This has been a pain in my ass for some time now, so I came up with a workaround that doesn't care which OS you are using.
So my thinking was that since the client is not logged in to the Hotspot yet, it would not matter if I cut off its internet. So the idea is to put my new clients in a list that will not be allowed to masquerade except for the redirected domain of the Hotspot after the login splash screen. Then on Hotspot login the address list should get a counter of a few minutes, and during that time the Captive Portal stays open presenting the redirected website. When the timer goes to 00:00:00 the captive portal closes and the client continues normally.
Step 1. In the [/ip dhcp-server] used for the hotspot I added a lease-script
lease-script="/ip firewall address-list add list=LoggedIn address=\$leaseActIP comment=\$leaseActMAC"
Step 2. In the [/ip hotspot user profile] I added an on-login script to the client's profile
on-login="/ip firewall address-list set timeout=00:03:00 [find comment=\$\"mac-address\"]"
Step 3. In the [/ip firewall address-list] I added an address-list with the domain of the redirected website
add address=www.redirected-website.com list=Redirection
Step 4. In the [/ip firewall nat] I added a rule to masquerade calls from the IPs in the address-list created from the dhcp-server with direction to the address-list of the redirection domain and another rule for masquerading the Hotspot domain except those in the address-list created from the dhcp-server.
add action=masquerade chain=srcnat dst-address-list=Redirection src-address-list=LoggedIn
add action=masquerade chain=srcnat src-address=10.0.0.0/24 src-address-list=!LoggedIn
Please let me know if this could be made better.
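To see how the four steps interact over time, here is a small Python model of the two srcnat rules and the address-list timeout. It is an added example, not the poster's code; the client IP and MAC, the resolved redirect address and the timestamps are constructed, and "no NAT" is assumed to mean the client has no working internet.

```python
import ipaddress

HOTSPOT_NET = ipaddress.ip_network("10.0.0.0/24")  # src-address of the second NAT rule
REDIRECT_IPS = {"203.0.113.10"}  # constructed: resolved www.redirected-website.com


class AddressList:
    """Models the LoggedIn list: ip -> (comment, expiry); expiry None = no timeout."""

    def __init__(self):
        self.entries = {}

    def add(self, ip, comment):
        # Step 1: the DHCP lease-script adds the leased IP, comment = client MAC.
        self.entries[ip] = (comment, None)

    def set_timeout(self, comment, now, seconds):
        # Step 2: on-login sets a timeout on the entry whose comment is the MAC.
        for ip, (c, _) in list(self.entries.items()):
            if c == comment:
                self.entries[ip] = (c, now + seconds)

    def contains(self, ip, now):
        entry = self.entries.get(ip)
        return entry is not None and (entry[1] is None or now < entry[1])


def srcnat(src, dst, logged_in, now):
    """Evaluate the two masquerade rules of step 4 in order, first match wins."""
    listed = logged_in.contains(src, now)
    if listed and dst in REDIRECT_IPS:
        return "masquerade (rule 1)"
    if ipaddress.ip_address(src) in HOTSPOT_NET and not listed:
        return "masquerade (rule 2)"
    return "no NAT"


def walk_through():
    """Follow one client from DHCP lease, through login, to timer expiry."""
    lst = AddressList()
    mac, ip, other = "AA:BB:CC:00:11:22", "10.0.0.50", "198.51.100.7"
    lst.add(ip, mac)                                   # lease at t=0
    result = [srcnat(ip, other, lst, 0),               # before login, any site
              srcnat(ip, "203.0.113.10", lst, 0)]      # before login, redirect site
    lst.set_timeout(mac, now=60, seconds=180)          # login at t=60, 00:03:00 timer
    result.append(srcnat(ip, other, lst, 100))         # timer still running
    result.append(srcnat(ip, other, lst, 240))         # timer expired, entry gone
    return result, lst
```

Note that in this model a client that takes a lease but never logs in keeps its entry with no timeout, so it stays limited to the redirect address.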