Packet Marking and Simple Queues with Hotspots

Hi,

Just to quickly explain what I’m trying to accomplish - I’d like to allow through all unauthenticated hotspot HTTPS traffic, but place it in a simple queue to stop it gobbling all the bandwidth.

The reason is the usual issue surrounding capturing HTTPS traffic on the hotspot without certificate warnings and HSTS failures - the theory being that if we let the traffic through at a slower rate, the users will eventually go to an HTTP site and get the redirect.

The issue I’m having is that I can allow the HTTPS traffic through OK, and the mangle rules are marking packets; I’m even seeing hits on the simple queue, but when I test, I’m getting full line rate instead of being limited. So the simple queue is either not working as expected or, more likely, my mangle rules are not matching and marking correctly.

Here is the config; I’ve removed the hundreds of lines of WhatsApp prefixes for everyone’s sanity.

/ip firewall address-list
add address=31.13.87.51 comment=WhatsApp list=WhatsApp
add address=169.53.252.64/27 comment=WhatsApp list=WhatsApp
add address=31.13.76.81 comment=WhatsApp list=WhatsApp

/ip firewall filter

add action=accept chain=output log=yes protocol=icmp
add action=return chain=hs-unauth comment="Allow slow un-authed HTTPS" dst-port=443 protocol=tcp
add action=return chain=hs-unauth comment=WhatsApp dst-address-list=WhatsApp
add action=return chain=hs-unauth-to comment="Allow slow un-authed HTTPS" protocol=tcp src-port=443
add action=return chain=hs-unauth-to comment=WhatsApp src-address-list=WhatsApp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes

/ip firewall mangle
add action=mark-packet chain=postrouting dst-port=443 hotspot=!auth new-packet-mark=unauth-https passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting hotspot=!auth new-packet-mark=unauth-https passthrough=yes protocol=tcp src-port=443

/ip firewall nat
add action=return chain=hs-unauth comment="Allow slow un-authed HTTPS" dst-port=443 protocol=tcp
add action=return chain=hs-unauth comment=WhatsApp dst-address-list=WhatsApp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" out-interface="Checkpoint VLAN123"

/queue simple
add limit-at=128k/128k max-limit=128k/128k name=unauth-https packet-marks=unauth-https target=""

I know I’m probably missing something fundamental here - would really appreciate any help or advice you could give!
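As an added check that is not part of the original post, the following Python script parses the exported mangle and simple-queue sections and cross-references the packet marks between them; the EXPORT text is constructed from the config quoted above, and which conditions get flagged (mark names with no producer or no consumer, an empty queue target) is my own choice of what to look at, not anything RouterOS itself reports.

```python
import shlex

# Constructed sample input: the mangle and queue sections quoted in the post above.
EXPORT = """
/ip firewall mangle
add action=mark-packet chain=postrouting dst-port=443 hotspot=!auth new-packet-mark=unauth-https passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting hotspot=!auth new-packet-mark=unauth-https passthrough=yes protocol=tcp src-port=443
/queue simple
add limit-at=128k/128k max-limit=128k/128k name=unauth-https packet-marks=unauth-https target=""
"""

def parse_export(text):
    """Parse RouterOS export text into {section: [{property: value}, ...]}."""
    # Only '/section' headers and 'add ...' lines are handled, which is all the
    # quoted config uses; shlex deals with the key="quoted value" form.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            props = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                props[key] = value
            sections[current].append(props)
    return sections

def lint_marks(sections):
    """Cross-check packet marks between mangle mark-packet rules and simple queues."""
    findings = []
    mangle = sections.get("/ip firewall mangle", [])
    produced = {r["new-packet-mark"] for r in mangle
                if r.get("action") == "mark-packet" and "new-packet-mark" in r}
    consumed = set()
    for q in sections.get("/queue simple", []):
        name = q.get("name", "<unnamed>")
        wanted = {m for m in q.get("packet-marks", "").split(",") if m}
        consumed |= wanted
        for mark in sorted(wanted - produced):
            findings.append(f"queue {name}: packet-mark '{mark}' is never set by any mangle rule")
        if not q.get("target"):
            # Assumption: an empty target is worth a second look, since the quoted queue has one.
            findings.append(f"queue {name}: target is empty")
    for mark in sorted(produced - consumed):
        findings.append(f"mangle: packet-mark '{mark}' is set but no simple queue uses it")
    return findings
```

Paste a fuller export into EXPORT to lint more sections; any line that is not a `/section` header or an `add` line is ignored.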

This is a bit of a cheeky bump to see if maybe someone can help me with my original query.

As an update, I’ve switched on HTTPS login to test with, installed a Let's Encrypt certificate and it all works perfectly fine, except that the CPU on a 16 core CHR image rockets from averaging 4-5% to 22-23% with about 2000 hosts connected (about 200 active and logged in).

CPU usage is an issue as the number of hosts is expected to grow as we load the platform, which is why I’m trying to come up with some out-of-box thinking on how to proceed.