Sunday, 12 October 2008

Interface Setup

HotSpot Interface Setup

Submenu level: /ip hotspot

Description

The HotSpot system is put on individual interfaces. You can run completely different HotSpot configurations on different interfaces.

Property Description

addresses-per-mac (integer | unlimited; default: 2) - number of IP addresses allowed to be bound to any particular MAC address (it slightly reduces the chance of a denial of service attack based on taking over all free IP addresses)
unlimited - number of IP addresses per one MAC address is not limited
address-pool (name | none; default: none) - IP address pool name for performing one-to-one NAT. You can choose not to use the one-to-one NAT
none - do not perform one-to-one NAT for the clients of this HotSpot interface
HTTPS (read-only: flag) - whether the HTTPS service is actually running on the interface (i.e., it is set up in the server profile, and a valid certificate is imported in the router)
idle-timeout (time | none; default: 00:05:00) - idle timeout (maximal period of inactivity) for unauthorized clients. It is used to detect that the client is not using outer networks (e.g. the Internet), i.e., there is NO TRAFFIC coming from that client and going through the router. When the timeout is reached, the user will be dropped from the host list, and the address used by the user will be freed
none - do not timeout idle users
interface (name) - interface to run HotSpot on
ip-of-dns-name (read-only: IP address) - IP address of the HotSpot gateway's DNS name set in the HotSpot interface profile
keepalive-timeout (time | none; default: none) - keepalive timeout for unauthorized clients. Used to detect that the computer of the client is alive and reachable. If the check fails during this period, the user will be dropped from the host list, and the address used by the user will be freed
none - do not timeout unreachable users
profile (name; default: default) - default HotSpot profile for the interface

Command Description

reset-html (name) - overwrite the existing HotSpot servlet with the original HTML files. It is used if you have changed the servlet and it is not working after that

Notes

The addresses-per-mac property works only if an address pool is defined. Also note that in case you are authenticating users connected through a router, then all the IP addresses will seem to have come from one MAC address.

Example

To add HotSpot system to the local interface, allowing the system to do one-to-one NAT for each client (addresses from the HS-real address pool will be used for the NAT):

[admin@MikroTik] ip hotspot> add interface=local address-pool=HS-real
[admin@MikroTik] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hs-local local HS-real default 00:05:00
[admin@MikroTik] ip hotspot>

HotSpot Server Profiles

Submenu level: /ip hotspot profile

Property Description

dns-name (text) - DNS name of the HotSpot server. This is the DNS name used as the name of the HotSpot server (i.e., it appears as the location of the login page). This name will automatically be added as a static DNS entry in the DNS cache
hotspot-address (IP address; default: 0.0.0.0) - IP address for the HotSpot service
html-directory (text; default: "") - name of the directory (accessible with FTP) which stores the HTML servlet pages (when changed, the default pages are automatically copied into the specified directory if it does not exist already)
http-cookie-lifetime (time; default: 3d) - validity time of HTTP cookies
http-proxy (IP address; default: 0.0.0.0) - the address of the proxy server the HotSpot service will use as a proxy server for all those requests intercepted by the Universal Proxy system and not defined in the /ip proxy direct list. If not specified, the address defined in the parent-proxy parameter of /ip proxy is used. If that is absent too, the request will be resolved by the local proxy
login-by (multiple choice: cookie | http-chap | http-pap | https | mac | trial; default: cookie,http-chap) - which authentication methods to use
cookie - use HTTP cookies to authenticate, without asking for user credentials. Another method will be used in case the client does not have a cookie, or the stored username and password pair is no longer valid since the last authentication. May only be used together with other HTTP authentication methods (HTTP-PAP, HTTP-CHAP or HTTPS), as otherwise there would be no way for the cookies to be generated in the first place
http-chap - use the CHAP challenge-response method with the MD5 hashing algorithm for hashing passwords. This way it is possible to avoid sending clear-text passwords over an insecure network. This is the default authentication method
http-pap - use plain-text authentication over the network. Please note that if this method is used, your user passwords will be exposed on the local networks, so it will be possible to intercept them
https - use an encrypted SSL tunnel to transfer user communications with the HotSpot server. Note that for this to work, a valid certificate must be imported into the router (see a separate manual on certificate management)
mac - try to use the client's MAC address first as its username. If the matching MAC address exists in the local user database or on the RADIUS server, the client will be authenticated without being asked to fill in the login form
trial - does not require authentication for a certain amount of time
radius-accounting (yes | no; default: yes) - whether to send RADIUS server accounting information on each user once in a while (the "while" is defined in the radius-interim-update property)
radius-default-domain (text; default: "") - default domain to use for RADIUS requests. It allows selecting different RADIUS servers depending on the HotSpot server profile, but may be handy for a single RADIUS server as well
radius-interim-update (time | received; default: received) - how often to send cumulative accounting reports
0s - same as received
received - use whatever value is received from the RADIUS server
rate-limit (text; default: "") - rate limitation in the form rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with an optional 'k' (1,000s) or 'M' (1,000,000s) suffix. If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default
smtp-server (IP address; default: 0.0.0.0) - default SMTP server to which all user SMTP requests are unconditionally redirected
split-user-domain (yes | no; default: no) - whether to split the username from the domain name when the username is given in "user@domain" or in "domain\user" format
ssl-certificate (name | none; default: none) - name of the SSL certificate to use for HTTPS authentication. Not used for other authentication methods
trial-uptime (time/time; default: 30m/1d) - used only when the authentication method is trial. Specifies the amount of time the user identified by MAC address can use hotspot services without authentication, and the time that has to pass before the user is allowed to use hotspot services again
trial-user-profile (name; default: default) - used only when the authentication method is trial. Specifies the user profile that trial users will use
use-radius (yes | no; default: no) - whether to use RADIUS to authenticate HotSpot users
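The rate-limit defaulting rules above are easy to get wrong when reading a profile by hand. The following Python parser, added here as an illustration and not part of the RouterOS manual, expands a rate-limit string into all eight values exactly as the rules describe; the only assumption beyond the manual is that a burst time is whole seconds with an optional trailing 's'.

```python
import re

_MULT = {"": 1, "k": 1_000, "M": 1_000_000}   # suffixes the manual allows

def parse_rate(token):
    """'512k' -> 512000 bit/s. Only a bare number with optional k/M is accepted."""
    m = re.fullmatch(r"(\d+)([kM]?)", token)
    if not m:
        raise ValueError(f"bad rate: {token!r}")
    return int(m.group(1)) * _MULT[m.group(2)]

def parse_time(token):
    """Burst time as whole seconds. Assumption (not in the manual): optional 's' suffix."""
    m = re.fullmatch(r"(\d+)s?", token)
    if not m:
        raise ValueError(f"bad burst time: {token!r}")
    return int(m.group(1))

def _pair(field, conv):
    """Split 'rx[/tx]'; when the tx side is missing it copies the rx side."""
    rx, _, tx = field.partition("/")
    rx_v = conv(rx)
    return rx_v, (conv(tx) if tx else rx_v)

def parse_rate_limit(spec):
    """Expand a rate-limit string into all eight values, applying the defaulting rules."""
    fields = spec.split()
    if not 1 <= len(fields) <= 4:
        raise ValueError("rate-limit takes 1 to 4 space-separated fields")
    rx_rate, tx_rate = _pair(fields[0], parse_rate)
    out = {"rx-rate": rx_rate, "tx-rate": tx_rate}
    if len(fields) == 1:
        return out                      # no bursting configured at all
    out["rx-burst-rate"], out["tx-burst-rate"] = _pair(fields[1], parse_rate)
    if len(fields) >= 3:
        out["rx-burst-threshold"], out["tx-burst-threshold"] = _pair(fields[2], parse_rate)
    else:
        # thresholds omitted: the plain rates act as burst thresholds
        out["rx-burst-threshold"], out["tx-burst-threshold"] = rx_rate, tx_rate
    if len(fields) == 4:
        out["rx-burst-time"], out["tx-burst-time"] = _pair(fields[3], parse_time)
    else:
        out["rx-burst-time"] = out["tx-burst-time"] = 1   # manual default: 1s
    return out

if __name__ == "__main__":
    print(parse_rate_limit("128k/512k 256k/1M"))
```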

Notes

If dns-name property is not specified, hotspot-address is used instead. If hotspot-address is also absent, then both are to be detected automatically.

In order to use RADIUS authentication, the /radius menu must be set up accordingly.

The trial authentication method should always be used together with one of the other authentication methods.

Example

HotSpot User Profiles

Submenu level: /ip hotspot user profile

Description

Article moved to: HotSpot AAA section

HotSpot Users

Submenu level: /ip hotspot user

Description

Article moved to: HotSpot AAA section

HotSpot Active Users

Submenu level: /ip hotspot active

Description

Article moved to: HotSpot AAA section

HotSpot Cookies

Submenu level: /ip hotspot cookie

Description

Cookies can be used for authentication in the Hotspot service

Property Description

domain (read-only: text) - domain name (if split from username)
expires-in (read-only: time) - how long the cookie is valid
mac-address (read-only: MAC address) - user's MAC address
user (read-only: name) - username

Notes

There can be multiple cookies with the same MAC address. For example, there will be a separate cookie for each web browser on the same computer.

Cookies can expire - that is how they are supposed to work. The default validity time for cookies is 3 days (72 hours), but it can be changed for each individual HotSpot server profile, for example:

/ip hotspot profile set default http-cookie-lifetime=1d

Example

To get the list of valid cookies:

[admin@MikroTik] ip hotspot cookie> print
# USER DOMAIN MAC-ADDRESS EXPIRES-IN
0 ex 01:23:45:67:89:AB 23h54m16s
[admin@MikroTik] ip hotspot cookie>

HTTP-level Walled Garden

Submenu level: /ip hotspot walled-garden

Description

Walled garden is a system which allows unauthorized use of some resources, but requires authorization to access other resources. This is useful, for example, to give access to some general information about HotSpot service provider or billing options.

This menu only manages Walled Garden for HTTP and HTTPS protocols. Other protocols can also be included in Walled Garden, but that is configured elsewhere (in /ip hotspot walled-garden ip; see the next section of this manual for details)

Property Description

action (allow | deny; default: allow) - action to undertake if a packet matches the rule:
allow - allow the access to the page without prior authorization
deny - the authorization is required to access this page
dst-address (IP address) - IP address of the destination web server
dst-host (wildcard; default: "") - domain name of the destination web server (this is a wildcard)
dst-port (integer; default: "") - the TCP port a client has sent the request to
method (text) - HTTP method of the request
path (text; default: "") - the path of the request (this is a wildcard)
server (name) - name of the HotSpot server this rule applies to
src-address (IP address) - IP address of the user sending the request

Notes

Wildcard properties (dst-host and path) match a complete string (i.e., they will not match "example.com" if they are set to "example"). Available wildcards are '*' (match any number of any characters) and '?' (match any one character). Regular expressions are also accepted here, but if the property should be treated as a regular expression, it must start with a colon (':').

Small hints for using regular expressions:

  • \\ symbol sequence is used to enter \ character in console
  • \. pattern means . only (in regular expressions single dot in pattern means any symbol)
  • to show that no symbols are allowed before the given pattern, we use ^ symbol at the beginning of the pattern
  • to specify that no symbols are allowed after the given pattern, we use $ symbol at the end of the pattern

You can not use the path property for HTTPS requests, as the router can not (and should not - that is what the HTTPS protocol was made for!) decrypt the request.
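To make the matching rules concrete, here is a small Python matcher, added as an illustration and not taken from RouterOS, that applies the wildcard and regular-expression semantics described above to dst-host and path values. It assumes (beyond the manual) that rules are checked top to bottom with the first match deciding, and that an unset property matches anything; the sample rule set is constructed for this example.

```python
import re

def wildcard_to_regex(pattern):
    """Turn a walled-garden wildcard into a regex anchored at both ends, because
    wildcard properties must match the complete string ('example' != 'example.com')."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # any number of any characters
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"

def garden_match(pattern, value):
    """Match `value` against a dst-host or path property.
    A leading ':' selects regular-expression mode; there the pattern is searched,
    not anchored, so without ^ and $ it also matches inside longer strings."""
    if pattern.startswith(":"):
        return re.search(pattern[1:], value) is not None
    return re.match(wildcard_to_regex(pattern), value) is not None

def first_matching_action(rules, host, path):
    """Assumption: rules are checked top to bottom and the first match decides.
    Returns the rule's action, or None when no rule matches (login still required)."""
    for rule in rules:
        if garden_match(rule.get("dst-host", "*"), host) and \
           garden_match(rule.get("path", "*"), path):
            return rule.get("action", "allow")
    return None

# Constructed sample rule set: the manual's paynow rule plus an anchored regex rule.
# In the router console the backslash is typed as '\\'; a Python raw string needs one.
SAMPLE_RULES = [
    {"dst-host": "www.example.com", "path": "/paynow.html", "action": "allow"},
    {"dst-host": r":^(.*\.)?example\.com$", "path": "/billing/*", "action": "allow"},
]

if __name__ == "__main__":
    print(first_matching_action(SAMPLE_RULES, "www.example.com", "/paynow.html"))
```

The unanchored regex case is the one worth checking in a real rule set: a pattern like `:example\.com` also matches `www.example.com.other.net`, which is why the hints above recommend `^` and `$`.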

Example

To allow unauthorized requests to the www.example.com domain's /paynow.html page:

[admin@MikroTik] ip hotspot walled-garden> add path="/paynow.html" \
\... dst-host="www.example.com"
[admin@MikroTik] ip hotspot walled-garden> print
Flags: X - disabled, D - dynamic
0 dst-host="www.example.com" path="/paynow.html" action=allow
[admin@MikroTik] ip hotspot walled-garden>

IP-level Walled Garden

Submenu level: /ip hotspot walled-garden ip

Description

This menu manages Walled Garden for generic IP requests. See the previous section for managing HTTP- and HTTPS-specific properties (like the actual DNS name, HTTP method and path used in requests).

Property Description

action (accept | drop | reject; default: accept) - action to undertake if a packet matches the rule:
accept - allow the access to the page without prior authorization
drop - the authorization is required to access this page
reject - the authorization is required to access this page; in case the page is accessed without authorization, an ICMP reject message host-unreachable will be generated
dst-address (IP address) - IP address of the destination web server
dst-host (text; default: "") - domain name of the destination web server (this is not a regular expression or a wildcard of any kind). The DNS name specified is resolved to a list of IP addresses when the rule is added, and all those IP addresses are used
dst-port (integer; default: "") - the TCP or UDP port (the protocol MUST be specified explicitly in the protocol property) a client has sent the request to
protocol (integer | ddp egp encap ggp gre hmp icmp idpr-cmtp igmp ipencap ipip ipsec-ah ipsec-esp iso-tp4 ospf pup rdp rspf st tcp udp vmtp xns-idp xtp) - IP protocol name
server (name) - name of the HotSpot server this rule applies to
src-address (IP address) - IP address of the user sending the request
