Well, with authorize.net, just like with PayPal Website Payments Pro, the buyer does not have to leave your own payment pages. Therefore your own site with SSL will most likely always have the same IP address and can be added to the Walled Garden IP List.
I have the same challenge with authorize.net, so paying more is not always the best thing to do. You might want to wait a day or so to see what the MT team says.
ADD: As I suspected...with a little experimentation...using nslookup on http://www.paypal.com returns 4 servers. Every time you repeat the nslookup, the order of the servers changes. Your odds are only one in four that the top server is the one you are using.
And wouldn't it be nice to do a "/ip hotspot walled-garden ip print all" and see the ip addresses that are being used (bypassed) for each domain name in the walled garden?
# Resolve once so the DNS cache holds the current www.paypal.com records
:resolve www.paypal.com;
:global paypalips [/ip dns cache find name=www.paypal.com];
:global oldips [/ip hotspot walled-garden ip find dst-host=www.paypal.com];
:local thisip none;
# Remove the previous walled-garden ip entries for this host
:foreach x in=$oldips do={
    /ip hotspot walled-garden ip remove $x;
}
# Add one entry per address currently in the DNS cache
:foreach i in=$paypalips do={
    :set thisip [/ip dns cache get $i address];
    /ip hotspot walled-garden ip add dst-host=www.paypal.com dst-address=$thisip;
}
Now that is interesting. I'll have to play with that. If this is the "hack" for dns cache short TTLs, then that would probably be more efficient. (snip) Edit: On second thought, you might be able to use the straight script as it is with address lists. Then create a pre-hotspot rule in NAT that says any traffic going to the IPs in the address list action=accept. This way, they're not even handled by the hotspot at all.
This might actually save a lot on cpu load as well, as the hotspot isn't doing so much work.
And I got more or less always the same 4-8 PayPal addresses. I tested this in 4 different countries.
Don't know what the whole domain name is, but looks like onlinewellnessassociation.com. Try https://onlinewellnessassociation.com and that is what is needed in "/ip hotspot walled-garden". It must match exactly unless you use wildcards or regular expressions in the walled-garden.
DNS cache:
4 onlinewell... 67.228.27.22 3h50m33s
# Resolve the current address and add it only if it is not already listed
:global ppobjip [:resolve www.paypalobjects.com];
:local paypalobject [/ip hotspot walled-garden ip find dst-host=www.paypalobjects.com];
:local thisip none;
:local noip true;
:foreach i in=$paypalobject do={
    :set thisip [/ip hotspot walled-garden ip get $i dst-address];
    :if ($thisip = $ppobjip) do={
        :set noip false;
    }
}
:if ($noip) do={
    :log info "paypalobj script adding $ppobjip";
    /ip hotspot walled-garden ip add dst-host=www.paypalobjects.com dst-address=$ppobjip;
}
onlinewellnessassociation.com
www.onlinewellnessassociation.com
www.paypal.com
www.paypalobjects.com
paypal.112.2o7.net
e120.g.akamaiedge.net
# Remove paypalobjects entries whose comment is not today's date
:local today [/system clock get date];
:local old [/ip hotspot walled-garden ip find dst-host=www.paypalobjects.com];
:local thisrem none;
:local thisip none;
:foreach i in=$old do={
    :set thisrem [/ip hotspot walled-garden ip get $i comment];
    :if ($thisrem != $today) do={
        /ip hotspot walled-garden ip remove $i;
    }
}
# Replace the www.paypal.com entries with the addresses now in the DNS cache
:resolve www.paypal.com;
:global paypalips [/ip dns cache find name=www.paypal.com];
:global oldips [/ip hotspot walled-garden ip find dst-host=www.paypal.com];
:foreach x in=$oldips do={
    /ip hotspot walled-garden ip remove $x;
}
:foreach i in=$paypalips do={
    :set thisip [/ip dns cache get $i address];
    /ip hotspot walled-garden ip add dst-host=www.paypal.com dst-address=$thisip;
}
# Add the current paypalobjects address, or refresh the date on a matching entry
:global ppobjip [:resolve www.paypalobjects.com];
:local paypalobject [/ip hotspot walled-garden ip find dst-host=www.paypalobjects.com];
:local thisip none;
:local noip true;
:foreach i in=$paypalobject do={
    :set thisip [/ip hotspot walled-garden ip get $i dst-address];
    :if ($thisip = $ppobjip) do={
        :set noip false;
        /ip hotspot walled-garden ip set $i comment=[/system clock get date];
    }
}
:if ($noip) do={
    :log info "paypalobj script adding $ppobjip";
    /ip hotspot walled-garden ip add dst-host=www.paypalobjects.com dst-address=$ppobjip comment=[/system clock get date];
}
Wow, thanks Tim,
OK! Now it works with no duplicate dynamic entries, thanks to Maris at support. You can't use "dst-host" and "dst-address" in the same entry in "/ip hotspot walled-garden ip". In V5.x, you will not be able to use both in the same entry. The scripts are in the wiki if you want to give it a try. Using these scripts, I have no fails to PayPal through the walled garden.
http://wiki.mikrotik.com/wiki/PayPal_wi ... den_bypass
And how many internet-savvy users (like me, and probably you) won't pay at all after that? They reason that if you can't even collect their money without a problem, why should they trust the rest of your services? Bad news! And nothing spreads faster than bad news in a resort vacation community. Well, except maybe "something for free".
(snip) Who knows how many people just give up and walk away. (snip)
Excellent point. I know I wouldn't think the operation (Hotspot) was very professional if they couldn't manage the payments.
Actually, she couldn't complete the payment at PayPal, because she too, had waited longer than 5 minutes before clicking the "submit" button on the payment page. A couple minutes of hacking and a few minutes finding her purse and credit card, then filling in the form, and now she can't get through the walled garden to post the form to complete the payment.
Interestingly, a woman called the other day to tell me she couldn't get past the PayPal site.
Hello Tim,
Thank you very much for your huge job and big efforts.
We have an idea to improve current walled-garden. It could be, that walled-garden
addresses are not removed from the list, but new ones are added by TTL to the
allowed table.
We will see how it will be possible to implement.
Regards,
Sergejs
I can't use the beta V5.0rc4. Can someone verify this?
Hello Tim,
Currently it is done in the described way.
IP addresses are not removed from allowed /ip dns, but only new ones are added,
when clients make requests.
However, Paypal is the special case.
Could you try the rules for Paypal at v5.0rc4,
/ ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=":^paypal\\.com\$" dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=":^content\\.paypalobjects\\.com\$" dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=*.akamaiedge.net action=allow
/ ip hotspot walled-garden add dst-host=paypal.112.2O7.net
Regards,
Sergejs
/ip hotspot walled-garden
add dst-host=www.paypal.com action=allow
add dst-host=www.paypalobjects.com action=allow
add dst-host=*.akamaiedge.net action=allow
:local nametoresolve "www.paypal.com";
:local maxdnsres 10;
:local today [/system clock get date];
:local dnsdata none;
:local dnstype none;
:local dnsname none;
:local logprefix "ppupdate";
:local paypalresolve;
:local indexdns 0;
:local old;
:local oldips;
:local thisrem;
:local paypalips;
### Remove old ppobj IPs from the walled garden ip list
:set old [/ip hotspot walled-garden ip find comment~"ppobj*"];
:foreach i in=$old do={
    :set thisrem [/ip hotspot walled-garden ip get $i comment];
    :if ($thisrem != ("ppobj $today")) do={
        /ip hotspot walled-garden ip remove $i;
    }
}
### Remove old paypal IPs from walled garden ip list
:set oldips [/ip hotspot walled-garden ip find comment="paypal"];
:foreach x in=$oldips do={
    /ip hotspot walled-garden ip remove $x;
}
### Add current IPs to walled garden ip list
:set paypalresolve [:resolve www.paypal.com];
:log info "$logprefix: Returned from :resolve '$nametoresolve': '$paypalresolve'";
:set indexdns 0;
### Follow the CNAME chain in the dns cache, at most $maxdnsres steps
:while ($indexdns < $maxdnsres and $nametoresolve != "") do={
    :log info "$logprefix Looking for '$nametoresolve' in dns cache indexdns=$indexdns";
    :set paypalips [/ip dns cache all find name="$nametoresolve"];
    :foreach i in=$paypalips do={
        :set dnsdata [/ip dns cache all get $i data];
        :set dnstype [/ip dns cache all get $i type];
        :set dnsname [/ip dns cache all get $i name];
        :log info "$logprefix: dns cache for '$dnsname': type=$dnstype data=$dnsdata";
        :if ($dnstype = "A") do={
            :log info "$logprefix: Adding '$dnsdata' to walled garden ip list";
            /ip hotspot walled-garden ip add comment="paypal" dst-address=$dnsdata;
        }
        :if ($dnstype = "CNAME") do={
            :set nametoresolve $dnsdata;
        } else={
            :set nametoresolve "";
        }
    }
    :set indexdns ($indexdns + 1);
}
MT has said a few times they're not putting any effort into UM at this time. Go figure.
Do we still really need this script - have Mikrotik not fixed the way that the walled garden works yet?
Typically, I don't have remote access to the one site that's running this script and now needs updating ;-(
richedav, since we installed ppupdate/paypal scripts at the beginning of this year we have had around 20 purchases on a weekend. 2 weekends ago we had only 2, one on Saturday and another one on Sunday, and we had several phone calls from clients who couldn't see the PayPal page.
How do you figure that? It is the DNS cache that determines if the client can go through the walled garden. The client does a DNS resolve, and the ip is put in the dns cache. The client browser does not do any more dns resolves during the transaction. The remaining communication is done with the ip the client received from the first dns resolve. If the ip entry in the DNS cache is there only 20 seconds, that is not enough time to complete a payment form.
Using a regular expression avoids having anything to do with DNS.
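The failure described in the post above, and the add-only change Sergejs proposes earlier in the thread, as a small added model (not code from the thread or from RouterOS). The pool addresses, the three policy names and the refresh interval are assumptions; the 20-second TTL and five-minute form fill come from the posts.

```python
# Constructed model of the walled-garden behaviour described in the thread.
# Not RouterOS code: addresses, TTL and timings are sample values.
POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]  # constructed round-robin pool


def resolver(pool):
    """Round-robin DNS: every lookup hands out the next address in the pool."""
    n = 0
    while True:
        yield pool[n % len(pool)]
        n += 1


class WalledGarden:
    def __init__(self, policy):
        self.policy = policy   # hypothetical names: "ttl", "replace", "additive"
        self.allowed = {}      # ip -> time at which its DNS cache entry expires

    def learn(self, ip, now, ttl):
        if self.policy == "replace":
            self.allowed.clear()           # scheduled script: wipe, then re-add
        self.allowed[ip] = now + ttl

    def permits(self, ip, now):
        if ip not in self.allowed:
            return False
        if self.policy == "ttl":
            return now < self.allowed[ip]  # entry dies with the DNS cache entry
        return True                        # "replace"/"additive": listed means allowed


def payment_succeeds(policy, ttl=20, fill_seconds=300, refresh_every=120):
    dns = resolver(POOL)
    garden = WalledGarden(policy)
    client_ip = next(dns)                  # the browser resolves once at t=0
    garden.learn(client_ip, now=0, ttl=ttl)
    for t in range(refresh_every, fill_seconds, refresh_every):
        garden.learn(next(dns), now=t, ttl=ttl)  # later lookups return other pool members
    return garden.permits(client_ip, now=fill_seconds)  # form is posted to the first IP


if __name__ == "__main__":
    for policy in ("ttl", "replace", "additive"):
        print(policy, payment_succeeds(policy))
```

With `refresh_every=60` the "replace" policy happens to succeed, because the last refresh before the form post returns the client's own address again; that is the one-in-four luck mentioned at the top of the thread.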
Is this the same problem? The problem encountered in this thread applies only to unauthorized clients (not logged in) attempting to access some https sites through the walled garden, not authorized clients (logged in) having problems.
Is there a solution to the SSL problem? I'm on version 5.9 and clients have trouble accessing any https websites over the hotspot. Is there a solution for this problem?
:global ListName paypal_address_list
:global Servers {"www.paypal.com"; "www.paypalobjects.com"; "paypalobjects.com"; "paypal.com"}
/system script run dnsToAddressList
- finally, just follow Generic Walled Garden in HTTPS chapter using address-list instead of address (src-address=>src-address-list, dst-address=>dst-address-list) and select "paypal_address_list" for these address-lists.