Very strange problem with Mikrotik HotSpot

First, sorry for my English.
I want to ask you for your help in solving a very serious and strange problem.

I have 1100AHx2 connected to my private network with several public Access Points.
On the RouterBoard I have an active HotSpot server with a users db and captive portal through which users must log in to gain access to the Internet.

Everything was working perfectly, but since the beginning of this year (maybe after upgrading RouterOS) I have been seeing unexplained behavior with this hotspot.
For some users, when they connect to the access point, the captive portal from MikroTik does not appear.
They have a total denial of service with the Mikrotik (192.168.0.1/23).
They can get an IP address from the DHCP pool on this Mikrotik, but then they can’t ping the router and the HotSpot captive portal doesn’t show. And of course they do not have access to the Internet.

BUT some other users on the same Access Point (at the same time) but with different mobile phones, tablets or notebooks do have access. After approximately 1-2 days the set of working and non-working users is different.

BUT, when I disable the HotSpot (in IP->HotSpot->Servers) and enable it again, all users begin working (for a while, for hours or for a few days, it varies).

I’m totally desperate.

Here is log from active HotSpot:

Feb  3 15:58:42 MikroTik DanielaH (192.168.0.86): trying to log in by cookie
Feb  3 15:58:42 MikroTik DanielaH (192.168.0.86): using profile <ziaci>
Feb  3 15:58:42 MikroTik DanielaH (192.168.0.86): adding ip->user binding
Feb  3 15:58:42 MikroTik DanielaH (192.168.0.86): logged in
Feb  3 15:58:42 MikroTik DanielaH (2C:8A:72:8F:6B:C2): remove cookie: user logged in
Feb  3 15:58:42 MikroTik DanielaH (2C:8A:72:8F:6B:C2): add cookie: user logged in
Feb  3 15:58:50 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :50762 -> 192.168.0.1:53
Feb  3 15:58:50 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 15:59:02 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :58736 -> 192.168.0.1:53
Feb  3 15:59:02 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 15:59:20 MikroTik hotspot1: new host detected 74:04:2B:2C:4A:F1/192.168.0.39 by UDP :54048 -> 192.168.0.1:53
Feb  3 15:59:20 MikroTik hotspot1: host 74:04:2B:2C:4A:F1/192.168.0.39 is blocked
Feb  3 15:59:30 MikroTik hotspot1: new host detected E0:2C:B2:09:A7:82/192.168.0.56 by UDP :12989 -> 192.168.0.1:53
Feb  3 15:59:30 MikroTik hotspot1: host E0:2C:B2:09:A7:82/192.168.0.56 is blocked
Feb  3 15:59:52 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :51767 -> 192.168.0.1:53
Feb  3 15:59:52 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:00:05 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :20212 -> 192.168.0.1:53
Feb  3 16:00:05 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:00:20 MikroTik hotspot1: new host detected 74:04:2B:2C:4A:F1/192.168.0.39 by UDP :55918 -> 192.168.0.1:53
Feb  3 16:00:20 MikroTik hotspot1: host 74:04:2B:2C:4A:F1/192.168.0.39 is blocked
Feb  3 16:00:31 MikroTik hotspot1: new host detected E0:2C:B2:09:A7:82/192.168.0.56 by UDP :24008 -> 192.168.0.1:53
Feb  3 16:00:31 MikroTik hotspot1: host E0:2C:B2:09:A7:82/192.168.0.56 is blocked
Feb  3 16:00:56 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :52291 -> 192.168.0.1:53
Feb  3 16:00:56 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:01:07 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :16441 -> 192.168.0.1:53
Feb  3 16:01:07 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:01:23 MikroTik hotspot1: new host detected 74:04:2B:2C:4A:F1/192.168.0.39 by UDP :29483 -> 192.168.0.1:53
Feb  3 16:01:23 MikroTik hotspot1: host 74:04:2B:2C:4A:F1/192.168.0.39 is blocked
Feb  3 16:01:31 MikroTik hotspot1: new host detected E0:2C:B2:09:A7:82/192.168.0.56 by UDP :36269 -> 8.8.8.8:53
Feb  3 16:01:31 MikroTik hotspot1: host E0:2C:B2:09:A7:82/192.168.0.56 is blocked
Feb  3 16:01:58 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :59117 -> 192.168.0.1:53
Feb  3 16:01:58 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:02:11 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :42875 -> 192.168.0.1:53
Feb  3 16:02:11 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:02:23 MikroTik hotspot1: new host detected 74:04:2B:2C:4A:F1/192.168.0.39 by UDP :8101 -> 192.168.0.1:53
Feb  3 16:02:23 MikroTik hotspot1: host 74:04:2B:2C:4A:F1/192.168.0.39 is blocked
Feb  3 16:02:31 MikroTik hotspot1: new host detected E0:2C:B2:09:A7:82/192.168.0.56 by UDP :22234 -> 8.8.8.8:53
Feb  3 16:02:31 MikroTik hotspot1: host E0:2C:B2:09:A7:82/192.168.0.56 is blocked
Feb  3 16:03:11 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :57696 -> 192.168.0.1:53
Feb  3 16:03:11 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:03:12 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :16228 -> 192.168.0.1:53
Feb  3 16:03:12 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:03:29 MikroTik hotspot1: new host detected 74:04:2B:2C:4A:F1/192.168.0.39 by UDP :43195 -> 192.168.0.1:53
Feb  3 16:03:29 MikroTik hotspot1: host 74:04:2B:2C:4A:F1/192.168.0.39 is blocked
Feb  3 16:04:08 MikroTik hotspot1: new host detected E0:2C:B2:09:A7:82/192.168.0.56 by UDP :14842 -> 192.168.0.1:53
Feb  3 16:04:08 MikroTik hotspot1: host E0:2C:B2:09:A7:82/192.168.0.56 is blocked
Feb  3 16:04:13 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :2919 -> 192.168.0.1:53
Feb  3 16:04:13 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:04:22 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :52663 -> 192.168.0.1:53
Feb  3 16:04:22 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:04:34 MikroTik hotspot1: static host 20:6E:9C:8D:8B:05/192.168.0.141 added, ip 192.168.0.141
Feb  3 16:05:03 MikroTik hotspot1: new host detected 00:F8:1C:33:F1:20/192.168.0.85 by UDP :16839 -> 192.168.0.1:53
Feb  3 16:05:03 MikroTik 00:F8:1C:33:F1:20 (192.168.0.85): trying to log in by mac
Feb  3 16:05:03 MikroTik 00:F8:1C:33:F1:20 (192.168.0.85): local user not found
Feb  3 16:05:03 MikroTik 00:F8:1C:33:F1:20 (192.168.0.85): login failed: invalid username or password
Feb  3 16:05:03 MikroTik hotspot1: static host 00:F8:1C:33:F1:20/192.168.0.85 added, ip 192.168.0.85
Feb  3 16:05:06 MikroTik KlaraZ (192.168.0.85): trying to log in by cookie
Feb  3 16:05:06 MikroTik KlaraZ (192.168.0.85): using profile <ziaci>
Feb  3 16:05:06 MikroTik KlaraZ (192.168.0.85): adding ip->user binding
Feb  3 16:05:06 MikroTik KlaraZ (192.168.0.85): logged in

WHY IS SOMEONE BLOCKED AND SOMEONE ELSE NOT???
And what does this “blocked” mean?

I have no active Firewall rules now because of this, but there is no problem.
After restarting the hotspot, no one is blocked. But only for a while…

Many Thx for all advice.

Two things come to mind-

SSL and IP address pool size. SSL was my first thought, but after reading the entire post, I’m thinking that isn’t related because resetting the hotspot wouldn’t fix issues where some clients require a more secure SSL than your certificate has… so I’m thinking IP address pool…

Is it common that many users have a different “to address” than their actual address in the hosts tab?

Check your IP pools for used addresses and see if it looks like you’re just running out of addresses…

We had to start using /22 on all of our hotspots when the explosion of i-things took place a few years ago.

I’ve verified this before.
The DHCP address pool has many unused addresses. In addition, I set the lease time to one hour and a few minutes today
but without positive results.
As I mentioned before, the assignment of IP addresses is working fine, but then communication of the host with the hotspot server is denied (it looks like by the hotspot itself).

I don’t use any SSL for now.

Right, but there’s also a list (I forget just where - I think it’s on the pool itself) of available IPs for the hotspot to use. Normally, it tries to use the same IP for the hotspot IP as the host IP… but an address might be free in DHCP but still reserved in the hotspot.

This is due to the fact that the hotspot also tries to allow clients to use the service without changing their IP address configuration at all. If a user shows up with a corporate laptop and they don’t have admin rights to change the IP configuration of their network settings, they may have a static IP of 10.241.186.94/16 on their computer, but the hotspot will just assign a dummy IP of 192.168.1.12 and nat based on this…

If THAT pool is empty, then it would behave like you’re seeing…

I’m not saying this is guaranteed to be the source of the problem, but it /could/ be the problem, so check it out. Anything more than that, and I’d have to do packet captures or something like that to figure out more about what’s going on on the wire itself.

You are absolutely right. Something occurred to me thanks to your contribution. Maybe…
Maybe you mean the list (IP->Hotspot->Hosts). There is a long list of active hotspot clients with their IP address and MAC address.
Some records remain hanging for several days or until I restart the hotspot.

That’s the one. Perhaps you need an idle timeout on your hotspot.

Zero, You are my HERO!
It seems that this was the problem. As you say, I had set “none” on idle timeout.
Now I have set a 30 min timeout and everything is working again.
I will see after some time.

MANY, MANY, MANY THX.

Can you tell this happened to me before? :)
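
An added example, not part of the thread and not code from any poster: a small Python triage script for the hotspot log format shown in the first post. It counts how often each MAC is reported "is blocked" and whether that host ever reaches "logged in". The sample lines are copied from the log above; the function name `triage` and the `min_blocks` threshold are assumptions.

```python
import re
from collections import defaultdict

# Subset of lines copied from the log in the first post.
SAMPLE_LOG = """\
Feb  3 15:58:50 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :50762 -> 192.168.0.1:53
Feb  3 15:58:50 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 15:59:02 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :58736 -> 192.168.0.1:53
Feb  3 15:59:02 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 15:59:52 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :51767 -> 192.168.0.1:53
Feb  3 15:59:52 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:00:05 MikroTik hotspot1: new host detected 8C:3A:E3:35:45:A6/192.168.0.72 by UDP :20212 -> 192.168.0.1:53
Feb  3 16:00:05 MikroTik hotspot1: host 8C:3A:E3:35:45:A6/192.168.0.72 is blocked
Feb  3 16:00:56 MikroTik hotspot1: new host detected 24:0A:64:16:EB:89/192.168.0.76 by UDP :52291 -> 192.168.0.1:53
Feb  3 16:00:56 MikroTik hotspot1: host 24:0A:64:16:EB:89/192.168.0.76 is blocked
Feb  3 16:05:03 MikroTik hotspot1: new host detected 00:F8:1C:33:F1:20/192.168.0.85 by UDP :16839 -> 192.168.0.1:53
Feb  3 16:05:06 MikroTik KlaraZ (192.168.0.85): logged in
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
DETECTED = re.compile(r"new host detected ([0-9A-F:]{17})/" + IP + r" by")
BLOCKED = re.compile(r"host ([0-9A-F:]{17})/" + IP + r" is blocked")
LOGGED_IN = re.compile(r"\(" + IP + r"\): logged in\s*$")

def triage(log_text, min_blocks=2):
    """Return (per-MAC stats, sorted MACs blocked >= min_blocks times that never logged in)."""
    stats = defaultdict(lambda: {"ip": None, "detected": 0, "blocked": 0, "logged_in": False})
    ip_to_mac = {}  # login lines carry only the IP, so remember which MAC last used it
    for line in log_text.splitlines():
        if m := DETECTED.search(line):
            mac, ip = m.groups()
            stats[mac]["ip"], ip_to_mac[ip] = ip, mac
            stats[mac]["detected"] += 1
        elif m := BLOCKED.search(line):
            mac, ip = m.groups()
            stats[mac]["ip"], ip_to_mac[ip] = ip, mac
            stats[mac]["blocked"] += 1
        elif m := LOGGED_IN.search(line):
            mac = ip_to_mac.get(m.group(1))
            if mac:
                stats[mac]["logged_in"] = True
    stuck = sorted(mac for mac, s in stats.items()
                   if s["blocked"] >= min_blocks and not s["logged_in"])
    return dict(stats), stuck

if __name__ == "__main__":
    stats, stuck = triage(SAMPLE_LOG)
    for mac in stuck:
        print(mac, stats[mac]["ip"], "blocked", stats[mac]["blocked"], "times, never logged in")
```

The MACs it lists are the ones to look up in IP->Hotspot->Hosts when checking for the stale entries discussed in the thread.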