StrataNet

Hotspot Issue - Login Page not Working (not even by IP)

Tue Aug 07, 2018 6:34 am

Hi all,
Got an issue which has got me completely stumped. We've set up a MikroTik hotspot, with a Ubiquiti UniFi providing wireless connectivity (UniFi is essentially bridging VLANs 50 and 60 to the clients).

No matter what I try, I cannot get a login page to show up - even when typing 10.0.0.1 I can't get it to show. I've tried NAT rules and walled garden IPs, to no avail. We're using Trial settings for all users too, as it's an open hotspot.
If I disable the hotspot, then the clients can browse to the internet. Also with the hotspot active, the users can reach external websites listed in the walled garden. The clients also can't ping 10.0.0.1. DNS appears to be working, as if the clients try to ping glorit.stratanet.co.nz then it tries to point them to 10.0.0.1.
This hotspot was set up with a copy/paste of config from one of our working hotspots, then I've changed IPs etc to suit.

Export of config below (many values removed for security):
# aug/07/2018 14:41:17 by RouterOS 6.42.5
# NOTE(review): the software id below is still present although the serial
# number was removed; it is device-identifying and is usually redacted too.
# software id = LHQY-WDU0
#
# model = 960PGS
# serial number = (removed)
# Two bridges: bridge-unifi (UniFi/management LAN side) and bridge-wan (uplink side).
/interface bridge
add fast-forward=no name=bridge-unifi
add fast-forward=no name=bridge-wan
# Physical ports renamed by role; ether2 and ether3 force PoE output on.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_management
set [ find default-name=ether2 ] name=ether2_nbm5_in_from_is poe-out=\
forced-on
set [ find default-name=ether3 ] name=ether3_omni poe-out=forced-on
set [ find default-name=ether5 ] name=ether5_unifi
# GRE tunnel to the remote site.
# NOTE(review): no ipsec-secret is visible on this tunnel (it may have been
# redacted); plain GRE is unencrypted, so confirm how this traffic is protected.
/interface gre
add allow-fast-path=no clamp-tcp-mss=no dscp=0 keepalive=10s,3 local-address=\
(wan ip) mtu=1476 name=gre-tun-to-strata-albany remote-address=\
(server ip)
# VLAN 50 carries the guest hotspot, VLAN 60 the admin hotspot; both are tagged
# on ether5_unifi, which is also an untagged member of bridge-unifi.
/interface vlan
add interface=ether5_unifi name=vlan50-unifi vlan-id=50
add interface=ether5_unifi name=vlan60-unifi-admin vlan-id=60
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Keyword patterns referenced by the two "torrent" drop rules in the forward
# chain: torrent-www matches a get/GET request containing a listed site name,
# torrent-dns matches a listed name anywhere in the payload.
# NOTE(review): these are plaintext keyword matches; traffic over TLS would
# presumably not match, so treat this as a best-effort filter, not a control.
/ip firewall layer7-protocol
add name=torrent-www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|enter\
tane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitu\
nity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|\
fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demono\
id|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittox\
ic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btb\
ot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
# Hotspot server profiles: hsprof1 for the guest network (10.0.0.1) and
# hsprof2 for the admin network (10.0.1.1). Both serve pages from flash/hotspot.
# NOTE(review): login-by includes http-pap, which submits the password in
# cleartext over HTTP; that matters most for hsprof2 (admin). login-by also
# lists https, but no ssl-certificate is visible in this export - confirm one
# is configured or drop https from the list.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add dns-name=glorit.stratanet.co.nz hotspot-address=10.0.0.1 html-directory=\
flash/hotspot login-by=cookie,http-chap,https,http-pap,trial name=hsprof1 \
smtp-server=(removed) trial-uptime-limit=1d
add dns-name=gloritadmin.stratanet.co.nz hotspot-address=10.0.1.1 \
html-directory=flash/hotspot login-by=\
cookie,http-chap,https,http-pap,trial name=hsprof2 smtp-server=\
(removed) trial-uptime-limit=1d
# NOTE(review): the default IPsec proposal is limited to 3DES, a legacy cipher;
# if IPsec is used anywhere on this router, prefer an AES-based proposal.
# No IPsec peers or policies are visible in this export.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Address pools for guest clients, admin clients and the management LAN.
/ip pool
add name=dhcp_pool_clients ranges=10.0.0.30-10.0.0.254
add name=dhcp_pool_admin ranges=10.0.1.30-10.0.1.254
add name=dhcp-management-pool ranges=(management pool)
# One DHCP server per network. The guest server runs Lease_Counter on lease
# events and both hotspot-facing servers use a 5 minute lease time.
/ip dhcp-server
add address-pool=dhcp_pool_clients authoritative=after-2sec-delay disabled=no \
interface=vlan50-unifi lease-script=Lease_Counter lease-time=5m name=\
dhcp-clients
add address-pool=dhcp_pool_admin authoritative=after-2sec-delay disabled=no \
interface=vlan60-unifi-admin lease-time=5m name=dhcp-admin
add address-pool=dhcp-management-pool disabled=no interface=bridge-unifi \
name=dhcp-management
# Hotspot servers bound to the two VLAN interfaces.
# NOTE(review): each server sets address-pool to the same pool its DHCP server
# leases from; confirm this address translation is intended on both servers.
/ip hotspot
add address-pool=dhcp_pool_clients disabled=no interface=vlan50-unifi name=\
guest-hotspot profile=hsprof1
add address-pool=dhcp_pool_admin disabled=no interface=vlan60-unifi-admin \
name=admin-hotspot profile=hsprof2
# NOTE(review): the default user profile assigns addresses from
# dhcp_pool_admin and is the only user profile in this export, so it presumably
# also applies to users of guest-hotspot - verify that guests are not being
# moved into the admin range. Login_Counter runs on every login.
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp_pool_admin keepalive-timeout=1h \
on-login=Login_Counter transparent-proxy=yes
# NOTE(review): the default SNMP community accepts queries from any source
# (addresses=0.0.0.0/0) and SNMP is enabled further down; no input-chain rule
# in this export limits SNMP, so restrict addresses to the monitoring host(s).
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=(removed)
# Log buffers kept at 100 lines for memory and disk actions.
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
# bridge-wan joins ether1_management, ether2 and ether3; bridge-unifi joins
# ether4 and ether5_unifi.
# NOTE(review): judging by its name, the management port shares a layer-2
# segment with the uplink ports - confirm that is intended.
/interface bridge port
add bridge=bridge-wan hw=no interface=ether1_management
add bridge=bridge-wan hw=no interface=ether2_nbm5_in_from_is
add bridge=bridge-wan hw=no interface=ether3_omni
add bridge=bridge-unifi hw=no interface=ether4
add bridge=bridge-unifi interface=ether5_unifi
# NOTE(review): PPTP server authentication is set to pap,chap only. The export
# does not show enabled=yes, so the server is presumably off; if it is ever
# enabled these are weak methods for an already weak protocol.
/interface pptp-server server
set authentication=pap,chap
# Router addresses: WAN/management on bridge-wan, the hotspot gateways on the
# two VLAN interfaces, a /30 on the GRE tunnel and the UniFi LAN on bridge-unifi.
/ip address
add address=(wan ip) comment="Management IP" interface=bridge-wan \
network=(wan subnet)
add address=10.0.0.1/24 comment=Clients interface=vlan50-unifi network=\
10.0.0.0
add address=10.0.1.1/24 comment=Admin interface=vlan60-unifi-admin network=\
10.0.1.0
add address=10.255.254.26/30 interface=gre-tun-to-strata-albany network=\
10.255.254.24
add address=(management lan ip) comment="UniFi LAN" interface=bridge-unifi \
network=(management lan subnet)
# Static lease for the UniFi access point.
# NOTE(review): the AP's MAC address is left unredacted here although the IP
# was removed.
/ip dhcp-server lease
add address=(unifi lan ip) client-id=1:0:27:22:ce:60:59 comment="Hall UniFi" \
mac-address=00:27:22:CE:60:59 server=dhcp-management
# Clients on both hotspot networks are told to use the router itself for DNS.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=10.0.1.0/24 dns-server=10.0.1.1 gateway=10.0.1.1 netmask=24
add address=(management range) gateway=(management lan ip)
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# host that can reach it. The firewall filter drops port 53 arriving on
# bridge-wan only; the GRE tunnel interface is not covered by those rules.
/ip dns
set allow-remote-requests=yes servers=(our dns server)
# Static filter rules. In this export the input chain only blocks DNS arriving
# on bridge-wan; there is no rule accepting established/related traffic and no
# final drop on input, so access to telnet/ssh/winbox relies entirely on the
# address lists under /ip service.
# NOTE(review): consider an explicit input policy (accept established/related,
# accept management sources, drop the rest) rather than per-service lists alone.
/ip firewall filter
# Disabled rule that would let hotspot clients ping 10.0.0.1.
# NOTE(review): with it disabled, failing pings from unauthenticated clients
# are presumably expected hotspot behaviour rather than a fault - confirm.
add action=accept chain=hs-input disabled=yes dst-address=10.0.0.1 protocol=\
icmp
# Disabled placeholder on a chain named unused-hs-chain.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="DNS Block inbound TCP" dst-port=53 \
in-interface=bridge-wan protocol=tcp
add action=drop chain=input comment="DNS Block inbound UDP" dst-port=53 \
in-interface=bridge-wan protocol=udp
# Keyword-based torrent blocking; the first rule has no protocol or port
# limit, so it is evaluated against all forwarded traffic.
add action=drop chain=forward comment="Block Bit Torrents" layer7-protocol=\
torrent-www
add action=drop chain=forward comment="Torrent DNS Drop " dst-port=53 \
layer7-protocol=torrent-dns protocol=udp
# Drops all forwarded TCP/22 (SSH through the router, in either direction).
add action=drop chain=forward dst-port=22 protocol=tcp
# NAT rules. Only two are active: masquerade for the management subnet
# ("UniFi") and masquerade for 10.0.0.0/24 ("Clients"), both out of bridge-wan.
# Every other rule here is disabled, including masquerade for the admin
# hotspot range 10.0.1.0/24.
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade disabled=yes \
out-interface=bridge-wan
add action=masquerade chain=srcnat comment=UniFi out-interface=bridge-wan \
src-address=(management subnet)
add action=masquerade chain=srcnat comment="Hotspot 1" disabled=yes \
out-interface=bridge-wan src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Hotspot 2" disabled=yes \
out-interface=bridge-wan src-address=10.0.1.0/24
# NOTE(review): disabled, but if re-enabled this forwards TCP ports 1-10000
# from the tunnel to the UniFi server; narrow it to the ports actually needed.
add action=dst-nat chain=dstnat comment=UniFi disabled=yes dst-address=\
(unifi server ip) in-interface=gre-tun-to-strata-albany protocol=tcp \
to-addresses=(unifi server ip) to-ports=1-10000
# Two disabled placeholders on unused-hs-chain; the second also carries
# to-addresses=0.0.0.0.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=Clients out-interface=bridge-wan \
src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Admin Clients" disabled=yes \
out-interface=bridge-wan src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=yes src-address=10.0.0.0/24
# Single local hotspot account.
# NOTE(review): the Data_Cap_Reset script removes every entry returned by
# "/ip hotspot user find" and is scheduled daily, so this account would
# presumably be deleted as well - verify.
/ip hotspot user
add name=admin password=(removed)
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
# Destinations reachable before login. Active entries: www.stratanet.co.nz and
# glorit.stratanet.co.nz (by host name). The src-address and "WAN IP" entries
# are disabled.
/ip hotspot walled-garden ip
add action=accept comment=StrataNet disabled=no !dst-address dst-host=\
www.stratanet.co.nz !dst-port !protocol !src-address
add action=accept comment=StrataNet disabled=yes !dst-address \
!dst-address-list !dst-port !protocol src-address=10.0.0.198 \
!src-address-list
add action=accept comment=glorit.stratanet.co.nz disabled=no !dst-address \
!dst-address-list dst-host=glorit.stratanet.co.nz !dst-port !protocol \
!src-address !src-address-list
add action=accept comment="WAN IP" disabled=yes dst-address=(wan ip) \
!dst-address-list !dst-port !protocol !src-address !src-address-list
/ip proxy
set cache-path=web-proxy1
# Default route via the WAN gateway; the UniFi server is reached over the GRE
# tunnel (10.255.254.25 is the far end of the tunnel /30).
/ip route
add comment=Gateway distance=1 gateway=(wan gateway)
add comment="Route for UniFi Server" distance=1 dst-address=(unifi server ip) \
gateway=10.255.254.25
# Management services. ftp, www, api and api-ssl are disabled; telnet, ssh and
# winbox stay enabled and are limited by source address.
# NOTE(review): telnet is cleartext; since ssh and winbox are available,
# disabling telnet removes an exposure without losing access.
/ip service
set telnet address="(removed for security)"
set ftp address="(removed for security)" disabled=yes
set www disabled=yes
set ssh address=(removed for security)
set api disabled=yes
set winbox address="(removed for security)"
set api-ssl disabled=yes
# PPP sessions authenticate and account against RADIUS.
/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=(radius server ip) secret=(removed for security) service=ppp src-address=(wan ip)
# NOTE(review): accept=yes lets the router process incoming RADIUS requests
# (e.g. disconnect/CoA). No input-chain rule in this export restricts who can
# send them, so protection rests on the shared secret - consider limiting the
# source to the RADIUS server.
/radius incoming
set accept=yes
# SNMP is enabled; see the community's addresses=0.0.0.0/0 setting above.
/snmp
set contact=(removed) enabled=yes trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system clock manual
set time-zone=+12:00
/system identity
set name=Glorit_Hall
/system logging
add topics=e-mail,debug
/system ntp client
set enabled=yes primary-ntp=202.78.240.38 secondary-ntp=202.89.49.65
/system routerboard settings
set silent-boot=no
# Daily jobs: Reset_Counters runs Global_Counter_Reset, Data_Reset runs
# Data_Cap_Reset. Data_Cap_Check (every 5 minutes) is disabled.
# NOTE(review): Data_Reset and Data_Cap_Check carry nearly every policy
# (reboot, policy, password, sniff, sensitive) although the scripts they run
# only touch hotspot users and the log; trim to the policies actually needed.
# NOTE(review): Reset_Counters has a narrower policy set than the script it
# runs - confirm the job still executes with that mismatch.
/system scheduler
add interval=1d name=Reset_Counters on-event=Global_Counter_Reset policy=\
ftp,read,write,test start-date=feb/13/2016 start-time=00:00:01
add interval=1d name=Data_Reset on-event=Data_Cap_Reset policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
mar/25/2014 start-time=00:00:01
add disabled=yes interval=5m name=Data_Cap_Check on-event=Data_Cap policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
mar/25/2014 start-time=01:15:19
# Scripts referenced by the hotspot user profile, the DHCP server and the
# scheduler.
# NOTE(review): every script is granted the same broad policy set (reboot,
# policy, password, sniff, sensitive, ...). The counters only need to read the
# clock and write a log line; grant each script the minimum it needs.
/system script
# Login_Counter: increments the global "counter" and logs the running total
# with the current date and time. Run from the user profile's on-login hook.
add name=Login_Counter owner=Strata policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":global\
\_counter;\r\
\n:set counter (\$counter + 1);\r\
\nglobal systemTime [/system clock get time];\r\
\nglobal systemDate [/system clock get date]; \r\
\n:log info \"Number of hotspot logins to date: \$counter - - Date: \$syst\
emDate Time: \$systemTime\";\r\
\n"
# Lease_Counter: same pattern for the global "leasecounter"; run as the
# lease-script of the guest DHCP server.
add name=Lease_Counter owner=Strata policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":global\
\_leasecounter;\r\
\n:set leasecounter (\$leasecounter + 1);\r\
\nglobal systemTime [/system clock get time];\r\
\nglobal systemDate [/system clock get date];\r\
\n:log info \"Number of client DHCP leases to date: \$leasecounter - - Dat\
e: \$systemDate Time: \$systemTime\";\r\
\n"
# Global_Counter_Reset: e-mails both counters and the system uptime, then sets
# both counters to 0 and logs the reset.
# NOTE(review): the body says "Statistics for month" but the scheduler entry
# that runs this script has interval=1d.
add name=Global_Counter_Reset owner=Strata policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":global\
\_counter\r\
\n:global leasecounter\r\
\n\r\
\n/tool e-mail send to=\"(removed)\" subject=\"Counter Glori\
t hotspot statistics for \$[/system clock get date]\" body=\"Statistics fo\
r month until \$[/system clock get date]:\r\
\n\r\
\n\r\
\nNumber of clients logged in to hotspot service: \$counter\r\
\n\r\
\nNumber of devices connected: \$leasecounter\r\
\n\r\
\nSystem uptime: \$[/system resource get uptime]\r\
\n\r\
\n\r\
\n\r\
\n--------------------\r\
\n\r\
\nThis is an automated e-mail generated by electronic means. Please do not\
\_reply to this e-mail address as it is not monitored. For assistance, ple\
ase e-mail (removed) or call the StrataNet office on (removed).\"\r\
\n\r\
\n:set counter (0);\r\
\n:set leasecounter (0);\r\
\n\r\
\nglobal systemTime [/system clock get time];\r\
\nglobal systemDate [/system clock get date];\r\
\n:log info \"Login counter reset to: \$counter - - Lease counter reset to\
: \$leasecounter - - Date: \$systemDate Time: \$systemTime\";\r\
\n"
# Data_Cap: for each active hotspot session whose bytes-out exceeds the quota,
# recreates the user with limit-bytes-out and the session's MAC address, drops
# the session and logs it. Its scheduler entry is disabled.
# NOTE(review): the quota is described as MB but is computed as 512 * 512
# (262144); if bytes-out is in bytes this is far below 512 MB - confirm the
# multiplier before re-enabling.
add name=Data_Cap owner=Strata policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#Downlo\
ad limit in MB\r\
\n:local downquotamb \"512\"\r\
\n\r\
\n### Do not modify anything below this line ###\r\
\n:local downquota [\$downquotamb * 512]\r\
\n:local datacounter\r\
\n:local datadown\r\
\n:local username\r\
\n:local macaddress\r\
\n:foreach datacounter in=[/ip hotspot active find ] do={\r\
\n:set datadown [/ip hotspot active get \$datacounter bytes-out]\r\
\n:if (\$datadown>\$downquota) do={\r\
\n:set username [/ip hotspot active get \$datacounter user]\r\
\n:set macaddress [/ip hotspot active get \$datacounter mac-address]\r\
\n/ip hotspot user remove [/ip hotspot user find where name=\$username]\r\
\n/ip hotspot user add name=\$username limit-bytes-out=\$downquota mac-add\
ress=\$macaddress\r\
\n/ip hotspot active remove \$datacounter\r\
\n:log info \"Logged out \$username - Reached download quota\"\r\
\n}}"
# Data_Cap_Reset: iterates over all hotspot users, removes each one, then logs
# "Data caps reset". Runs daily via the Data_Reset scheduler entry.
# NOTE(review): the find has no filter, so manually created accounts are
# removed too. The stored source also has a literal backslash before
# $datacounter, unlike the other scripts - verify the variable is expanded.
add name=Data_Cap_Reset owner=Strata policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":foreac\
h datacounter in=[/ip hotspot user find] do={/ip hotspot user remove \\\$d\
atacounter}\r\
\n:log info \"Data caps reset\""
# Outbound mail for the statistics script: submission port 587 with STARTTLS
# and stored account credentials (redacted in this export).
/tool e-mail
set address=(removed) from=(removed) password=\
(removed) port=587 start-tls=yes user=(removed)
# Traffic graphs for both hotspot VLANs, ether3_omni and ether4, plus resource
# graphs.
# NOTE(review): no allow-address is set on these entries; the www service is
# disabled above, so restrict the graphs by source if www is ever re-enabled.
/tool graphing interface
add interface=vlan50-unifi
add interface=vlan60-unifi-admin
add interface=ether3_omni
add interface=ether4
/tool graphing resource
add

Any ideas what's going on?
Cheers!
