Community discussions

MUM Europe 2020
 
seyyx4n2sc
just joined
Topic Author
Posts: 8
Joined: Tue Jul 10, 2018 9:50 am

Hotspot not redirecting to login page

Tue Jul 10, 2018 10:22 am

I read probably all the threads about this and still cannot figure out how to redirect. I use hotspot setup, follow many youtube, forum videos and it will not redirect.
Many are having problem with not redirecting HTTPS website but I can't even redirect HTTP website.

It is probably firewall issue, but these firewall are automatically added by Hotspot setup. I also have more firewall rules for load balancing + pppoe clients. However these are after the hotspot rule.

Browser behavior
  • If I manually type 192.168.0.1 it will bring me to login page
  • If I manually type google.com it will not bring me to login page
DNS behavior
  • If I ping google.com the ip get resolved but end up with request timeout
Configurations
/interface ethernet
set [ find default-name=ether1 ] comment="WAN1"
set [ find default-name=ether2 ] comment="WAN2"
set [ find default-name=ether3 ] comment=LAN
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out-1 password=x1 service-name=internet-x-1 user=x@y1
add disabled=no interface=ether2 name=pppoe-out-2 password=x2 service-name=internet-x-2 user=x@y2
/interface vlan
add comment="Admin VLAN" interface=ether3 name=vlan-10 vlan-id=10
add comment="Office VLAN" interface=ether3 name=vlan-20 vlan-id=20
add comment="DVR VLAN" interface=ether3 name=vlan-30 vlan-id=30
add comment="Server VLAN" interface=ether3 name=vlan-40 vlan-id=40
add comment="Restaurant VLAN" interface=ether3 name=vlan-50 vlan-id=50
add comment="Hotspot VLAN" interface=ether3 name=vlan-60 vlan-id=60
add comment="Guest VLAN" interface=ether3 name=vlan-70 vlan-id=70
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
add dns-name=test12341234.hotspot.com hotspot-address=192.168.0.1 login-by=http-chap name=hsprof1 \
    use-radius=yes
/ip hotspot user profile
set [ find default=yes ] transparent-proxy=yes
/ip pool
add name=pool-vlan-10 ranges=10.0.10.2-10.0.10.254
add name=pool-vlan-20 ranges=10.0.20.2-10.0.20.254
add name=pool-vlan-30 ranges=10.0.30.2-10.0.30.254
add name=pool-vlan-40 ranges=10.0.40.2-10.0.40.254
add name=pool-vlan-50 ranges=10.0.50.2-10.0.50.254
add name=pool-vlan-60 ranges=192.168.0.2-192.168.15.254
add name=pool-vlan-70 ranges=172.16.0.1-172.16.15.254
add name=hs-pool-15 ranges=192.168.0.3-192.168.15.254
/ip dhcp-server
add address-pool=pool-vlan-10 disabled=no interface=vlan-10 name=dhcp1
add address-pool=pool-vlan-20 disabled=no interface=vlan-20 name=dhcp2
add address-pool=pool-vlan-30 disabled=no interface=vlan-30 name=dhcp3
add address-pool=pool-vlan-40 disabled=no interface=vlan-40 name=dhcp4
add address-pool=pool-vlan-50 disabled=no interface=vlan-50 name=dhcp5
add address-pool=pool-vlan-60 disabled=no interface=vlan-60 name=dhcp6
add address-pool=pool-vlan-70 disabled=no interface=vlan-70 name=dhcp7
/ip hotspot
add address-pool=pool-vlan-60 disabled=no interface=vlan-60 name=hotspot1 profile=hsprof1
/ip address
add address=10.0.10.1/24 comment="Admin Subnet" interface=vlan-10 network=10.0.10.0
add address=10.0.20.1/24 comment="Office Subnet" interface=vlan-20 network=10.0.20.0
add address=10.0.30.1/24 comment="DVR Subnet" interface=vlan-30 network=10.0.30.0
add address=10.0.40.1/24 comment="Server Subnet" interface=vlan-40 network=10.0.40.0
add address=10.0.50.1/24 comment="Restaurant Subnet" interface=vlan-50 network=10.0.50.0
add address=192.168.0.1/20 comment="Hotspot Subnet" interface=vlan-60 network=192.168.0.0
add address=172.16.0.1/20 comment="Guest Subnet" interface=vlan-70 network=172.16.0.0
add address=192.168.0.2/20 comment="hotspot network" interface=vlan-60 network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.0.10.0/24 comment="Admin DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.10.1
add address=10.0.20.0/24 comment="Office DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.20.1
add address=10.0.30.0/24 comment="DVR DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.30.1
add address=10.0.40.0/24 comment="Server DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.40.1
add address=10.0.50.0/24 comment="Restaurant DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 \
    gateway=10.0.50.1
add address=172.16.0.0/20 comment="VMeet Guest DHCP Server" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 \
    gateway=172.16.0.1
add address=192.168.0.0/20 comment="Hotspot DHCP Server" dns-server=\
    192.168.0.1,1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.10.0/24 list=LOCAL
add address=10.0.20.0/24 list=LOCAL
add address=10.0.30.0/24 list=LOCAL
add address=10.0.40.0/24 list=LOCAL
add address=10.0.50.0/24 list=LOCAL
add address=192.168.0.0/20 list=LOCAL
add address=172.16.0.0/20 list=LOCAL
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=LOCAL src-address-list=LOCAL
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out-1 \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out-2 \
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \
    hotspot="" new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address-list=LOCAL
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \
    hotspot="" new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address-list=LOCAL
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 \
    passthrough=yes src-address-list=LOCAL
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 \
    passthrough=yes src-address-list=LOCAL
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 \
    passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 \
    passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth
add action=masquerade chain=srcnat out-interface=pppoe-out-1
add action=masquerade chain=srcnat out-interface=pppoe-out-2
/ip hotspot user
add name=admin password="xxx"
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=yes !dst-address !dst-address-list dst-host=1.1.1.1 !dst-port !protocol !src-address !src-address-list
/ip proxy
set enabled=yes
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out-1 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=pppoe-out-2 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=pppoe-out-2 routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=pppoe-out-1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=pppoe-out-1
add check-gateway=ping distance=2 gateway=pppoe-out-2
/ip service
set www-ssl disabled=no
/ip firewall nat print dynamic
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1  D chain=hotspot action=jump jump-target=pre-hotspot 

 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 

 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 

 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 

 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 

 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 

 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 

 8  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 

 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 

10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Hotspot not redirecting to login page

Wed Jul 11, 2018 4:32 pm

Testing to google.com or any other site that redirects you to https:// will not work. You have to try accessing a http site that does not get redirected!

Unrelated to your issue, having a pool set under /ip hotspot address-pool other than =none sets a NAT helper intended for devices with a static IP set to be able to access the Hotspot. In most cases it causes more issues than it solves.
 
seyyx4n2sc
just joined
Topic Author
Posts: 8
Joined: Tue Jul 10, 2018 9:50 am

Re: Hotspot not redirecting to login page

Wed Jul 11, 2018 10:48 pm

Hi! sorry for being unclear :) I realize about HTTPS. But if you read the post again I say it is not even working for HTTP!
 
dcwifi
just joined
Posts: 23
Joined: Thu Jan 21, 2010 7:35 am

Re: Hotspot not redirecting to login page

Thu Jul 12, 2018 10:50 am

Can you try add "dst-address-type=!local" for these two rules under mangle:

add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 \
passthrough=yes src-address-list=LOCAL
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 \
passthrough=yes src-address-list=LOCAL

btw, I will disable all the mangle rules first with just one default route to internet. If this work then issue with the mangle configuration.
 
Samot
Member Candidate
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: Hotspot not redirecting to login page

Thu Jul 12, 2018 4:14 pm

In order to redirect HTTPS requests to the Hotspot login, it needs to know to redirect HTTPS. Right now the login is set to http-chap. There's no SSL cert assigned and nothing is showing port 443 active on the router for this. HTTPS requests will redirect to an HTTPS version of the login page and the Login option for HTTPS needs to be selected.

So you can either generate a self-signed cert on the Mikrotik for the Hotspot and all the users will be warned it's an invalid cert and they'll need to trust it. Or you can get a real cert, install it and they won't be warned.

Who is online

Users browsing this forum: MSN [Bot] and 19 guests