PCC issue with Hotspot: possible issue with Hotspot: Auth fuction

ne30n2 · July 22, 2017, 10:33am

I am setting up my CCR1009 with following config. I’m implementing pcc method for loadbalancing. Surfing on bridge 2 (LAN with no login Authen) is working fine. However, when it come to surfing on bridge1 (Hotspot Authen) the internet is not working. It is taking long time to load one page and sometime it doesn’t even load up.
Ether1-3: WAN1-3 (WAN1 200Mbs WAN2 200Mbs WAN3 50Mbs)
Ether4-5(bridge1): Hotspot login
Ether6-7(bridge2): Lan with no login

I’m not sure where the problem is. But what I have experiment which solve the issue are

Remove “Hotspot: Auth” setting in PCC method: However this lead to no login page for user => please see screenshot
Disable some of the config in PCC method: Everything work except that it doesn’t utilize full potential of PCC method. This make mikrotik to think that I have an equal speed for each WAN => please see screenshot

Please help.

Here is my code.

/interface bridge
add arp=reply-only comment="bridge1: ether 4-5 as HOTSPOT" name=bridge1
add comment="bridge2: ether 6-7 as LAN" name=bridge2

/interface ethernet
set [ find default-name=ether1 ] comment=Ether name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-WAN
set [ find default-name=ether4 ] name=ether4-HOTSPOT
set [ find default-name=ether5 ] name=ether5-HOTSPOT
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN

/interface pppoe-client
add add-default-route=yes comment=PPPOE disabled=no interface=ether1-WAN \
    keepalive-timeout=10 name="pppoe-out1 (ether1)" password=XXX \
    use-peer-dns=yes user=XXX
add add-default-route=yes disabled=no interface=ether2-WAN keepalive-timeout=\
    10 name="pppoe-out2 (ether2)" password=XXXX use-peer-dns=yes user=\
    XXX

/ip firewall layer7-protocol
add name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip hotspot profile
add dns-name=wifi.xxx.com hotspot-address=10.10.10.1 login-by=\
    http-chap,https,mac-cookie name=HOTSPOT ssl-certificate=\
    wifi_xxx_com.crt_0 use-radius=yes

/ip hotspot
add disabled=no idle-timeout=4h interface=bridge1 name=hotspot1 profile=\
    HOTSPOT

/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=1d on-login=\
    "/tool fetch mode=http url=\"\"" on-logout=\
    "/tool fetch mode=http url=\"\"" shared-users=unlimited \
    transparent-proxy=yes
add !idle-timeout keepalive-timeout=1d name=unlimited_user shared-users=\
    unlimited transparent-proxy=yes
add !idle-timeout keepalive-timeout=1d name=shared1user shared-users=1 transparent-proxy=yes

/ip pool
add name=pool_HOTSPOT ranges=10.10.10.2-10.10.10.254
add name=pool_LAN ranges=10.10.20.2-10.10.20.254

/ip dhcp-server
add add-arp=yes address-pool=pool_HOTSPOT disabled=no interface=bridge1 \
    lease-time=1d name=HOTSPOT_dhcp
add address-pool=pool_LAN disabled=no interface=bridge2 lease-time=4h name=\
    LAN_dhcp

/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw password=\
    xxx time-zone=+07:00

/interface bridge port
add bridge=bridge1 interface=ether4-HOTSPOT
add bridge=bridge1 interface=ether5-HOTSPOT
add bridge=bridge2 interface=ether6-LAN
add bridge=bridge2 interface=ether7-LAN

/ip address
add address=192.168.10.2/24 comment="WAN: ether1" disabled=yes interface=\
    ether1-WAN network=192.168.10.0
add address=192.168.20.2/24 comment="WAN: ether2" disabled=yes interface=\
    ether2-WAN network=192.168.20.0
add address=192.168.30.2/24 comment="WAN: ether3" interface=ether3-WAN \
    network=192.168.30.0
add address=10.10.10.1/24 comment="HOTSPOT: bridge ether4-5" interface=\
    bridge1 network=10.10.10.0
add address=10.10.20.1/24 comment="LAN: bridge ether 6-7" interface=bridge2 \
    network=10.10.20.0
add address=10.0.10.1/24 comment="Access point IP to HOTSPOT" interface=\
    bridge1 network=10.0.10.0
add address=10.0.20.1/24 comment="Access point IP to LAN" interface=bridge2 \
    network=10.0.20.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=10.10.10.0/24 comment="HOTSPOT pool" dns-server=10.10.10.1 \
    gateway=10.10.10.1
add address=10.10.20.0/24 comment="LAN pool" dns-server=10.10.20.1 gateway=\
    10.10.20.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=192.168.20.0/24 comment="WAN1: 192.168.20.0/24" list=WAN2
add address=192.168.30.0/24 comment="WAN1: 192.168.30.0/24" list=WAN3
add address=192.168.10.0/24 comment="WAN1: 192.168.10.0/24" list=WAN1
add address=10.10.10.0/24 comment="HOTSPOT: 10.10.10.0/24" list=LAN_HOTSPOT
add address=10.10.20.0/24 comment="LAN: 10.10.20.0/24" list=LAN_HOTSPOT

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward comment="Block Bittorrent" \
    dst-address-list=!bit-unblock-list layer7-protocol=layer7-bittorrent-exp \
    src-address-list=!bit-unblock-list
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward dst-address-list=!bit-unblock-list \
    layer7-protocol=layer7-bittorrent-exp src-address-list=!bit-unblock-list \
    src-address-type=local
add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address-list=\
    bit-list
add action=drop chain=forward protocol=udp src-address-list=bit-list

/ip firewall mangle
add action=accept chain=prerouting in-interface="pppoe-out1 (ether1)"
add action=accept chain=prerouting in-interface="pppoe-out2 (ether2)"
add action=accept chain=prerouting dst-address-list=WAN3
add action=accept chain=prerouting dst-address-list=LAN_HOTSPOT in-interface=\
    bridge1

add action=mark-connection chain=input comment="INPUT: mark connection" \
    connection-mark=no-mark in-interface="pppoe-out1 (ether1)" \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    "pppoe-out2 (ether2)" new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether3-WAN new-connection-mark=WAN3_conn passthrough=yes

add action=mark-routing chain=output comment="OUTPUT: mark connection" \
    connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes

#PPC HOTSPOT: 4x for WAN1 (200Mbs) + 4x for WAN2 (200Mbs) + 1x for WAN2 (30Mbs)
add action=mark-connection chain=prerouting connection-mark=\
    no-mark dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:9/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:9/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:9/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:9/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    src-address:9/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    src-address:9/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    src-address:9/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    src-address:9/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=\
    src-address:9/8

#PPC LAN: 4x for WAN1 (200Mbs) + 4x for WAN2 (200Mbs) + 1x for WAN2 (30Mbs)
add action=mark-connection chain=prerouting  connection-mark=\
    no-mark dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:9/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:9/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:9/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:9/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=src-address:9/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=src-address:9/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=src-address:9/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=src-address:9/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN3_conn passthrough=yes per-connection-classifier=src-address:9/8

add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes

/ip firewall nat
add action=passthrough chain=unused-hs-chain disabled=yes
add action=masquerade chain=srcnat out-interface="pppoe-out1 (ether1)"
add action=masquerade chain=srcnat out-interface="pppoe-out2 (ether2)"
add action=masquerade chain=srcnat out-interface=ether3-WAN
add action=masquerade chain=srcnat src-address=10.10.10.0/24

/ip route
add check-gateway=ping distance=1 gateway="pppoe-out1 (ether1)" routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway="pppoe-out2 (ether2)" routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.30.1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway="pppoe-out1 (ether1)"
add check-gateway=ping distance=2 gateway="pppoe-out2 (ether2)"
add check-gateway=ping distance=3 gateway=192.168.30.1

Here is the screenshot

ne30n2 · July 24, 2017, 7:15am

I managed to solve this issue by adding NAT rule as following. Hoping someone came across this post will find a solution to there problem.

/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

rftnon · July 25, 2017, 6:23pm

thank you ..

please .. but any work good ?

1500718101460.jpg
or
1500718029195.jpg
or
1500718056415.jpg

ne30n2 · July 26, 2017, 3:57pm

1500718056415.jpg Is working fine after adding the Nat rule in previous post.

rogerdk · December 28, 2018, 7:56pm

Hi, I am having a problem similar to yours, the code you shared to fix it, must be placed at the beggining of nat rules or where?

miankamran7100 · September 12, 2024, 10:16am

haik01:

I managed to solve this issue by adding NAT rule as following. Hoping someone came across this post will find a solution to there problem.
/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

when I use hotspot: auth traffic stop passing from these rules

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan1_conn passthrough=yes
per-connection-classifier=src-address-and-port:2/0 src-address-list=
“LAN-Address List”
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan2_conn passthrough=yes
per-connection-classifier=src-address-and-port:2/1 src-address-list=
“LAN-Address List”[/b].

thanks