:E9" target=192.168.10.174/32

/interface bridge port
add bridge="Guest Bridge" horizon=1 interface=vlan100

/ip settings
set rp-filter=strict

/ip address
add address=192.168.10.1/21 comment="Guest Hotspot" interface="Guest Bridge" \
    network=192.168.8.0
add address=192.168.0.1/24 comment=Managment interface="ether7 - MGMT" network=\
    192.168.0.0

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface="ether1 - WAN DHCP" use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.0.0/24 dhcp-option=RuckusDNS gateway=192.168.0.1
add address=192.168.8.0/21 comment="hotspot network" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.10.1

/ip dns
set allow-remote-requests=no servers=8.8.8.8,8.8.4.4

/ip firewall filter
add chain=input dst-port=67 protocol=udp
add chain=input dst-port=68 protocol=udp

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade LAN network" \
    src-address=192.168.8.0/21
add action=masquerade chain=srcnat comment="masquerade MGMT  network" \
    src-address=192.168.0.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip hotspot ip-binding
add address=192.168.0.0/24 type=bypassed
add comment="XXX" mac-address=00:26:5E:8B:DB:4C type=bypassed
add comment="XXX" mac-address=64:00:6A:39:F5:4C type=bypassed
add address=192.168.14.44 mac-address=D4:0B:1A:5F:16:24 server=hotspot1 \
    to-address=192.168.14.44 type=bypassed

/ip hotspot service-port
set ftp disabled=yes

/ip hotspot user
add name=xx password=xxx

/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=xxxxxxxx(urlfortospage) server=hotspot1

/ip hotspot walled-garden ip
add action=accept disabled=no protocol=icmp server=hotspot1
add action=accept disabled=no dst-port=53 server=hotspot1

/ip proxy
set cache-path=web-proxy1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/lcd
set default-screen=stats-all time-interval=daily

/system ntp client
set primary-ntp=xxxxx
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

pukkita · July 10, 2016, 9:50am

As long as the ip, dhcp server and hotspot server are all set on either the same vlan or bridge interface it shouldn’t make no difference vs using a bridge with just the vlan por added. BTW, why horizon=1?

I have never experienced the problems with vlan interfaces you mention.

What is the CCR firmware (System > Routerboard) ? Is up todate? (latest is 3.27 on CCRs).

What is the POE switch brand/model?

In order to troubleshoot this, you need to torch or capture/wireshark ether8 to check for vlan tags presence, or the vlan interface (no vlan tags) for the specific client mac not getting DHCP. Seems sometimes packets aren’t reaching the CCR with the proper tags.

trace323 · July 10, 2016, 9:40pm

pukkita:

As long as the ip, dhcp server and hotspot server are all set on either the same vlan or bridge interface it shouldn’t make no difference vs using a bridge with just the vlan por added. BTW, why horizon=1?

I have never experienced the problems with vlan interfaces you mention.

What is the CCR firmware (System > Routerboard) ? Is up todate? (latest is 3.27 on CCRs).

What is the POE switch brand/model?

In order to troubleshoot this, you need to torch or capture/wireshark ether8 to check for vlan tags presence, or the vlan interface (no vlan tags) for the specific client mac not getting DHCP. Seems sometimes packets aren’t reaching the CCR with the proper tags.

The reason why I use horizion 1 because it isolates the vlan. It doesn’t let other vlans see it, or mix cross if I have another vlan. So it’s always habit to use it.

Yes I am on the current firmware.

It is a Netgear ProSafe M4100-26POE - I’ve used other switches as swell and same thing. It’s not a switch issue. - If they’re not reaching the Mikrotik with the proper tags, that would be a MIkrotik Issue if correct?

I had a similiar post I did a while ago but it didnt go anywhere to be honest.

I am using a Nomadix Gateway for one of my sites, I have no issues at all with it. Same setup, just with this one I have a Mikrotik.

I can’t do a wireshark on a client pc, it’s hard to do that. Especially when they’re calling in for technical support to get online..

trace323 · July 10, 2016, 9:53pm

It’s gets very irritating because I have a lot of sites where I have Mikrotiks deployed and I have this issues in a lot of them. I have different users throughout the world. I hate removing the vlan and readding the vlan because I really shouldn’t have to do that.

I’m not sure if anyone else have this same issue or not, not sure if they have a similiar setup like I do or not.

I would really want my DHCP to work perfectly with every device and os. Vista, Windows 7, Windows 7 Enterprise , WIndws 8 , Windows 10.

I mean I have removed a Mikrotik in the past and put a regular router. It works fine. No issues with the DHCP for Vista users and Windows 7 Enterprise guest. -

Also, I have issues when user have VPN software on there PC/ goverment laptop/ work laptop they can’t see my Terms Of Service Page because the VPN software does not let them.

The VPN software requires them have * Internet* access before doing anything. Is there a way around this?

I’ve had users with VPN software still be able to manage to my TOS page and get passed my TOS page. Once they passsed my TOS page they can access there VPN and do work stuff.

It’s weird.

trace323 · July 12, 2016, 12:57am

Any?
Anyone else?

pukkita · July 13, 2016, 11:47am

Looks to me you edited the export, is this the case?

When I advised to torch or do a capture for later analysis with wireshark I referred to the mikrotik router, not the users PC.

Regarding horizon, do you add vlans to that bridge? try this: if you don’t need that bridge, put the service on top of the vlan interface directly, just in case RSTP is being triggered for whatever reason on that bridge causing you such problems.

Trying to guess what could be the issue in your case, never experienced problems with DHCP on vlans, but again I haven’t seen a vista PC in years. No problem with either Windows xp, 7, 8, 10, os X 10.6 onwards, ios 7 onwards, or android devices.

Regarding VPN please provide more detail… you’ll had to reverse engineer what “internet probe” is such VPN software trying to access, and add it to the walled garden…

trace323 · August 1, 2016, 11:58pm

Yes, I did edit the export. I removed the unnecessary stuff from it.

I have done a dhcp debugging. It seems the Mikrotik dhcp does the offer but nothing back from the user. Not sure if the packet is going all the way through or not. Ofcourse i cant do wireshark on a user laptop.

Yes , I do add vlans to the bridge. I need that bridge due to my hotspot network. It’s just weird. I can remove the Mikrotik and put a different router and works fine.. No dhcp issues at all.

It’s like a hidden mist from different users.

Electwai · August 2, 2016, 7:45am

Hello folks,
I have a min groove 2hn I want to connect to my rb2011 as an access point so I can broadcast my wireless over a wide area.

The issues now are that :

I can’t get the groove 2hn to relay the dhcp of the rb2011 as in I don’t want the groove to have dhcp but use the dhcp of the rb2011.
I can’t seem to get the groove wireless broadcasting.

trace323 · September 10, 2016, 5:50pm

Anyone???

I need some help on this.. People say they’ve had similar issues and some people say they dont…

pukkita · September 11, 2016, 11:50am

I am puzzled by your problem, have routers (my own home router for example) doing software VLANs for years, zero problems.

If you’re using latest ROS, latest firmware, and have netinstalled the router, and still experience the problem, generate a supout in that same moment and send it to support with a precise description of the problem, or a link to this post.

If you truly experience this on ALL your routers, then I think the common denominator should be on the configs… your problems could be related to MTU.

trace323 · September 11, 2016, 8:55pm

Pukkita:

Yes, I am having major issues with this. I thought it was my config at first, but I manually setup this ups. I’ve been done a simple config, no vlans or anything and same shit. I can take away the Mikrotik and put a diff router and bam works fine. I don’t use netinstall.

Why do you think it would be the MTU?

trace323 · October 5, 2018, 5:22pm

Hello

Anyone else experience is this as well?

ashpri · October 26, 2018, 3:30am

I am, with Hap AC Lite on ROS 6.43.4. The router is connected to an office switch and a public area switch (both Unifi US-24-250W devices). The 5 APs are all Unifi. 1 Native mgmt vlan and 7 tagged vlans.

I have tried:

Making sure admin mac is enabled
Switching bridge between none, STP and RSTP
Switching off bridge fast forward, fast path and unchecked use IP Firewall
Increasing dhcp lease time to 6 hours

We are re-crimping the cables to see if it will solve the issue.

Update : The issue is not mikrotik. There is an unexpected rogue dhcp server in the form of a hdmi over ip transmitter in one of the vlans. What I don’t understand is why it prevents clients in other vlans getting dhcp requests from the mikrotik.