Many issues in my HotSpot network.

Hello everyone,

I’m setting up the Hotspot internet for my apartment, but I’ve got many issues. First of all, I will explain my configuration.

I’m using a MikroTik Cloud Core CCR-1009-8G-1S with two fiber-optic WANs; the settings are:

/ ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="10.10.0.1" disabled=no port=89
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/
/ system clock
set time-zone-name=Asia/Bangkok
/
/ system ntp client
set enabled=yes mode=unicast primary-ntp=128.138.141.172 secondary-ntp=118.175.67.83
/
#|
#|
#| Define all parameters
#|
#|
:global wanAddress1 192.168.1.1/24
:global wanNetwork1 192.168.1.0
:global wanNetwork1Subnet 192.168.1.1/24
:global wanBroadcast1 192.168.1.255
:global wanGateway1 192.168.1.1

:global wanAddress2 192.168.2.1/24
:global wanNetwork2 192.168.2.0
:global wanNetwork2Subnet 192.168.2.1/24
:global wanBroadcast2 192.168.2.255
:global wanGateway2 192.168.2.1

:global localAddress 10.10.0.1/16
:global localNetwork 10.10.0.0
:global localNetwork2 10.10.0.0/16
:global localBroadcast 10.10.255.255
:global localGateway 10.10.0.1
:global localDNS 10.10.0.1
:global localPool 10.10.0.100-10.10.254.254

:global dnsServer 8.8.8.8,8.8.4.4

#|
#|
#| Assign interface names
#|
#|
/interface set "ether1" name="PORT1_LAN"
/interface set "ether2" name="PORT2_WAN"
/interface set "ether3" name="PORT3_WAN"
/interface set "ether4" name="PORT4_LAN"
/interface set "ether5" name="PORT5_LAN"
/interface set "ether6" name="PORT6_LAN"
/interface set "ether7" name="PORT7_LAN"
/interface set "ether8" name="PORT8_LAN"


#|
#|
#| Assign master port switch
#|
#|
/interface ethernet set PORT4_LAN,PORT5_LAN,PORT6_LAN,PORT7_LAN,PORT8_LAN master-port=PORT1_LAN


#|
#|
#| Assign IP addresses to our interfaces
#|
#|

#| Port 2 -> WAN 1
/ip address add address=$wanAddress1 network=$wanNetwork1 broadcast=$wanBroadcast1 interface=PORT2_WAN

#| Port 3 -> WAN 2
/ip address add address=$wanAddress2 network=$wanNetwork2 broadcast=$wanBroadcast2 interface=PORT3_WAN

#| Port 1 -> Local LAN
#| Port 4 -> Local LAN
#| Port 5 -> Local LAN
#| Port 6 -> Local LAN
#| Port 7 -> Local LAN
#| Port 8 -> Local LAN
/ip address add address=$localAddress network=$localNetwork broadcast=$localBroadcast interface=PORT1_LAN


#|
#| Mark incoming packets on the input chain
#|
/ip firewall mangle add chain=input in-interface=PORT2_WAN action=mark-connection new-connection-mark=PORT2_WAN_conn
/ip firewall mangle add chain=input in-interface=PORT3_WAN action=mark-connection new-connection-mark=PORT3_WAN_conn


#|
#| Mark routing for packets on the output chain
#|
/ip firewall mangle add chain=output connection-mark=PORT2_WAN_conn action=mark-routing new-routing-mark=to_PORT2_WAN
/ip firewall mangle add chain=output connection-mark=PORT3_WAN_conn action=mark-routing new-routing-mark=to_PORT3_WAN


#|
#| Accept all packets if they come from the local LAN
#|
/ip firewall mangle add chain=prerouting dst-address=$wanNetwork1Subnet action=accept in-interface=PORT1_LAN
/ip firewall mangle add chain=prerouting dst-address=$wanNetwork2Subnet action=accept in-interface=PORT1_LAN

#|
#| Load-balance packets (PCC)
#|
/ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=PORT1_LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=PORT2_WAN_conn passthrough=yes
/ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=PORT1_LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=PORT3_WAN_conn passthrough=yes

#|
#| Mark the outgoing WAN for packets
#|
/ip firewall mangle add chain=prerouting connection-mark=PORT2_WAN_conn in-interface=PORT1_LAN action=mark-routing new-routing-mark=to_PORT2_WAN
/ip firewall mangle add chain=prerouting connection-mark=PORT3_WAN_conn in-interface=PORT1_LAN action=mark-routing new-routing-mark=to_PORT3_WAN


#|
#| Add routing table
#|
/ip route add dst-address=0.0.0.0/0 gateway=$wanGateway1 routing-mark=to_PORT2_WAN check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=$wanGateway1 distance=1 check-gateway=ping


/ip route add dst-address=0.0.0.0/0 gateway=$wanGateway2 routing-mark=to_PORT3_WAN check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=$wanGateway2 distance=2 check-gateway=ping


#|
#|
#| Assign NAT
#|
#|
/ip firewall nat add chain=srcnat out-interface=PORT2_WAN action=masquerade
/ip firewall nat add chain=srcnat out-interface=PORT3_WAN action=masquerade


#|
#|
#| Assign allow DNS
#|
#|
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=$dnsServer


#|
#|
#| Assign DHCP server
#|
#|
/ip pool add name=default-dhcp ranges=$localPool
/ip dhcp-server add name=default address-pool=default-dhcp interface=PORT1_LAN disabled=no
/ip dhcp-server network add address=$localNetwork2 gateway=$localGateway dns-server=$localDNS

To summarize the settings above: ether1 is the primary LAN port, and ether2 and ether3 are the WAN ports, which perform the load balancing. I’ve also assigned the local IP subnet as 10.10.0.0/16, and the local gateway and DNS are 10.10.0.1.

When I run the scripts above, everything works very well. Then I also ran the script to prevent viruses and DNS flooding that is provided by the MikroTik wiki site. That also works well; still no problem.

But right after I enabled the hotspot and RADIUS features on my MT using WinBox (enabled via the GUI, not a script), these issues occurred:

1. When unauthorized users access some website (e.g. Facebook), it does not redirect them to the login page. It tries to connect to that site until it returns a connection timed out error. Unauthorized users have to manually enter the login page URL in order to log in. This issue happens both over a wireless connection and over a plugged-in LAN cable.

2. When I tried to use my iPhone (with iOS 8.4) to connect to my HotSpot WiFi, the CNA appears and shows the login page, but after I logged in, I was redirected to the status page, and the CNA did not close automatically as it is supposed to. So the WiFi still does not connect. The only option I have is to press cancel at the top right of the CNA, and then the WiFi will not be connected. I know that I could just open the web browser and enter the login URL and then I can use my WiFi, or follow this tutorial http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot#iOS_popup_checker_override, but I think this is not a good approach for the end-users at all; I would leave this as my final approach. This issue happens only with iOS devices (iPhone and iPad) with iOS 8.4. I can log in and surf the Internet with no problem on a device plugged in with a LAN cable.

2.1 So, I’ve modified alogin.html to stop it from opening the status page in a popup window and force it to redirect to Google:

<script language="JavaScript">
<!--
    function startClock() {
        location.href = 'http://www.google.com';
    }
//-->
</script>

What happened after I tried to log in on my iPhone is that I still faced the same problem. When I logged in from the iOS CNA, it redirected me to the Google site, but it showed only a white blank page for a short time, then it redirected me to the status page again! It looks like I’m accessing the Google site without authenticating with the system, but actually I did!

Could somebody figure out these problems for me? My firewall and hotspot information is posted below.

Firewall Filters

0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!aut>
      log=no log-prefix="" 

 1  D chain=forward action=jump jump-target=hs-unauth-to 
      hotspot=to-client,!auth log=no log-prefix="" 

 2  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no 
      log-prefix="" 

 3  D chain=input action=drop protocol=tcp hotspot=!from-client 
      dst-port=64872-64875 log=no log-prefix="" 

 4  D chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix="" 

 5  D chain=hs-input action=accept protocol=udp dst-port=64872 log=no 
      log-prefix="" 

 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no 
      log-prefix="" 

 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no 
      log-prefix=""

Firewall NAT

0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client log=no 
      log-prefix="" 

 1  D chain=hotspot action=jump jump-target=pre-hotspot log=no log-prefix="" 

 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 
      log=no log-prefix="" 

 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 
      log=no log-prefix="" 

 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp 
      hotspot=local-dst dst-port=80 log=no log-prefix="" 

 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp 
      hotspot=local-dst dst-port=443 log=no log-prefix="" 

 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp 
      hotspot=!auth log=no log-prefix="" 

 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 
      log=no log-prefix=""

Hotspot profile

 
 1   name="hsprof1" hotspot-address=10.10.0.1 
     dns-name="internet.ppresidence.com" html-directory=hotspot rate-limit="" 
     http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=http-pap 
     split-user-domain=no use-radius=yes radius-accounting=yes 
     radius-interim-update=received nas-port-type=wireless-802.11 
     radius-default-domain="" radius-location-id="" radius-location-name="" 
     radius-mac-format=XX:XX:XX:XX:XX:XX

DNS

servers: 8.8.8.8,8.8.4.4
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 5000KiB
          cache-max-ttl: 1w
             cache-used: 32Ki

I feel like it is my incorrect firewall filter and NAT configuration, but I don’t know where the problems are.

Thank you.
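As an added example (not part of the post, and not MikroTik code), the dynamic hotspot dstnat rules quoted under "Firewall NAT" above can be traced by hand with a small rule walker: it shows which rule a client packet hits before anything is changed. The matcher semantics in the comments are my paraphrase of the RouterOS `hotspot=` matchers, 10.10.0.1 is the hotspot-address from the profile above, and 203.0.113.10 is a constructed remote-site address.

```python
# Added example (not from the post or from MikroTik): trace a packet through
# the dynamic hotspot dstnat rules quoted under "Firewall NAT" above.
# Assumed matcher semantics (paraphrased from the RouterOS hotspot matchers):
#   hotspot=from-client  packet comes from a client on a hotspot interface
#   hotspot=local-dst    destination is one of the router's own addresses
#   hotspot=auth / !auth client is / is not logged in to the hotspot
ROUTER_IPS = {"10.10.0.1"}                 # hotspot-address from the profile
UNSHOWN_CHAINS = {"hs-unauth", "hs-auth"}  # the post does not list their rules

# (chain, matchers, action) transcribed in order from the listing
RULES = [
    ("dstnat",  {"from_client": True},                              ("jump", "hotspot")),
    ("hotspot", {},                                                 ("jump", "pre-hotspot")),
    ("hotspot", {"proto": "udp", "dport": 53},                      ("redirect", 64872)),
    ("hotspot", {"proto": "tcp", "dport": 53},                      ("redirect", 64872)),
    ("hotspot", {"proto": "tcp", "local_dst": True, "dport": 80},   ("redirect", 64873)),
    ("hotspot", {"proto": "tcp", "local_dst": True, "dport": 443},  ("redirect", 64875)),
    ("hotspot", {"proto": "tcp", "auth": False},                    ("jump", "hs-unauth")),
    ("hotspot", {"proto": "tcp", "auth": True},                     ("jump", "hs-auth")),
]

def client_packet(dst, proto, dport, auth):
    """Build a packet as seen from a hotspot client (constructed sample)."""
    return {"from_client": True, "local_dst": dst in ROUTER_IPS,
            "proto": proto, "dport": dport, "auth": auth}

def matches(matchers, pkt):
    """A rule matches when every listed matcher equals the packet's field."""
    return all(pkt.get(k) == v for k, v in matchers.items())

def trace(pkt, chain="dstnat"):
    """Return the first terminating action, or None if the packet falls through.
    A jump into a chain the post does not show is reported as the result;
    pre-hotspot is the empty user hook chain by default, so it is assumed empty."""
    for rule_chain, matchers, (kind, arg) in RULES:
        if rule_chain != chain or not matches(matchers, pkt):
            continue
        if kind != "jump" or arg in UNSHOWN_CHAINS:
            return (kind, arg)
        result = trace(pkt, arg)      # follow the jump; None means it fell through
        if result is not None:
            return result
    return None

if __name__ == "__main__":
    # 203.0.113.10 is a constructed remote-site address (TEST-NET-3)
    pkt = client_packet("203.0.113.10", "tcp", 443, auth=False)
    print("unauth client -> 203.0.113.10:443 ->", trace(pkt))
```

For an unauthenticated client, only DNS and connections to the router's own address are redirected in the visible rules; anything else over TCP ends in hs-unauth, whose rules are not in the post, so that chain (and the matching hs-unauth filter chain) is where the redirect behaviour has to be checked.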