Missing first ping with Hotspot

I am having a very strange issue and hope to get some answers here. Basically, the ping to a static LAN IP address will always have the 1st packet time out, then the rest of the packets appear to be fine (in the 2-3 ms range). If I ping the same IP again immediately, everything is fine. After 2-3 minutes, the first packet will time out again. Same result whether I ping from a local PC or from the MikroTik itself.
I am using a Cloud Core 1009 with a Hotspot server (no User Manager) set up on a bridge which currently only includes ether3. ether1 is used to connect to an ADSL router and ether2 connects to a satellite broadband modem (only a few static IP addresses are routed to use this connection).

The LAN network is 10.10.1.0/16 and the 10.10.1.x range is used by the static IP addresses of APs and IP Phones. All static IP addresses are added to IP-Binding in Hotspot. ZoneDirector and the IP PBX are added to the Walled Garden list. The DHCP server range is 10.10.3.x - 10.10.5.x, so all hotspot users are in this range.

Filter rule:

add chain=forward comment="accept established and replated Packet" connection-state=established,related,new
add action=drop chain=forward comment="Drop invalid Packet" connection-state=invalid
add chain=input comment="accept established and related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add chain=input comment="Accept Winbox" dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="Accept Ping on Hotspot" protocol=icmp src-address=10.10.0.0/16
add action=drop chain=input comment="Drop ping from non-Hotspot network" protocol=icmp

NAT:
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" dis
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address
add action=dst-nat chain=dstnat comment="Port forwarding VNC" dst-port=5900 protoco
    5900
add action=masquerade chain=srcnat comment="NAT for Satellite" log=yes out-interfac

Mangle:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark Route for Satellite" new-routing-mark=Satellite passthrough=no \
    src-address-list=Satellite
add action=mark-connection chain=forward comment="Mark connection for AP Router" new-connection-mark=AP_Router_Connection \
    out-interface=ether1 src-address-list=AP_Router
add action=mark-packet chain=forward comment="Mark Packet for AP Router" connection-mark=AP_Router_Connection \
    new-packet-mark=AP_Router_Packet passthrough=no

Hotspot:

/ip hotspot profile
add hotspot-address=10.10.1.1 http-cookie-lifetime=10m name=hsprof1
/ip hotspot
add address-pool=Hotspot_pool disabled=no interface=Bridge_Hotspot name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=2m mac-cookie-timeout=5m rate-limit=256K/1M session-timeout=30m shared-users=2
add name=admin shared-users=5 transparent-proxy=yes
add idle-timeout=30m keepalive-timeout=5m name=staff rate-limit=256K/1M transparent-proxy=yes
/ip hotspot ip-binding
add address=10.10.1.2 type=bypassed
add address=10.10.1.3 type=bypassed
add address=10.10.1.38 type=bypassed
add address=10.10.1.5 type=bypassed
add address=10.10.1.7 type=bypassed
add address=10.10.1.101 type=bypassed
add address=10.10.1.10-10.10.1.189 type=bypassed
add address=10.10.1.200 type=bypassed
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=10.10.1.2 server=hotspot1
add action=accept disabled=no dst-address=10.10.1.3 server=hotspot1

Any thoughts would be appreciated!

When using the hotspot it does strange things to layer 2. This is because by default the router ARP poisons the layer 2 network to enable it to act as the default gateway for misconfigured clients. But because it does this, it makes it difficult for devices to communicate directly, because the ARP tables get messed up on the networking equipment. This typically isn’t an issue because in a hotspot you don’t want devices to communicate directly; it is generally an uncontrolled network.

So depending on what your end goal is, there are a couple of options.
1.) Set address-pool= to “none” under IP Hotspot to disable the proxy-arp function
2.) Set another layer2 network off of a different interface and use that as a DMZ of sorts for any PCs, printers, and servers that you want to offer. This allows you to lock things down with the built in firewall instead of leaving them exposed on an open network.

Hi, thanks for your input. I cannot use option 2; it is not possible in this particular network infrastructure. If I understand correctly, I set address-pool=none in the Hotspot server, but the wifi client device still picks up an IP address from the DHCP server on “Hotspot Bridge”, accesses the login page and completes the authentication process?
Will give it a try.

Yes, every other service/mechanism will work like it should; it just disables the ARP poisoning. So what you do lose is someone bringing in a computer, connecting to wireless with a static IP in a different range, and then being able to get online.

Feklar, thank you very much. It worked like a charm!
Not too worried about someone bringing in computers and setting a static IP. It’s a holiday resort and WiFi is free. The static IP range is queued to a very slow rate anyway.

However, later on I might need to set an IP for a particular user (or an address-pool for a user profile) so that it can be routed to the satellite connection on ether2.
I take it that this is not possible with Proxy-ARP disabled?

Alternatively, I could mark packets within the user profile and then use the packet mark to route traffic to eth2.

Static IP addresses work fine with or without proxy-arp. The reason why the MikroTik does it is for misconfigured clients. Let's say your hotspot network is 192.168.10.0/23, and a user comes in with a static IP address of 10.0.10.25/24 and a default gateway set to 10.0.10.1. With proxy-arp running the MikroTik can act as if it is 10.0.10.1 even though it has no IP address within that range, since it replies to all ARP requests as if it owns every IP. The packet is then passed on to the hotspot service within the MikroTik and handled from there.

There are several ways to modify how the router will route specific things, in your case the easiest would likely be to have a user profile that assigns them to an address list. You can then refer to that address list in the mangle rules to modify how things are routed. You will also need to get packets from authorized users out of the hotspot process, this is easily done with this NAT rule.

/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth

This basically stops packets from being passed to the hotspot process once a user has been authorized on the network. Traffic then will flow through the mangle rules as it normally would. Without this rule traffic is considered to be leaving from the router itself and would require a separate set of rules to get policy based routing done.
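As an added example (not configuration from the thread), one way to wire Feklar's suggestion into the original poster's existing "Satellite" mangle rule: a hotspot user profile that populates the address list, the pre-hotspot NAT rule, and a marked route out ether2. The satellite gateway 10.20.0.1, the profile name, user name and password are placeholders; the list name and the mangle rule are the poster's own.

```routeros
# Added example, not from the thread. Assumptions (placeholders): the
# satellite modem gateway on ether2 is 10.20.0.1; profile/user names and
# the password are made up. List and mark names match the poster's
# existing "Mark Route for Satellite" mangle rule.

# 1. User profile: each authenticated user of this profile has their
#    session IP added to the "Satellite" address list.
/ip hotspot user profile
add name=satellite-users address-list=Satellite rate-limit=256K/1M \
    transparent-proxy=yes idle-timeout=30m

# 2. A user assigned to that profile (credentials are placeholders).
/ip hotspot user
add name=sat-user password=CHANGE_ME profile=satellite-users server=hotspot1

# 3. Keep authorized users' traffic out of the hotspot process so the
#    prerouting mangle rule treats it as ordinary forwarded traffic.
/ip firewall nat
add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept \
    comment="bypass hotspot processing for authorized users"

# 4. The poster's existing mangle rule (repeated here for completeness).
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=Satellite \
    new-routing-mark=Satellite passthrough=no comment="Mark Route for Satellite"

# 5. Route for packets carrying the Satellite mark via the modem on ether2.
/ip route
add dst-address=0.0.0.0/0 gateway=10.20.0.1 routing-mark=Satellite \
    comment="Default route for Satellite-marked traffic"

# 6. The poster's existing srcnat masquerade on ether2 ("NAT for Satellite")
#    translates the source address. To check that a logged-in user was
#    added to the list and that the marked route exists:
#    /ip firewall address-list print where list=Satellite
#    /ip route print where routing-mark=Satellite
```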

Thanks for your informative reply! Will give the address list a try. Again, very much appreciated!