Is it just me that finds Mikrotik email support very unhelpful?

For example, look at this email exchange:





First, I state the issue and ask for soultions:

>>>> I have an issue here with users stealing internet via apps like Freedom
>>>> and HTTP injectors.
>>>> AFAIK they can do this because mikrotik hotspot allows DNS requests for
>>>> unauthorized users
>>>>
>>>> Any solutions?

I get this reply:

>> On 6/26/2018 2:09 PM, Martins S. [MikroTik Support] wrote:
>>> Hello,
>>>
>>> You can add firewall filter rules that drop DNS requests to your router. You can learn how to configure firewall rules from this wiki page:
>>>
>>> https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
>>>
>>> Best regards,
>>> Martins S.

He says to drop DNS requests to the router, I note that the portal requires DNS

On 6/27/2018 8:32 AM, Martins S. [MikroTik Support] wrote:
> Hello,
>
> Drop DNS requests by using firewall rule that works only with parameter "hotspot=!auth".
>
> Best regards,
> Martins S.
> --

He suggests that the PAREMETER should be used, ie parameter "hotspot=!auth"

I did not understand. I ask for clarification:

My email:

> I have a Hotspot running. If I drop all DNS requests clients will not be
> able to resolve the hotspot portal address!


Please send me the command do drop all dns requests for unauthorized
hotspot users

Mikrotik reply:

Hello,

You can not drop DNS requests from unauthorised users on local interface and allow to resolve hotspot DNS at the same time. If you want to drop DNS requests from unauthorised users under local interface, then you can not use dns-name on hotspot server.

Best regards,
Martins S.
--

None of my questions answered, just repeating exactly what I told him, that is frustrating.



I ask:

What is meant by Paremeter:
Drop DNS requests by using firewall rule that works only with parameter "hotspot=!auth".

Mikrotik reply:

Hello,

Hotspot is parameter that can be configured on firewall filter rule.

Best regards,
Martins S.
--

Makes sense??

To note, this valuable exchange took over 10 days to complete...... no, not complete........

And I still dont have a solution.

Sorry, but in my opinion the first response contains everything you need to know, to resolve your issue (if your suspicions are correct, of course).
Why not drop DNS to everything except where you need it ? What is unclear in those emails ?

And your opinion, sir, is certainly better than mine. Just an update, fair is fair and all that, 2 minutes after this post I received a reply from mikrotik, with a workable solution. And about 2 hours after this post I received another reply to my second ticket. Amazing

Sorry, but in my opinion the first response contains everything you need to know, to resolve your issue (if your suspicions are correct, of course).
Why not drop DNS to everything except where you need it ? What is unclear in those emails ?

Why not drop DNS to everything except where you need it ?
Please show me the best way to accomplish this, this is what I need you know.

You said you received a workable solution, was it something else, if you are asking it again?

You said you received a workable solution, was it something else, if you are asking it again?

The solution i received was to drop all DNS traffic, which is workable. But your solution would be better, if I can allow DNS only where I need it that would be great. I need DNS only to resolve the hotspot portal address, it, hotspot.com resolves to 192.168.88.1

The solution MIkrotik support gave me is this:

/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 hotspot=!auth
add chain=input action=drop protocol=udp dst-port=53 hotspot=!auth


That drops ALL DNS, so unauthorized clients cannot resolve hotspot.com

Then allow dns requests for hotspot.com (put the filter rule before the blocking ones): Not ideal, but it works.

Edit: Probably add hotspot=!auth too. And maybe jumping to another chain for all hotspot=!auth would be best.

I suggest to do not put any personal information like name of the replier in a posting on a public forum. Mikrotik can always ask what your ticket number is, to look into any communication if need.

Why not drop DNS to everything except where you need it ?

Thank you to the previous poster for the workaround, since he said it is not ideal. I am eager to know what your solution was. Please post it for our benefit

Then allow dns requests for hotspot.com (put the filter rule before the blocking ones):

Code: Select all

/ip firewall layer7-protocol
add name="dns hotspot.com" regexp="\\x07hotspot\\x03com.\\x01"
/ip firewall filter
add action=accept chain=input dst-port=53 layer7-protocol="dns hotspot.com" protocol=udp

Not ideal, but it works.

Edit: Probably add hotspot=!auth too. And maybe jumping to another chain for all hotspot=!auth would be best.

Thank you very much.
But this solution does not work.


Basically I need rock solid blocking, because the default mikrotik hotspot security is being compromised

You know, "does not work" is not very useful reply. You wrote that drop rules from support worked, except they dropped all dns. If you add mine before them, it will allow queries for specific hostname. So some possible exlanations are that you deleted rules from support and only used mine (wrong, everything would be allowed then), or perhaps the required hostname is not literally "hotspot.com" and you did not adjust the regexp correctly, etc... But the response needs more details than just "does not work".

I had thought that the solution received from Mikrotik was workable, but it is not, as it drops connections from the router itself too. So now, the router cannot resolve DNS or ping or anything.

Thats exactly it, you said:

If you add mine before them, it will allow queries for specific hostname

But it does not do this. [I adjusted it to myisp.com of course]

You did something, but it's only you who knows exactly what. Nobody here can see it. Even the best of us can make mistakes, typos sneak in unnoticed, things like that. And it's sometimes hard to see such own mistakes, it's proven fact. Some people export their configs, post them here for others to see, and often with very good results.