proxy access list entries affect hotspot walled garden users

Hey guys,

Just noticed an issue between the ip proxy settings and ip hotspot walled-garden settings.

Firstly, an export of my walled garden:

/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes
add action=allow comment="" disabled=no dst-host=*bom.gov.au*
add action=allow comment="" disabled=no dst-host=*google.com.au dst-port=80
add action=allow comment="" disabled=no dst-host=*maps.google.com.au*
add action=allow comment=Paypal-allowance disabled=no dst-host=":^www\\.paypal\\.com\$" dst-port=443
add action=allow comment=Paypal-allowance disabled=no dst-host=":^content\\.paypalobjects\\.com\$" dst-port=443
add action=allow comment=Paypal-allowance disabled=no dst-host=*.akamaiedge.net
add action=allow comment="" disabled=no dst-host=addons.mozilla.org dst-port=443
add action=allow comment="" disabled=no dst-host=sb-ssl.google.com dst-port=443
add action=deny comment="" disabled=no dst-host=images.google.com.au
add action=deny comment="" disabled=no dst-host=video.google.com.au
add action=allow comment=Paypal-allowance disabled=no dst-host=":^www\\.paypal\\.com\$" dst-port=80
add action=allow comment="Allow firefox addons otherwise browser generates error on startup" disabled=no dst-host=addons.mozilla.org dst-port=443
add action=allow comment="similar error to firefox but with google chrome and other google plugins" disabled=no dst-host=sb-ssl.google.com dst-port=443
add action=allow comment="stop error from locking up firefox when using ubiquity" disabled=no dst-host=ubiquity.mozilla.com dst-port=443

and a copy of my proxy acl:

/ip proxy access
add action=allow comment="" disabled=no src-address=192.168.X.X/24
add action=allow comment="if rule not added, no access to walled garden content" disabled=no src-address=172.16.11.0/24
add action=deny comment="" disabled=no

Now the issue:

We occasionally use the web-proxy to get in remotely to a local switch/AP etc. For this reason, although we normally leave the proxy turned off, I have some access rules in there to a) prevent anyone on the internet from finding it as an open proxy while we are doing the work and b) in case someone leaves it on after they've done their work.

I noticed, however, that regardless of the proxy being turned on or off, if I didn't create an allow entry that included the local hotspot users' IP range, then they would simply get the proxy "Error: forbidden" when trying to access any of the sites listed above in the walled garden other than PayPal.

Is anyone seeing similar issues? I know the proxy is used as part of the hotspot redirection/walled garden setup but I wouldn’t think it should share the same access list at all.

This is on an x86 server running v4.3.

Proxy could be disabled, but there is transparent-proxy option, when proxy is used for HotSpot clients (and access-list is used as well).
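The reply above describes the chain that produces the "Error: forbidden" page: a walled-garden hit for plain HTTP is served through the hotspot's transparent proxy, and that proxy applies /ip proxy access on top of the walled-garden rule. The following Python script is an added illustration of that chain, not code from the thread or from MikroTik. It parses a trimmed copy of the two exports posted above (the 192.168.X.X/24 range is replaced by a placeholder 192.168.88.0/24), evaluates a hotspot client's request against both lists, and shows the outcome flipping from "allowed" to "Error: forbidden" when the 172.16.11.0/24 allow rule is disabled. The matching semantics are assumptions of the model: rules are first-match in order, a leading ':' in dst-host marks a regular expression while '*' is a wildcard, and a request that matches no proxy access rule is allowed. It only models port-80 traffic; the port-443 PayPal entries that the thread leaves unexplained are not covered.

```python
import ipaddress
import re

# Constructed samples: trimmed copies of the exports quoted in the thread.
# 192.168.88.0/24 stands in for the poster's 192.168.X.X/24 (assumption).
WALLED_GARDEN_EXPORT = r"""
/ip hotspot walled-garden
add action=allow comment="" disabled=no dst-host=*bom.gov.au*
add action=allow comment="" disabled=no dst-host=*google.com.au dst-port=80
add action=allow comment="" disabled=no dst-host=*maps.google.com.au*
add action=allow comment=Paypal-allowance disabled=no dst-host=":^www\\.paypal\\.com\$" dst-port=80
"""

PROXY_ACCESS_EXPORT = r"""
/ip proxy access
add action=allow comment="" disabled=no src-address=192.168.88.0/24
add action=allow comment="if rule not added, no access to walled garden content" disabled=no src-address=172.16.11.0/24
add action=deny comment="" disabled=no
"""

# key=value tokens; a value is either a double-quoted string (with backslash escapes) or a bare word
TOKEN = re.compile(r'(\S+?)=("(?:\\.|[^"\\])*"|\S*)')


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts, undoing the \\ and \$ escapes RouterOS
    writes inside double-quoted values (simplified: only backslash escapes are handled)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for key, value in TOKEN.findall(line[4:]):
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            rule[key] = value
        rules.append(rule)
    return rules


def host_matches(pattern, host):
    """Assumed dst-host semantics: ':' prefix means regex, otherwise '*' is a wildcard."""
    if pattern.startswith(":"):
        return re.search(pattern[1:], host) is not None
    glob = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(glob, host) is not None


def walled_garden_action(rules, host, port):
    """First enabled matching rule decides; no match means the client gets the login page."""
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        if "dst-host" in rule and not host_matches(rule["dst-host"], host):
            continue
        if "dst-port" in rule and rule["dst-port"] != str(port):
            continue
        return rule["action"]
    return "deny"


def proxy_access_action(rules, src_ip):
    """First enabled rule whose src-address contains the client decides (assumed default: allow)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"], strict=False):
            continue
        return rule["action"]
    return "allow"


def hotspot_http_outcome(src_ip, host, port, walled_garden, proxy_acl):
    """Outcome of an unauthenticated hotspot client's plain-HTTP request: the walled garden
    must allow it, and then the transparent proxy applies /ip proxy access as well."""
    if walled_garden_action(walled_garden, host, port) != "allow":
        return "login-page"
    if proxy_access_action(proxy_acl, src_ip) != "allow":
        return "Error: forbidden"
    return "allowed"


def with_rule_disabled(rules, src_address):
    """Copy of the list with the rule for the given src-address set to disabled=yes."""
    return [dict(r, disabled="yes") if r.get("src-address") == src_address else r for r in rules]


if __name__ == "__main__":
    wg = parse_export(WALLED_GARDEN_EXPORT)
    acl = parse_export(PROXY_ACCESS_EXPORT)
    variants = (("hotspot allow rule enabled", acl),
                ("hotspot allow rule disabled", with_rule_disabled(acl, "172.16.11.0/24")))
    for label, variant in variants:
        for host in ("maps.google.com.au", "www.bom.gov.au", "www.paypal.com", "example.org"):
            print(f"{label:28} {host:20} -> {hotspot_http_outcome('172.16.11.25', host, 80, wg, variant)}")
```

The useful check here is the last host in each group: a host outside the walled garden gets the login page in both variants, so the proxy ACL only changes the outcome for hosts the walled garden already allows, which matches what the thread describes.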

OK, so that's fine. The proxy ACL is also used for walled-garden entries; any idea why the PayPal entries weren't affected in the same way, then?
The walled-garden IP entries, I know, show up as dynamic entries in the firewall filter table, so that explains why they aren't affected; the PayPal one is a bit of a mystery.

You should have a copy of my supout from ticket no: 2010010366000011 if you need to check anything out.

Thanks,
Omega-00

Walled garden is not the same as walled-garden IP.
PayPal entries were addressed to walled-garden. What is the problem with the PayPal entries?

The PayPal entries still worked, while the rest of the entries didn't.

When you have a simple maps.google.com.au without any symbols, does it work?

Just tried now, with dst-host=maps.google.com.au.
I still get the forbidden message (when the access list entry is disabled).

Yet PayPal is still working.

I will be upgrading to 4.5 tomorrow if I haven't seen any issue with it on the test routers, so I will try again after that as well.

What is your local network IP address by the way?