Users Not Being Directed to the Hotspot Login Screen

PCNetworks · Tue Jun 26, 2018 7:36 pm

I recently re-modified the 'hotspot' html documents .. in advance of the modifications I have just completed, unauthorized users were successfully redirected to the login screen..
After the html doc updates and FTP'ing the files to the router hotspot dir, unauthorized users are no longer redirected to the login screen (short of typing in the hotspot IP address which then displays the login screen and does allow successful logons - but is nonetheless incorrect -.)

I have reverified the layout of the code in each html doc.
I have re-uploaded the default html docs to the router and still the same result - no login screen display -
I have reset the router configuration four times and reconfigured the hotspot ... I used the auto configuration as exhibited here: https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot ; as I have also followed this example: https://mikrotik.com/documentation/manu ... ht90237610 (which I prefer configuration-wise).

Has anyone encountered this same problem? Or maybe you see my error(s), I would appreciate any suggestions.

# jan/02/1970 15:09:01 by RouterOS 6.42.3
# software id = 046D-LZ6N
#
# model = 333
# serial number = 179801C18694
/interface wireless
set [ find default-name=wlan1 ] antenna-mode=ant-b country="united states" disabled=no mode=ap-bridge radio-name=5ghz-hs-interface ssid="wubble"
set [ find default-name=wlan2 ] antenna-mode=ant-b country="united states" disabled=no mode=ap-bridge radio-name=2ghz-hs-interface ssid="gubble"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.188.254.254 login-by=cookie,http-chap,trial name=hs-server-profile-2ghz
/ip pool
add comment=pre-auth-pool-2ghz name=pool0 ranges=192.188.254.10-192.188.254.252
add comment=post-auth-pool-2ghz name=pool1 ranges=172.168.254.10-192.168.254.252
/ip dhcp-server
add add-arp=yes address-pool=pool0 disabled=no interface=wlan2 lease-time=14s name=hs-dhcp-server-2ghz src-address=192.188.254.254
/ip hotspot
add address-pool=pool1 disabled=no idle-timeout=none interface=wlan2 name=hs-server-2ghz profile=hs-server-profile-2ghz
/ip address
add address=192.168.254.2/24 comment=wan interface=ether1 network=192.168.254.0
add address=192.188.254.254/24 comment=pre-auth-network-2ghz interface=wlan2 network=192.188.254.0
add address=172.168.254.254/24 comment=post-auth-network-2ghz interface=wlan2 network=172.168.254.0
/ip dhcp-server network
add address=192.188.254.254/32 dns-server=8.8.8.8,192.168.254.2 gateway=192.168.254.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=hs-pre-auth comment="limit unauthorized hotspot clients" disabled=yes
add action=jump chain=forward comment="limit access for unauthorized hotspot clients" disabled=yes jump-target=hs-pre-auth src-address=192.188.254.0/24
add action=accept chain=hs-input comment="accept requests for hotspot servlet (port 80)" disabled=yes protocol=tcp src-address=192.188.254.0/24
add action=accept chain=hs-input comment="accept requests for hotspot servlet (port 443)" disabled=yes dst-port=443 protocol=tcp src-address=192.188.254.0/24
add action=accept chain=hs-input comment="accept requests from local dhcp server" disabled=yes dst-port=67 protocol=udp src-address=192.188.254.0/24
add action=jump chain=hs-input comment="limit access for unauthorized hotspot clients" disabled=yes jump-target=hs-pre-auth
add action=return chain=hs-pre-auth comment="allow ping requests" disabled=yes protocol=icmp
add action=return chain=hs-pre-auth comment="allow dns requests" disabled=yes dst-port=53 protocol=udp
add action=reject chain=hs-pre-auth comment="reject access for unauthorized hotspot clients" disabled=yes reject-with=icmp-network-unreachable
add action=accept chain=hotspot comment="account authorized hotspot clients" disabled=yes
add action=jump chain=forward comment="account traffic for authorized hotspot clients" disabled=yes jump-target=hotspot
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=masquerade chain=srcnat comment="masquerade hotspot pre-auth network" src-address=192.188.254.0/24
add action=redirect chain=dstnat comment="redirect pre-auth hotspot clients to hotspot service (port 80)" dst-port=80 protocol=tcp src-address=\
    192.188.254.0/24 to-ports=80
add action=redirect chain=dstnat comment="redirect pre-auth hotspot clients to hotspot service (port 443)" dst-port=443 protocol=tcp src-address=\
    192.188.254.0/24 to-ports=80
/ip hotspot user
add name=ganja password=1234
/ip hotspot walled-garden
add comment="place hotspot rules here"
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list !dst-port !protocol server=hs-server-2ghz !src-address !src-address-list
/ip route
add distance=1 gateway=192.168.254.254
add distance=1 dst-address=192.168.254.13/32 gateway=ether1
add distance=1 dst-address=192.168.254.254/32 gateway=ether1
/system identity
set name=nas-1
/system routerboard settings
set cpu-frequency=333MHz

Thanks

2frogs · Tue Jun 26, 2018 8:36 pm

There are several errors!

192.188.254.254 instead of 192.168.254.254..

No DNS under IP>DNS, all DNS request get redirected to the Mikrotik.

DHCP lease-time needs to be in a number of hours or some devices (Apple) will not work.

Set ip-pool=none in IP>Hotspot, devices will get IP Address from DHCP Server.

That should get you started.

PCNetworks · Tue Jun 26, 2018 11:06 pm

There are several errors!

192.188.254.254 instead of 192.168.254.254..

No DNS under IP>DNS, all DNS request get redirected to the Mikrotik.

DHCP lease-time needs to be in a number of hours or some devices (Apple) will not work.

Set ip-pool=none in IP>Hotspot, devices will get IP Address from DHCP Server.

That should get you started.

Thank you for the informative reply 2frogs.

I changed the DCHP Server network from the 192.168.254x --> 192.188.254x (late nights worked negatively against my vision)
added the dns numbers 8.8.8.8, 192.188.254.254 (I incorrectly assumed that the auto hotspot configuration would set those)
the DHCP lease time has been set to 12H
and in the hotspot I disabled the DHCP.

Unfortunately, I still get the identical results [><], no log-in screen and the device browser works for a long while before returning "server not found"


# jan/02/1970 18:58:15 by RouterOS 6.42.3
# software id = 046D-LZ6N
#
# model = 333
# serial number = 179801C18694
/interface wireless
set [ find default-name=wlan1 ] antenna-mode=ant-b country="united states" disabled=no mode=ap-bridge radio-name=5ghz-hs-interface ssid="wubble"
set [ find default-name=wlan2 ] antenna-mode=ant-b country="united states" disabled=no mode=ap-bridge radio-name=2ghz-hs-interface ssid="gubble"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.188.254.254 login-by=cookie,http-chap,trial name=hs-server-profile-2ghz
/ip hotspot
add disabled=no idle-timeout=none interface=wlan2 name=hs-server-2ghz profile=hs-server-profile-2ghz
/ip pool
add comment=pre-auth-pool-2ghz name=pool0 ranges=192.188.254.10-192.188.254.252
add comment=post-auth-pool-2ghz name=pool1 ranges=172.168.254.10-192.168.254.252
/ip dhcp-server
add add-arp=yes address-pool=pool0 disabled=no interface=wlan2 lease-time=12h name=hs-dhcp-server-2ghz src-address=192.188.254.254
/ip address
add address=192.168.254.2/24 comment=wan interface=ether1 network=192.168.254.0
add address=192.188.254.254/24 comment=pre-auth-network-2ghz interface=wlan2 network=192.188.254.0
add address=172.168.254.254/24 comment=post-auth-network-2ghz interface=wlan2 network=172.168.254.0
/ip dhcp-server network
add address=192.188.254.254/32 dns-server=8.8.8.8,192.188.254.254 gateway=192.188.254.254 netmask=24 ntp-server=128.138.140.44,128.138.141.172
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.188.254.254
/ip dns static
add address=192.188.254.254 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=accept chain=hs-pre-auth comment="limit unauthorized hotspot clients"
add action=jump chain=forward comment="limit access for unauthorized hotspot clients" jump-target=hs-pre-auth src-address=192.188.254.0/24
add action=accept chain=input comment="accept requests for hotspot servlet (port 80)" protocol=tcp src-address=192.188.254.0/24
add action=accept chain=input comment="accept requests for hotspot servlet (port 443)" dst-port=443 protocol=tcp src-address=192.188.254.0/24
add action=accept chain=input comment="accept requests from local dhcp server" dst-port=67 protocol=udp src-address=192.188.254.0/24
add action=jump chain=input comment="limit access for unauthorized hotspot clients" jump-target=hs-pre-auth
add action=return chain=hs-pre-auth comment="allow ping requests" protocol=icmp
add action=return chain=hs-pre-auth comment="allow dns requests" dst-port=53 protocol=udp
add action=reject chain=hs-pre-auth comment="reject access for unauthorized hotspot clients" reject-with=icmp-network-unreachable
add action=accept chain=hotspot comment="account authorized hotspot clients"
add action=jump chain=forward comment="account traffic for authorized hotspot clients" jump-target=hotspot
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=masquerade chain=srcnat comment="masquerade hotspot pre-auth network" src-address=192.188.254.0/24
add action=redirect chain=dstnat comment="redirect pre-auth hotspot clients to hotspot service (port 80)" dst-port=80 protocol=tcp src-address=\
    192.188.254.0/24 to-ports=80
add action=redirect chain=dstnat comment="redirect pre-auth hotspot clients to hotspot service (port 443)" dst-port=443 protocol=tcp src-address=\
    192.188.254.0/24 to-ports=443
/ip hotspot user
add name=ptaylor password=1234
/ip hotspot walled-garden
add comment="place hotspot rules here"
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list !dst-port !protocol server=hs-server-2ghz !src-address !src-address-list
/ip route
add distance=1 gateway=192.168.254.254
add distance=1 dst-address=192.168.254.13/32 gateway=ether1
add distance=1 dst-address=192.168.254.254/32 gateway=ether1
/ip service
set www port=8080
set www-ssl disabled=no
/system identity
set name=nas-1
/system routerboard settings
set cpu-frequency=333MHz

Thank you

2frogs · Tue Jun 26, 2018 11:27 pm

Can the Mikrotik resolve DNS properly? Access internet?

Use /tools trace-route and see if it trace to google.com with “use dns” checked.

PCNetworks · Wed Jun 27, 2018 1:12 am

Can the Mikrotik resolve DNS properly? Access internet?

Use /tools trace-route and see if it trace to google.com with “use dns” checked.

Thank you 2frogs.

Yes, the router sees the Internet _ _ _ I am able to trace-route using DNS to google.com (however there are 2 time-outs near the end).

Likewise, the mt manual page loads while inside of the router gui.

DHCP server return to client device:

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Qualcomm Atheros AR9485 Wireless Network Adapter
   Physical Address. . . . . . . . . : 28-C2-DD-91-C5-D9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b596:c198:1e11:e682%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.188.254.251(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Lease Obtained. . . . . . . . . . : Monday, June 25, 2018 8:41:10 PM
   Lease Expires . . . . . . . . . . : Wednesday, June 27, 2018 2:47:56 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.188.254.254
   DHCPv6 IAID . . . . . . . . . . . : 136889053
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-7C-25-49-30-5A-3A-87-75-EB
   DNS Servers . . . . . . . . . . . : 192.188.254.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

From client device if a ping is sent to -> 192.188.254.254 yields no returns

Thank you 2 frogs

R1CH · Thu Jun 28, 2018 2:58 pm

Haven't used hotspot before, but this certainly doesn't look right:

/ip dhcp-server network
add address=192.188.254.254/32

   IPv4 Address. . . . . . . . . . . : 192.188.254.251(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

You probably want a /24 network at least?

PCNetworks · Thu Jun 28, 2018 10:31 pm

Haven't used hotspot before, but this certainly doesn't look right:
Code: Select all
/ip dhcp-server network
add address=192.188.254.254/32
Code: Select all
   IPv4 Address. . . . . . . . . . . : 192.188.254.251(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
You probably want a /24 network at least?

Just this morning I elected to replace the routerboard entirely _ _ _ problem solved!

Much thanks to 2frogs and yourself for taking the time to help.
Have a great day.

Keep your shiny side UP!
Life is 10% what happens and 90% how you respond to it happening.

Users Not Being Directed to the Hotspot Login Screen

Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen

Re: Users Not Being Directed to the Hotspot Login Screen