Hello to the community, I'm new to Mikrotik but not to networking, so there has been a learning curve.
I've done extensive Googling and haven't found my exact scenario so I'll explain it first before asking for help on the final piece (which through the process of elimination revolves around the firewall/nat on routerOS).
Topology -
v57 - Internet through ASA with PAT/NAT
v56 - Dry Vlan fed by Mikrotik HS on ether1 (tied to bridge1 for hotspot as per setup tutorials)
HS address on v57 is 172.22.0.5
6500 L3 v57 is 172.22.0.1
Client dhcp scope on v56 is 172.22.0.0/20
Cisco 6500 (L3 v57) -> (WAN EC Trunk) Mikrotik (ether1-hs/bridge) -> 6500 (L2 v56 Dry)
Working Connection NAT on routerOS (6500 is not gateway) -
Clients on v56 get valid IP and CNA pop-up on Apple devices with portal page. Login with credentials and immediately get auth and 'Success' 'Done' on Apple CNA pop-up. Their NAT IP is that of 172.22.0.5 on v57 of the bridge1 containing the hs setup.
I've been testing the hotspot/captive portal for deployment within our networks for guest access - as a replacement for a well known monopolized device that's NO-MAD-X. I've successfully tested a base setup along with some variations. A working portal where our CCR1036-8G-2S+ handles NAT, DHCP, Portal works as expected from online tutorials. I've even got it properly working by offloading DHCP to our linux infrastructure (failover redundancy in place).
Issue arises when trying to offload NAT to our current ASA for PAT/NAT once authenticated through routerOS, essentially leaving routerOS as a 'web server' only for the captive portal. One scenario is when NAT happens on the ASA it completely bypasses the hotspot and lets clients directly to the internet. That was fixed with DNS and DHCP for the specific hotspot vlan to point everything to the bridge-interface the hotspot runs on.
Trouble connections (6500 is gateway and NAT on ASA) -
Clients on v56 get valid IP and CNA pop-up on Apple devices with portal page. Login with credentials and move to rlogin.html ("You are connected, click here") but then times out. Never get 'Success' 'Done' on Apple CNA pop-up but routerOS shows device in auth as active. Their NAT IP is that of the scope 172.22.0.0/20 on v57 with PAT from public pool in ASA.
If I enable NAT rule to masquerade on firewall everything works as expected, except all the PAT for the LAN is over the bridge interface IP (172.22.0.5) only and the individual PAT is lost that was showing after auth but no internet access. So my issue is getting the latter to work properly so each client in 172.22.0.0/20 gets PAT from ASA once auth and actual internet access.
Not sure which 'prints' are needed to understand but a few are below, so sorry for the long first-time post, but any direction is appreciated.
[xponet@DnMS_HS_66] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hs-xpoconnect bridge-xpoconnect pool-xpoconnect xpoconnect 5m
[xponet@DnMS_HS_66] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
11 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
12 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
13 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
14 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
15 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=bridge-xpoconnect dst-port=443
[xponet@DnMS_HS_66] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 v57 1
1 A S 10.0.0.0/8 10.242.100.1 1
2 ADC 10.8.8.0/24 10.8.8.251 v254 0
3 ADC 10.242.0.0/17 10.242.100.66 v64 0
4 ADC 172.22.0.0/20 172.22.0.5 bridge-xpoconnect 0
[xponet@DnMS_HS_66] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 RS ether1-xpoconnect ether 1500 1580 10222 B8:69:F4:55:D1:B0
1 ether2 ether 1500 1580 10222 B8:69:F4:55:D1:B1
2 ether3 ether 1500 1580 10222 B8:69:F4:55:D1:B2
3 ether4 ether 1500 1580 10222 B8:69:F4:55:D1:B3
4 ether5 ether 1500 1580 10222 B8:69:F4:55:D1:B4
5 ether6 ether 1500 1580 10222 B8:69:F4:55:D1:B5
6 ether7 ether 1500 1580 10222 B8:69:F4:55:D1:B6
7 ether8 ether 1500 1580 10222 B8:69:F4:55:D1:B7
8 RS sfp-sfpplus1 ether 1500 1580 10222 B8:69:F4:55:D1:AE
9 RS sfp-sfpplus2 ether 1500 1580 10222 B8:69:F4:55:D1:AE
10 R EC-6500 bond 1500 1580 B8:69:F4:55:D1:AE
11 R bridge-xpoconnect bridge 1500 1580 B8:69:F4:55:D1:B0
12 R v57 vlan 1500 1576 B8:69:F4:55:D1:AE
13 R v64 vlan 1500 1576 B8:69:F4:55:D1:AE
14 R v254 vlan 1500 1576 B8:69:F4:55:D1:AE
[xponet@DnMS_HS_66] >
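The post mentions that moving NAT to the ASA initially let clients bypass the hotspot entirely, which is the failure mode worth checking for whenever the dynamic hotspot chains are touched. The script below is an added example written for this thread, not the poster's configuration or anything MikroTik ships: it parses the `/ip firewall nat print` output in RouterOS's print format (including the disabled rule whose `;;;` comment pushes its properties onto a continuation line), follows the jump chains a not-yet-authenticated client's packet can reach, and reports which destination ports are redirected to the hotspot's local listeners. The sample text is a constructed copy of the NAT print quoted above; the "required" port set (DNS, HTTP, HTTPS) is this example's own assumption about what a captive portal must intercept.

```python
"""Parse RouterOS `/ip firewall nat print` output and report which
destination ports the hotspot intercepts for unauthenticated clients.

Added example for this thread, not the poster's configuration. The sample
below is a constructed copy of the NAT print quoted in the post.
"""
import re
from dataclasses import dataclass, field

SAMPLE_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
 1 D chain=hotspot action=jump jump-target=pre-hotspot
 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
 8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
 9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
11 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
12 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
13 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
14 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
15 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=bridge-xpoconnect dst-port=443
"""

# A rule line starts with its number, optional single-letter flags, then either
# a ";;;" comment (properties follow on the next line) or key=value pairs.
RULE_START = re.compile(r"^\s*(\d+)((?:\s+[XID])*)\s+(.*)$")


@dataclass
class NatRule:
    number: int
    flags: set = field(default_factory=set)
    comment: str = ""
    props: dict = field(default_factory=dict)


def parse_nat_print(text):
    """Turn print output into NatRule objects, merging continuation lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = RULE_START.match(line)
        if m:
            rule = NatRule(int(m.group(1)), set(m.group(2).split()))
            rules.append(rule)
            body = m.group(3)
            if body.startswith(";;;"):
                rule.comment = body[3:].strip()
                continue  # properties arrive on the indented next line
        elif rules:
            rule, body = rules[-1], line.strip()
        else:
            continue
        for token in body.split():
            key, _, value = token.partition("=")
            rule.props[key] = value
    return rules


def unauth_intercepts(rules, start="dstnat"):
    """Map (protocol, dst-port) -> to-ports for every enabled redirect an
    unauthenticated client's packet can reach by following jumps from `start`.
    Rules matching only hotspot=auth clients are skipped."""
    by_chain = {}
    for r in rules:
        if "X" not in r.flags and "chain" in r.props:
            by_chain.setdefault(r.props["chain"], []).append(r)
    hits, seen = {}, set()

    def walk(chain):
        if chain in seen:
            return
        seen.add(chain)
        for r in by_chain.get(chain, []):
            if r.props.get("hotspot") == "auth":
                continue
            if r.props.get("action") == "redirect" and "dst-port" in r.props:
                key = (r.props.get("protocol"), int(r.props["dst-port"]))
                hits[key] = int(r.props.get("to-ports", 0))
            elif r.props.get("action") == "jump":
                walk(r.props["jump-target"])

    walk(start)
    return hits


# Assumption of this example: a captive portal must at least catch DNS and web.
REQUIRED = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}


def captive_portal_gaps(rules):
    """Required ports that no reachable enabled redirect intercepts."""
    return REQUIRED - set(unauth_intercepts(rules))


if __name__ == "__main__":
    parsed = parse_nat_print(SAMPLE_NAT_PRINT)
    for (proto, port), to in sorted(unauth_intercepts(parsed).items()):
        print(f"{proto}/{port} -> hotspot listener {to}")
    print("gaps:", captive_portal_gaps(parsed) or "none")
```

Run it against a fresh `ip firewall nat print` after each change to the hotspot or ASA side; an empty gap set only says the redirects are in place on this router, it cannot tell you whether client traffic actually traverses the bridge, which is the separate question the post's routing setup raises.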