For now my solution was to capture the devices that make a connection to captive.apple.com (the phones do a connectivity check against that host), put them in an address list, and use a script to copy the address list into IP bindings (I didn't test whether it would work with the walled-garden src-address-list), so they can bypass the hotspot. (I already tried only walled-gardening captive.apple.com; it just gives the iPhone a false positive, making it think it has free internet.)
So far I have checked that every step is OK: the MikroTik does the redirection according to the hotspot rules (and to the hotspot page on the MikroTik), but the iPhone never brings up the captive portal or the default browser with the captive-portal URL. We even tried entering the local address in a browser (Chrome, Safari), and it reports that the connection doesn't work; it is as if it were trying to go through a proxy, like the Google Data Saver (that is a guess, not a conclusion).
Edited: Added a second image as proof that the MikroTik responds correctly to the user, serving it login.html.
After that nothing happens on the iPhone.
I will paste the export compact:
# RouterOS "export compact" pasted by the author. Only non-default settings are
# shown, and the address-list -> ip-binding copy script mentioned in the post is
# not part of this export.
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
# ether2 (hotspot LAN) answers ARP only for addresses it already knows; entries are
# created by the DHCP server (add-arp=yes below) or statically in /ip arp.
set [ find default-name=ether2 ] arp=reply-only
set [ find default-name=ether3 ] master-port=ether2
/interface pptp-client
# connect-to / user / password are placeholders redacted by the author.
add connect-to=x.x.x.x disabled=no name=pptp-out1 password=X-XXXxxxXx user=x-X
/interface eoip
add !keepalive mac-address=02:B3:1B:44:9F:A0 name=eoip-tunnel1 remote-address=172.16.30.9 tunnel-id=3090
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Hex-escaped DNS labels: the three alternatives decode to check.googlezip.net,
# compress.googlezip.net and datasaver.googleapis.com (Chrome Data Saver proxy),
# the same hosts that are sinkholed in /ip dns static below. The value continues
# on the following line (trailing backslash).
add name=Data-saver regexp="\\x05\\x63\\x68\\x65\\x63\\x6b\\x09\\x67\\x6f\\x6f\\x67\\x6c\\x65\\x7a\\x69\\x70\\x03\\x6e\\x65\\x74|\\x08\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73\\x09\\x67\\x6f\\x6f\\x67\\x6c\\x65\\x7a\\x69\\x70\\x03\\x6e\\x65\\x74|\\x09\
\\x64\\x61\\x74\\x61\\x73\\x61\\x76\\x65\\x72\\x0a\\x67\\x6f\\x6f\\x67\\x6c\\x65\\x61\\x70\\x69\\x73\\x03\\x63\\x6f\\x6d"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Profile used by hotspot1. Logins are authenticated against the /radius servers
# (use-radius=yes); cookie login lasts one day.
add dns-name=hotspot.local.com hotspot-address=192.168.88.1 html-directory=flash/hotspot http-cookie-lifetime=1d login-by=cookie,http-chap,http-pap name=hsprof2 use-radius=yes
/ip hotspot user profile
# shared-users=10: one hotspot account may be logged in from up to 10 devices at once.
set [ find default=yes ] keepalive-timeout=2h shared-users=10
/ip pool
add name=hs-pool-2 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.89.20-192.168.89.254
add name=hs-pool-5 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
# dhcp1 serves the hotspot LAN on ether2 and creates the ARP entries that
# arp=reply-only relies on (see the author's NOTE2).
add add-arp=yes address-pool=hs-pool-2 disabled=no interface=ether2 lease-time=4h name=dhcp1
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=ether4 name=dhcp2
/ip hotspot
add address-pool=hs-pool-2 disabled=no idle-timeout=45m interface=ether2 name=hotspot1 profile=hsprof2
# Second hotspot on ether5 (10.5.50.0/24) uses the default profile, not hsprof2.
add address-pool=hs-pool-5 interface=ether5 name=hs-ether5
/queue simple
add max-limit=9M/22M name=Internet queue=pcq-upload-default/pcq-download-default target=192.168.88.0/24
/snmp community
# NOTE(review): the default community accepts queries from any source (0.0.0.0/0)
# and the input chain below has no final drop rule, so if /snmp is enabled the
# agent is reachable from ether1 (WAN) as well. Consider restricting addresses=
# to the management ranges already used for ssh/telnet in /ip service.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
# Restricted operator group: no write/policy, no telnet/ssh/ftp; does include
# "sensitive" and "password".
add name=work policy=local,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!telnet,!ssh,!ftp,!write,!policy,!dude skin=WorkCafe
/interface bridge port
add bridge=bridge1 interface=ether4
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.89.1/24 disabled=yes interface=ether4 network=192.168.89.0
add address=10.5.50.1/24 comment="hotspot network" interface=ether5 network=10.5.50.0
add address=192.168.45.2/30 interface=eoip-tunnel1 network=192.168.45.0
/ip arp
# Static ARP for 192.168.88.93; the same MAC has a static DHCP lease and a
# bypassed ip-binding below.
add address=192.168.88.93 interface=ether2 mac-address=80:2A:A8:30:96:A2
/ip dhcp-client
add dhcp-options=hostname,clientid
# WAN uplink; presumably supplies the default route (the static default in
# /ip route is disabled).
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Static leases; every MAC here also appears as a bypassed entry in
# /ip hotspot ip-binding.
add address=192.168.88.93 client-id=1:80:2a:a8:30:96:a2 mac-address=80:2A:A8:30:96:A2 server=dhcp1
add address=192.168.88.15 client-id=1:5c:51:81:82:e9:7d mac-address=5C:51:81:82:E9:7D server=dhcp1
add address=192.168.88.16 client-id=1:b8:63:4d:e6:21:9e mac-address=B8:63:4D:E6:21:9E server=dhcp1
add address=192.168.88.17 client-id=1:b8:63:4d:ee:e2:53 mac-address=B8:63:4D:EE:E2:53 server=dhcp1
add address=192.168.88.14 client-id=1:5c:51:81:82:e9:5f mac-address=5C:51:81:82:E9:5F server=dhcp1
add address=192.168.88.13 client-id=1:b0:c0:90:ba:1e:8f mac-address=B0:C0:90:BA:1E:8F server=dhcp1
/ip dhcp-server network
# netmask=32 hands each hotspot client a /32 — presumably to keep clients from
# talking to each other directly (see the "Bloqueo Entre Clientes" filter rule).
# Clients are told to use Google DNS, but the dstnat rules below rewrite all
# port-53 traffic to OpenDNS anyway.
add address=192.168.88.0/24 comment="hotspot network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=32
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for anyone
# who can reach port 53. The input chain below only accepts the hotspot LAN and
# drops DNS arriving on pptp-out1; nothing covers ether1, so the resolver is
# presumably open toward the Internet — confirm and add a drop for udp/tcp 53
# with in-interface=ether1 (or a general final input drop).
set allow-remote-requests=yes cache-size=20480KiB servers=208.67.222.123,208.67.220.123
/ip dns static
# All entries resolve to the same 146.112.61.106 (presumably a block page); the
# two petardas.com entries are disabled, the Data Saver hosts are active.
add address=146.112.61.106 disabled=yes name=petardas.com
add address=146.112.61.106 disabled=yes name=www.petardas.com
add address=146.112.61.106 name=check.googlezip.net
add address=146.112.61.106 name=datasaver.googleapis.com
add address=146.112.61.106 name=compress.googlezip.net
/ip firewall address-list
# Resolved by name; used as dst-address-list by the add-src-to-address-list rule.
add address=captive.apple.com list="Captive APPLE"
/ip firewall filter
# Rule order matters: first match wins.
# iPhone bypass: a forward packet toward "Captive APPLE" adds the client's source
# IP to "Iphones" for 5s (log=yes). While listed, the client is accepted in
# forward here and in dstnat (see /ip firewall nat) ahead of the "place hotspot
# rules here" anchors where the hotspot inserts its dynamic rules, so it is not
# redirected to the login page during that window.
# NOTE(review): captive.apple.com is also listed in /ip hotspot walled-garden, so
# the connectivity check reaches Apple and gets a genuine success reply — this
# matches the "false positive" described in the post and could be why the portal
# never appears. Worth re-checking whether that walled-garden entry is intended.
add action=drop chain=input comment="Bloqueo Chrome Data Saver" layer7-protocol=Data-saver src-address=192.168.88.0/24
# Accept everything else from the hotspot LAN to the router itself.
add action=accept chain=input src-address=192.168.88.0/24
add action=accept chain=forward src-address-list=Iphones
add action=accept chain=input dst-address-list=Iphones
add action=add-src-to-address-list address-list=Iphones address-list-timeout=5s chain=forward dst-address-list="Captive APPLE" log=yes
# Disabled: 104.104.43.69 is also allowed in /ip hotspot walled-garden ip.
add action=accept chain=forward disabled=yes dst-address=104.104.43.69 src-address=192.168.88.0/24
# Disabled connection-rate limit toward the RADIUS host on tcp/80.
add action=drop chain=forward connection-limit=15,32 disabled=yes dst-address=radius.external.server.cloud dst-port=80 log=yes log-prefix=RADIUSDOS protocol=tcp
add action=drop chain=forward comment="Bloqueo Chrome Data Saver" layer7-protocol=Data-saver src-address=192.168.88.0/24
add action=accept chain=forward comment="Aceptar Conexion Contra AWS" dst-address=radius.external.server.cloud
# Anchor for the hotspot's dynamic rules (disabled passthrough, never matches).
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Client isolation within the hotspot subnet.
add action=drop chain=forward comment="Bloqueo Entre Clientes " dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=drop chain=input comment="Bloqueo Flood DNS" dst-port=53 in-interface=pptp-out1 protocol=udp
/ip firewall nat
# Listed iPhones skip the rest of dstnat, including the hotspot redirect, while
# their 5s address-list entry lasts.
add action=accept chain=dstnat src-address-list=Iphones
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address-list=Iphones to-addresses=208.67.222.123
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Enmascaramiento General" out-interface=ether1
add action=masquerade chain=srcnat disabled=yes out-interface=*6
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.88.94 to-addresses=192.168.88.1
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
# Force all client DNS (udp and tcp) to OpenDNS regardless of the configured server.
add action=dst-nat chain=dstnat comment="Redireccion a OpenDNS" dst-port=53 protocol=udp to-addresses=208.67.222.123
add action=dst-nat chain=dstnat comment="Redireccion a OpenDNS" dst-port=53 protocol=tcp to-addresses=208.67.222.123
/ip hotspot ip-binding
# type=bypassed: these MACs / IPs never see the login page. Entries without
# server= apply to both hotspots.
add mac-address=80:2A:A8:30:96:A2 type=bypassed
add disabled=yes mac-address=00:DB:DF:74:27:37 server=hotspot1 type=bypassed
add disabled=yes mac-address=00:1C:25:18:18:57 server=hotspot1 type=bypassed
add mac-address=A0:99:9B:79:6B:99 type=bypassed
add mac-address=B0:C0:90:BA:1E:8F type=bypassed
add mac-address=5C:51:81:82:E9:5F type=bypassed
add mac-address=5C:51:81:82:E9:7D type=bypassed
add mac-address=B8:63:4D:EE:E2:53 type=bypassed
add mac-address=B8:63:4D:E6:21:9E type=bypassed
add disabled=yes mac-address=F4:31:C3:C5:F2:50 type=bypassed
# IP-based bypasses; with dynamic leases these follow whichever device currently
# holds the address.
add address=192.168.88.204 type=bypassed
add address=192.168.88.236 type=bypassed
add address=192.168.88.20 type=bypassed
add address=192.168.88.253 type=bypassed
add address=192.168.88.16 type=bypassed
add address=192.168.88.17 type=bypassed
add address=192.168.88.11 type=bypassed
add address=192.168.88.6 type=bypassed
add address=192.168.88.4 type=bypassed
add address=192.168.88.23 type=bypassed
add address=192.168.88.32 type=bypassed
add address=192.168.88.33 type=bypassed
/ip hotspot user
# Local hotspot account; its password is included in this export as posted.
add name=admin password=XxXxxX
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
# radius.external.server.cloud is listed twice here and twice in walled-garden ip.
add dst-host=radius.external.server.cloud
add dst-host=radius.external.server.cloud
# See the NOTE(review) in /ip firewall filter about this entry.
add dst-host=captive.apple.com
add dst-host=hotspot.local.com
add dst-host=192.168.89.253
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=radius.external.server.cloud !dst-port !protocol server=hotspot1 !src-address
add action=accept disabled=no dst-address=radius.external.server.cloud !dst-port !protocol server=hotspot1 !src-address
add action=accept disabled=no dst-address=192.168.88.1 !dst-port !protocol server=hotspot1 !src-address
add action=accept disabled=no dst-address=104.104.43.69 !dst-port !protocol server=hotspot1 !src-address
/ip route
# Static default route is disabled; 172.16.0.0/12 (incl. the EoIP peer) goes via 172.16.10.1.
add disabled=yes distance=1 gateway=186.121.207.161
add distance=1 dst-address=172.16.0.0/12 gateway=172.16.10.1
add distance=1 dst-address=172.16.30.9/32 gateway=172.16.10.1
/ip service
# telnet and ssh limited to private management ranges; ftp/api/api-ssl disabled.
# www and winbox are not shown, so they keep their defaults.
set telnet address=192.168.0.0/16,172.16.0.0/12
set ftp disabled=yes
set ssh address=192.168.0.0/16,172.16.0.0/12
set api disabled=yes
set api-ssl disabled=yes
/radius
# Hotspot authentication goes to an external RADIUS server. The shared secret is
# in plaintext in this export; per the author's NOTE4 the address and secret
# were changed before posting.
add address=radius.external.server.cloud secret=3468849Lp service=hotspot timeout=5s
add address=192.168.89.253 disabled=yes secret=produccion123 service=hotspot timeout=5s
/system clock
set time-zone-name=America/XX_xx
NOTE2: ARP only works with the DHCP ARP leases.
NOTE3: The script is not posted here; if you have the same problem and need the script, just post that you have the same (or a different) problem and I will share it in another post.
NOTE4: I changed my public IPs and the external RADIUS address to avoid problems.
As I said, I am not trying to blame MikroTik for this error; I just don't have the equipment to test it myself. I really don't use iPhones, and the client is in another region of my country. I just want to reach a conclusion about this problem. From my point of view it is something in the new iOS version: without the hotspot it works like a charm, but I need proof or collected data to report it as a bug to the Apple feedback program :S, if someone can help me with that. Or maybe I am wrong and I really don't know how to configure a hotspot; that's why I am leaving my configuration here for evaluation.
Thanks in advance
BR
Xcelsium