Mikrotik HotSpot: setup, step-by-step instructions with a description, tips and tricks

According to many users, Mikrotik HotSpot is best suited for ad hoc situations where the provider can control how clients have configured their computers. It is useful in conference rooms, hotels, cafes, restaurants and other public places. One of the great advantages of HotSpot is that it does not require any client software, drivers, or dialers. One of its drawbacks is that the client must first open a browser in order to log in.

First Page Setup

The user can log in to Mikrotik HotSpot and configure the Walled Garden. To do this, find the hotspot/login file and copy it to the desktop.

After that, open it in any HTML editor, for example FrontPage, and adapt it to your own needs. This requires some basic knowledge of editing HTML pages. You can insert your logo, advertising and much more on this page. When the work is done, transfer the file back to the place it was downloaded from by dragging and dropping it.





Beginners setting up a WiFi HotSpot on Mikrotik are advised not to change the default variables, but simply to add their logo and text. This way you can create your own, fully customized page.

If you need to redirect the user to a selected site after a successful login, edit the hotspot/login.html document on the router and change the $(link-orig) variable to the URL of the website that should open after login. There are two links that need to be replaced; they look as follows.

Now, after logging in, the user is automatically redirected to the provider’s individual page.

CLI Version Installation Example

This example shows how to configure Mikrotik HotSpot from the command-line interface, with DHCP assigning IP addresses to users from, for example, the 172.16.0.1-172.16.0.255 IP pool. In practice, the provider replaces these values with its own.





The example adds the following parameters:

  1. Two speed limit profiles: 256k and 512k.
  2. A new user "zaib" with password "test" and the 512k profile, and a user "test" with a limit of 256k.
  3. DSL router IP: 192.168.2.2.
  4. Two interface cards: ether1 LAN = 172.16.0.1 and WAN = 192.168.2.1, connected to the DSL router.

The Mikrotik HotSpot setup script starts below.

Further continued.

The completion of the script.

With the basic HotSpot in place, go to a client PC.

After it starts up, the client automatically receives an IP address from the HotSpot DHCP server and can open a browser and request any website. The HotSpot login page then appears, asking for credentials.

You can also make configuration changes through the graphical interface.

URL Access Permission

When setting up a WiFi HotSpot on Mikrotik, it is sometimes necessary to allow unauthenticated users access to certain URLs, for example a RADIUS web server that the client must reach before logging in to the HotSpot. In this case, add the IP address.

HotSpot users cannot communicate with each other over the local network or over PROXY-ARP. If you run into this broadcast problem, remove the address pool from the HotSpot to disable universal NAT.

Running a HotSpot server without HTTPS login may cause the client not to be redirected to the authentication page if the requested page uses HTTPS. HTTPS login must be enabled to avoid this scenario.

HotSpot HTTPS login provides:

  1. Additional security through SSL encryption.
  2. The ability to redirect clients from HTTPS URLs.
  3. Use of an SSL certificate to enable the HTTPS redirect on the HotSpot server.

To use HTTPS login without an SSL warning in the client’s browser, you can use a certificate signed by a trusted certification authority (CA); a self-signed certificate can also be used.

Client Authentication Bypass

The following command lets a client bypass HotSpot authentication by MAC address:

/ip hotspot ip-binding add mac-address=xx:xx:xx:xx:xx:xx type=bypassed

Replace xx:xx:xx:xx:xx:xx with the user's MAC address. You can also use the IP address and login functions, or the cookies introduced in the new version, to log in automatically.

Function designations:

  1. S - static. If there is a lease, as with static DHCP, the server assigns the same IP every time the device requests one. This is set under "/ip dhcp-server lease" using make-static.
  2. H - DHCP.
  3. D - dynamic.
  4. A - when clients connect to the access point, they are shown on the Hosts tab, but are not yet allowed in. After logging in, they are shown on the Active tab and are now authorized.
  5. P - bypassed. Go to IP > HotSpot > IP Bindings and add a new entry.
  6. X - disabled, not active.
  7. A - active, in use.
  8. C - connected, the host route is directly connected.
  9. S - static, manually added route.
  10. R - RIP, obtained from the Routing Information Protocol.
  11. B - BGP, obtained from the Border Gateway Protocol.
  12. O - OSPF, obtained from the Open Shortest Path First protocol.
  13. M - MME, obtained from the Mesh Made Easy protocol.
  14. B - blackhole route, packets are silently discarded.
  15. U - unreachable, drops packets and sends ICMP messages.
  16. P - prohibit, discards the packet and sends an ICMP prohibited message.

By default, the user has no password, which is dangerous for further work. To change the password, log in to the system with the administrator ID and password. Check whether a password is set:

/tool user-manager customer print

and note the number of the administrator entry.

Next, change the password:

/tool user-manager customer set password=zaib1234 numbers=0

Access Point Setup

This solution requires an operational account on the HotSpot website. Before starting, reboot the router. If you see the message “Default Configuration”, click “Delete Configuration”. Now configure your Mikrotik router using Winbox.

Winbox is a graphical user interface for configuring the MikroTik RouterOS operating system; it can be downloaded from the MikroTik website.

Procedure:

  1. First, define the port that connects to the WAN, so that the router reaches the Internet through another router with DHCP. In Winbox, click “IP” > “DHCP Client” and add a DHCP client on port ether1.
  2. Add the HotSpot service to wlan. Click “IP” > “HotSpot” and, in the “Configure Access Point” window, select wlan1 as the interface. You can accept the default values, but do not select a certificate.
  3. Leave the IP as it is (10.5.50.x). If this IP address is changed, the LOGIN and LOGOUT links will not work on the login page.
  4. The router must operate in ap bridge mode.
  5. Open the interface by double-clicking wlan1, then under “Mode” select ap bridge, and make sure that the frequency is set to 2.4 b/g.
  6. Add a RADIUS server for authentication and accounting.
  7. In IP > HotSpot > Profiles, select the profile, click the RADIUS tab and enable the use of RADIUS.
  8. Then click the Login tab and deselect cookies, https, http pap and chap.
  9. To define the RADIUS server, click “Radius” and the “+” sign.
  10. Click “Services” > “Point”, then enter the RADIUS address radius.hotspotsystem.com and “Password”: hotsys123. Check the box next to the access point and set the timeout value to 3000.
  11. Add a secondary RADIUS server.
  12. Click “Radius” and the “+” sign, then “Services” > “Point”. Check the box next to the access point. Change the timeout value to 3000.
  13. Prohibit sites and servers for unauthenticated users. In the IP > HotSpot > Walled Garden section, click the + sign and add the hosts one by one in the Dst. Host field.
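
A way to review the result of these steps, as an added example that is not part of the original article: a small Python check run over a RouterOS export, covering the MAC bypass binding, the login methods chosen on the Login tab and the RADIUS secret. The sample export, the finding names and the 16-character minimum for the secret are assumptions made for this example.

```python
import shlex

# Constructed sample of a RouterOS "/export" fragment; every value is illustrative.
SAMPLE_EXPORT = """\
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=http-pap name=hsprof1 use-radius=yes
/ip hotspot ip-binding
add mac-address=00:11:22:33:44:55 type=bypassed
add address=10.5.50.20 mac-address=00:11:22:33:44:66 type=regular
/ip hotspot user
add name=zaib password=test profile=512k
add name=guest profile=256k
/radius
add address=192.0.2.10 secret=hotsys123 service=hotspot timeout=3s
"""

def parse_export(text):
    """Yield (menu, {key: value}) for every 'add' line of a RouterOS export."""
    menu = ""
    # Exports wrap long lines with a trailing backslash; join them first.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # shlex keeps quoted values together
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text, min_secret_len=16):
    """Return (finding, subject) pairs for settings worth a second look."""
    findings = []
    for menu, item in parse_export(text):
        if menu == "/ip hotspot ip-binding" and item.get("type") == "bypassed":
            # A bypassed binding skips login; the MAC is its only check.
            findings.append(("bypass", item.get("mac-address") or item.get("address", "?")))
        elif menu == "/ip hotspot profile":
            # HTTP PAP submits the password to the router in plain text.
            if "http-pap" in item.get("login-by", "").split(","):
                findings.append(("cleartext-login", item.get("name", "?")))
        elif menu == "/ip hotspot user" and not item.get("password"):
            findings.append(("empty-password", item.get("name", "?")))
        elif menu == "/radius" and len(item.get("secret", "")) < min_secret_len:
            findings.append(("weak-radius-secret", item.get("address", "?")))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_EXPORT):
        print(f"{finding}: {subject}")
```

Each bypassed binding it reports deserves a named owner, because the router admits any device that presents that MAC address without asking for credentials.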

Time synchronization

For normal operation of the device, you will also need to synchronize the time of the router with the server.

Procedure:

  1. Click System> NTP Client.
  2. Enter the primary and secondary NTP servers. To find these servers, go to pool.ntp.org and select the continent of your location on the right side of the page.
  3. Set in System> Clock: TimeZoneName: manual and TimeZone: 00:00.

Remember not to set your own time zone, because the router must show the time in GMT.

Change the NAS ID of the router. In Mikrotik, the NAS ID is configured under System > Identity. The default is MikroTik; set it in the following form:

OPERATORUSERNAME_LOCATIONNUMBER

Hot Spot Setting

To configure the Mikrotik HotSpot login page, click on the file names to download login.zip, which contains two files. Unzip the downloaded files. In the Winbox side menu, go to the "Files" section, find the HotSpot directory and drag the unzipped files into it. If you need to use FTP, you can log in to the Mikrotik router over FTP with the admin ID and password and replace the files in the HotSpot directory.

You will also need to set the IP address of the login / logout URL in the Control Center. To do this, log in to the Control Center with the operator's user name and password and open "Management" > "Locations". Click on the location, then “Change data and settings”. In the settings of the Mikrotik HotSpot page, change the URL of the internal login / logout to Mikrotik. For correct operation, make sure that the option “Show login window on the main page” is checked.

Increase the shared-users limit in the user profile, either in the submenu /ip hotspot user profile or under IP > HotSpot > User Profiles > default > Shared Users. Change the number of shared users by 5.

Mikrotik Remote Radius Configuration

The following is a brief description of how to configure Mikrotik to work with a remote RADIUS server and Captive Portal using the official Winbox tool. To enable the remotely accessible portal for Mikrotik, the HTML file in the HotSpot directory must be replaced with the new configuration file.

Mikrotik Remote Radius Configuration:

  1. In the Radius group, click the Add button.
  2. Enable or disable the hotspot service.
  3. Enter the IP address of the RADIUS server.
  4. Shared Secret: set the RADIUS server password.
  5. With PAP, the RADIUS protocol does not transmit passwords in cleartext between the NAS and the RADIUS server. This password is used together with the MD5 hash algorithm to obfuscate user passwords.
  6. Authentication port: the UDP port used for RADIUS authentication; the default is 1812.
  7. The timeout for the remote RADIUS server is set to 3000 ms.
  8. In the subsection “IP” → “Hotspots”, select “Servers” and click “Configure Hot Spot”.
  9. HotSpot interface: the Ethernet interface to listen on. In a typical wireless configuration, this should be set to the radio interface.
  10. Local address of the network: the network address of the external data network. It is used to distribute dynamic IP addresses to clients and to configure routing. With the value set to 192.168.182.1/24, clients will receive addresses from 192.168.182.2 through 192.168.182.254. The address 192.168.182.255 will be the broadcast IP address.
  11. The pool of IP addresses assigned to clients. By default, the IP pool is calculated from the previous setting.
  12. Certificate: none is selected.
  13. IP address of the SMTP server: set to 0.0.0.0.
  14. DNS server address: set to 8.8.8.8 (free Google DNS).
  15. In the “IP” → “Hotspots” section, select the “Server Profiles” tab and set the profile name, the HotSpot IP address and the HTML directory containing the Captive Portal HTML file.
  16. Login by: select HTTP PAP.
  17. Use RADIUS: check the box.
  18. MAC format: set to XX:XX:XX:XX:XX:XX.
  19. Select Wireless-802.11.

Install and configure VPN

Using a VPN is a great way to protect privacy and keep information secure when a user is online. The easiest way to set up a VPN for Windows is to use a process that takes only three steps.

To set up HotSpot Shield:

  1. Download software.
  2. Right-click on the installer file and select "Run as administrator".
  3. Follow the instructions to complete the installation.

As long as the user has HotSpot Shield connected, which can be configured to happen automatically, the user is protected and the software updates itself as needed.

Windows 7 users can also configure the VPN service manually through the integrated Microsoft Agile VPN client. To set up the VPN yourself, do the following:

  1. First, make sure that you have the VPN account information, including the username, password, and the domain name and IP address of the server.
  2. To set up a VPN, Windows 7 users should open the Start menu and then use the search bar to search for VPN.
  3. Select “Configure Virtual Private Network (VPN) Connection”.
  4. Enter the domain name and IP address of the server and click "Next".
  5. Enter the username and password.
  6. Choose to connect now or close the window.
  7. When you need to connect to the VPN manually, click the network icon in the lower right corner of the screen, select your VPN, enter the login information if it is not already saved, and click "Connect."

Using Hotspot VPN Gateways

After setting up a VPN, you can access the Internet from anywhere, even over unprotected public Wi-Fi, without worrying that someone can see or steal personal data, since all information will be completely encrypted. A good VPN never logs user data, Internet activity or IP addresses. The client will be able to hide his IP address and replace it with another one, which will allow him to access sites that are blocked.

VPN security tools detect and block millions of malicious phishing and spam sites so that they do not infect mobile devices or client computers.

A user with software, hardware and networks that support HotSpot Shield will enjoy a faster and more stable VPN service from any device with Internet access.

For someone who is just starting a new business or just wants to share an Internet connection using HotSpot Mikrotik servers, installing this equipment will pay big dividends. The great thing about Mikrotik is that the feature set available out of the box is awesome. Each customer can do more than the standard version of the router offers.

Of course, Mikrotik is not easy to learn. The user must be sufficiently advanced in networking skills to understand all its intricacies. However, since Mikrotik has a large support community, it will not be difficult to draw on the experience of advanced administrators.
