Is it just me that finds Mikrotik email support very unhelpful?
For example, look at this email exchange:
First, I state the issue and ask for solutions:
I have an issue here with users stealing internet via apps like Freedom
and HTTP injectors.
AFAIK they can do this because mikrotik hotspot allows DNS requests for
unauthorized users
Any solutions?
I get this reply:
On 6/26/2018 2:09 PM, Martins S. [MikroTik Support] wrote:
Hello,
You can add firewall filter rules that drop DNS requests to your router. You can learn how to configure firewall rules from this wiki page:
He says to drop DNS requests to the router, I note that the portal requires DNS
On 6/27/2018 8:32 AM, Martins S. [MikroTik Support] wrote:
Hello,
Drop DNS requests by using firewall rule that works only with parameter “hotspot=!auth”.
Best regards,
Martins S.
He suggests that the PARAMETER should be used, i.e. parameter “hotspot=!auth”
I did not understand. I ask for clarification:
My email:
I have a Hotspot running. If I drop all DNS requests clients will not be
able to resolve the hotspot portal address!
Please send me the command to drop all DNS requests for unauthorized
hotspot users
Mikrotik reply:
Hello,
You can not drop DNS requests from unauthorised users on local interface and allow to resolve hotspot DNS at the same time. If you want to drop DNS requests from unauthorised users under local interface, then you can not use dns-name on hotspot server.
Best regards,
Martins S.
None of my questions answered, just repeating exactly what I told him, that is frustrating.
I ask:
What is meant by Parameter:
Drop DNS requests by using firewall rule that works only with parameter “hotspot=!auth”.
Mikrotik reply:
Hello,
Hotspot is parameter that can be configured on firewall filter rule.
Best regards,
Martins S.
Makes sense??
To note, this valuable exchange took over 10 days to complete… no, not complete…
Sorry, but in my opinion the first response contains everything you need to know, to resolve your issue (if your suspicions are correct, of course).
Why not drop DNS to everything except where you need it ? What is unclear in those emails ?
And your opinion, sir, is certainly better than mine. Just an update, fair is fair and all that, 2 minutes after this post I received a reply from mikrotik, with a workable solution. And about 2 hours after this post I received another reply to my second ticket. Amazing
The solution I received was to drop all DNS traffic, which is workable. But your solution would be better, if I can allow DNS only where I need it that would be great. I need DNS only to resolve the hotspot portal address, i.e., hotspot.com resolves to 192.168.88.1
I suggest not putting any personal information, like the name of the replier, in a posting on a public forum. Mikrotik can always ask what your ticket number is, to look into any communication if needed.
Thank you to the previous poster for the workaround, since he said it is not ideal. I am eager to know what your solution was. Please post it for our benefit
You know, “does not work” is not a very useful reply. You wrote that drop rules from support worked, except they dropped all DNS. If you add mine before them, it will allow queries for a specific hostname. So some possible explanations are that you deleted rules from support and only used mine (wrong, everything would be allowed then), or perhaps the required hostname is not literally “hotspot.com” and you did not adjust the regexp correctly, etc… But the response needs more details than just “does not work”.
I had thought that the solution received from Mikrotik was workable, but it is not, as it drops connections from the router itself too. So now, the router cannot resolve DNS or ping or anything.
You did something, but it’s only you who knows exactly what. Nobody here can see it. Even the best of us can make mistakes, typos sneak in unnoticed, things like that. And it’s sometimes hard to see one’s own mistakes, it’s a proven fact. Some people export their configs, post them here for others to see, and often with very good results.
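The policy discussed in the thread (accept DNS from unauthorized hotspot clients only for the portal hostname, drop everything else, with the accept rule evaluated before the drop) can be modelled offline; this is an added example, not code or rules posted by anyone in the thread. The function names and sample queries are constructed for illustration. It also shows why the hostname must be matched against the DNS wire format: the name travels as length-prefixed labels, so the literal text "hotspot.com" never appears in the packet.

```python
import re
import struct

PORTAL_NAME = "hotspot.com"  # portal hostname named in the thread

def build_query(name, qtype=1):
    """Build a minimal DNS query payload (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(payload):
    """Return the question name in lowercase, or None if malformed."""
    if len(payload) < 13 or struct.unpack("!H", payload[4:6])[0] != 1:
        return None
    pos, labels = 12, []
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        # Labels are at most 63 bytes; pointers are not valid here.
        if length > 63 or pos + 1 + length > len(payload):
            return None
        raw = payload[pos + 1:pos + 1 + length]
        labels.append(raw.decode("ascii", "replace").lower())
        pos += 1 + length
    return None  # ran off the end without a terminating zero label

def decide(payload, authorized):
    """First match wins, mirroring an accept rule placed before a drop rule."""
    if authorized:
        return "accept"           # rule scope is unauthorized clients only
    if parse_qname(payload) == PORTAL_NAME:
        return "accept"           # exact name, not a substring match
    return "drop"                 # any other DNS from unauthorized clients

def literal_match(payload):
    """Search for the dotted text form; fails because dots are not on the wire."""
    return re.search(re.escape(PORTAL_NAME).encode(), payload) is not None

if __name__ == "__main__":
    for name in ("hotspot.com", "example.org", "hotspot.com.example.org"):
        q = build_query(name)
        print(name, decide(q, authorized=False), literal_match(q))
```

The exact comparison in `decide` matters: a longer name that merely starts with the portal name is dropped, which an unanchored pattern match would not guarantee.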