Hi Folks,

I'm pretty new to these routers and networking in general. But have worked my way through with some help of people in the know. We are based in Bali and run a coworking space, the internet is terrible here and unreliable so we need 3 internet connections with load balancing.

We have hit a major hurdle and its probably due to our lack of knowledge but we suspect its a bug in Mikrotek (Hopefully not)

当我们完全困惑为什么热点减免we turn on use-ip-firewall-for-vlan=yes. If we set use-ip-firewall-for-vlan=no our PCC load balancing does not work.

My setup is the following:

Hardware:
Mikrotek CCR1009-8G-1S v6.32.3
UniFi AP-AC-Pro & UniFi AP-AC Outdoor using Controller v4.76.
UniFI Toughswitch POE

WLANS (3 Internet Connections)

We have 3 SSID setup using VLAN:
Team (On Bridge 192.168.10.0)
Hotspot (VLAN20) -Obviously the hotspot
Members (VLAN30)

VLANs are correctly setup on the Unifi controllers and everyone is being assigned the correct DHCP. We have tested many different scenarios however when we enable the "use-ip-firewall-for-vlan=yes" it blocks the hotspot from loading the browser just hangs and no login box appears. If we type in the router IP normally it would load the hotspot in this case it just loads the routeros admin interface. Further weirdness, if we put a website in the wall garden ip list, we can get to this website. So the issue is the hotspot just doesn't display or its not fowarding the connection.

Not that its really relevant but we are using PCC for load balancing and this only works when we "use-ip-firewall-for-vlan=yes" the load balancing works perfectly, we thought this could be effecting loading the hotspot. So we reset the router with a fresh configuration (see configuration below) with just a simple route and tested it with out load balancing and the same thing happens. If we switch the rule to "use-ip-firewall-for-vlan=no" then bang the hotspot works perfectly!!!

What is happening? Do we need another rule setup?

# Example Configuration below:

/interface bridge
add arp=proxy-arp name=Bridge-Trunk
/interface ethernet
set [ find default-name=ether2 ] name=ISP-BIZNET rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] name=ISP-CBN rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether1 ] name=ISP-GECKO rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] name=POE-SWITCH rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether8 ] rx-flow-control=auto tx-flow-control=auto

/interface vlan
add interface=Bridge-Trunk l2mtu=1594 name=VLAN-HOTSPOT vlan-id=20
add interface=Bridge-Trunk l2mtu=1594 name=VLAN-MEMBERS vlan-id=30

/ip hotspot profile
add hotspot-address=192.168.20.1 name=hsprof2

/ip pool
add name=POOL-Team ranges=192.168.10.11-192.168.10.254
add name=POOL-Hotspot ranges=192.168.20.11-192.168.21.254
add name=POOL-Members ranges=192.168.30.21-192.168.31.254

/ip dhcp-server
add address-pool=POOL-Team disabled=no interface=Bridge-Trunk name="Dojo Team"
add address-pool=POOL-Hotspot disabled=no interface=VLAN-HOTSPOT name="Dojo Hotspot"
add address-pool=POOL-Members disabled=no interface=VLAN-MEMBERS name="Dojo Members"

/ip hotspot
add address-pool=POOL-Hotspot disabled=no interface=VLAN-HOTSPOT name=hotspot1 profile=hsprof2

/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no address-pool=POOL-Hotspot

/interface bridge port
add bridge=Bridge-Trunk interface=POE-SWITCH
add bridge=Bridge-Trunk interface=ether5
add bridge=Bridge-Trunk interface=ether6
add bridge=Bridge-Trunk interface=ether7
add bridge=Bridge-Trunk interface=ether8
add bridge=Bridge-Trunk interface=ether9

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip address
add address=192.168.10.1/24 comment="Bride Trunk" interface=Bridge-Trunk network=192.168.10.0
add address=xxx.xx.xx.xx/30 comment="Gecko ISP" interface=ISP-GECKO network=xxx.xx.xx.xx
add address=xxx.xx.xx.xx/27 comment="Biznet ISP" interface=ISP-BIZNET network=xxx.xx.xx.xx
add address=192.168.30.1/23 comment=Members interface=VLAN-MEMBERS network=192.168.30.0
add address=192.168.20.1/23 comment=Hotspot interface=VLAN-HOTSPOT network=192.168.20.0
add address=172.16.100.2/24 comment="CBN ISP" interface=ISP-CBN network=172.16.100.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/23 comment="hotspot network" dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/23 dns-server=192.168.10.1 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes query-total-timeout=12s servers="xxx.xx.xx.xx,xxx.xx.xx.xx"

/ip firewall filterv,203.1
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
添加行动=化装链= srcnat out-interface =我SP-GECKO
添加行动=化装链= srcnat out-interface =我SP-BIZNET
添加行动=化装链= srcnat out-interface =我SP-CBN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.20.0/23
/ip hotspot user
add name=admin

/ip route
add check-gateway=ping comment="Gecko Route Unmarked" distance=1 gateway= xxx.xx.xx.xx
add check-gateway=ping comment="Biznet Unmarked" distance=2 gateway=xxx.xx.xx.xx
add check-gateway=ping comment="CBN Unmarked" distance=3 gateway=xxx.xx.xx.xx

/ip upnp
set enabled=yes

/system clock
set time-zone-name=Asia/Pontianak

/system ntp client
set enabled=yes primary-ntp=180.211.88.211 secondary-ntp=203.34.118.4

Any help would be great! Thanks

Did you find a solution to this issue?