dunga
Member Candidate
Topic Author
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Wed Jan 26, 2011 12:13 pm

Hello All,
I have witnessed some issues in my MT. I am using it as a Hotspot for my wireless and wired connections. When someone logs in to the hotspot and the time is exhausted, he cannot open any web site again but can still chat. I want to know why such is happening and why must it be so.

I want a situation where, as the ticket in hotspot exhausts, all connections will be closed, including Yahoo chat, unless the person logs in again.


Your help will be appreciated.

Here are my firewall rules
[admin@SILVER] /ip firewall> export

#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="tcp connection limit" \
connection-limit=41,32 disabled=no protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting comment="http mark" disabled=no \
dst-port=80 new-connection-mark=http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=http_conn \
disabled=no new-packet-mark=http_conn passthrough=no
add action=mark-connection chain=prerouting comment="p2p mark" disabled=no \
new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn \
disabled=no new-packet-mark=p2p_conn passthrough=no
add action=mark-connection chain=prerouting comment="smtp mark" disabled=no \
dst-port=25 new-connection-mark=smtp_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=smtp_conn \
disabled=no new-packet-mark=smtp_conn passthrough=no
add action=mark-connection chain=prerouting comment="pop mark" disabled=no \
dst-port=110 new-connection-mark=pop_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=pop_conn \
disabled=no new-packet-mark=pop_conn passthrough=no
add action=mark-connection chain=prerouting comment="other connections" \
disabled=no new-connection-mark=other_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn \
disabled=no new-packet-mark=other_conn passthrough=no
add action=mark-connection chain=prerouting comment="sip mark" \
connection-type=sip disabled=no new-connection-mark=sip_conn passthrough=\
yes
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=sip_conn packet-mark=sip_conn passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether2
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.200.0/24
/ip firewall service-port
set ftp disabled=no ports=21
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Wed Jan 26, 2011 4:37 pm

> I have witnessed some issues in my MT. I am using it as a Hotspot for my wireless and wired connections. When someone logs in to the hotspot and the time is exhausted, he cannot open any web site again but can still chat. I want to know why such is happening and why must it be so.

I'm not a big expert in Yahoo chat. However, I assume that messages are posted in the program somehow, but they are not delivered to the person who should receive them, if you do not have any walled-garden or other exception rules.
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Wed Jan 26, 2011 5:17 pm

My best guess is that this is because they have left Yahoo chat up, and it has an established connection in the router. Because it's an established connection, and not a new one, it will continue to work.
 
dunga

Re: YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Fri Jan 28, 2011 2:13 pm

How can this be stopped, as it is making things difficult for us? I need it to be stopped.

Thanks
 
sergejs

Re: YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Fri Jan 28, 2011 4:02 pm

> My best guess is that this is because they have left Yahoo chat up, and it has an established connection in the router. Because it's an established connection, and not a new one, it will continue to work.

If the user clicked the logout button, there should not be any established connections left.
 
Feklar

Re: YAHOO CHAT STILL WORKING AFTER HOTSPOT LOGOUT

Fri Jan 28, 2011 5:05 pm

dunga said it was after a hard timeout in the hotspot, however, and not them clicking on the logout button. I've seen the same thing happen when you block a specific IP address in the filter: if they have any established connections in the connection tracking table, they can continue with those connections. Any new ones are blocked. You have to clear out those connections from the table in order to prevent those specific connections from continuing to pass traffic.

There's not really a clean way of doing it with a hard timeout. You can clear out the connections table, but by doing that you basically are going to break everyone's connection until they reestablish it. Not a big deal for normal web browsing, but if anyone has a VPN going or is streaming something, that can cause problems for them.

You can script something that will clear out the connections for only certain IP addresses, that would be the best way of doing it, but I don't know of a reliable way of you getting or storing their specific IP address to be used in a script. You could attempt to grab all of the IP addresses from unauthorized users and clear out their connections, and run the script every so often, or upon a logout event. This is off the top of my head, but the script should look something like this:
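# Find hotspot hosts that are not currently authorized
:foreach ENTRY in=[/ip hotspot host find !authorized] do={
# Read the client IP from the hotspot host entry (not from an address list)
:local IP [/ip hotspot host get $ENTRY address];
# Remove tracked connections whose source is exactly this IP (src-address is "ip:port")
/ip firewall connection remove [/ip firewall connection find src-address~"^$IP:"]
}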
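
Added example, not part of the original posts and not RouterOS code: a simplified Python model of the behaviour discussed in this thread. It shows why an established chat flow keeps passing after a hotspot session times out, and how purging only the entries of unauthorized source IPs (matched exactly on the IP part of "ip:port", as the `^$IP:` pattern does) cuts it without touching other users. The `Gateway` class, its methods and all addresses and ports are constructed for illustration.

```python
# Simplified model of a stateful gateway (added illustration, not RouterOS code).
# All addresses and ports below are constructed sample values.

class Gateway:
    def __init__(self):
        self.authorized = set()   # client IPs with an active hotspot session
        self.conntrack = set()    # tracked flows as (src "ip:port", dst "ip:port")

    def login(self, ip):
        self.authorized.add(ip)

    def session_timeout(self, ip):
        # Hard timeout: the session ends, but tracked flows are left untouched.
        self.authorized.discard(ip)

    def forward(self, src, dst):
        """Return True if a packet from src to dst is passed."""
        if (src, dst) in self.conntrack:
            return True                       # established flow: no auth check
        if src.rsplit(":", 1)[0] in self.authorized:
            self.conntrack.add((src, dst))    # new flow from a logged-in client
            return True
        return False                          # new flow from unauthorized client

    def purge_unauthorized(self):
        """Remove tracked flows whose source IP has no active session."""
        stale = {f for f in self.conntrack
                 if f[0].rsplit(":", 1)[0] not in self.authorized}
        self.conntrack -= stale
        return len(stale)


def demo():
    gw = Gateway()
    chat = ("192.168.200.1:50001", "203.0.113.5:5050")   # expired user's chat
    vpn = ("192.168.200.10:50002", "203.0.113.9:1723")   # another user's VPN
    web = ("192.168.200.1:50003", "203.0.113.7:80")      # expired user's new HTTP
    gw.login("192.168.200.1")
    gw.login("192.168.200.10")
    gw.forward(*chat)
    gw.forward(*vpn)
    gw.session_timeout("192.168.200.1")
    before = (gw.forward(*chat), gw.forward(*web))   # chat survives, web blocked
    removed = gw.purge_unauthorized()
    after = (gw.forward(*chat), gw.forward(*vpn))    # chat cut, VPN untouched
    return before, removed, after


if __name__ == "__main__":
    print(demo())
```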
