
Hotspot

College: College of Information Technology     Department: Department of Information Networks     Stage: 3
Course instructor: Alaa Abdul Hussein Mahdi Kareem       05/05/2015 22:23:20
Manual:IP/Hotspot
Hotspot
The MikroTik hotspot gateway provides authentication for clients before they access public networks.
Hotspot gateway features:
• different client authentication methods, using the local client database on the router or a remote RADIUS server
• user accounting in the local database on the router or on a remote RADIUS server
• walled-garden system, giving access to some web pages without authorization
• login page modification, where you can put information about the company
• automatic and transparent change of any client IP address to a valid address

Hotspot setup
The simplest way to set up a hotspot server on a router is with the /ip hotspot setup command. The router will ask for the parameters required to set up the hotspot. When finished, a default configuration will be added for the hotspot server.
[admin@mikrotik] /ip hotspot> setup
select interface to run hotspot on
hotspot interface: ether3
set hotspot address for interface
local address of network: 10.5.50.1/24
masquerade network: yes
set pool for hotspot addresses
address pool of network: 10.5.50.2-10.5.50.254
select hotspot ssl certificate
select certificate: none
select smtp server
ip address of smtp server: 0.0.0.0
setup dns configuration
dns servers: 10.1.101.1
dns name of local hotspot server
dns name: myhotspot
create local hotspot user
name of local hotspot user: admin
password for the user:
[admin@mikrotik] /ip hotspot>
What was created:
[admin@mikrotik] /ip hotspot> print
flags: x - disabled, i - invalid, s - https
# name interface address-pool profile idle-timeout
0 hotspot1 ether3 hs-pool-3 hsprof1 5m
[admin@mikrotik] /ip hotspot>
[admin@mikrotik] /ip pool> print
# name ranges
0 hs-pool-3 10.5.50.2-10.5.50.254
[admin@mikrotik] /ip pool> /ip dhcp-server
[admin@mikrotik] /ip dhcp-server> print
flags: x - disabled, i - invalid
# name interface relay address-pool lease-time add-arp
0 dhcp1 ether3 hs-pool-3 1h
[admin@mikrotik] /ip dhcp-server> /ip firewall nat
[admin@mikrotik] /ip firewall nat> print
flags: x - disabled, i - invalid, d - dynamic
0 x place hotspot rules here
chain=unused-hs-chain action=passthrough
1 masquerade hotspot network
chain=srcnat action=masquerade src-address=10.5.50.0/24
[admin@mikrotik] /ip firewall nat>
Parameters asked during the setup process
• hotspot interface (string default: allow) : interface name on which to run hotspot. To run hotspot on a bridge interface, make sure public interfaces are not included in the bridge ports
• local address of network (ip default: 10.5.50.1/24) : hotspot gateway address
• masquerade network (yes | no default: yes) : whether to masquerade the hotspot network; when yes, a rule is added to /ip firewall nat with action=masquerade
• address pool of network (string default: yes) : address pool for the hotspot network, which is used to change the user IP address to a valid address. Useful if providing network access to mobile clients that are not willing to change their networking settings
• select certificate (none | import-other-certificate default: ) : choose the SSL certificate, when the https authorization method is required
• ip address of smtp server (ip default: 0.0.0.0) : IP address of the SMTP server to which the hotspot network's SMTP requests (TCP port 25) are redirected
• dns servers (ip default: 0.0.0.0) : DNS server addresses used for hotspot clients; configuration taken from the /ip dns menu of the hotspot gateway
• dns name (string default: "") : domain name of the hotspot server; a fully qualified domain name is required, for example www.example.com
• name of local hotspot user (string default: "admin") : username of one automatically created hotspot user, added to /ip hotspot user
• password for the user (string default: ) : password for the automatically created hotspot user
IP hotspot
This menu is designed to manage the hotspot servers of the router. It is possible to run hotspot on Ethernet, wireless, VLAN and bridge interfaces. One hotspot server is allowed per interface. When hotspot is configured on a bridge interface, set the hotspot interface to the bridge interface, not to a bridge port, and do not add public interfaces to the bridge ports.
You can add hotspot servers manually in the /ip hotspot menu, but it is advised to run /ip hotspot setup, which adds all the necessary settings.
• name (text) : hotspot server's name or identifier
• address-pool (name / none default: none) : address space used to change any IP address of a hotspot client to a valid address. Useful for providing public network access to mobile clients that are not willing to change their networking settings
• idle-timeout (time / none default: 5m) : period of inactivity for unauthorized clients. When there is no traffic from this client (literally, the client computer should be switched off), once the timeout is reached the user is dropped from the hotspot host list and its used address becomes available
• interface (name of interface) : interface to run hotspot on
• addresses-per-mac (integer / unlimited default: 2) : number of IP addresses allowed to be bound to one MAC address, when multiple hotspot clients are connected with one MAC address
• profile (name default: default) : default hotspot profile of the hotspot server, which is located in /ip hotspot profile
IP hotspot active
The hotspot active menu shows all clients authenticated in the hotspot. The menu is informational; it is not possible to change anything here.
• server (read-only name) : name of the hotspot server the client is logged in to
• user (read-only name) : name of the hotspot user
• domain (read-only text) : domain of the user (if split from username); the parameter is used only with RADIUS authentication
• address (read-only ip address) : IP address of the hotspot user
• mac-address (read-only mac-address) : MAC address of the hotspot user
• login-by (read-only multiple choice: cookie / http-chap / http-pap / https / mac / mac / trial) : authentication method used by the hotspot client
• uptime (read-only time) : current session time of the user; shows how long the user has been logged in
• idle-time (read-only time) : the amount of time the user has been idle
• session-time-left (read-only time) : the exact value of session-time that is applied to the user. The value shows how long the user is allowed to stay online before being logged off automatically when the uptime limit is reached
• idle-timeout (read-only time) : the exact value of the user's idle-timeout
• keepalive-timeout (read-only time) : the exact value of the keepalive-timeout that is applied to the user. The value shows how long the host can stay out of reach before it is removed from the hotspot
• limit-bytes-in (read-only integer) : shows how many bytes were received from the client; the option is active when the appropriate parameter is configured for the hotspot user
• limit-bytes-out (read-only integer) : shows how many bytes were sent to the client; the option is active when the appropriate parameter is configured for the hotspot user
• limit-bytes-total (read-only integer) : shows how many bytes in total were sent to and received from the client; the option is active when the appropriate parameter is configured for the hotspot user
IP hotspot host
The host table lists all computers connected to the hotspot server. The host table is informational and it is not possible to change any value there.
• mac-address (read-only mac-address) : MAC address of the hotspot user
• address (read-only ip address) : original IP address of the hotspot client
• to-address (read-only ip address) : new client address assigned by the hotspot; it might be the same as the original address
• server (read-only name) : name of the hotspot server the client is connected to
• bridge-port (read-only name) : /interface bridge port the client is connected to; the value is unknown when hotspot is not configured on the bridge
• uptime (read-only time) : shows how long the user has been online (connected to the hotspot)
• idle-time (read-only time) : time the user has been idle
• idle-timeout (read-only time) : value of the client idle-timeout (unauthorized client)
• keepalive-timeout (read-only time) : keepalive-timeout value of the unauthorized client
• bytes-in (read-only integer) : number of bytes received from the unauthorized client
• packet-in (read-only integer) : number of packets received from the unauthorized client
• bytes-out (read-only integer) : number of bytes sent to the unauthorized client
• packet-out (read-only integer) : number of packets sent to the unauthorized client
IP bindings
Sub-menu: /ip hotspot ip-binding
The ip-binding hotspot menu allows you to set up static one-to-one NAT translations, to let specific hotspot clients bypass the hotspot without any authentication, and to block specific hosts and subnets from the hotspot network.
• address (ip range default: "") : the original IP address of the client
• mac-address (mac default: "") : MAC address of the client
• server (string | all default: "all") : name of the hotspot server
  • all - will be applied to all hotspot servers
• to-address (ip default: "") : new IP address of the client; translation occurs on the router (the client does not know anything about the translation)
• type (blocked | bypassed | regular default: "") : type of the ip-binding action
  • regular - performs one-to-one NAT according to the rule, translates address to to-address
  • bypassed - performs the translation, but the client is excluded from having to log in to the hotspot
  • blocked - translation is not performed and packets from the host are dropped
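Because a bypassed binding lets a client through without any authentication, the ip-binding list is worth reviewing periodically. The following is an added example, not part of the original manual: a Python audit of ip-binding entries that lists each bypassed binding with the reasons it deserves a second look. The export text layout (add lines with key=value pairs and backslash continuation), the comment property and the review criteria are assumptions of this example, and the sample data is constructed.

```python
import shlex

# Constructed sample in the style of "/ip hotspot ip-binding export" output.
# All addresses, MAC addresses and comments are made up for this example.
SAMPLE_EXPORT = r'''
/ip hotspot ip-binding
add address=10.5.50.10 mac-address=00:0C:42:00:00:01 server=hotspot1 \
    to-address=10.5.50.10 type=bypassed comment="lobby printer"
add mac-address=00:0C:42:00:00:02 type=bypassed
add address=10.5.50.0/25 type=bypassed comment="temporary"
add address=10.5.50.200 type=blocked
add address=192.168.1.7 to-address=10.5.50.77
'''

def parse_bindings(export_text):
    """Return one dict per 'add' line; a trailing backslash continues a line."""
    rows = []
    for line in export_text.replace("\\\n", " ").splitlines():
        words = shlex.split(line)  # keeps comment="two words" as one token
        if not words or words[0] != "add":
            continue
        row = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        row.setdefault("server", "all")  # default from the property table
        rows.append(row)
    return rows

def audit_bypassed(rows):
    """List every bypassed binding with the reasons it deserves a review."""
    findings = []
    for row in rows:
        if row.get("type") != "bypassed":
            continue  # only bypassed entries skip the hotspot login
        addr, mac = row.get("address"), row.get("mac-address")
        reasons = []
        if mac and not addr:
            reasons.append("matched by MAC address only")
        if addr and not mac:
            reasons.append("matched by IP address only")
        if addr and ("/" in addr or "-" in addr):
            reasons.append("covers a range, not a single host")
        if row["server"] == "all":
            reasons.append("applies to all hotspot servers")
        if "comment" not in row:
            reasons.append("no comment recording why it exists")
        findings.append((mac or addr, reasons))
    return findings

if __name__ == "__main__":
    for who, reasons in audit_bypassed(parse_bindings(SAMPLE_EXPORT)):
        print(who, "->", "; ".join(reasons) or "no remarks")
```

An entry that pins both address and mac-address, names one server and carries a comment produces no remarks; the broader an entry's match, the more clients it admits without login.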
Cookies
Sub-menu: /ip hotspot cookie
The menu contains all cookies sent to hotspot clients that are authorized by the cookie method. All entries are read-only.
• domain (string) : domain name (if split from username)
• expires-in (time) : how long the cookie is valid
• mac-address (mac) : client's MAC address
• user (string) : hotspot username
Article sources and contributors
Manual:IP/Hotspot  Source: http://wiki.mikrotik.com/index.php?oldid=19414  Contributors: janisk, marisb, normis, sergejsb, vitell
