The MikroTik HotSpot Gateway provides authentication for clients before access to public networks.

Hotspot (captive portal) - uses web-proxy and it is capable of using only the default routing table, at the moment. Making the PCC(per connection-classifier) not a valid method, due to the, multiple routing tables used.

HotSpot Gateway features:

  • different authentication methods of clients, using a local client database on the router, or remote RADIUS server;
  • users accounting in a local database on the router, or on remote RADIUS server;
  • a walled-garden system, access to some web pages without authorization;
  • login page modification, where you can put information about the company;
  • automatic and transparent change any IP address of a client to a valid address;
  • HotSpot can inform DHCP clients that they are behind a captive portal (RFC7710);

A hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which currently are not supported for IPv6.


[admin@MikroTik] /ip hotspot> setup 
Select interface to run HotSpot on 

hotspot interface: ether3
Set HotSpot address for interface 

local address of network:
masquerade network: yes
Set pool for HotSpot addresses 

address pool of network:
Select hotspot SSL certificate 

select certificate: none
Select SMTP server 

ip address of smtp server:
Setup DNS configuration 

dns servers:
DNS name of local hotspot server 

dns name: myhotspot
Create local hotspot user 

name of local hotspot user: admin
password for the user: 
[admin@MikroTik] /ip hotspot>

Verify HotSpot configuration:

[admin@MikroTik] /ip hotspot> print 
Flags: X - disabled, I - invalid, S - HTTPS 
0 hotspot1 ether3 hs-pool-3 hsprof1 5m 
[admin@MikroTik] /ip hotspot> 
[admin@MikroTik] /ip pool> print 
0 hs-pool-3 
[admin@MikroTik] /ip pool> /ip dhcp-server 
[admin@MikroTik] /ip dhcp-server> print 
Flags: X - disabled, I - invalid 
0 dhcp1 ether3 hs-pool-3 1h 
[admin@MikroTik] /ip dhcp-server> /ip firewall nat 
[admin@MikroTik] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough 

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address= 
[admin@MikroTik] /ip firewall nat> 

Parameters asked during the setup process

hotspot interface (string; Default: allow)Interface name on which to run HotSpot. To run HotSpot on a bridge interface, make sure public interfaces are not included in the bridge ports.
local address of network (IP; Default: gateway address
masquerade network (yes | no; Default: yes)Whether to masquerade HotSpot network, when yes rule is added to /ip firewall nat with action=masquerade
address pool of network (string; Default: yes)Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful if providing network access to mobile clients that are not willing to change their networking settings.
select certificate (none | import-other-certificate; Default: )Choose SSL certificate, when HTTPS authorization method is required.
ip address of smtp server (IP; Default: IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port)
dns servers (IP; Default: server addresses used for HotSpot clients, configuration taken from /ip dns menu of the HotSpot gateway
dns name (string; Default: "")the domain name of the HotSpot server, a full qualified domain name is required, for example,
name of local hotspot user (string; Default: "admin")username of one automatically created HotSpot user, added to /ip hotspot user
password for the user' (string; Default: )Password for automatically created HotSpot user

IP HotSpot


The menu is designed to manage the HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN, and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on the bridge interface, set HotSpot interface as bridge interface, not as bridge port, do not add public interfaces to bridge ports. You can add HotSpot servers manually to the /ip/hotspot menu, but it is advised to run /ip/hotspot/setup, which adds all necessary settings.

name (text)HotSpot server's name or identifier
address-pool (name/none; default: none)address space used to change HotSpot client any IP address to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
idle-timeout (time/none; default: 5mperiod of inactivity for unauthorized clients. When there is no traffic from this client (literally client computer should be switched off), once the timeout is reached, a user is dropped from the HotSpot host list, its used address becomes available
keepalive-timeout (time/none; default: none)Value of how long host can stay out of reach to be removed from the HotSpot
login-timeout (time/none; default: none)Period of time after which if a host hasn't been authorized itself with a system the host entry gets deleted from host table. Loop repeats until the host logs in the system. Enable if there are situations where a host cannot log in after being too long in the host table unauthorized.
interface (name of an interface)Interface to run HotSpot on
addresses-per-mac (integer/unlimited; default: 2)Number of IP addresses allowed to be bind with the MAC address, when multiple HotSpot clients connected with one MAC-address
profile (name; default: default)HotSpot server default HotSpot profile, which is located in /ip/hotspot/profile


keepalive-timeout (read-only; time)The exact value of the keepalive-timeout, that is applied to the user. Value shows how long the host can stay out of reach to be removed from the HotSpot

IP HotSpot Active


HotSpot active menu shows all clients authenticated in HotSpot, the menu is informational (read-only) it is not possible to change anything here.

server (read-only; name)HotSpot server name client is logged in
user (read-only; name)name of the HotSpot user
domain (read-only; text)the domain of the user (if split from the username), a parameter is used only with RADIUS authentication
address (read-only; IP address)The IP address of the HotSpot user
mac-address (read-only; MAC-address)MAC-address of the HotSpot user
login-by (read-only; multiple-choice: cookie / http-chap / http-pap / https / mac / mac-cookie / trial)the authentication method used by the HotSpot client
uptime (read-only; time)current session time of the user, it is showing how long the user has been logged in
idle-time (read-only; time)the amount of time the user has been idle
session-time-left (read-only; time)the exact value of session-time, that is applied for the user. Value shows how long user is allowed to be online to be logged off automatically by uptime reached
idle-timeout (read-only; time)the exact value of the user's idle-timeout
keepalive-timeout (read-only; time)the exact value of the keepalive-timeout, that is applied for the user. Value shows how long the host can stay out of reach to be removed from the HotSpot
limit-bytes-in (read-only; integer)value shows how many bytes received from the client, an option is active when the appropriate parameter is configured for HotSpot user
limit-bytes-out (read-only; integer) value shows how many bytes send to the client, an option is active when the appropriate parameter is configured for HotSpot user
limit-bytes-total (read-only; integer)value shows how many bytes total were send/received from the client, an option is active when the appropriate parameter is configured for HotSpot user

IP HotSpot Host


The host table lists all computers connected to the HotSpot server. The host table is informational and it is not possible to change any value there:

mac-address (read-only; MAC-address)HotSpot user MAC-address
address (read-only; IP address)HotSpot client original IP address
to-address (read-only; IP address)The new client address assigned by HotSpot might be the same as the original address
server (read-only; name)HotSpot server name client is connected to
bridge-port (read-only; name)"/interface bridge port" the client is connected to, value is unknown when HotSpot is not configured on the bridge
uptime (read-only; time)value shows how long the user is online (connected to the HotSpot)
idle-time (read-only; time)time user has been idle

idle-timeout (read-only; time) 

value of the client idle-timeout (unauthorized client)
keepalive-timeout (read-only; time)keepalive-timeout value of the unauthorized client
bytes-in (read-only; integer)amount of bytes received from an unauthorized client
packet-in (read-only; integer)amount of packets received from an unauthorized client
bytes-out (read-only; integer)amount of bytes sent to an unauthorized client
packet-out (read-only; integer) amount of packets sent to an unauthorized client

IP Binding


IP-Binding HotSpot menu allows to the setup of static One-to-One NAT translations, allows to bypass specific HotSpot clients without any authentication, and also allows to block specific hosts and subnets from the HotSpot network

address (IP Range; Default: "")The original IP address of the client
mac-address (MAC; Default: "")MAC address of the client
server (string | all; Default: "all")Name of the HotSpot server.
  • all - will be applied to all hotspot servers
to-address (IP; Default: "")New IP address of the client, translation occurs on the router (client does not know anything about the translation)
type (blocked | bypassed | regular; Default: "")Type of the IP-binding action
  • regular - performs One-to-One NAT according to the rule, translates the address to to-address
  • bypassed - performs the translation, but excludes client from login to the HotSpot
  • blocked - translation is not performed and packets from a host are dropped


The menu contains all cookies sent to the HotSpot clients, which are authorized by cookie method, all the entries are read-only.


domain (string)The domain name (if split from the username)
expires-in (time)How long the cookie is valid
mac-address (MAC)Client's MAC-address
user (string)HotSpot username

Using DHCP option to advertise HotSpot URL

Most devices, such as modern smartphones, do some kind of background checking to see if they are behind a captive portal. They do this by requesting a known webpage and comparing the contents of that page, to what they should be. If contents are different, the device assumes there is a login page and creates a popup with this login page.

This does not always happen, as this "known webpage" could be blocked, whitelisted, or not accessible in internal networks. To improve on this mechanism, RFC 7710 was created, allowing the HotSpot to inform all DHCP clients that they are behind a captive-portal device and that they will need to authenticate to get Internet access, regardless of what webpages they do or do not request.

This DHCP option field is enabled automatically, but only if the router has a DNS name configured and has a valid SSL certificate (so that the login page can be accessed over HTTPS). When these requirements are met, a special DHCP option will be sent, containing a link to https://<dns-name-of-hotspot>/api. This link contains information in JSON format, instructing the client device of the captive portal status, and the location of the login page.

Contents of https://<dns-name-of-hotspot>/api are as follows:

"captive": $(if logged-in == 'yes')false$(else)true$(endif),
"user-portal-url": "$(link-login-only)",
$(if session-timeout-secs != 0)
"seconds-remaining": $(session-timeout-secs),
$(if remain-bytes-total)
"bytes-remaining": $(remain-bytes-total),
"can-extend-session": true

Some devices require venue-info URL as well, so you are free to modify the api.json file to your liking, just like any other hotspot files. It is located in the router files menu. 


If you have set up Hotspot before RouterOS v7.3 when RFC 7710 was implemented, you will have to use "Reset HTML" function, or manually add/edit the api.json file to have the above contents, for Hotspot detection to work. 

  • No labels