jnh
just joined
Topic Author
Posts: 6
Joined: Fri May 26, 2006 7:59 pm

Hotspot no longer working-- "Connection refused"

Wed Jun 28, 2006 5:10 pm

Hello,

I had a hotspot running for a month or so with no problems, using a RB532 and RouterOS 2.9.20. Since last week, though, following a reboot, the captive-portal HTTP redirection is no longer working.

Clients still receive a valid (private) IP address from the Routerboard's DHCP server, and DNS lookups work, but on attempting to reach any web site the browser gives "Connection Refused", or "Page cannot be displayed" (tcpdump on a laptop client running Linux shows an RST packet coming back in response to any port-80 connection). Not even designated walled-garden sites can be reached. Entering the hotspot's IP address manually in the browser does bring up the login page, though, but other URLs aren't redirected as they should be.

If I go to /ip hotspot and "set 0 disabled=yes", everything works fine-- no issues surfing or accessing other Internet services, but of course the AP is wide open then, with no captive-portal splash screen or login process.

Any ideas? Nothing was changed under /ip hotspot since it was last working... I did make some routing changes prior to the reboot, moving the uplink from Ether1 to Ether2, adding some static routes and an IPIP tunnel, etc., but nothing that should have affected the hotspot. Other traffic passing through the same RB532 is still OK.

Going through the /ip hotspot setup dialog again doesn't help... same problem every time.

Are there any known Hotspot issues in 2.9.20 that might be fixed in a newer RouterOS?

Here's an (export) dump of relevant configuration areas:
# jun/28/2006 11:01:12 by RouterOS 2.9.20
# software id = 4I8R-3TT
#
/ ip hotspot 
add name="hotspot1" interface=wlan1 address-pool=hs-pool-4 profile=hsprof2 \
    idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no 
/ ip hotspot service-port 
set ftp ports=21 disabled=no 
/ ip hotspot profile 
set default name="default" hotspot-address=10.65.64.1 \
    dns-name="hotspot1.____.com" html-directory=hotspot rate-limit="" \
    http-proxy=0.0.0.0:0 smtp-server=__________ login-by=cookie,http-pap \
    http-cookie-lifetime=3d split-user-domain=no use-radius=no 
add name="hsprof2" hotspot-address=10.65.64.1 dns-name="hotspot1.____.com" \
    html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=__________ login-by=cookie,http-pap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=no 
/ ip hotspot user 
add name="hsadmin" password="_________" profile=hsuserprf1 comment="" \
    disabled=no 
add name="guest" password="" profile=hsuserprf1 comment="" disabled=no 
/ ip hotspot user profile 
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=50 transparent-proxy=no 
add name="hsuserprf1" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=yes \
    open-status-page=always advertise=no 
/ ip hotspot walled-garden 
add dst-host=________ path=* action=allow comment="" disabled=no 
add dst-host=_________ path=* action=allow comment="" disabled=no 
add dst-host=________ action=allow comment="" disabled=no 
add dst-host=______ path=* action=allow comment="" disabled=no 
# jun/28/2006 11:06:46 by RouterOS 2.9.20
# software id = 4I8R-3TT
#
/ ip firewall nat 
add chain=srcnat src-address=10.65.64.0/24 action=masquerade \
    comment="masquerade hotspot network" disabled=no 
/ ip firewall connection tracking 
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no 
/ ip firewall filter 
/ ip firewall service-port 
set ftp ports=21 disabled=no 
set tftp ports=69 disabled=no 
set irc ports=6667 disabled=no 
set h323 disabled=yes 
set quake3 disabled=no 
set mms disabled=no 
set gre disabled=yes 
set pptp disabled=yes 
 
jnh
just joined
Topic Author
Posts: 6
Joined: Fri May 26, 2006 7:59 pm

No servlet listening on Port 64874...

Wed Jun 28, 2006 7:15 pm

Looking at the dynamic NAT rules inserted by MT's Hotspot service, it looks like HTTP requests from unauthenticated users are supposed to be redirected to local TCP port 64874 on the Routerboard... since the problem started, though, I've noticed that nothing's listening for connections on that port. Hence the Connection Refused / Page Cannot be Displayed / RST packet sent back to clients.

telnet'ing to ports 64872 (DNS redirect target), or 64873 (HTTP post-auth proxy) from the outside does establish a connection, and I remember being able to reach 64874 in the same way, back when the hotspot was working.

So, some servlet process that should be running on the RB532 apparently isn't. Any way to check on this ('ps' listing equivalent), or restart the errant process? Just rebooting, or toggling the Hotspot from disabled=yes to disabled=no doesn't help.

Here are the dynamic firewall rules I'm referring to:

[admin@cp-mt3] ip firewall nat> print dynamic                                
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=dstnat hotspot=from-client action=jump jump-target=hotspot 

 1 D chain=hotspot action=jump jump-target=pre-hotspot 

 2 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872 

 3 D chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872 

 4 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect 
     to-ports=64873 

 5 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect 
     to-ports=64875 

 6 D chain=hotspot protocol=tcp hotspot=!auth action=jump jump-target=hs-unauth 

 7 D chain=hotspot protocol=tcp hotspot=auth action=jump jump-target=hs-auth 

 8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874 

 9 D chain=hs-unauth protocol=tcp dst-port=3128 action=redirect to-ports=64874 

10 D chain=hs-unauth protocol=tcp dst-port=8080 action=redirect to-ports=64874 

11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875 

12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp 

13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874 

14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp 

15 D chain=hs-smtp in-interface=wlan1 action=dst-nat to-addresses=xx.xx.xx.xx 
     to-ports=25 
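
The check described in this post (find the ports the hotspot's dynamic NAT rules redirect to, then see whether anything answers on them) can be scripted. The following is an added example, not part of the original post and not MikroTik code: it parses a `print dynamic` listing, including the wrapped `to-ports` lines, and TCP-probes each redirect target. The function names and the embedded sample are assumptions made for illustration, and single-port `to-ports` values are assumed.

```python
import re
import socket

# Constructed sample: rules copied from the "print dynamic" listing in the post,
# including one whose to-ports value wraps onto a continuation line.
SAMPLE = """\
 2 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872
 4 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect
      to-ports=64873
 6 D chain=hotspot protocol=tcp hotspot=!auth action=jump jump-target=hs-unauth
 8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874
11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875
"""
RULE_START = re.compile(r"^\s*(\d+)\s+[XID ]*(\S+=.*)$")

def parse_rules(text):
    """Return one dict of key=value pairs per rule, joining wrapped lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"id": int(m.group(1))})
            line = m.group(2)
        if rules:  # skip prompt/"Flags:" header lines that precede rule 0
            rules[-1].update(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return rules

def redirect_targets(rules, protocol="tcp"):
    """Map each redirect to-port to the ids of the rules that point at it."""
    targets = {}
    for r in rules:
        if r.get("action") == "redirect" and r.get("protocol") == protocol:
            targets.setdefault(int(r["to-ports"]), []).append(r["id"])
    return targets

def probe(host, port, timeout=2.0):
    """Classify a TCP port: 'open', 'refused' (RST came back) or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "no-answer"

def dead_redirects(text, host, probe_fn=probe):
    """Redirect targets on host with no listener, and the rules that use them."""
    targets = redirect_targets(parse_rules(text))
    return {p: ids for p, ids in targets.items() if probe_fn(host, p) != "open"}
```

Calling `dead_redirects(listing, "10.65.64.1")` with the full listing and the hotspot address from the export returns the redirect ports that do not accept connections, keyed to the rule numbers that send traffic there.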
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Wed Jun 28, 2006 7:35 pm

Sounds like a DNS problem. Double check that your DNS is functioning properly. Also, try setting dns-name="hotspot1.____.com" to blank.
 
jnh
just joined
Topic Author
Posts: 6
Joined: Fri May 26, 2006 7:59 pm

Wed Jun 28, 2006 7:49 pm

> Sounds like a DNS problem. Double check that your DNS is functioning properly. Also, try setting dns-name="hotspot1.____.com" to blank.
Thanks, but DNS does appear to be working correctly. Tests using "nslookup", "host" etc. from a Linux hotspot client always resolve names to the correct IP address... problems only appear when the client subsequently tries an HTTP port-80 connection to a remote IP. Rather than redirecting this to its login page, the MT router just sends back an RST, refusing the connection.

I think this might be related to the lack of any servlet listening on port 64874, the redirection target (per dynamic NAT rules posted above), but don't know how to fix this.

Blanking out the hotspot dns-name doesn't help either :(
 
BulleriNET
Frequent Visitor
Posts: 99
Joined: Sat Feb 11, 2006 9:30 pm
Location: prescott az 86301

ping to yahoo.com

Thu Jun 29, 2006 12:38 am

Through Winbox, can you ping to a URL like yahoo.com?
 
jnh
just joined
Topic Author
Posts: 6
Joined: Fri May 26, 2006 7:59 pm

Re: ping to yahoo.com

Thu Jun 29, 2006 3:41 am

> Through Winbox, can you ping to a URL like yahoo.com?
Don't have Winbox installed, but DNS lookups from the RouterOS command line (/ping someserver.com) do work as expected.

Even from a Hotspot client, the name lookup always succeeds, returning a correct IP address... it's the subsequent HTTP redirection that's broken. Browsing directly to an IP doesn't work either.

The same RB532 is passing through a lot of other (non-hotspot) traffic without any DNS or routing trouble. The only thing I can find amiss on it is the missing servlet that should be answering connections on port 64874.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Thu Jun 29, 2006 3:56 am

Since you've changed a few things before this happened, I think some of your changes have broken your hotspot. Typically the only time a hotspot will break is if you change around your interfaces, mess with IP addresses, firewall rules, or broken DNS. I don't think it's possible to break just the redirect proxy. Are you sure your hotspot is still assigned to the correct interface? Are you sure you haven't changed the hotspot html directory or the login.html pages themselves?

If I were you, I'd run "/ip hotspot export file=hotspot-backup", download that file so you can look at the settings along with any custom html directory you've made, disable and delete the current hotspot (and the old html directories) and start over with /ip hotspot setup. It's not pretty, but it will take less than 10 minutes to restore it... shouldn't be a big deal if it's already broken :)
 
jnh
just joined
Topic Author
Posts: 6
Joined: Fri May 26, 2006 7:59 pm

Tried clearing & re-entering hotspot config-- still no l

Thu Jun 29, 2006 11:56 pm

> Since you've changed a few things before this happened, I think some of your changes have broken your hotspot. Typically the only time a hotspot will break is if you change around your interfaces, mess with IP addresses, firewall rules, or broken DNS. I don't think it's possible to break just the redirect proxy. Are you sure your hotspot is still assigned to the correct interface? Are you sure you haven't changed the hotspot html directory or the login.html pages themselves?
>
> If I were you, I'd run "/ip hotspot export file=hotspot-backup", download that file so you can look at the settings along with any custom html directory you've made, disable and delete the current hotspot (and the old html directories) and start over with /ip hotspot setup. It's not pretty, but it will take less than 10 minutes to restore it... shouldn't be a big deal if it's already broken :)

Well, I just tried that, deleting everything under /ip hotspot (except for 'profile default' and 'user profile default', which it wouldn't let me delete), and going through /ip hotspot setup again.

It didn't help, though. Still the same issue-- DNS lookups work, but HTTP is redirected to that 64874 port on the RB532, where no servlet is listening (telnet'ing to this port gives the same "connection refused" that Web browser clients see).

Again, once I set the hotspot to "disabled=yes", routing and masquerading from clients behind the wireless interface works great... aside from being wide-open with no login page, of course. I'm posting this from behind the RB532's wlan1 right now...

Oh, tried upgrading from 2.9.20 -> 2.9.26 also, but that didn't help. No better, no worse :(
 
normis
MikroTik Support
Posts: 26954
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jun 30, 2006 9:21 am

Looks like there is a problem with webproxy; please send a supout.rif file to support as soon as possible.
 
jmariuse
just joined
Posts: 1
Joined: Wed Feb 06, 2008 10:22 am

Re: Hotspot no longer working-- "Connection refused"

Wed Feb 06, 2008 10:25 am

Hello.
Did you find any solution to this? I am experiencing the exact same problem.

> /system resource print
uptime: 10h59m27s
version: "2.9.38"
free-memory: 11564kB
total-memory: 30440kB
cpu: "MIPS 4Kc V0.10"
cpu-frequency: 399MHz
cpu-load: 16
free-hdd-space: 91872kB
total-hdd-space: 126976kB
write-sect-since-reboot: 4762
write-sect-total: 383463
bad-blocks: 1