TLS Host & Hotspot

Hello,
I’ve been trying to use TLS Host with Hotspot filter/nat rules, but no luck.
Using an offsite script, I am adding IP addresses via the API to an address-list (HOTSPOT-PREAUTH) that will be able to access services (like facebook), bypassing the hotspot. I know Walled Garden doesn’t work for SSL and we are expecting TLS support for it, but I thought I’d give it a try.

/ip firewall filter add action=return chain=hs-unauth comment="HotSpot BYPASS" src-address-list=HOTSPOT-PREAUTH protocol=tcp tls-host=*.facebook.com
/ip firewall filter add action=return chain=hs-unauth-to comment="HotSpot BYPASS" dst-address-list=HOTSPOT-PREAUTH 
/ip firewall nat add action=return chain=hotspot comment="HotSpot BYPASS" hotspot=!local-dst src-address-list=HOTSPOT-PREAUTH

If I remove tls-host=*.facebook.com, every IP in HOTSPOT-PREAUTH has internet access. With tls-host (and several other hostnames required by facebook to work), I see no matches.

I’ve tried packet/connection marking via mangle rules with tls-host, and matching these packets in the filter/nat rules.
I am seeing matches on the mangle rules, but no matches on the nat/filter rules.

/ip firewall filter add action=return chain=hs-unauth comment="HotSpot BYPASS" packet-mark=SOCIAL-BYPASS src-address-list=HOTSPOT-PREAUTH
/ip firewall filter add action=return chain=hs-unauth-to comment="HotSpot BYPASS" dst-address-list=HOTSPOT-PREAUTH 
/ip firewall nat add action=return chain=hotspot comment="HotSpot BYPASS" hotspot=!local-dst src-address-list=HOTSPOT-PREAUTH
/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=SOCIAL-BYPASS passthrough=yes protocol=tcp src-address-list=HOTSPOT-PREAUTH tls-host=*.facebook.com
/ip firewall mangle add action=mark-packet chain=prerouting connection-mark=SOCIAL-BYPASS new-packet-mark=SOCIAL-BYPASS passthrough=yes

or even

/ip firewall filter add action=return chain=hs-unauth comment="HotSpot BYPASS" connection-mark=SOCIAL-BYPASS src-address-list=HOTSPOT-PREAUTH
/ip firewall filter add action=return chain=hs-unauth-to comment="HotSpot BYPASS" dst-address-list=HOTSPOT-PREAUTH 
/ip firewall nat add action=return chain=hotspot comment="HotSpot BYPASS" hotspot=!local-dst src-address-list=HOTSPOT-PREAUTH
/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=SOCIAL-BYPASS passthrough=yes protocol=tcp src-address-list=HOTSPOT-PREAUTH tls-host=*.facebook.com

I think this is because connection tracking is being done after hotspot rules.
Any thoughts on this? Or is this a dead-end approach?

The tls-host matcher is useless for directly allowing traffic or NAT. You’d need to allow the whole connection, but TCP starts with a SYN packet that doesn’t contain any useful info; the hostname matched by tls-host comes only in a later packet, but then it’s too late.
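To make the reply concrete, here is an added example (not from this thread, and not RouterOS code) that does what a tls-host style matcher has to do: pull the SNI hostname out of a TLS ClientHello and compare it against a wildcard such as *.facebook.com. An empty SYN payload yields no hostname at all, so a rule keyed on tls-host cannot match the packet that opens the connection. The ClientHello bytes are constructed inline for the demonstration.

```python
import struct
from fnmatch import fnmatch

def extract_sni(payload: bytes):
    """Return the SNI host_name from a TLS ClientHello payload, or None.

    A TCP SYN carries no TLS bytes, so it yields None: the hostname only
    exists once the client sends its ClientHello in a later segment.
    """
    # TLS record header: content type 0x16 (handshake), version, length
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    # Handshake header: type 0x01 (ClientHello), 3-byte length
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                       # skip client_version and random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                     # session_id (1-byte length)
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                     # compression_methods
    if pos + 2 > len(hs):
        return None
    end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
    pos += 2
    while pos + 4 <= end:                  # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type == 0x0000 and len(data) >= 5:   # server_name extension
            name_len = struct.unpack("!H", data[3:5])[0]   # list len, type, len
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

def tls_host_matches(payload: bytes, pattern: str) -> bool:
    """Wildcard match like tls-host=*.facebook.com; False when no SNI seen."""
    host = extract_sni(payload)
    return host is not None and fnmatch(host, pattern)

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello whose only extension is SNI."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SYN_PAYLOAD = b""   # constructed: the TCP SYN that opens the connection has no TLS data
```

Because the SYN yields no hostname, any allow or NAT decision that must be made on the first packet cannot see the tls-host value; the mangle approach in the question matches only once the ClientHello arrives, which is why it marks connections but cannot retroactively admit the SYN.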