"BAD" rule in NAT table with Hotspot

Posted: Sat Aug 16, 2008 7:28 pm
by dconnrt
Hi everyone,

I'm seeing a weird problem with a Hotspot setup: -

I'm using Hotspot with Mac authentication and a [freeradius] radius server and it's almost perfect.

BUT people can't get out on the web when they are logged in - and the reason seems to be a rogue NAT rule that's added by Hotspot. If I delete the rule the whole system works perfectly. If the routerboard is powered off and on, the rogue NAT rule reappears and the system is knackered until I delete the rule again.

The "bad" rule in the NAT table is: -

Rule # 13: Chain: hs-auth, Action: redirect, To Ports: 64874

It seems to be a rule that does a redirect IF the customer IS logged in. I don't see why a redirect would be needed for logged-in users (obviously the redirects for NOT logged-in users are necessary for the captive portal).

Once that rule is removed everything is great (until the next reboot of course).

Does anyone have any idea how I can make this rule NOT come back after a reboot or any other way to fix this problem?

thanks very very much,

Derek

Re: "BAD" rule in NAT table with Hotspot

Posted: Sat Aug 16, 2008 7:59 pm
by SurferTim
What hardware and OS version are you running?

Re: "BAD" rule in NAT table with Hotspot

Posted: Sun Aug 17, 2008 1:35 pm
by dconnrt
Hi SurferTim,

It's an RB333 running ROS 3.11.

thanks for any help

Derek

Re: "BAD" rule in NAT table with Hotspot

Posted: Sun Aug 17, 2008 1:55 pm
by SurferTim
V3.11 has known problems with the hotspot redirect and walled garden. To ensure it is not an OS bug, I would recommend upgrading to V3.12 or V3.13. Or downgrade to 3.10.

I do have an RB333 running V3.11, but had to do some patches to get it to work. You might try disabling the hotspot transparent proxy.
/ip hotspot user profile set X transparent-proxy=no
X is the line number of the user profile. Unless you have added others, there should be just one.

Re: "BAD" rule in NAT table with Hotspot

Posted: Mon Aug 18, 2008 3:19 am
by dconnrt
Hi again,

I've upgraded to ROS v3.13. I see the "bad" rule is still there but I'm not at the location so I can't test (and I've erased the rule again).

What is the "transparent proxy" option in the user profile menu?

thanks very much for the help!

Derek

Re: "BAD" rule in NAT table with Hotspot

Posted: Tue Aug 19, 2008 2:22 pm
by dconnrt
To follow-up: -

I upgraded routeros from 3.11 to 3.13 but the same problem is there (the "bad" NAT rule # 13 - hs-auth redirect).

The user tries to access an external website and does get authenticated (via MAC authentication with an external radius server - and the user is logged in and does appear in the Ip-->Hotspot->Active listing) *BUT* then they keep getting redirected back to the routerboard alogin.html page over and over again (it drives the users nuts).

When the NAT rule # 13 is removed the system works 100%, but if the routerboard is powered off & on the rule comes back and so does the problem.

Weird!

D

Re: "BAD" rule in NAT table with Hotspot

Posted: Tue Aug 19, 2008 3:46 pm
by SurferTim
I checked a couple of my boxes, and I get no rule like that when I reboot. But I do not use mac authentication. I use http-chap as the only login-by.

Re: "BAD" rule in NAT table with Hotspot

Posted: Wed Aug 20, 2008 12:27 am
by dconnrt
I'm going to set up a test board again and see if that rule is there - I checked another Hotspot board today (Mac address but via the internal user manager and NOT an external [internet] radius server) and that rule # 13 IS there, but it doesn't seem to be messing anything up!

I wonder why there is a hs-auth redirect rule at all? (as opposed to a hs-not-auth rule).

If it comes to it I'll have to read up on scripting and see if I can somehow delete the rule just after power-up.

Derek

Re: "BAD" rule in NAT table with Hotspot

Posted: Wed Aug 20, 2008 9:46 am
by sergejs
Perhaps you have 'transparent-proxy' enabled at 'ip hotspot user profile', check as well for advertisement.
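Added example, not from this thread or from MikroTik's own documentation: RouterOS CLI commands that check the setting SurferTim's and sergejs's replies both point at, and the hs-auth rule Derek describes, so the two can be compared before and after a reboot. In RouterOS, transparent-proxy=yes in a hotspot user profile passes authorized users' HTTP through the hotspot's built-in proxy, which is what a redirect rule in the hs-auth chain does; with it set to no there is no reason for such a rule to exist. The profile name "default" is an assumption; substitute whatever the first print lists.

```routeros
# Show every hotspot user profile with all of its settings, including
# transparent-proxy, so the profile the users are actually on can be identified
/ip hotspot user profile print detail

# Switch the transparent proxy off for that profile
# ("default" is an assumption; use the name shown by the print above)
/ip hotspot user profile set [find name="default"] transparent-proxy=no

# List only the hotspot's hs-auth chain; after the change above the
# redirect-to-proxy rule for authorized users should no longer appear
# (hotspot rules are created dynamically and carry the D flag)
/ip firewall nat print where chain=hs-auth

# Confirm the setting is part of the saved configuration, i.e. that it will
# still be transparent-proxy=no after the board is power-cycled
/ip hotspot user profile export
```

Because the hotspot recreates its NAT rules from the profile settings at every start, checking the profile is the durable test; deleting the rule by hand only describes the symptom, and the last two commands are the ones to repeat after a reboot.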

Re: "BAD" rule in NAT table with Hotspot

Posted: Wed Aug 20, 2008 11:28 am
by dconnrt
Hi Sergejs,

Yes - I had "transparent proxy" enabled. I've disabled it now and I'll test it later and see if this setting makes a difference.

What is "transparent proxy"? - I'm having trouble finding out anything about it.

thanks

D