Manual:IP/Hotspot

From MikroTik Wiki
< Manual:IP
Revision as of 11:11, 7 October 2010 by Marisb (talk | contribs)
Jump to navigation Jump to search

HotSpot

The MikroTik HotSpot Gateway provides authentication for clients before access to public networks .

HotSpot Gateway features:

  • different authentication methods of clients using local client database on the router, or remote RADIUS server;
  • users accounting in local database on the router, or on remote RADIUS server;
  • walled-garden system, access to some web pages without authorization;
  • login page modification, where you can put information about the company;
  • automatic and transparent change any IP address of a client to a valid address;


Sub Categories

List of reference sub-pages

Case studies

List of examples

ip hotspot setup

The simplest way to setup HotSpot server on a router, by

/ip hotspot setup 

Router will ask you the questions, when successfully finished default configuration will be added for HotSpot server. Once your run setup command, you will be asked for the particular questions,

  • hotspot interface (name of the interface) : interface name to run HotSpot on. To run HotSpot on bridge interface, make sure public interfaces are not included to the bridge
  • local address of network (IP address; default: 10.5.50.1/24) : HotSpot gateway address
  • masquerade network (yes / no; default: yes) : Whether to masquerade HotSpot network, when yes rule is added to /ip firewall nat with action=masquerade
  • address pool of network (name) : Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful for providing network access to mobile clients that are not willing to change their networking settings
  • select certificate (none / import-other-certificate) : choose SSL certificate, when HTTPS authorization method is required
  • ip address of smtp server (IP address; default: 0.0.0.0) : IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port)
  • dns servers (IP address) : DNS server addresses used for HotSpot clients, configuration taken from /ip dns menu of the HotSpot gateway
  • dns name (name; default: blank) : domain name of the HotSpot server, full quality domain name is required, for example www.example.com
  • name of local hotspot user (name; default: admin) : username of one automatically created HotSpot user, added to /ip hotspot user
  • password for the user (name) : password for automatically created HotSpot user

ip hotspot

Menu is designed to manage HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on bridge interface, set HotSpot interface as bridge interface not as bridge port, do not add public interfaces to bridge ports. You can add HotSpot servers manually to /ip hotspot menu, but it is advised to run /ip hotspot setup, that adds all necessary settings.

  • name (text) : HotSpot server's name or identifier
  • address-pool (name / none; default: none) : address space used to change HotSpot client any IP address to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
  • idle-timeout (time / none; default: 5m) : period of inactivity for unauthorized clients. When there is no traffic from this client (literally client computer should be switched off), once the timeout is reached, user is dropped from the HotSpot host list, its used address becomes available
  • interface (name of interface) : interface to run HotSpot on
  • addresses-per-mac (integer / unlimited; default: 2) : number of IP addresses allowed to be bind with the MAC address, when multiple HotSpot clients connected with one MAC-address
  • profile (name; default: default) - HotSpot server default HotSpot profile, which is located in /ip hotspot profile

ip hotspot user

HotSpot users is menu, where client user/password information is actually added, additional configuration options for HotSpot users are configured here as well.

  • name (name) : user name, HotSpot login page username, when MAC-address authentication is used name is configured as client's MAC-address
  • address (IP address; default: 0.0.0.0) : IP address, when specified client will get the address from the HotSpot one-to-one NAT translations. Address does not restrict HotSpot login only from this address
  • comment (text) : comment, additional information for HotSpot user, it might be used for scripts to change parameters for specific clients
  • email (text) : HotSpot client e-mail, informational value for the HotSpot user
  • limit-bytes-in (integer; default: "0") : maximal amount of bytes can be received from user, user is disconnected from HotSpot after limit is reached
  • limit-bytes-out (integer; default: "0") : maximal amount of bytes can be transmitted from user, user is disconnected from HotSpot after limit is reached
  • limit-bytes-total (integer; default: "0") : (limit-bytes-in+limit-bytes-out), user is disconnected from HotSpot after limit is reached
  • limit-uptime (time; default: "0s") : uptime limit for the HotSpot client, user is disconnected from HotSpot as soon as uptime is reached
  • mac-address (MAC-address; default: "00:00:00:00:00:00") : MAC-address, client is allowed to login only from the MAC-address, when value is not 00:00:00:00:00:00
  • password (text) : user password
  • profile (name; default; "default") : user profile, it is configured in /ip hotspot user profile
  • routes (text) : routes added to HotSpot gateway, when client is connected. The route format "'dst-address gateway metric'" (for example, "192.168.1.0/24 192.168.0.1 1")
  • server ('name / all; default: all) : HotSpot server name user is allowed to login

ip hotspot user profile

User profile menu is used for common HotSpot client settings. Profiles are like User groups with the same set of settings, rate-limit, filter chain name, etc.

  • name (text) : user profile name for identification
  • address-pool (name / none; default: none) : IP pool name which the users will be given IP from. When user has improper network settings configuration on the computer, HotSpot server makes translation and assigns correct IP address from the pool instead of incorrect one
  • advertise (yes / no; default: no) : to enable forced advertisement popups. After certain interval specific web-page is being displayed for HotSpot users. Advertisement page might be blocked by browsers popup blockers
  • advertise-interval (multiple choice: time; default: 30m,10m) : set of interval between showing advertisement popup. After the list is done, the last value is used for all further advertisements, 10 minutes
  • advertise-timeout (time / immediately never; default: 1m) : how long to wait for advertisement to be shown, before blocking network access for HotSpot client. Connection to Internet is not allowed, when advertisement is not shown
  • advertise-url (multiple choice: text; default: http://www.mikrotik.com/, http://www.routerboard.com/) : list of URLs to show for advertisement popups. When the last item reached, next time the first is shown
  • idle-timeout (time / none; default: none) : maximal period of inactivity for authorized HotSpot clients. Timer is counting, when there is no traffic coming from that client and going through the router, for example computer is switched off. User is logged out, dropped of the host list, the address used by the user is freed, when timeout is reached
  • incoming-filter (name) : name of the firewall chain applied to incoming packets from the users of this profile, jump rule is required from built-in chain (input, forward, output) to chain=hotspot
  • incoming-packet-mark (name) : packet mark put on incoming packets from every user of this profile
  • keepalive-timeout (NUMBER/NUMBER) : keepalive timeout for authorized HotSpot clients. Used to detect, that the computer of the client is alive and reachable. User is logged out, when timeout value is reached
  • on-login (text; default "") : script name to be executed, when user logs in to the HotSpot from the particular profile
  • on-logout (text; default "") : script name to be executed, when user logs out from the HotSpot
  • open-status-page (always / http-login; default: always) : option to show status page for user authenticated with mac login method. For example to show advertisement on status page (alogin.html)
    • http-login - open status page only for HTTP login (includes cookie and HTTPS)
    • always - open HTTP status page in case of mac login as well
  • outgoing-filter (') : name of the firewall chain applied to outgoing packets from the users of this profile, jump rule is required from built-in chain (input, forward, output) to chain=hotspot
  • outgoing-packet-mark (name) : packet mark put on outgoing packets from every user of this profile
  • rate-limit (text; default: "") : dynamic queue simple is created for user, once it logs in to the HotSpot. Rate-limitation is configured in form [rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]. For example to set 1M download, 512k upload for the client, rate-limit=512k/1M
  • session-timeout (time; default 0s) : allowed session time for client. After this time, the user is logged out unconditionally
  • shared-users (integer; default: 1) - allowed number of simultaneously logged in users with the same HotSpot username
  • status-auto-refresh (time / none; default: none) - HotSpot status page autorefresh interval
  • transparent-proxy (yes / no; default: yes) - to use transparent HTTP proxy for the authorized users of this profile

ip hotspot active

HotSpot active menu shows all clients authenticated in HotSpot, menu is informational it is not possible to change anything here.

  • server (read-only; name) : HotSpot server name client is logged in
  • user (read-only; name) : name of the HotSpot user
  • domain (read-only; text) : domain of the user (if split from username), parameter is used only with RADIUS authentication
  • address (read-only; IP address) : IP address of the HotSpot user
  • mac-address (read-only; MAC-address) : MAC-address of the HotSpot user
  • login-by (read-only; multiple choice: cookie / http-chap / http-pap / https / mac / mac / trial) : authentication method used by HotSpot client
  • uptime (read-only; time) : current session time of the user, it is showing how long user has been logged in
  • idle-time (read-only; time) : the amount of time user has been idle
  • session-time-left (read-only; time) : the exact value of session-time, that is applied for user. Value shows how long user is allowed to be online to be logged of automatically by uptime reached
  • idle-timeout (read-only; time) : the exact value of the user's idle-timeout
  • keepalive-timeout (read-only; time) : the exact value of the keepalive-timeout, that is applied for user. Value shows how long host can stay out of reach to be removed from the HotSpot
  • limit-bytes-in (read-only; integer) : value shows how many bytes received from the client, option is active when the appropriate parameter is configured for HotSpot user
  • limit-bytes-out (read-only; integer) : value shows how many bytes send to the client, option is active when the appropriate parameter is configured for HotSpot user
  • limit-bytes-total (read-only; integer) : value shows how many bytes total were send/received from client, option is active when the appropriate parameter is configured for HotSpot user

ip hotspot host

Host table lists all computers connected to the HotSpot server. Host table is informational and it is not possible to change any value there

  • mac-address (read-only; MAC-address) : HotSpot user MAC-address
  • address (read-only; IP address) : HotSpot client original IP address
  • to-address (read-only; IP address) : New client address assigned by HotSpot, it might be the same as original address
  • server (read-only; name) : HotSpot server name client is connected to
  • bridge-port (read-only; name) : /interface bridge port client connected to, value is unknown when HotSpot is not configured on the bridge
  • uptime (read-only; time) : value shows how long user is online (connected to the HotSpot)
  • idle-time (read-only; time) : time user has been idle
  • idle-timeout (read-only; time) : value of the client idle-timeout (unauthorized client)
  • keeaplive-timeout (read-only; time) : keepalive-timeout value of the unauthorized client
  • bytes-in (read-only; integer) : amount of bytes received from unauthorized client
  • packet-in (read-only; integer) : amount of packets received from unauthorized client
  • bytes-out (read-only; integer) : amount of bytes send to unauthorized client
  • packet-out (read-only; integer) : amount of packets send to unauthorized client

ip hotspot ip-binding

IP-Binding HotSpot menu allows to setup static One-to-One NAT translations, allows to bypass specific HotSpot clients without any authentication, and also allows to block specific hosts and subnets from HotSpot network

  • mac-address (MAC address; default "") : MAC address of the client
  • address (IP address / netmask; default "") : the original IP address of the client
  • to-address (IP address; default "") : new IP address of the client, translation occurs on the router (client does not know anything about the translation)
  • server (name /' all; default: "all") : name of the HotSpot server
  • type (regular / bypassed / blocked) : type of the IP-binding action
    • regular - performs One-to-One NAT according to the rule, translates address to to-address
    • bypassed - performs the translation, but excludes client from login to the HotSpot
    • blocked - translation is not performed and packets from host are dropped

ip hotspot walled-garden

HTTP walled-garden, menu allows to set authentication bypass for HTTP and HTTPs resources

  • action (allow / deny; default: "allow") : action to perform, when packet matches the rule
    • allow - allow access to the web-page without authorization
    • deny - the authorization is required to access the web-page
  • server (name) : name of the HotSpot server, rule is applied to
  • src-address (IP address) : source address of the user, usually IP address of the HotSpot client
  • dst-address (IP address) : destination IP address, IP address of the WEB-server
  • method (text) : HTTP method of the request
  • dst-host (wildcard; default: "") : domain name of the destination web-server
  • dst-port (integer; default: "") : TCP port number, client sends request to
  • path (text; default: "") : the path of the request, path comes after http://dst_host/

ip hotspot walled-garden ip

Walled-garden menu for the IP requests (Winbox, SSH, Telnet, SIP, etc.)

  • action (accept / drop / reject; default: accept) : action to perform, when packet matches the rule
    • accept - allow access to the resource without authorization
    • deny - the authorization is required to access the resource
    • reject - the authorization is required to access the resource, ICMP reject message will be sent to client, when packet will match the rule
  • server (name) : name of the HotSpot server, rule is applied to
  • src-address (IP address) : source address of the user, usually IP address of the HotSpot client
  • dst-address (IP address) : destination IP address, IP address of the WEB-server
  • protocol (integer, protocol name) : IP protocol name
  • dst-port (integer; default: "") : TCP port number, client sends request to
  • dst-host (wildcard; default: "") : domain name of the destination web-server

ip hotspot cookie

Menu contains all cookies sent to the HotSpot clients, who are authorized by cookie method, all the values are read-only.

  • domain (read-only; text) : domain name (if split from username)
  • expires-in (read-only; time) : how long the cookie is valid
  • mac-address (read-only; MAC address) : client's MAC-address
  • user (read-only-name) : HotSpot username