Walled Garden fbcdn.net

Hi all,

I have a hotspot where I want to drop all HTTPS traffic while the user is not identified.

So, as the MikroTik manual says:
https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

I added this firewall rule:

/ip firewall nat add chain=hs-unauth action=return protocol=tcp dst-port=443 place-before=0

With this firewall rule I find that some walled garden rules that were working before seem not to work anymore.

Facebook uses these fbcdn URLs with different IPs in different regions:

https://scontent.fbcn9-1.fna.fbcdn.net/v/t1.0-1/p100x100/52602031_2819965134695431_8468455006855495680_n.png?_nc_cat=106&_nc_ht=scontent.fbcn9-1.fna&oh=3aec456bc9b92f5447bc5bc34ddbdc41&oe=5D06C023
77.226.195.145

https://scontent.fmad3-5.fna.fbcdn.net/v/t1.0-1/p100x100/52602031_2819965134695431_8468455006855495680_n.png?_nc_cat=106&_nc_ht=scontent.fmad3-5.fna&oh=3cf05944b6f2dc798f759d4830034e14&oe=5D06C023
213.99.19.81

https://scontent.ftpe8-3.fna.fbcdn.net/v/t1.0-1/p100x100/52602031_2819965134695431_8468455006855495680_n.png?_nc_cat=106&_nc_ht=scontent.ftpe8-3.fna&oh=4afb49b3c41711d70083d0c44604db20&oe=5D06C023
203.74.69.145

Until now, I had on walled-garden:

/ip hotspot walled-garden
*.fbcdn.net
fbcdn.net

And I could see the images correctly coming from those URLs.

Now I can’t see the images coming from those URLs (sometimes yes, but most of the time not).

I did try to add on walled garden IP:
fbcdn.net
*fbcdn.net
fbcdn

… and more combinations

But I can’t find the rule that works correctly on all the different URLs that can be served by Facebook to show images.

Can anyone help on what to do to be able to see all these URLs correctly with the new firewall rule?


Thanks a lot!!

Hi !!!

Please, anyone? Any idea?

Thanks,

Still finding a solution…

Easy test… create a hotspot.

Add rule:

/ip firewall nat add chain=hs-unauth action=return protocol=tcp dst-port=443 place-before=0

Add on walled garden:

fbcdn.net
*fbcdn.net
fbcdn

and before logging in, open this image in the browser, for example:

https://scontent.fmad3-5.fna.fbcdn.net/v/t1.0-1/p100x100/52602031_2819965134695431_8468455006855495680_n.png?_nc_cat=106&_nc_ht=scontent.fmad3-5.fna&oh=3cf05944b6f2dc798f759d4830034e14&oe=5D06C023


You will see that the image won’t be shown even when we have added the URL to the walled garden!

I’m asking for someone to find the way to keep the firewall rule and add whatever is needed on the walled garden to be able to show the image.


Thanks

It’s because your rule is the first rule - and explicitly drops all HTTPS traffic. The rule that allows the walled garden values likely comes after that.

Paste your /ip firewall filter export and we may be able to tell you the best place to put the rule.

Walled garden setup already restricts user browsing, so why do you want to block all HTTPS for hs-unauth? What are you trying to achieve with this rule? There may be a better way.
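To make the rule-order point concrete, here is a simplified model of first-match evaluation in the hs-unauth chain. It is an added example, not code from the thread or from RouterOS; it assumes rules are checked top-down, models walled-garden entries as accept rules with a '*'-style glob on dst-host, and uses constructed rule lines (the hotspot's own redirect rule is included without its to-ports). It also checks which of the patterns tried in the thread actually cover the regional fbcdn hostnames.

```python
import fnmatch

# Constructed, simplified model of the hotspot's hs-unauth NAT chain: rules are
# checked top-down and the first match decides. Walled-garden entries are
# modelled as accept rules carrying a dst-host glob ('*' matches any run of
# characters, an assumption about RouterOS's wildcard semantics).

def parse_rule(line):
    """Parse one constructed 'add key=value ...' line into a dict."""
    fields = line.split()
    assert fields[0] == "add", "expected an 'add' line"
    return dict(field.split("=", 1) for field in fields[1:])

def rule_matches(rule, host, port):
    """A rule matches when every matcher it carries agrees with the packet."""
    if "dst-port" in rule and int(rule["dst-port"]) != port:
        return False
    if "dst-host" in rule and not fnmatch.fnmatchcase(host, rule["dst-host"]):
        return False
    return True

def evaluate(chain, host, port):
    """Return (index, action) of the first rule matching host:port, or (None, 'no-match')."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, host, port):
            return index, rule["action"]
    return None, "no-match"

def matching_patterns(host, patterns):
    """Which walled-garden dst-host patterns would cover this hostname."""
    return [p for p in patterns if fnmatch.fnmatchcase(host, p)]

# Constructed chain as the thread leaves it: the HTTPS return rule was added
# with place-before=0, so it sits at index 0, ahead of the walled-garden accepts.
RETURN_FIRST = [parse_rule(line) for line in (
    "add chain=hs-unauth action=return protocol=tcp dst-port=443",
    "add chain=hs-unauth action=accept dst-host=*.fbcdn.net",
    "add chain=hs-unauth action=accept dst-host=fbcdn.net",
    "add chain=hs-unauth action=redirect protocol=tcp dst-port=443",  # hotspot's own redirect, to-ports omitted
)]

# The same rules with the return rule moved below the walled-garden accepts.
RETURN_AFTER = RETURN_FIRST[1:3] + [RETURN_FIRST[0], RETURN_FIRST[3]]

TRIED_PATTERNS = ["*.fbcdn.net", "fbcdn.net", "*fbcdn.net", "fbcdn"]

if __name__ == "__main__":
    host = "scontent.fmad3-5.fna.fbcdn.net"  # one of the regional hosts from the thread
    print("patterns covering host:", matching_patterns(host, TRIED_PATTERNS))
    print("return rule first :", evaluate(RETURN_FIRST, host, 443))  # (0, 'return')
    print("return rule after :", evaluate(RETURN_AFTER, host, 443))  # (0, 'accept')
```

With the return rule at index 0 the fbcdn connection never reaches the walled-garden accepts, while the bare entries fbcdn.net and fbcdn do not cover the regional hostnames at all under this glob model.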

Hi Joegoldman,

If you test the rule, it is not filtering all HTTPS, only the HTTPS from sites not added to the walled garden.

I got this from:

https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

SSL certificate key size will impact load on the www service on the hotspot server. The effects of this are seen from hosts that have not yet been authenticated with the server. In this situation various services on these hosts, like Dropbox for example, are trying to contact their servers and are constantly bouncing against the hotspot server. Per experiment, ~60 hosts with only Dropbox installed on them could cause up to 50-60% CPU load on lower end mipsbe devices like the RB951 or similar models.

One option to avoid that would be to disable the HTTPS redirect with this firewall rule:

/ip firewall nat add chain=hs-unauth action=return protocol=tcp dst-port=443 place-before=0

I found it was a nice idea while the user is logging in to the hotspot, to stop seeing some SSL warnings from background apps that try to connect over SSL, and the popups with SSL warnings.

So the test is easy.

Just create a hotspot, add some sites to the walled garden, and even if they are SSL you will be able to see them.

But I found that the URLs I shared can’t be served.

So I’m wondering why.

Thanks !