Manual:IP/Hotspot: Difference between revisions

From MikroTik Wiki
(47 intermediate revisions by 5 users not shown)
Line 11: Line 11:
* automatic and transparent change any IP address of a client to a valid address;
* automatic and transparent change any IP address of a client to a valid address;


Hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which currently are not supported for IPv6.


==ip hotspot setup==
===Sub Categories===
The simplest way to setup HotSpot server on a router, by
/ip hotspot setup
Router will ask you the questions, when successfully finished default configuration will be added for HotSpot server. Once your run setup command, you will be asked for the particular questions,


* '''hotspot interface''' (name of the interface) : interface name to run HotSpot on. To run HotSpot on bridge interface, make sure public interfaces are not included to the bridge
{{ycgu-cooltable-3
* '''local address of network''' (IP address; default: ''10.5.50.1/24'') : HotSpot gateway address
|title-left='''List of reference sub-pages'''
* '''masquerade network''' (yes '''/''' no; default: ''yes'') : Whether to masquerade HotSpot network, when '''yes''' rule is added to ''/ip firewall nat'' with ''action=masquerade''
|title-center='''Case studies'''
* '''address pool of network''' (name) : Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful for providing network access to mobile clients that are not willing to change their networking settings
|title-right='''List of examples'''
* '''select certificate''' (none '''/''' import-other-certificate) : choose SSL certificate, when HTTPS authorization method is required
|content-left=
* '''ip address of smtp server''' (IP address; default: ''0.0.0.0'') : IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port)
<splist
* '''dns servers''' (IP address) : DNS server addresses used for HotSpot clients, configuration taken from ''/ip dns'' menu of the HotSpot gateway
showparent=yes
* '''dns name''' (name; default: ''blank'') : domain name of the HotSpot server, full quality domain name is required, for example www.example.com
/>
* '''name of local hotspot user''' (name; default: ''admin'') : username of one automatically created HotSpot user, added to ''/ip hotspot user''
* '''password for the user''' (name) : password for automatically created HotSpot user


==ip hotspot==
|content-center=
<DynamicPageList>
category = Hotspot
category = Manual
category = Case Studies
namespace = Manual
shownamespace = false
</DynamicPageList>
 
 
|content-right=
<DynamicPageList>
category = Manual
category = Hotspot
category = Examples
namespace = Manual
shownamespace = false
</DynamicPageList>
 
}}
 
==HotSpot Setup==
The simplest way to setup HotSpot server on a router is by '''<code>/ip hotspot setup</code>''' command.
Router will ask to enter parameters required to successfully set up HotSpot. When finished, default configuration will be added for HotSpot server.
 
<pre>
[admin@MikroTik] /ip hotspot> setup
Select interface to run HotSpot on
 
hotspot interface: ether3
Set HotSpot address for interface
 
local address of network: 10.5.50.1/24
masquerade network: yes
Set pool for HotSpot addresses
 
address pool of network: 10.5.50.2-10.5.50.254
Select hotspot SSL certificate


Menu is designed to manage HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on bridge interface, set HotSpot interface as ''bridge'' interface not as ''bridge port'', do not add public interfaces to bridge ports. You can add HotSpot servers manually to ''/ip hotspot'' menu, but it is advised to run ''/ip hotspot setup'', that adds all necessary settings.
select certificate: none
Select SMTP server  


* '''name''' (text) : HotSpot server's name or identifier
ip address of smtp server: 0.0.0.0
* '''address-pool''' (name '''/''' none; default: ''none'') : address space used to change HotSpot client ''any'' IP address to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
Setup DNS configuration
* '''idle-timeout''' (time '''/''' none; default: ''5m'') : period of inactivity for unauthorized clients. When there is no traffic from this client (literally client computer should be switched off), once the timeout is reached, user is dropped from the HotSpot host list, its used address becomes available
* '''interface''' (name of interface) : interface to run HotSpot on
* '''addresses-per-mac''' (integer '''/''' unlimited; default: 2) :  number of IP addresses allowed to be bind with the MAC address, when multiple HotSpot clients connected with one MAC-address
* '''profile''' (name; default: ''default'') - HotSpot server default HotSpot profile, which is located in ''/ip hotspot profile''


==ip hotspot profile==
dns servers: 10.1.101.1
DNS name of local hotspot server


HotSpot profile used for common settings of the HotSpot server, which are applied for all users connected to HotSpot server. Profile allows to specify HotSpot server login options, whether to use RADIUS server for clients and much more.
dns name: myhotspot
Create local hotspot user


* '''name''' (text) :  HotSpot profile name or identifier
name of local hotspot user: admin
* '''dns-name''' (text) : DNS name of the HotSpot server, it appears as the location of the login page in the web browser. Fully qualified domain name is required, like www.myhotspot.com not www.hotspot  
password for the user:  
* '''hotspot-address''' (IP address; default: ''0.0.0.0'') : IP address for the HotSpot server ?!
[admin@MikroTik] /ip hotspot>
* '''html-directory''' (text; default: ''hotspot'') : HotSpot HTML pages are stored in the particular directory, for example login page, status page, etc. To change HotSpot login page, connect to the router with FTP and download ''hotspot'' folder contents. Basic HTML skills required to change HotSpot login page.
</pre>
* '''http-cookie-lifetime''' (time; default: ''3d'') : HTTP cookie validity time, the option is related to ''cookie'' HotSpot login method
* '''http-proxy''' (IP address; default: ''0.0.0.0'') : address of the proxy server for HotSpot service, when default value is used all request are resolved by the local ''/ip proxy''
* '''login-by''' (multiple choice: cookie '''/''' http-chap '''/''' http-pap '''/''' https '''/''' mac '''/''' mac '''/''' trial; default: http-chap, cookie) : used HotSpot authentication method
* cookie - may only be used with other HTTP authentication method. HTTP cookie is generated, when user authenticates in HotSpot for the first time. User is not asked for the login/password and authenticated automatically, until ''cookie-lifetime'' is active
* http-chap - login/password is required for the user to authenticate in HotSpot. CHAP challenge-response method with MD5 hashing algorithm is used for protecting passwords.
* http-pap -  login/password is required for user to authenticate in HotSpot. Username and password are sent over network in plain text.
* https - login/password is required for user to authenticate in HotSpot. Encrypted SSL tunnel transfers login/password between user and HotSpot server


What was created:
<pre>
[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
#  NAME        INTERFACE      ADDRESS-POOL      PROFILE      IDLE-TIMEOUT
0  hotspot1    ether3          hs-pool-3          hsprof1      5m
[admin@MikroTik] /ip hotspot>
[admin@MikroTik] /ip pool> print
# NAME                                        RANGES                       
0 hs-pool-3                                  10.5.50.2-10.5.50.254         
[admin@MikroTik] /ip pool> /ip dhcp-server
[admin@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
#  NAME      INTERFACE    RELAY          ADDRESS-POOL    LEASE-TIME ADD-ARP
0  dhcp1    ether3                      hs-pool-3      1h       
[admin@MikroTik] /ip dhcp-server> /ip firewall nat
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
    chain=unused-hs-chain action=passthrough


1  ;;; masquerade hotspot network
    chain=srcnat action=masquerade src-address=10.5.50.0/24
[admin@MikroTik] /ip firewall nat>


* '''mac-auth-password''' (1..8) : 
</pre>
* '''nas-port-time''' (''SOMETHING/SOMETHING'') : 
* '''radius-accounting''' (''NUMBER/NUMBER'') : 
* '''radius-default-domain''' (''NUMBER/NUMBER'') : 
* '''radius-interim-update''' (''NUMBER/NUMBER'') : 
* '''radius-location-name ''' (''NUMBER/NUMBER'') : 
* '''smtp-server''' (''TIME/TIME'') : 
* '''split-user-domain''' () : 
* '''ssl-certificate''' () : 
* '''trial-uptime''' () : 
* '''trial-user-profile''' () : 
* '''use-radius''' () :


==ip hotspot user==
'''Parameters asked during setup process'''
Lorem Ipsum Dolor Sit Amet


{{Mr-arg-table-h
|prop=Parameter
|desc=Description
}}


{{Mr-arg-table
|arg=hotspot interface
|type=string
|default=allow
|desc=Interface name on which to run HotSpot. To run HotSpot on a bridge interface, make sure public interfaces are not included to the bridge ports.
}}


* '''name''' (Text) :
{{Mr-arg-table
* '''address''' (comma separated list of IP prefixes) :
|arg=local address of network
* '''comment''' (IP prefix) :
|type=IP
* '''email''' (Name of interface, or ''all'') :
|default=10.5.50.1/24
* '''limit-bytes-in''' (Name of , or ''none'') :
|desc=HotSpot gateway address
* '''limit-bytes-out''' (Comma separated list of) :
}}
* '''limit-bytes-total''' (One of ''both'', ''upload'', ''download'' or ''none'') :
* '''limit-uptime''' (1..8) :
* '''mac-address''' (''SOMETHING/SOMETHING'') :
* '''password''' (''NUMBER/NUMBER'') :
* '''profile''' (''NUMBER/NUMBER'') :
* '''routes''' (''NUMBER/NUMBER'') :
* '''server''' (''NUMBER/NUMBER'') :


==ip hotspot user profile==
Lorem Ipsum Dolor Sit Amet


{{Mr-arg-table
|arg=masquerade network
|type=yes {{!}} no
|default=yes
|desc=Whether to masquerade HotSpot network, when '''yes''' rule is added to ''/ip firewall nat'' with ''action=masquerade''
}}


{{Mr-arg-table
|arg=address pool of network
|type=string
|default=yes
|desc=Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful if providing network access to mobile clients that are not willing to change their networking settings.
}}


* '''name''' (Text) :
{{Mr-arg-table
* '''address-pool''' (comma separated list of IP prefixes) :
|arg=select certificate
* '''advertise''' (IP prefix) :
|type=none {{!}} import-other-certificate
* '''advertise-interval''' (Name of interface, or ''all'') :
|default=
* '''advertise-timeout''' (Name of , or ''none'') :
|desc=Choose SSL certificate, when HTTPS authorization method is required.
* '''advertise-url''' (Comma separated list of) :
}}
* '''idle-timeout''' (One of ''both'', ''upload'', ''download'' or ''none'') :
* '''incoming-filter''' (1..8) :
* '''incoming-packet-mark''' (''SOMETHING/SOMETHING'') :
* '''keepalive-timeout''' (''NUMBER/NUMBER'') :
* '''on-login''' (''NUMBER/NUMBER'') :
* '''on-logout''' (''NUMBER/NUMBER'') :
* '''open-status-page''' (''NUMBER/NUMBER'') :
* '''outgoing-filter''' (''NUMBER/NUMBER'') :
* '''outgoing-packet-mark''' (''NUMBER/NUMBER'') :
* '''rate-limit''' (''NUMBER/NUMBER'') :
* '''session-timeout''' (''NUMBER/NUMBER'') :
* '''shared-users''' (''NUMBER/NUMBER'') :
* '''status-auto-refresh''' (''NUMBER/NUMBER'') :
* '''transparent-proxy''' (''NUMBER/NUMBER'') :


{{Mr-arg-table
|arg=ip address of smtp server
|type=IP
|default=0.0.0.0
|desc=IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port)
}}


==ip hotspot active==
{{Mr-arg-table
Lorem Ipsum Dolor Sit Amet
|arg=dns servers
|type=IP
|default=0.0.0.0
|desc=DNS server addresses used for HotSpot clients, configuration taken from ''/ip dns'' menu of the HotSpot gateway
}}


{{Mr-arg-table
|arg=dns name
|type=string
|default=""
|desc=domain name of the HotSpot server, full quality domain name is required, for example www.example.com
}}


{{Mr-arg-table
|arg=name of local hotspot user
|type=string
|default="admin"
|desc=username of one automatically created HotSpot user, added to ''/ip hotspot user''
}}


* '''address''' (Text) :
{{Mr-arg-table-end
* '''blocked''' (comma separated list of IP prefixes) :
|arg=password for the user'
* '''bytes-in''' (IP prefix) :
|type=string
* '''bytes-out''' (Name of interface, or ''all'') :
|default=
* '''domain''' (Name of , or ''none'') :
|desc=Password for automatically created HotSpot user
* '''idle-time''' (Comma separated list of) :
}}
* '''idle-timeout''' (One of ''both'', ''upload'', ''download'' or ''none'') :
* '''keepalive-timeout''' (1..8) :
* '''incoming-packet-mark''' (''SOMETHING/SOMETHING'') :
* '''keepalive-timeout''' (''NUMBER/NUMBER'') :
* '''limit-bytes-in''' (''NUMBER/NUMBER'') :
* '''limit-bytes-out''' (''NUMBER/NUMBER'') :
* '''limit-bytes-total''' (''NUMBER/NUMBER'') :
* '''login-by''' (''NUMBER/NUMBER'') :
* '''mac-address''' (''NUMBER/NUMBER'') :
* '''packets-in''' (''NUMBER/NUMBER'') :
* '''packets-out''' (''NUMBER/NUMBER'') :
* '''radius''' (''NUMBER/NUMBER'') :
* '''server''' (''NUMBER/NUMBER'') :
* '''session-time-left''' (''NUMBER/NUMBER'') :
* '''uptime''' (''NUMBER/NUMBER'') :
* '''user''' (''NUMBER/NUMBER'') :


==ip hotspot==


Menu is designed to manage HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on bridge interface, set HotSpot interface as ''bridge'' interface not as ''bridge port'', do not add public interfaces to bridge ports. You can add HotSpot servers manually to ''/ip hotspot'' menu, but it is advised to run ''/ip hotspot setup'', that adds all necessary settings.


==ip hotspot host==
* '''name''' (text) : HotSpot server's name or identifier
Lorem Ipsum Dolor Sit Amet
* '''address-pool''' (name '''/''' none; default: ''none'') : address space used to change HotSpot client ''any'' IP address to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
* '''idle-timeout''' (time '''/''' none; default: ''5m'') : period of inactivity for unauthorized clients. When there is no traffic from this client (literally client computer should be switched off), once the timeout is reached, user is dropped from the HotSpot host list, its used address becomes available
* '''keepalive-timeout''' (time '''/''' none; default: ''none'') : Value of how long host can stay out of reach to be removed from the HotSpot.
* '''login-timeout''' (time '''/''' none; default: ''none'') : period of time after which if host hasn't been authorized it self with system the host entry gets deleted from host table. Loop repeats until host logs in the system. Enable if there are situations where host cannot login after being to long in host table unauthorized.
* '''interface''' (name of interface) : interface to run HotSpot on
* '''addresses-per-mac''' (integer '''/''' unlimited; default: 2) :  number of IP addresses allowed to be bind with the MAC address, when multiple HotSpot clients connected with one MAC-address
* '''profile''' (name; default: ''default'') - HotSpot server default HotSpot profile, which is located in ''/ip hotspot profile''


keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout, that is applied for user. Value shows how long host can stay out of reach to be removed from the HotSpot


==ip hotspot active==
HotSpot active menu shows all clients authenticated in HotSpot, menu is informational it is not possible to change anything here.


* '''address''' (Text) :  
* '''server''' (read-only; name) : HotSpot server name client is logged in
* '''authorized''' (comma separated list of IP prefixes) :  
* '''user''' (read-only; name) : name of the HotSpot user
* '''bridge-port''' (Comma separated list of) :
* '''domain''' (read-only; text) : domain of the user (if split from username), parameter is used only with RADIUS authentication
* '''bytes-in''' (IP prefix) :  
* '''address''' (read-only; IP address) : IP address of the HotSpot user
* '''bytes-out''' (Name of interface, or ''all'') :  
* '''mac-address''' (read-only; MAC-address) : MAC-address of the HotSpot user
* '''found-by''' (Name of , or ''none'') :
* '''login-by''' (read-only; multiple choice: cookie '''/''' http-chap '''/''' http-pap '''/''' https '''/''' mac '''/''' mac-cookie '''/''' trial) : authentication method used by HotSpot client
* '''host-dead-time''' (Comma separated list of) :
* '''uptime''' (read-only; time) : current session time of the user, it is showing how long user has been logged in
* '''idle-time''' (One of ''both'', ''upload'', ''download'' or ''none'') :
* '''idle-time''' (read-only; time) : the amount of time user has been idle
* '''idle-timeout''' (1..8) :  
* '''session-time-left''' (read-only; time) : the exact value of session-time, that is applied for user. Value shows how long user is allowed to be online to be logged of automatically by '''uptime''' reached
* '''keeaplive-timeout''' (''SOMETHING/SOMETHING'') :  
* '''idle-timeout''' (read-only; time) : the exact value of the user's idle-timeout
* '''keepalive-timeout''' (''NUMBER/NUMBER'') :  
* '''keepalive-timeout''' (read-only; time) : the exact value of the keepalive-timeout, that is applied for user. Value shows how long host can stay out of reach to be removed from the HotSpot
* '''mac-address''' (''NUMBER/NUMBER'') :  
* '''limit-bytes-in''' (read-only; integer) : value shows how many bytes received from the client, option is active when the appropriate parameter is configured for HotSpot user
* '''packet-in''' (''NUMBER/NUMBER'') :
* '''limit-bytes-out''' (read-only; integer) : value shows how many bytes send to the client, option is active when the appropriate parameter is configured for HotSpot user
* '''packet-out''' (''NUMBER/NUMBER'') :  
* '''limit-bytes-total''' (read-only; integer) : value shows how many bytes total were send/received from client, option is active when the appropriate parameter is configured for HotSpot user
* '''login-by''' (''NUMBER/NUMBER'') :
* '''mac-address''' (''NUMBER/NUMBER'') :  
* '''packets-in''' (''NUMBER/NUMBER'') :  
* '''packets-out''' (''NUMBER/NUMBER'') :  
* '''server''' (''NUMBER/NUMBER'') :
* '''static''' (''NUMBER/NUMBER'') :
* '''to-address''' (''NUMBER/NUMBER'') :  
* '''uptime''' (''NUMBER/NUMBER'') :


address  copy-from  mac-address  server     type 
==ip hotspot host==
comment  disabled  place-before  to-address
Host table lists all computers connected to the HotSpot server. Host table is informational and it is not possible to change any value there


* '''mac-address''' (read-only; MAC-address) : HotSpot user MAC-address
* '''address''' (read-only; IP address) : HotSpot client original IP address
* '''to-address''' (read-only; IP address) : New client address assigned by HotSpot, it might be the same as original '''address'''
* '''server''' (read-only; name) : HotSpot server name client is connected to
* '''bridge-port''' (read-only; name) : /interface bridge port client connected to, value is unknown when HotSpot is not configured on the bridge
* '''uptime''' (read-only; time) : value shows how long user is online (connected to the HotSpot)
* '''idle-time''' (read-only; time) : time user has been idle
* '''idle-timeout''' (read-only; time) : value of the client idle-timeout (unauthorized client)
* '''keeaplive-timeout''' (read-only; time) : keepalive-timeout value of the unauthorized client
* '''bytes-in''' (read-only; integer) : amount of bytes received from unauthorized client
* '''packet-in''' (read-only; integer) : amount of packets received from unauthorized client
* '''bytes-out''' (read-only; integer) : amount of bytes send to unauthorized client
* '''packet-out''' (read-only; integer) : amount of packets send to unauthorized client


==ip hotspot ip-binding==
==IP Bindings==
Lorem Ipsum Dolor Sit Amet


<p id="shbox">
<b>Sub-menu:</b> <code>/ip hotspot ip-binding</code><br />
</p>
<br />


IP-Binding HotSpot menu allows to setup static One-to-One NAT translations, allows to bypass specific HotSpot clients without any authentication, and also allows to block specific hosts and subnets from HotSpot network


* '''address''' (Text) :
* '''mac-address''' (comma separated list of IP prefixes) :
* '''server''' (IP prefix) :
* '''to-address''' (Name of interface, or ''all'') :
* '''type''' (Name of , or ''none'') :


{{Mr-arg-table-h
|prop=Property
|desc=Description
}}


==ip hotspot walled-garden==
{{Mr-arg-table
Lorem Ipsum Dolor Sit Amet
|arg=address
|type=IP Range
|default=""
|desc=The original IP address of the client
}}


{{Mr-arg-table
|arg=mac-address
|type=MAC
|default=""
|desc=MAC address of the client
}}


{{Mr-arg-table
|arg=server
|type=string {{!}} all
|default="all"
|desc=Name of the HotSpot server.
* '''all''' - will be applied to all hotspot servers
}}


* '''action''' (Text) :
{{Mr-arg-table
* '''dst-host''' (comma separated list of IP prefixes) :
|arg=to-address
* '''dst-port''' (IP prefix) :
|type=IP
* '''method''' (Name of interface, or ''all'') :
|default=""
* '''path''' (Name of , or ''none'') :
|desc=New IP address of the client, translation occurs on the router (client does not know anything about the translation)
* '''server''' (Name of , or ''none'') :
}}
* '''src-address''' (Name of , or ''none'') :


action   copy-from  dst-address dst-port      protocol  src-address 
{{Mr-arg-table-end
comment  disabled  dst-host     place-before  server
|arg=type
|type=blocked {{!}} bypassed {{!}} regular
|default=""
|desc=Type of the IP-binding action
* '''regular''' - performs One-to-One NAT according to the rule, translates '''address''' to '''to-address'''
* '''bypassed''' - performs the translation, but excludes client from login to the HotSpot
* '''blocked''' - translation is not performed and packets from host are dropped
}}


==Cookies==


==ip hotspot walled-garden ip==
<p id="shbox">
Lorem Ipsum Dolor Sit Amet
<b>Sub-menu:</b> <code>/ip hotspot cookie</code><br />
</p>
<br />


Menu contains all cookies sent to the HotSpot clients, which are authorized by cookie method, all the entries are read-only.




* '''action''' (Text) :
{{Mr-arg-table-h
* '''dst-address''' (comma separated list of IP prefixes) :
|prop=Property
* '''dst-host''' (comma separated list of IP prefixes) :
|desc=Description
* '''dst-port''' (IP prefix) :
}}
* '''protocol''' (Name of interface, or ''all'') :
* '''server''' (Name of , or ''none'') :
* '''src-address''' (Name of , or ''none'') :


{{Mr-arg-ro-table
|arg=domain
|type=string
|desc=Domain name (if split from username)
}}


{{Mr-arg-ro-table
|arg=expires-in
|type=time
|desc=How long the cookie is valid
}}


==ip hotspot cookie==
{{Mr-arg-ro-table
Lorem Ipsum Dolor Sit Amet
|arg=mac-address
|type=MAC
|desc=Client's MAC-address
}}


{{Mr-arg-ro-table-end
|arg=user
|type=string
|desc=HotSpot username
}}




* '''domain''' (Text) :
{{cont}}
* '''expires-in''' (comma separated list of IP prefixes) :
* '''mac-address''' (comma separated list of IP prefixes) :
* '''user''' (IP prefix) :


[[Category:Manual]]
[[Category:Manual|Hotspot]]
[[Category:Unfinished]]
[[Category:Hotspot|H]]
[[Category:AAA|Hotspot]]
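
Review bot: In the setup parameter table, `hotspot interface` carries `|default=allow` and `address pool of network` carries `|default=yes`; neither is a plausible default for an interface name or an address pool, and both look copied from another row, so they should be emptied or corrected. In the same table, `|arg=password for the user'` has a stray apostrophe that shows up in the rendered row, and the `dns name` description says "full quality domain name" where "fully qualified domain name" is meant. The `ip hotspot profile` section has no counterpart in the revision rendered below, so the `login-by` descriptions (that `http-pap` sends the username and password in plain text and that `http-chap` uses MD5) are no longer documented, even though the setup table still refers to the HTTPS authorization method; keep that list until the profile section is rewritten. In the host list, `keeaplive-timeout` should read `keepalive-timeout`.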

Revision as of 07:16, 15 August 2017

HotSpot

The MikroTik HotSpot Gateway provides authentication for clients before access to public networks.

HotSpot Gateway features:

  • different authentication methods of clients using local client database on the router, or remote RADIUS server;
  • users accounting in local database on the router, or on remote RADIUS server;
  • walled-garden system, access to some web pages without authorization;
  • login page modification, where you can put information about the company;
  • automatic and transparent change of any client IP address to a valid address.

Hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which currently are not supported for IPv6.

HotSpot Setup

The simplest way to set up a HotSpot server on a router is with the /ip hotspot setup command. The router asks for the parameters required to set up HotSpot. When finished, a default configuration is added for the HotSpot server.

[admin@MikroTik] /ip hotspot> setup 
Select interface to run HotSpot on 

hotspot interface: ether3
Set HotSpot address for interface 

local address of network: 10.5.50.1/24
masquerade network: yes
Set pool for HotSpot addresses 

address pool of network: 10.5.50.2-10.5.50.254
Select hotspot SSL certificate 

select certificate: none
Select SMTP server 

ip address of smtp server: 0.0.0.0
Setup DNS configuration 

dns servers: 10.1.101.1
DNS name of local hotspot server 

dns name: myhotspot
Create local hotspot user 

name of local hotspot user: admin
password for the user: 
[admin@MikroTik] /ip hotspot>

What was created:

[admin@MikroTik] /ip hotspot> print 
Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME        INTERFACE       ADDRESS-POOL       PROFILE       IDLE-TIMEOUT
 0   hotspot1    ether3          hs-pool-3          hsprof1       5m 
[admin@MikroTik] /ip hotspot> 
[admin@MikroTik] /ip pool> print 
 # NAME                                        RANGES                         
 0 hs-pool-3                                   10.5.50.2-10.5.50.254          
[admin@MikroTik] /ip pool> /ip dhcp-server 
[admin@MikroTik] /ip dhcp-server> print 
Flags: X - disabled, I - invalid 
 #   NAME      INTERFACE    RELAY           ADDRESS-POOL    LEASE-TIME ADD-ARP
 0   dhcp1     ether3                       hs-pool-3       1h        
[admin@MikroTik] /ip dhcp-server> /ip firewall nat 
[admin@MikroTik] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=10.5.50.0/24 
[admin@MikroTik] /ip firewall nat> 

Parameters asked during setup process

  • hotspot interface (string; Default: allow) : Interface name on which to run HotSpot. To run HotSpot on a bridge interface, make sure public interfaces are not included in the bridge ports.
  • local address of network (IP; Default: 10.5.50.1/24) : HotSpot gateway address
  • masquerade network (yes | no; Default: yes) : Whether to masquerade the HotSpot network. When yes, a rule is added to /ip firewall nat with action=masquerade
  • address pool of network (string; Default: yes) : Address pool for the HotSpot network, which is used to change the user IP address to a valid address. Useful when providing network access to mobile clients that are not willing to change their networking settings.
  • select certificate (none | import-other-certificate; Default: ) : Choose the SSL certificate when the HTTPS authorization method is required.
  • ip address of smtp server (IP; Default: 0.0.0.0) : IP address of the SMTP server to which the HotSpot network's SMTP requests (TCP port 25) are redirected
  • dns servers (IP; Default: 0.0.0.0) : DNS server addresses used for HotSpot clients, configuration taken from the /ip dns menu of the HotSpot gateway
  • dns name (string; Default: "") : domain name of the HotSpot server, a fully qualified domain name is required, for example www.example.com
  • name of local hotspot user (string; Default: "admin") : username of one automatically created HotSpot user, added to /ip hotspot user
  • password for the user (string; Default: ) : Password for the automatically created HotSpot user

ip hotspot

This menu manages the HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on a bridge interface, set the HotSpot interface to the bridge interface, not to a bridge port, and do not add public interfaces to the bridge ports. You can add HotSpot servers manually in the /ip hotspot menu, but it is advised to run /ip hotspot setup, which adds all necessary settings.

  • name (text) : HotSpot server's name or identifier
  • address-pool (name / none; default: none) : address space used to change any IP address of a HotSpot client to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
  • idle-timeout (time / none; default: 5m) : period of inactivity for unauthorized clients. When there is no traffic from the client (literally, the client computer should be switched off) and the timeout is reached, the user is dropped from the HotSpot host list and its address becomes available
  • keepalive-timeout (time / none; default: none) : how long a host can stay out of reach before it is removed from the HotSpot.
  • login-timeout (time / none; default: none) : period of time after which a host that has not authorized itself with the system is deleted from the host table. The loop repeats until the host logs in to the system. Enable if there are situations where a host cannot log in after being unauthorized in the host table for too long.
  • interface (name of interface) : interface to run HotSpot on
  • addresses-per-mac (integer / unlimited; default: 2) : number of IP addresses allowed to be bound to one MAC address, for when multiple HotSpot clients are connected with one MAC address
  • profile (name; default: default) : default HotSpot profile of the HotSpot server, located in /ip hotspot profile

keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout, that is applied for user. Value shows how long host can stay out of reach to be removed from the HotSpot

ip hotspot active

The HotSpot active menu shows all clients authenticated in HotSpot. The menu is informational; it is not possible to change anything here.

  • server (read-only; name) : name of the HotSpot server the client is logged in to
  • user (read-only; name) : name of the HotSpot user
  • domain (read-only; text) : domain of the user (if split from username), parameter is used only with RADIUS authentication
  • address (read-only; IP address) : IP address of the HotSpot user
  • mac-address (read-only; MAC-address) : MAC address of the HotSpot user
  • login-by (read-only; multiple choice: cookie / http-chap / http-pap / https / mac / mac-cookie / trial) : authentication method used by the HotSpot client
  • uptime (read-only; time) : current session time of the user, showing how long the user has been logged in
  • idle-time (read-only; time) : the amount of time the user has been idle
  • session-time-left (read-only; time) : the exact value of session-time that is applied to the user. Shows how long the user is allowed to stay online before being logged off automatically when the uptime limit is reached
  • idle-timeout (read-only; time) : the exact value of the user's idle-timeout
  • keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout that is applied to the user. Shows how long the host can stay out of reach before it is removed from the HotSpot
  • limit-bytes-in (read-only; integer) : shows how many bytes were received from the client, option is active when the appropriate parameter is configured for the HotSpot user
  • limit-bytes-out (read-only; integer) : shows how many bytes were sent to the client, option is active when the appropriate parameter is configured for the HotSpot user
  • limit-bytes-total (read-only; integer) : shows how many bytes in total were sent to and received from the client, option is active when the appropriate parameter is configured for the HotSpot user

ip hotspot host

The host table lists all computers connected to the HotSpot server. The host table is informational and it is not possible to change any value there.

  • mac-address (read-only; MAC-address) : HotSpot user MAC address
  • address (read-only; IP address) : HotSpot client original IP address
  • to-address (read-only; IP address) : new client address assigned by HotSpot, it might be the same as the original address
  • server (read-only; name) : name of the HotSpot server the client is connected to
  • bridge-port (read-only; name) : /interface bridge port the client is connected to, value is unknown when HotSpot is not configured on the bridge
  • uptime (read-only; time) : shows how long the user has been online (connected to the HotSpot)
  • idle-time (read-only; time) : time the user has been idle
  • idle-timeout (read-only; time) : value of the client idle-timeout (unauthorized client)
  • keepalive-timeout (read-only; time) : keepalive-timeout value of the unauthorized client
  • bytes-in (read-only; integer) : number of bytes received from the unauthorized client
  • packet-in (read-only; integer) : number of packets received from the unauthorized client
  • bytes-out (read-only; integer) : number of bytes sent to the unauthorized client
  • packet-out (read-only; integer) : number of packets sent to the unauthorized client

IP Bindings

Sub-menu: /ip hotspot ip-binding


The IP-Binding HotSpot menu allows setting up static one-to-one NAT translations, bypassing specific HotSpot clients without any authentication, and blocking specific hosts and subnets from the HotSpot network.


  • address (IP Range; Default: "") : The original IP address of the client
  • mac-address (MAC; Default: "") : MAC address of the client
  • server (string | all; Default: "all") : Name of the HotSpot server.
      • all - will be applied to all hotspot servers
  • to-address (IP; Default: "") : New IP address of the client, translation occurs on the router (client does not know anything about the translation)
  • type (blocked | bypassed | regular; Default: "") : Type of the IP-binding action
      • regular - performs One-to-One NAT according to the rule, translates address to to-address
      • bypassed - performs the translation, but excludes client from login to the HotSpot
      • blocked - translation is not performed and packets from host are dropped
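
An added example, not from the MikroTik manual: a review script that reads a configuration export and lists the enabled bypassed IP bindings, since those clients skip HotSpot login. The export text is constructed, and the three review reasons it reports are this example's own policy, not RouterOS behaviour.

```python
import ipaddress
import shlex

MENU = "/ip hotspot ip-binding"

# Constructed sample export (not taken from the page or from a real router).
SAMPLE_EXPORT = '''/ip hotspot ip-binding
add address=10.5.50.10 to-address=10.5.50.200 type=regular comment="printer NAT"
add mac-address=00:11:22:33:44:55 type=bypassed comment="lobby kiosk"
add address=10.5.50.0/25 server=hotspot1 type=bypassed
add address=10.5.50.66 mac-address=66:77:88:99:AA:BB server=hotspot1 \\
    type=bypassed
add address=10.5.50.99 type=blocked
add disabled=yes mac-address=AA:AA:AA:AA:AA:AA type=bypassed
/ip hotspot user
add name=admin
'''


def logical_lines(text):
    """Join export lines that were wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""


def parse_bindings(text):
    """Return one dict per 'add' line found under /ip hotspot ip-binding."""
    bindings, menu = [], None
    for line in logical_lines(text):
        if line.startswith("/"):
            menu = line  # a new menu path ends the previous section
        elif menu == MENU and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments together
            props = dict(t.split("=", 1) for t in tokens if "=" in t)
            # Defaults as listed in the property table: server "all", rest empty.
            entry = {"address": "", "mac-address": "", "server": "all",
                     "to-address": "", "type": "", "disabled": "no"}
            entry.update(props)
            bindings.append(entry)
    return bindings


def address_count(spec):
    """Addresses covered by a single IP, a CIDR prefix or an a-b range."""
    if not spec:
        return 0
    if "-" in spec:
        low, high = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return int(high) - int(low) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses


def audit(text):
    """Return (identifier, [reasons]) for every enabled bypassed binding."""
    findings = []
    for b in parse_bindings(text):
        if b["type"] != "bypassed" or b["disabled"] in ("yes", "true"):
            continue
        reasons = []  # review policy of this example, see lead-in
        if b["mac-address"] and not b["address"]:
            reasons.append("matched by MAC address only")
        covered = address_count(b["address"])
        if covered > 1:
            reasons.append("covers %d addresses" % covered)
        if b["server"] == "all":
            reasons.append("applies to all HotSpot servers")
        findings.append((b["mac-address"] or b["address"], reasons))
    return findings


if __name__ == "__main__":
    for ident, reasons in audit(SAMPLE_EXPORT):
        print(ident, "-", "; ".join(reasons) or "no extra findings")
```

Every enabled bypassed binding is listed, including those with no extra findings, so the output doubles as an inventory of clients exempt from login.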

Cookies

Sub-menu: /ip hotspot cookie


This menu contains all cookies sent to the HotSpot clients that are authorized by the cookie method. All the entries are read-only.


  • domain (string) : Domain name (if split from username)
  • expires-in (time) : How long the cookie is valid
  • mac-address (MAC) : Client's MAC-address
  • user (string) : HotSpot username

