Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Problem with Hotspot - very slow website browsing

Post Reply
 
Neferith
newbie
Topic Author
Posts: 25
Joined: Thu Mar 30, 2017 9:05 am

Problem with Hotspot - very slow website browsing

Mon Apr 03, 2017 2:52 pm

Hi All,

I have problem with setting a Hotspot. I have 2 WLAN networks - OFFICE for normal users and VISITORS as hotspot. My OFFICE network works well, but VISITORS is not. When user authenticates, internet works extremely slow. I'm able to ping servers in internet, but website browsing works terribly slow. I appreciate any suggestions.

My whole router config:
Code: Select all
# apr/03/2017 09:33:40 by RouterOS 6.38.5
# software id = D7VB-R9MW
#
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel1
add band=2ghz-b/g/n frequency=2437 name=channel2
add band=2ghz-b/g/n frequency=2462 name=channel3
/interface bridge
add admin-mac=4C:5E:0C:C0:AB:33 auto-mac=no name=bridge-vlan1
add admin-mac=4C:5E:0C:C0:AB:33 auto-mac=no name=bridge-vlan10
add admin-mac=4C:5E:0C:C0:AB:33 auto-mac=no name=bridge-vlan20
add admin-mac=4C:5E:0C:C0:AB:33 auto-mac=no name=bridge-vlan30
add admin-mac=4C:5E:0C:C0:AB:33 auto-mac=no name=bridge-vlan100
/interface ethernet
set [ find default-name=ether3 ] mac-address=4C:5E:0C:C0:AB:34 name=\
    ether3-master
set [ find default-name=ether4 ] mac-address=4C:5E:0C:C0:AB:35 master-port=\
    ether3-master
set [ find default-name=ether5 ] mac-address=4C:5E:0C:C0:AB:36
set [ find default-name=ether6 ] mac-address=4C:5E:0C:C0:AB:37 name=\
    ether6-master
set [ find default-name=ether7 ] mac-address=4C:5E:0C:C0:AB:38 master-port=\
    ether6-master
set [ find default-name=ether8 ] mac-address=4C:5E:0C:C0:AB:39 master-port=\
    ether6-master
set [ find default-name=ether9 ] mac-address=4C:5E:0C:C0:AB:3A master-port=\
    ether6-master
set [ find default-name=ether10 ] mac-address=4C:5E:0C:C0:AB:3B master-port=\
    ether6-master
set [ find default-name=sfp1 ] mac-address=4C:5E:0C:C0:AB:31
set [ find default-name=ether1 ] mac-address=4C:5E:0C:C0:AB:32 name=wan1
set [ find default-name=ether2 ] mac-address=4C:5E:0C:C0:AB:33 name=wan2
/ip neighbor discovery
set wan1 discover=no
/interface vlan
add interface=ether5 name=ether5-int-vlan1 vlan-id=1
add interface=ether5 name=ether5-int-vlan10 vlan-id=10
add interface=ether5 name=ether5-int-vlan100 vlan-id=100
add interface=ether5 name=ether5-int-vlan20 vlan-id=20
add interface=ether5 name=ether5-int-vlan30 vlan-id=30
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=OFFICE passphrase=################
add name=VISITORS
/caps-man configuration
add channel.band=2ghz-b/g/n channel.width=20 country=poland datapath.bridge=\
    bridge-vlan20 mode=ap name=OFFICE rx-chains=0 security=OFFICE ssid=OFFICE \
    tx-chains=0
add channel.band=2ghz-b/g/n channel.width=20 country=poland datapath.bridge=\
    bridge-vlan30 guard-interval=any mode=ap name=VISITIORS rx-chains=0 \
    security=VISITORS ssid=VISITORS tx-chains=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.domain.com hotspot-address=10.1.30.1 \
    login-by=http-chap
add dns-name=hotspot.domain.com hotspot-address=10.1.30.1 login-by=http-chap \
    name=hsprof1
/ip pool
add name=pool-vlan1 ranges=192.168.1.100-192.168.1.200
add name=pool-vlan20 ranges=10.1.20.100-10.1.20.200
add name=pool-vlan30 ranges=10.1.30.100-10.1.30.200
add name=pool-vlan10 ranges=10.1.10.100-10.1.10.200
add name=pool-vlan100 ranges=10.1.100.100-10.1.100.200
add name=pool-RA-VPN ranges=10.1.99.100-10.1.99.200
/ip dhcp-server
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 lease-time=8h \
    name=dhcp-vlan1
add address-pool=pool-vlan10 disabled=no interface=bridge-vlan10 lease-time=\
    8h name=dhcp-vlan10
add address-pool=pool-vlan20 disabled=no interface=bridge-vlan20 lease-time=\
    8h name=dhcp-vlan20
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 lease-time=\
    8h name=dhcp-vlan30
add address-pool=pool-vlan100 disabled=no interface=bridge-vlan100 \
    lease-time=8h name=dhcp-vlan100
/ip hotspot
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 name=\
    hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-vlan30 mac-cookie-timeout=1d \
    session-timeout=4h shared-users=50
/ppp profile
add dns-server=192.168.1.63 local-address=10.1.99.1 name="RA VPN" \
    remote-address=pool-RA-VPN use-encryption=yes
add name=VPN-domain use-encryption=yes
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=OFFICE name-format=\
    identity slave-configurations=VISITIORS
/interface bridge port
add bridge=bridge-vlan10 interface=ether6-master
add bridge=bridge-vlan1 interface=ether3-master
add bridge=bridge-vlan1 interface=ether5-int-vlan1
add bridge=bridge-vlan10 interface=ether5-int-vlan10
add bridge=bridge-vlan100 interface=ether5-int-vlan100
add bridge=bridge-vlan20 interface=ether5-int-vlan20
/interface pptp-server server
set authentication=mschap2 default-profile="RA VPN" enabled=yes
/ip address
add address=192.168.1.100/24 interface=bridge-vlan1 network=192.168.1.0
add address=10.1.10.1/24 interface=bridge-vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=bridge-vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=bridge-vlan30 network=10.1.30.0
add address=10.1.100.1/24 interface=bridge-vlan100 network=10.1.100.0
add address=192.168.4.253/24 interface=wan2 network=192.168.4.0
add address=XX.YY.ZZ.14/24 interface=wan1 network=XX.YY.ZZ.0
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=192.168.1.64,192.168.1.66,8.8.4.4 domain=\
    domain.com gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 dns-server=192.168.1.64,192.168.1.66,8.8.4.4 domain=\
    domain.com gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=8.8.4.4,8.8.8.8 domain=domain.com gateway=\
    10.1.30.1 netmask=24
add address=10.1.100.0/24 dns-server=192.168.1.64,192.168.1.66 domain=\
    domain.com gateway=10.1.100.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.64,192.168.1.66,8.8.4.4 \
    domain=domain.com gateway=192.168.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=input disabled=yes dst-address=10.0.0.0/8 src-address=\
    10.1.30.0/24
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/8 \
    src-address=10.1.30.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP VPN allow" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Zarz\B9dzanie WINBOXem" dst-port=8291 \
    protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=wan1
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=wan1
/ip firewall nat
add action=accept chain=srcnat comment="No NAT for site to site traffic" \
    dst-address=10.2.0.0/16 src-address=10.1.0.0/16
add action=masquerade chain=srcnat disabled=yes log=yes src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat comment=ISP1 out-interface=wan1
add action=masquerade chain=srcnat comment=ISP2 out-interface=wan2
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.1.30.0/24
add action=dst-nat chain=dstnat comment="RDP dla PRO01 WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=53364 protocol=tcp to-addresses=192.168.1.64 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="Kamery WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=2013 protocol=tcp to-addresses=192.168.1.250 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Kamery WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=80 protocol=tcp to-addresses=192.168.1.250 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Kamery WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=2000 protocol=tcp to-addresses=192.168.1.250 \
    to-ports=2000
add action=dst-nat chain=dstnat comment="Kamery WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=9014 protocol=tcp to-addresses=192.168.1.250 \
    to-ports=2000
add action=dst-nat chain=dstnat comment="FTP WAN1" dst-address=XX.YY.ZZ.14 \
    dst-port=21 protocol=tcp to-addresses=192.168.1.134 to-ports=21
add action=dst-nat chain=dstnat comment="VNC WAN1" disabled=yes dst-address=\
    XX.YY.ZZ.14 dst-port=59103 protocol=tcp to-addresses=192.168.1.103 \
    to-ports=5900
add action=dst-nat chain=dstnat comment="\?\? RDP - WAN1" disabled=yes \
    dst-address=XX.YY.ZZ.14 dst-port=3369 protocol=tcp to-addresses=\
    192.168.1.69 to-ports=3389
add action=dst-nat chain=dstnat comment="\?\? RDP - WAN1" disabled=yes \
    dst-address=XX.YY.ZZ.14 dst-port=3365 protocol=tcp to-addresses=\
    192.168.1.65 to-ports=3389
add action=dst-nat chain=dstnat comment="\?\? RDP - WAN1" disabled=yes \
    dst-address=XX.YY.ZZ.14 dst-port=3367 protocol=tcp to-addresses=\
    192.168.1.67 to-ports=3389
add action=dst-nat chain=dstnat comment="\?\? RDP - WAN1" disabled=yes \
    dst-address=XX.YY.ZZ.14 dst-port=59102 protocol=tcp to-addresses=\
    192.168.1.102 to-ports=3389
add action=dst-nat chain=dstnat comment="\?\? RDP - WAN1" disabled=yes \
    dst-address=XX.YY.ZZ.14 dst-port=53102 protocol=tcp to-addresses=\
    192.168.1.102 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP dla PRO01 WAN2" dst-address=\
    XX.YY.ZZ.WW dst-port=53364 protocol=tcp to-addresses=192.168.1.64 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="RDP dla PRO02 WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=53366 protocol=tcp to-addresses=192.168.1.66 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="RDP dla PRO02 WAN2" dst-address=\
    XX.YY.ZZ.WW dst-port=53366 protocol=tcp to-addresses=192.168.1.66 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="RDP dla PRO03 WAN1" dst-address=\
    XX.YY.ZZ.14 dst-port=53368 protocol=tcp to-addresses=192.168.1.68 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="RDP dla PRO03 WAN2" dst-address=\
    XX.YY.ZZ.WW dst-port=53368 protocol=tcp to-addresses=192.168.1.68 \
    to-ports=3389
/ip hotspot user
add name=visitor password=XXXXXXXXXXX
/ip route
add comment=ISP1 distance=1 gateway=XX.YY.ZZ.1
add comment=ISP2 distance=2 gateway=192.168.4.1
add comment="Force this HOST1 via ISP1" distance=1 dst-address=8.8.8.8/32 \
    gateway=XX.YY.ZZ.1
add comment="Force this HOST1 via ISP1 blackhole" distance=1 dst-address=\
    8.8.8.8/32 type=blackhole
add comment="Force this HOST2 via ISP1" distance=1 dst-address=\
    208.67.222.123/32 gateway=XX.YY.ZZ.1
add comment="Force this HOST2 via ISP1 blackhole" distance=1 dst-address=\
    208.67.222.123/32 type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=172.16.100.1 name=VPN-domain password=########## \
    profile=VPN-domain remote-address=172.16.100.2 routes=\
    "10.2.0.0/16 172.16.100.2 1" service=pptp
add name=admin password=########### profile="RA VPN"
/radius
add address=192.168.1.66 secret=############# src-address=192.168.1.100 \
    timeout=100ms
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=domain-ZBN-R01
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=echo topics=critical

/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge-vlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge-vlan1
Thanks in advance!
BR/Bartosz
Top
 
coldspot
just joined
Posts: 5
Joined: Fri Aug 18, 2017 6:33 pm

Re: Problem with Hotspot - very slow website browsing

Tue Jul 31, 2018 5:59 pm

Same problem. Can experts help?
Top
 
vargacs
just joined
Posts: 4
Joined: Sun Aug 30, 2015 7:36 pm

Re: Problem with Hotspot - very slow website browsing

Sat Sep 01, 2018 8:11 pm

Hello,

I have the same problem!
But it is strange, when I torching the vlan interface, the internet speed is up to normal (limited to 10mbit/s). When I stop torching, the speed is reduce to 0.001 mbti/s again.

Somebody can help to FIX this strange problem?

I did hardreset, but the result is always the same.

Regards,
Csabi
Top
 
Dude2048
Member Candidate
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: Problem with Hotspot - very slow website browsing

Sat Sep 01, 2018 8:50 pm

I don’t really know if t is related, but I had the same issues on a mipsbe (962) device. Now on arm (1100ahx4) and it works fine. What hardware are all of you using? What is the result of profiling under load?

For the record, I only have the rules in the firewall needed for hotspot. Firewalling is done elswhere.
Top
 
User avatar
LinuxEngineer
just joined
Posts: 10
Joined: Fri Apr 22, 2016 11:46 am
Location: United Kingdom
Contact:
Contact LinuxEngineer

Re: Problem with Hotspot - very slow website browsing

Thu Aug 15, 2019 1:17 pm

My solution posted can be found here:

https://superuser.com/questions/1471612 ... t-unusable
Top
Post Reply
  4. RouterOS
  5. Beginner Basics