
Hotspot login page slow loading (freeradius)

Posted: Tue Oct 02, 2018 11:33 am
by clayntouch
Dear all,

I set up this hotspot system with an external RADIUS server (FreeRADIUS) for authentication and accounting. 3 months ago this worked well, as intended. I also built a Windows application to handle voucher/user creation; this application serves as some sort of user manager.

My problem is that after 3 months my hotspot login page takes too long to load. It is still working, but it takes 10-15 seconds to load the login page, which took only 2 seconds before.

Please see the attached files for the diagram and other screenshots.

I want to apologize in advance; I'm still new to RouterOS and I only followed some videos online that helped me set up my hotspot.

-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan_admin 1500 enabled 10 ether10_LAN
1 R vlan_csg 1500 enabled 20 ether10_LAN
2 R vlan_csx 1500 enabled 30 ether10_LAN
3 R vlan_dorm 1500 enabled 40 ether10_LAN
4 R vlan_hotspot 1500 enabled 99 ether10_LAN
5 R vlan_resto 1500 enabled 50 ether10_LAN
(Note: I only use VLAN 10, 40 and 99.)
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hs-vlan_... vlan_hotspot dhcp_pool173 hsprof2 5m
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /ip hotspot profile> print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no

1 name="hsprof2" hotspot-address=10.0.0.1 dns-name="" html-directory=hs-hotel
html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap,http-pap,mac-cookie
http-cookie-lifetime=1w split-user-domain=no use-radius=yes
radius-accounting=yes radius-interim-update=received
nas-port-type=wireless-802.11 radius-default-domain=""
radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /radius> print
Flags: X - disabled
# SERVICE CAL... DOMAIN ADDRESS SECRET
0 hotspot 192.168.1.55 123456
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S ;;; GLOBE 20MBPS
0.0.0.0/0 120.X.X.X 2
1 A S ;;; PLDT
0.0.0.0/0 210.X.X.X 1
2 A S ;;; PLDT
0.0.0.0/0 210.X.X.X 1
3 ADC 10.0.0.0/22 10.0.0.1 vlan_hotspot 0
4 ADC 120.X.X.X/29 120.X.X.X ether6_GLOBE 0
5 ADC 172.16.10.0/24 172.16.10.1 vlan_csg 0
6 ADC 172.16.20.0/24 172.16.20.1 vlan_csx 0
7 ADC 172.16.50.0/24 172.16.50.1 vlan_resto 0
8 ADC 192.168.1.0/24 192.168.1.1 vlan_admin 0
9 ADC 192.168.2.0/24 192.168.2.1 vlan_dorm 0
10 DC 192.168.88.0/29 192.168.88.1 ether13 255
11 ADC 210.X.X.X/29 210.X.X.X ether5_PLDT 0
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
11 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
12 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
14 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
15 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
16 chain=srcnat action=masquerade out-interface=ether6_GLOBE log=no log-prefix=""
17 chain=srcnat action=masquerade out-interface=ether5_PLDT log=no log-prefix=""
18 chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
-----------------------------------------------------------------------------------------------------
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ROUTE VLAN40>ISP1
chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=192.168.2.0/24 log=no log-prefix=""

1 ;;; ROUTE HOTSPOT>ISP2
chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=10.0.0.0/22 log=no log-prefix=""

2 ;;; ROUTE VLAN10>ISP1
chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=192.168.1.0/24 log=no log-prefix=""

3 ;;; ROUTE VLAN10>ISP1
chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes
src-address=192.168.100.0/24 log=no log-prefix=""

4 chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=172.16.10.0/24 log=no log-prefix=""

5 chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=172.16.20.0/24 log=no log-prefix=""

6 chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes
src-address=172.16.50.0/24 log=no log-prefix=""

Re: Hotspot login page slow loading (freeradius)

Posted: Wed Oct 03, 2018 9:50 am
by clayntouch
Dear all,

Can anyone also help me understand why I can't ping my eth gateway through the LAN?

E.g. router's gateway (10.0.0.1/23) VLAN99 (hotspot VLAN gateway)
But I can't ping it from my laptop (10.0.0.100).

I think this is the cause of my trouble, since my login page resides on the MikroTik itself (10.0.0.1).

Re: Hotspot login page slow loading (freeradius)

Posted: Thu Nov 07, 2019 12:04 pm
by clayntouch
Hi, I already solved this problem. The cause of this trouble is my primary ISP (I'm using load balancing through mangle routing). Once my ISP1 is down, my hotspot page responds very slowly, like 2-3 mins. My remedy for this is to deactivate the ISP1 Ethernet port once it is down.

Re: Hotspot login page slow loading (freeradius)

Posted: Thu Nov 07, 2019 1:32 pm
by mkx
clayntouch wrote: "The cause of this trouble is my primary ISP (I'm using load balancing through mangle routing). Once my ISP1 is down, my hotspot page responds very slowly, like 2-3 mins. My remedy for this is to deactivate the ISP1 Ethernet port once it is down."

This sounds like both mangle rules and fasttrack are active at the same time. They're not compatible, so when using mangle rules, fasttrack has to be disabled (or severely reconfigured not to fasttrack packets which have to be mangled).
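
One way to act on the suggestion above, shown as an added example that is not part of the original thread. The thread never shows the filter table, so step 1 first checks whether a FastTrack rule exists at all; the address-list name `policy-routed` is an assumption, and the subnets are copied from the mangle rules in the first post.

```routeros
# Added example (RouterOS v6 CLI), not taken from any poster's router.

# 1. Check whether any FastTrack rule is present. An empty result means
#    FastTrack is not in use and is not the cause of the problem.
/ip firewall filter print where action=fasttrack-connection

# 2a. Simplest option: turn FastTrack off, so every packet passes
#     through the prerouting mangle rules that set the routing mark.
/ip firewall filter disable [find action=fasttrack-connection]

# 2b. Alternative: keep FastTrack, but never fast-track connections that
#     involve a policy-routed subnet. "policy-routed" is a hypothetical
#     list name; the entries mirror the src-address values of the
#     mark-routing rules shown in the first post.
/ip firewall address-list
add list=policy-routed address=10.0.0.0/22 comment="hotspot"
add list=policy-routed address=192.168.1.0/24
add list=policy-routed address=192.168.2.0/24
add list=policy-routed address=192.168.100.0/24
add list=policy-routed address=172.16.10.0/24
add list=policy-routed address=172.16.20.0/24
add list=policy-routed address=172.16.50.0/24

# Exclude both directions, because one connection carries packets to and
# from the listed subnets.
/ip firewall filter
set [find action=fasttrack-connection] \
    src-address-list=!policy-routed dst-address-list=!policy-routed

# 3. Verify: after new connections are made, the FastTrack rule counters
#    should no longer grow for the excluded subnets.
/ip firewall filter print stats where action=fasttrack-connection
```

On this router every LAN subnet appears in a mark-routing rule, so 2b leaves nothing to fast-track and 2a has the same effect; 2b is the form to use when only some subnets are policy-routed.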

Re: Hotspot login page slow loading (freeradius)

Posted: Thu Nov 07, 2019 1:45 pm
by clayntouch
I don't know fasttrack, sir, but I'll search for it. Thank you for this information.