Hello everyone,

This system is running a hotspot, sometimes an user shows up and the CPU goes to 100%. I've tried to search what's going on and i'm stuck at this.
The only thing I know is the user does not authenticate and start to send/receive this packets.

Any ideas? A script / firewall to block this?

If 100kbps of traffic causes 100% CPU use you have much bigger problems...

Use Tools / Profile to find out where the CPU is spent.

Hi R1CH,
Thanks for your reply.

Everytime this happens I block the MAC in Hotspot > IP-Binginds.

So it happened again today and here are some informations:



Sometimes it does not take 100% CPU use, just around 15-25% ( only for this IP tasks ).
I've noticed that it happens with Android phones, and appears that it's trying to reach Google IP's.

Hi R1CH,
Thanks for your reply.

Everytime this happens I block the MAC in Hotspot > IP-Binginds.

So it happened again today and here are some informations:



Sometimes it does not take 100% CPU use, just around 15-25% ( only for this IP tasks ).
I've noticed that it happens with Android phones, and appears that it's trying to reach Google IP's.

Add this rules
/ip firewall filter
add action=accept chain=pre-hs-input comment="Limit https unauth " \
connection-state=new disabled=no dst-limit=1,1,src-address/1m40s dst-port=\
64875 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no dst-port=\
64875 protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=pre-hs-input comment="limit http unauth" \
connection-state=new disabled=no dst-limit=1,1,src-address/1m40s dst-port=\
64874 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no dst-port=\
64874 protocol=tcp reject-with=icmp-admin-prohibited


It will cap http/https auth request, and CPU usage will back to normal.
5.x compatible, not sure if 6.x will need some syntax changes.

Position this rules on top of others pre-hs-inpit rules

Hi karwos,

I've tested on 6.x, it worked as it seems to be.

As soon this problem happen again I'll test this rules and post a reply here.
Thanks!

i tested the above rules with hotspot login page.
when i click rapidly (F5) refresh in chrome at login page i can see that mikrotik cpu usage was 20-30%. the above rules didnt filter this.
when i was rapidly pressing a bookmark http link (http://www.imdb.com) at chrome the cpu usage was normal 5-10%. above rules was filtering my attempt.

Why are you running a hotspot on a switch? The switch should have limited firewall rules. All the natting and hotspot functionality should be on a router.

i tested the above rules with hotspot login page.
when i click rapidly (F5) refresh in chrome at login page i can see that mikrotik cpu usage was 20-30%. the above rules didnt filter this.
when i was rapidly pressing a bookmark http link (http://www.imdb.com) at chrome the cpu usage was normal 5-10%. above rules was filtering my attempt.

This rules was written for 5.x and well tested.
I remember there was some diffrence in time counting in 5.x not remember now.
Though, yiu can check rule counters, and see which rule didn't hit the request ( did you moved these rules on top if chain ? (

yes i moved them at top.
the rules are working when you make multiple requests to login to hotspot. eg when you try to open a set of mupltiple bookmarks at once or when you click various bookmarks too fast.
thanx for this rule set.

Hi paulct,

This is a work-in-progress system to control hotspot use and integration with hotel programs.
So I'm testing in various types of RouterOS based systems, such as CRS's, RB's and CCR's.
This problem showed up ( until now ) on CRS's site.

You can see more here:
user: trial
pass: trial
http://prodatastelecom.com.br/sites/mikrotik/airspot/