Manual:IP/Hotspot
HotSpot
The MikroTik HotSpot Gateway provides authentication for clients before access to public networks .
HotSpot Gateway features:
- different authentication methods of clients using local client database on the router, or remote RADIUS server;
- users accounting in local database on the router, or on remote RADIUS server;
- walled-garden system, access to some web pages without authorization;
- login page modification, where you can put information about the company;
- automatic and transparent change any IP address of a client to a valid address;
ip hotspot setup
The simplest way to setup HotSpot server on a router, by
/ip hotspot setup
Router will ask you the questions, when successfully finished default configuration will be added for HotSpot server. Once your run setup command, you will be asked for the particular questions,
- hotspot interface (name of the interface) : interface name to run HotSpot on. To run HotSpot on bridge interface, make sure public interfaces are not included to the bridge
- local address of network (IP address; default: 10.5.50.1/24) : HotSpot gateway address
- masquerade network (yes / no; default: yes) : Whether to masquerade HotSpot network, when yes rule is added to /ip firewall nat with action=masquerade
- address pool of network (name) : Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful for providing network access to mobile clients that are not willing to change their networking settings
- select certificate (none / import-other-certificate) : choose SSL certificate, when HTTPS authorization method is required
- ip address of smtp server (IP address; default: 0.0.0.0) : IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port)
- dns servers (IP address) : DNS server addresses used for HotSpot clients, configuration taken from /ip dns menu of the HotSpot gateway
- dns name (name; default: blank) : domain name of the HotSpot server, full quality domain name is required, for example www.example.com
- name of local hotspot user (name; default: admin) : username of one automatically created HotSpot user, added to /ip hotspot user
- password for the user (name) : password for automatically created HotSpot user
ip hotspot
Menu is designed to manage HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on bridge interface, set HotSpot interface as bridge interface not as bridge port, do not add public interfaces to bridge ports. You can add HotSpot servers manually to /ip hotspot menu, but it is advised to run /ip hotspot setup, that adds all necessary settings.
- name (text) : HotSpot server's name or identifier
- address-pool (name / none; default: none) : address space used to change HotSpot client any IP address to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
- idle-timeout (time / none; default: 5m) : period of inactivity for unauthorized clients. When there is no traffic from this client (literally client computer should be switched off), once the timeout is reached, user is dropped from the HotSpot host list, its used address becomes available
- interface (name of interface) : interface to run HotSpot on
- addresses-per-mac (integer / unlimited; default: 2) : number of IP addresses allowed to be bind with the MAC address, when multiple HotSpot clients connected with one MAC-address
- profile (name; default: default) - HotSpot server default HotSpot profile, which is located in /ip hotspot profile
ip hotspot profile
HotSpot profile used for common settings of the HotSpot server, which are applied for all users connected to HotSpot server. Profile allows to specify HotSpot server login options, whether to use RADIUS server for clients and much more.
- name (text) : HotSpot profile name or identifier
- dns-name (text) : DNS name of the HotSpot server, it appears as the location of the login page in the web browser. Fully qualified domain name is required, like www.myhotspot.com not www.hotspot
- hotspot-address (IP address; default: 0.0.0.0) : IP address for the HotSpot server ?!
- html-directory (text; default: hotspot) : HotSpot HTML pages are stored in the particular directory, for example login page, status page, etc. To change HotSpot login page, connect to the router with FTP and download hotspot folder contents. Basic HTML skills required to change HotSpot login page.
- http-cookie-lifetime (time; default: 3d) : HTTP cookie validity time, the option is related to cookie HotSpot login method
- http-proxy (IP address; default: 0.0.0.0) : address of the proxy server for HotSpot service, when default value is used all request are resolved by the local /ip proxy
- login-by (multiple choice: cookie / http-chap / http-pap / https / mac / mac / trial; default: http-chap, cookie) : used HotSpot authentication method
- cookie - may only be used with other HTTP authentication method. HTTP cookie is generated, when user authenticates in HotSpot for the first time. User is not asked for the login/password and authenticated automatically, until cookie-lifetime is active
- http-chap - login/password is required for the user to authenticate in HotSpot. CHAP challenge-response method with MD5 hashing algorithm is used for protecting passwords.
- http-pap - login/password is required for user to authenticate in HotSpot. Username and password are sent over network in plain text.
- https - login/password is required for user to authenticate in HotSpot. Client login/password exchange between client and server is encrypted with SSL tunnel
- mac - client is authenticated without asking login form. Client MAC-address is added to /ip hotspot user database, client is authenticated as soon as connected to the HotSpot
- trial - client is allowed to use internet without HotSpot login for the specified amount of time
- mac-auth-password (text) : used together with MAC authentication, field used to specify password for the users to be authenticated by their MAC addresses. The following option is required, when specific RADIUS server rejects authentication for the clients with blank password
- nas-port-time (text; default: wireless-802.11) : NAS-Port-Type value to be sent to RADIUS server, NAS-Port-Type values are described in the RFC. This optional value attribute indicates the type of the physical port of the HotSpot server. Option is used with RADIUS server only
which is authenticating the user
- radius-accounting (yes / no; default: yes) : send RADIUS server accounting information on each user, when yes is used
- radius-default-domain (text) : default domain to use for RADIUS requests. Allows to use separate RADIUS server per /ip hotspot profile
- radius-interim-update (time / received) : how often to send accounting updates. When received is configured, interim-time is used from RADIUS server
- radius-location-name (text) : RADIUS-Location-Id to be sent to RADIUS server. To identify location of the HotSpot server during the communication with RADIUS server. Value is optional and used together with RADIUS server
- smtp-server (IP address; default: 0.0.0.0) : SMTP server address to be used to redirect HotSpot users SMTP requests
- split-user-domain (yes / no; default: no) : Split username from domain name when the username is given in "user@domain" or in "domain\user" format from RADIUS server
- ssl-certificate (name / none; default: none) : name of the SSL certificate on the router to use only for HTTPS authentication
- trial-uptime (time / time; default: 30m / 1d) : used only with trial authentication method. First time specifies, how long trial user identified by MAC address can use access to public networks without HotSpot authentication. Second time specifies amount of time, that has to pass that user is allowed to use trial again
- trial-user-profile (name; default: default) : specifies ip hotspot user profile for trial users
- use-radius (yes / no; default: no) : whether to use RADIUS server of authorization and accounting. When yes RADIUS server should be added to radius menu, firstly local ip hotspot user database is used, only then information is sent to RADIUS server
ip hotspot user
Lorem Ipsum Dolor Sit Amet
- name (Text) :
- address (comma separated list of IP prefixes) :
- comment (IP prefix) :
- email (Name of interface, or all) :
- limit-bytes-in (Name of , or none) :
- limit-bytes-out (Comma separated list of) :
- limit-bytes-total (One of both, upload, download or none) :
- limit-uptime (1..8) :
- mac-address (SOMETHING/SOMETHING) :
- password (NUMBER/NUMBER) :
- profile (NUMBER/NUMBER) :
- routes (NUMBER/NUMBER) :
- server (NUMBER/NUMBER) :
ip hotspot user profile
Lorem Ipsum Dolor Sit Amet
- name (Text) :
- address-pool (comma separated list of IP prefixes) :
- advertise (IP prefix) :
- advertise-interval (Name of interface, or all) :
- advertise-timeout (Name of , or none) :
- advertise-url (Comma separated list of) :
- idle-timeout (One of both, upload, download or none) :
- incoming-filter (1..8) :
- incoming-packet-mark (SOMETHING/SOMETHING) :
- keepalive-timeout (NUMBER/NUMBER) :
- on-login (NUMBER/NUMBER) :
- on-logout (NUMBER/NUMBER) :
- open-status-page (NUMBER/NUMBER) :
- outgoing-filter (NUMBER/NUMBER) :
- outgoing-packet-mark (NUMBER/NUMBER) :
- rate-limit (NUMBER/NUMBER) :
- session-timeout (NUMBER/NUMBER) :
- shared-users (NUMBER/NUMBER) :
- status-auto-refresh (NUMBER/NUMBER) :
- transparent-proxy (NUMBER/NUMBER) :
ip hotspot active
Lorem Ipsum Dolor Sit Amet
- address (Text) :
- blocked (comma separated list of IP prefixes) :
- bytes-in (IP prefix) :
- bytes-out (Name of interface, or all) :
- domain (Name of , or none) :
- idle-time (Comma separated list of) :
- idle-timeout (One of both, upload, download or none) :
- keepalive-timeout (1..8) :
- incoming-packet-mark (SOMETHING/SOMETHING) :
- keepalive-timeout (NUMBER/NUMBER) :
- limit-bytes-in (NUMBER/NUMBER) :
- limit-bytes-out (NUMBER/NUMBER) :
- limit-bytes-total (NUMBER/NUMBER) :
- login-by (NUMBER/NUMBER) :
- mac-address (NUMBER/NUMBER) :
- packets-in (NUMBER/NUMBER) :
- packets-out (NUMBER/NUMBER) :
- radius (NUMBER/NUMBER) :
- server (NUMBER/NUMBER) :
- session-time-left (NUMBER/NUMBER) :
- uptime (NUMBER/NUMBER) :
- user (NUMBER/NUMBER) :
ip hotspot host
Lorem Ipsum Dolor Sit Amet
- address (Text) :
- authorized (comma separated list of IP prefixes) :
- bridge-port (Comma separated list of) :
- bytes-in (IP prefix) :
- bytes-out (Name of interface, or all) :
- found-by (Name of , or none) :
- host-dead-time (Comma separated list of) :
- idle-time (One of both, upload, download or none) :
- idle-timeout (1..8) :
- keeaplive-timeout (SOMETHING/SOMETHING) :
- keepalive-timeout (NUMBER/NUMBER) :
- mac-address (NUMBER/NUMBER) :
- packet-in (NUMBER/NUMBER) :
- packet-out (NUMBER/NUMBER) :
- login-by (NUMBER/NUMBER) :
- mac-address (NUMBER/NUMBER) :
- packets-in (NUMBER/NUMBER) :
- packets-out (NUMBER/NUMBER) :
- server (NUMBER/NUMBER) :
- static (NUMBER/NUMBER) :
- to-address (NUMBER/NUMBER) :
- uptime (NUMBER/NUMBER) :
address copy-from mac-address server type comment disabled place-before to-address
ip hotspot ip-binding
Lorem Ipsum Dolor Sit Amet
- address (Text) :
- mac-address (comma separated list of IP prefixes) :
- server (IP prefix) :
- to-address (Name of interface, or all) :
- type (Name of , or none) :
ip hotspot walled-garden
Lorem Ipsum Dolor Sit Amet
- action (Text) :
- dst-host (comma separated list of IP prefixes) :
- dst-port (IP prefix) :
- method (Name of interface, or all) :
- path (Name of , or none) :
- server (Name of , or none) :
- src-address (Name of , or none) :
action copy-from dst-address dst-port protocol src-address comment disabled dst-host place-before server
ip hotspot walled-garden ip
Lorem Ipsum Dolor Sit Amet
- action (Text) :
- dst-address (comma separated list of IP prefixes) :
- dst-host (comma separated list of IP prefixes) :
- dst-port (IP prefix) :
- protocol (Name of interface, or all) :
- server (Name of , or none) :
- src-address (Name of , or none) :
ip hotspot cookie
Lorem Ipsum Dolor Sit Amet
- domain (Text) :
- expires-in (comma separated list of IP prefixes) :
- mac-address (comma separated list of IP prefixes) :
- user (IP prefix) :