YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

dunga · January 26, 2011, 10:13am

Hello All,
I have witnessed some issues in my MT.I am using it as a Hotspot for my wireless and wired connections. When someone login to hotspot and the time exhausted, he cannot open any web site again but cant still chat. I want to know why such is happening and why must it be so.

I want a situation where as the ticket in hotspot exhausts, all connections will be closed including yahoo chat unless the person login again.

Your help will be appreciated.

Here is my firewall rules
[admin@SILVER] /ip firewall> export

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=drop chain=forward comment=“tcp connection limit”
connection-limit=41,32 disabled=no protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting comment=“http mark” disabled=no
dst-port=80 new-connection-mark=http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=http_conn
disabled=no new-packet-mark=http_conn passthrough=no
add action=mark-connection chain=prerouting comment=“p2p mark” disabled=no
new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment=“” connection-mark=p2p_conn
disabled=no new-packet-mark=p2p_conn passthrough=no
add action=mark-connection chain=prerouting comment=“smtp mark” disabled=no
dst-port=25 new-connection-mark=smtp_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=smtp_conn
disabled=no new-packet-mark=smtp_conn passthrough=no
add action=mark-connection chain=prerouting comment=“pop mark” disabled=no
dst-port=110 new-connection-mark=pop_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=“” connection-mark=pop_conn
disabled=no new-packet-mark=pop_conn passthrough=no
add action=mark-connection chain=prerouting comment=“other connections”
disabled=no new-connection-mark=other_conn passthrough=yes
add action=mark-packet chain=prerouting comment=“” connection-mark=other_conn
disabled=no new-packet-mark=other_conn passthrough=no
add action=mark-connection chain=prerouting comment=“sip mark”
connection-type=sip disabled=no new-connection-mark=sip_conn passthrough=
yes
add action=mark-packet chain=prerouting comment=“” disabled=no
new-packet-mark=sip_conn packet-mark=sip_conn passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether2
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
disabled=no src-address=192.168.200.0/24
/ip firewall service-port
set ftp disabled=no ports=21

sergejs · January 26, 2011, 2:37pm

I have witnessed some issues in my MT.I am using it as a Hotspot for my wireless and wired connections. When someone login to hotspot and the time exhausted, he cannot open any web site again but cant still chat. I want to know why such is happening and why must it be so.

I’m not big expert in yahoo chat. However I assume, that message are posted in program somehow, but they are not delivered to the person, who should receive them. If you do not have any walled-garden or other exception rules.

Feklar · January 26, 2011, 3:17pm

My best guess is that this is because they have left Yahoo chat up, and it has an established connection in the router. Because it’s an established connection, and not a new one, it will continue to work.

dunga · January 28, 2011, 12:13pm

How can this be stopped as it is making things difficult for us.I need it to be stopped.

Thanks

sergejs · January 28, 2011, 2:02pm

If user clicked logout button, there should not be any established connections left.

Feklar · January 28, 2011, 3:05pm

dunga said it was after a hard timeout in the hotspot however and not them clicking on the logout button. I’ve seen the same thing happen when when you block a specific IP address in the filter, if they have any established connections in the connection tracking table, they can continue with those connections. Any new ones are blocked. You have to clear out those connections from the table in order to prevent those specific connections from continuing to pass traffic.

There’s not really a clean way of doing it with a hard timeout. You can clear out the connections table, but by doing that you basically are going to break everyone’s connection until the reestablish it. Not a big deal for normal web browsing, but if anyone has a VPN going or is streaming something that can cause problems for them.

You can script something that will clear out the connections for only certain IP addresses, that would be the best way of doing it, but I don’t know of a reliable way of you getting or storing their specific IP address to be used in a script. You could attempt to grab all of the IP addresses from unauthorized users and clear out their connections, and run the script every so often, or upon a logout event. This is off the top of my head, but the script should look something like this:

:foreach ENTRY in=[/ip hotspot host find !authorized] do={
:local IP [/ip firewall address-list get number=$ENTRY address ];
/ip firewall connection remove [/ip firewall connection find src-address~"^$IP:"]
}