Bug spotting – PPPoE and Hotspot

Came across an interesting (yet to be verified) bug today.

The info:

RouterOS v4.10 running on x86 server

Site runs both a hotspot and PPPoE server on the same interface.

Users can choose to log in via the captive portal (which most do) or, for those who understand PPPoE and prefer it, connect over PPPoE instead, which comes with a public IP.

The problem:

A support call came in saying that a user was unable to access www.google.com (which for the sake of this example we'll say resolves to 192.0.2.1). I checked and confirmed I could indeed ping and trace to the address, put it down to a user issue, but left the ticket open for one of our on-site techs to have a try.

Later on:

The on-site tech reported that he too had become unable to reach www.google.com when logged in via PPPoE: the trace got a first-hop response from the gateway and then simply timed out.

The cause:

I'll spare you everything I tested and tried over the next hour; the actual cause was rather interesting.

The hotspot's "hosts list" contained old entries from a client with an improperly configured IP address (in this case 192.0.2.1) that had tried to reach the login page at some point in the previous couple of days and was still being held there. The effect was that, for users connected over PPPoE, traffic destined for 192.0.2.1 was being sent towards that LAN host RATHER than out the correct default route. Note that the entry was created simply by a client presenting that source address to the hotspot, so whatever address a LAN client happens (or chooses) to use can end up in this table.

Why? No idea.

The solution:

When the hotspot was set up (we had reinstalled the machine recently) it appears someone had forgotten to set the 'idle-timeout' value on the hotspot user profile. With no idle timeout, these hosts were never expired and the table kept growing (there were other incorrect addresses in there too).

Better solution (provided by MikroTik support):
You have an option to allow only specific subnets to reach the HotSpot network.
Add them to ip-binding, specify the subnets you would like to allow and set type=regular.
Block any other unneeded subnet with type=blocked.

Eg (the allow entry is listed before the catch-all block entry, as in the configuration support gave us):

/ip hotspot ip-binding
add address=10.10.40.0/21 type=regular comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 type=blocked comment="Block all else" disabled=no

Side note: we don't use the address-pool option on the hotspots because it causes LAN traffic to pass back through (and be counted by) the router, which we don't want since we let our users have unlimited LAN access to each other. So I'm at quite a loss as to why this routing pattern would occur.
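The script below is an added example, not part of the original post or of MikroTik's own documentation. It audits the hotspot host table for the condition described above: any host entry whose address falls outside the LAN range that the ip-binding rules permit (it assumes the 10.10.40.0/21 range from the ip-binding example; change the lan variable to match your network). It is written against the current RouterOS scripting syntax (:foreach, :local and the "in" subnet test) and has not been tested on v4.10. Run it from a terminal or schedule it; removing the stale entries is left commented out so the check is read-only by default.

```routeros
# Added example (not from the original post): report hotspot host entries whose
# address is outside the permitted LAN range, i.e. exactly the kind of stale
# entry (192.0.2.1 in the post) that hijacked traffic for PPPoE users.
# Assumption: the LAN range is the one used in the ip-binding example above.
:local lan 10.10.40.0/21
:local found 0

:foreach h in=[/ip hotspot host find] do={
    :local addr [/ip hotspot host get $h address]
    :local mac  [/ip hotspot host get $h mac-address]
    :local auth [/ip hotspot host get $h authorized]
    # "in" tests whether an IP address lies inside a subnet
    :if (!($addr in $lan)) do={
        :set found ($found + 1)
        :log warning ("hotspot host with foreign address " . $addr . " mac=" . $mac . " authorized=" . [:tostr $auth])
        # To expire the stale entry immediately instead of waiting for
        # idle-timeout, uncomment the next line:
        # /ip hotspot host remove $h
    }
}
:put ("foreign hotspot host entries: " . $found)
```

The ip-binding rules stop new foreign addresses from being accepted, while this check shows you whether any are already sitting in the table (and lets you drop them) without waiting for an idle-timeout to expire them.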


8 thoughts on “Bug spotting – PPPoE and Hotspot”

  1. Uhmm… This makes me think of a similar issue I have on some of my nodes, but PPPoE is not used on any of them except one. So I think your problem is not related to PPPoE at all, but it affects PPPoE because of how the hotspot is supposed to work.

    I detailed my problem at mikrotik’s forum without much success: http://forum.mikrotik.com/viewtopic.php?f=2&t=44995

  2. If you're not worried about traffic passing back to the router you can enable the “address-pool” option to essentially perform 1-to-1 NAT on any user regardless of them having a correct/incorrect address.
    The issue this was causing for me is that, even when address-pool is not enabled, it tries to route traffic from the PPPoE users to those IPs as if they were local (even though it routes correctly from the MikroTik itself).

  3. Hi admin,
    We are a small IT company in Kenya and we have several unique scenarios that we would like help with on MikroTik. You seem like you are in a position to help us. How can we get in touch with you directly, maybe through mail, and give details?
    regards,
    Martin.

  4. Hello,
    There's nothing additional needed; simply create your PPPoE server on the same interface as the hotspot.
    Be aware you will need to secure any switches in the network to stop anyone else from presenting a PPPoE server and stealing usernames/passwords.

  5. Hi

    I have this annoying problem with the MikroTik Hotspot. Can you help me? My request is simple. With other routers that have an embedded hotspot/captive portal feature, the hardware automatically checks whether the traffic originates internally and is destined internally, in which case the user does not need to go through the hotspot login. The case is different with MikroTik.

    I use a MikroTik RB1100AHx2. I set up a hotspot for my office users, who reside in 192.168.1.0/24. I have a web server at 192.168.1.2. The MikroTik is 192.168.1.1.

    The IPv4 config gateway points to 192.168.1.1, DNS to 8.8.8.8 and 8.8.4.4.

    For some reason, when a user from IP 192.168.1.12 tries to access another internal PC or my web server at 192.168.1.2, it always requires them to enter the hotspot login. The only solution so far is to enter an IP Binding. But that would defeat the purpose of having a hotspot.

    Is there any solution to this? Almost all my devices, including my wifi printer, are not working. I also tried entering a Walled Garden entry with only the destination host set to 192.168.1.0/24. Everything else is left unset in the hope that it will allow all servers and all sources. Still no luck.

    Can you please help me?

    Thank you

  6. Hi Cinlungendra,

    In your hotspot server change the “address-pool” item to none. This will stop the MikroTik universal proxy from collecting all hotspot client traffic.

    Let us know how you go!

    Kind Regards,
    Andrew

  7. Hi

    I have a hotspot and a PPPoE server running on the same interface. Both work properly for some time, but after a few hours users are not able to ping the gateway (hotspot IP) and do not get the login page either. I can't see their entries in hosts either. The moment I stop and restart the hotspot server, everything is back to normal. No issues for PPPoE users at all.

    I can see more than double the host entries in the hotspot compared to the number of actually connected users.

    Anticipating response from your side.

    Thanks
