Introduction
The MikroTik HotSpot Gateway provides authentication for clients before access to public networks.
HotSpot Gateway features:
- different client authentication methods, using a local client database on the router or a remote RADIUS server;
- user accounting in a local database on the router or on a remote RADIUS server;
- a walled-garden system, which gives access to some web pages without authorization;
- login page modification, where you can put information about the company;
- automatic and transparent change of any client IP address to a valid address;
- starting from v6.48, HotSpot can inform DHCP clients that they are behind a captive portal (RFC 7710).
A hotspot can work reliably only when IPv4 is used. HotSpot relies on firewall NAT rules, which are currently not supported for IPv6.
Example
```
[admin@MikroTik] /ip hotspot> setup
Select interface to run HotSpot on

hotspot interface: ether3
Set HotSpot address for interface

local address of network: 10.5.50.1/24
masquerade network: yes
Set pool for HotSpot addresses

address pool of network: 10.5.50.2-10.5.50.254
Select hotspot SSL certificate

select certificate: none
Select SMTP server

ip address of smtp server: 0.0.0.0
Setup DNS configuration

dns servers: 10.1.101.1
DNS name of local hotspot server

dns name: myhotspot
Create local hotspot user

name of local hotspot user: admin
password for the user:
[admin@MikroTik] /ip hotspot>
```
Verify HotSpot configuration:
```
[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME       INTERFACE   ADDRESS-POOL   PROFILE   IDLE-TIMEOUT
 0   hotspot1   ether3      hs-pool-3      hsprof1   5m
[admin@MikroTik] /ip hotspot>
[admin@MikroTik] /ip pool> print
 #   NAME        RANGES
 0   hs-pool-3   10.5.50.2-10.5.50.254
[admin@MikroTik] /ip pool> /ip dhcp-server
[admin@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME    INTERFACE   RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
 0   dhcp1   ether3              hs-pool-3      1h
[admin@MikroTik] /ip dhcp-server> /ip firewall nat
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=10.5.50.0/24
[admin@MikroTik] /ip firewall nat>
```
Parameters asked during the setup process
Parameter | Description |
---|---|
hotspot interface (string; Default: allow) | Interface name on which to run HotSpot. To run HotSpot on a bridge interface, make sure public interfaces are not included in the bridge ports. |
local address of network (IP; Default: 10.5.50.1/24) | HotSpot gateway address |
masquerade network (yes \| no; Default: yes) | Whether to masquerade the HotSpot network. When set to yes, a rule with action=masquerade is added to /ip firewall nat. |
address pool of network (string; Default: yes) | Address pool for HotSpot network, which is used to change user IP address to a valid address. Useful if providing network access to mobile clients that are not willing to change their networking settings. |
select certificate (none \| import-other-certificate; Default: ) | Choose SSL certificate, when HTTPS authorization method is required. |
ip address of smtp server (IP; Default: 0.0.0.0) | The IP address of the SMTP server, where to redirect HotSpot's network SMTP requests (25 TCP port) |
dns servers (IP; Default: 0.0.0.0) | DNS server addresses used for HotSpot clients, configuration taken from /ip dns menu of the HotSpot gateway |
dns name (string; Default: "") | The domain name of the HotSpot server. A fully qualified domain name is required, for example, www.example.com |
name of local hotspot user (string; Default: "admin") | Username of one automatically created HotSpot user, added to /ip hotspot user |
password for the user (string; Default: ) | Password for the automatically created HotSpot user |
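
The constraints in the parameter table and the NAT rule shown in the verification output can be cross-checked mechanically. The following Python sketch is an added example, not MikroTik code: `parse_rule`, `audit_hotspot` and the finding codes are hypothetical names, and the sample input is copied from this page's transcript. It does not model rule flags such as X (disabled).

```python
import ipaddress

def parse_rule(text):
    """Split 'chain=srcnat action=masquerade ...' into a key/value dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def audit_hotspot(answers, nat_rules):
    """Return finding codes for wizard answers plus printed NAT rules."""
    findings = []
    gateway = ipaddress.ip_interface(answers["local address of network"])
    net = gateway.network
    low, high = (ipaddress.ip_address(p)
                 for p in answers["address pool of network"].split("-"))
    # The pool must sit inside the HotSpot subnet and must not hand out
    # the gateway's own address.
    if low > high or low not in net or high not in net:
        findings.append("pool-outside-hotspot-network")
    elif low <= gateway.ip <= high:
        findings.append("gateway-inside-pool")
    # masquerade=yes should leave a srcnat rule covering exactly this subnet.
    if answers["masquerade network"] == "yes":
        rules = [parse_rule(r) for r in nat_rules]
        if not any(r.get("chain") == "srcnat"
                   and r.get("action") == "masquerade"
                   and r.get("src-address") == str(net) for r in rules):
            findings.append("masquerade-rule-missing-or-mismatched")
    # Without a certificate the HTTPS authorization method cannot be used.
    if answers["select certificate"] == "none":
        findings.append("no-certificate-for-https-login")
    # The parameter table asks for a fully qualified domain name.
    if "." not in answers["dns name"].strip("."):
        findings.append("dns-name-not-fqdn")
    return findings

# Answers and NAT rules copied from this page's transcript (flags and
# ;;; comments stripped from the rule lines).
PAGE_ANSWERS = {
    "local address of network": "10.5.50.1/24",
    "masquerade network": "yes",
    "address pool of network": "10.5.50.2-10.5.50.254",
    "select certificate": "none",
    "dns name": "myhotspot",
}
PAGE_NAT = [
    "chain=unused-hs-chain action=passthrough",
    "chain=srcnat action=masquerade src-address=10.5.50.0/24",
]

if __name__ == "__main__":
    print(audit_hotspot(PAGE_ANSWERS, PAGE_NAT))
```

For the values used in the example session, the addressing and masquerade checks pass; the two findings reflect the `none` certificate choice and the single-label DNS name `myhotspot`.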