
Mikrotik Hotspot

A HOTSPOT is a way to provide internet access to subscribers by means of an easy to use login
interface, as it does not require any client software/driver/dialer at the user end. To log in, users may
use almost any web browser, so they are not required to install additional software. It is also
possible to allow users to access some web pages without authentication using the Walled Garden
feature.
In my personal opinion, Hotspot is best suited for ad hoc situations, where you cannot control
how the clients have their machines configured. This is generally useful in Conference Rooms,
Hotels, Cafes, Restaurants and the like, since people will come and go and you have few
permanent users.
One big advantage of using HotSpot is that it does not require any client
software/driver/dialer. One disadvantage of using HotSpot is that it usually requires your client
to open up a browser to log in before the service can be used. So users wanting to connect to
your service using a router of some kind usually have a problem (as routers usually don't support
logging in via HTTP).
Following is a quick setup guide (CLI version) on how to set up a HOTSPOT server in Mikrotik
using the command interface.
This guide will help you in setting up:
# HOTSPOT server.
# It will also configure DHCP to assign users IP addresses from the 172.16.0.1-172.16.0.255 IP pool.
Change it accordingly.
# I will add two Speed / Rate Limit Profiles, 256k and 512k; it will add a new user zaib
password=test with the 512k profile and user test password=test with the 256k limit.
# It will add a default route to the internet, which is the DSL router IP 192.168.2.2.
Change it accordingly.
For example, the Mikrotik has two interface cards.

Ether1 LAN = 172.16.0.1 / Connected with LAN/Hotspot users
Ether2 WAN = 192.168.2.1 / Connected with DSL router
DSL Router = 192.168.2.2

Script Starts Below.
# LAN (ether1) and WAN (ether2) addresses
/ip address
add address=172.16.0.1/24 comment=LAN disabled=no interface=ether1 network=172.16.0.0
add address=192.168.2.1/24 comment=WAN disabled=no interface=ether2 network=192.168.2.0
# Address pool handed out to hotspot clients
/ip pool
add name=hs-pool-1 ranges=172.16.0.10-172.16.0.255
# DNS: the router answers client queries and forwards them to the DSL router
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=192.168.2.2
# DHCP server on the LAN side
/ip dhcp-server
add address-pool=hs-pool-1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether1 lease-time=1h name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=172.16.0.0/24 comment="hotspot network" gateway=172.16.0.1
# Hotspot server profiles (login method, login page directory, DNS name)
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=login.aacable.net hotspot-address=172.16.0.1 html-directory=hotspot http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
# Hotspot server on ether1
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=ether1 keepalive-timeout=none name=hotspot1 profile=hsprof1
# User profiles with the 512k and 256k rate limits
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1 status-autorefresh=1m transparent-proxy=yes
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1 status-autorefresh=1m transparent-proxy=yes
/ip hotspot service-port set ftp disabled=yes ports=21
# Allow unauthenticated access to the router itself
/ip hotspot walled-garden ip add action=accept disabled=no dst-address=172.16.0.1
# Remove the address pool from the hotspot (turns off Universal NAT)
/ip hotspot set numbers=hotspot1 address-pool=none
# NAT for traffic going out to the internet
/ip firewall nat add action=masquerade chain=srcnat disabled=no
# Hotspot user accounts
/ip hotspot user
add disabled=no name=admin password=123 profile=default
add disabled=no name=zaib password=test profile="512k Limit" server=hotspot1
add disabled=no name=test-256k password=test profile="256k Limit" server=hotspot1
# Default route via the DSL router
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 scope=30 target-scope=10

After the configuration is finished, check from a client PC: the client automatically gets an address
from the hotspot DHCP server. Open a browser and the Hotspot Login page will be displayed.

Or you can customize the hotspot login page to show your logo.

HOWTO CUSTOMIZE HOTSPOT LOGIN PAGE

You can use a fancy, good looking login page. To customize the login page, open Winbox,
go to Files, where you will see various files. Look for hotspot/login.html and drag and drop this file to
the Desktop. See the attached picture.

Now open it using any HTML editor. I always prefer FRONTPAGE for editing HTML pages due to
its easy interface. Customize it according to your needs. You must have some prior knowledge of
website / HTML editing. You can insert your logo, advertisements and a lot more in this page.
After you are done, simply upload the file back to where you downloaded it from, using the drag and drop
feature. For beginners, I recommend you not to change any default variable; just add your logo and
text. After you are familiar with the structure, you can build your own fully customized
login page.

Howto Redirect User to your selected site after successful Login

If you want the user to be redirected to your advertisement web site / any other web site after a
successful login to the hotspot, then you will need to replace a variable in the hotspot/login.html
document on the mikrotik router.
You must replace $(link-orig) with the URL of the website you want them to get after login.

There are two links that you have to replace, and both look like this:
<input type="hidden" name="dst" value="$(link-orig)" />
Change them to
<input type="hidden" name="dst" value="http://aacable.wordpress.com" />
Now after a successful login, the user will automatically be redirected to yoursite.com. You can also
create your own customized page showing user details using the variables available.

Howto Allow URL for some destinations for non authenticated Users

Sometimes it is required to allow access to some destinations / URLs for non authenticated users.
For example, if you have a web / radius server and you want users to be able to access it without logging in
to the hotspot, then you can add its IP address to the walled garden.
/ip hotspot walled-garden add dst-host=www.website.com
/ip hotspot walled-garden ip add dst-address=192.168.2.2 action=accept
OR
/ip firewall nat add chain=pre-hotspot dst-address=192.168.2.2 action=accept

HOTSPOT users can't communicate with each other on LAN or PROXY-ARP issue

If you face a hotspot broadcast issue / arp-poisoning problem, remove the address pool from the
Hotspot to turn off Universal NAT:
/ip hotspot set number address-pool=none
OR
/ip hotspot set numbers=hotspot1 address-pool=none
OR

Howto Bypass authentication for Few Clients

This bypasses the hotspot by MAC address.
/ip hotspot ip-binding add mac-address=xx:xx:xx:xx:xx:xx type=bypassed
(Change xx:xx:xx:xx:xx:xx to your user's MAC address. You can also use the IP address to
bypass.)
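
A small audit of the settings used in the setup script, the walled-garden rules and the ip-binding bypass above, added here as an example and not part of the original guide: it reads RouterOS commands in the style shown on this page and lists the entries that let traffic through without a login or behind a short password. The sample input is constructed, and the names parse, audit and the 12-character MIN_PASSWORD_LEN threshold are assumptions of this example.

```python
import shlex

# Constructed sample: lines in the style of the page's script and later sections.
SAMPLE_EXPORT = """\
/ip hotspot user
add disabled=no name=admin password=123 profile=default
add disabled=no name=zaib password=test profile="512k Limit" server=hotspot1
/ip firewall nat add action=masquerade chain=srcnat disabled=no
/ip firewall nat add chain=pre-hotspot dst-address=192.168.2.2 action=accept
/ip hotspot walled-garden ip add action=accept disabled=no dst-address=172.16.0.1
/ip hotspot ip-binding add mac-address=00:11:22:33:44:55 type=bypassed
"""
MIN_PASSWORD_LEN = 12  # assumed local policy, not a RouterOS setting


def parse(export):
    """Yield (menu, verb, params) per add/set command; a bare menu line sets context."""
    menu = ""
    for line in export.splitlines():
        words = shlex.split(line)  # keeps quoted values such as "512k Limit" whole
        if words and words[0].startswith("/"):
            cut = next((i for i, w in enumerate(words) if w in ("add", "set")), len(words))
            menu, words = " ".join(words[:cut]), words[cut:]
        if words:
            verb = words.pop(0)
            yield menu, verb, dict(w.split("=", 1) for w in words if "=" in w)


def audit(export):
    """Return (menu, finding) pairs for entries that weaken or skip the login gate."""
    out = []
    for menu, verb, p in parse(export):
        if verb != "add":
            continue
        nat = menu == "/ip firewall nat"
        if menu == "/ip hotspot user" and len(p.get("password", "")) < MIN_PASSWORD_LEN:
            out.append((menu, f"user {p.get('name')}: password under {MIN_PASSWORD_LEN} chars"))
        elif nat and p.get("action") == "masquerade" and "out-interface" not in p:
            out.append((menu, "masquerade has no out-interface, so it matches all traffic"))
        elif menu == "/ip hotspot ip-binding" and p.get("type") == "bypassed":
            out.append((menu, f"{p.get('mac-address') or p.get('address')} skips login"))
        elif menu.startswith("/ip hotspot walled-garden") or nat and p.get("chain") == "pre-hotspot":
            dst = p.get("dst-host") or p.get("dst-address")
            out.append((menu, f"reachable without login: {dst}"))
    return out


if __name__ == "__main__":
    print(*(f"{m}: {f}" for m, f in audit(SAMPLE_EXPORT)), sep="\n")
```

Replace SAMPLE_EXPORT with the text of your own configuration; only one-line add and set commands are understood.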

HOTSPOT FLAGS
S static. If you have the lease set as a static DHCP lease (assigns the same IP every time the device
requests one) it shows as static. That is in /ip dhcp-server lease using make-static.
H DHCP
D Dynamic
A If someone connects to the hotspot, they show up in the Hosts tab but are not yet authorized.
Once they log in, they show up in the Active tab and are now authorized.
P bypassed. Go to IP > Hotspot > IP Bindings and add a new item. One of the type
options is bypassed, which simply means they don't have to log in. From the wiki: bypassed
performs the translation, but excludes client from login to the HotSpot
============
Some more flags for ROUTE
X Disabled, not active
A Active, in use
C Connected, a directly connected host route
S Static, added manually
R RIP route, received from the routing information protocol
B BGP, received from the border gateway protocol
O Received from the open shortest path first protocol
M Received from the mesh made easy protocol
B Blackhole route, packets are silently discarded
U Unreachable, discards the packet and sends an ICMP unreachable message
P Prohibit, discards the packet and sends an ICMP communication administratively prohibited
message
