University of Babylon, IT College Information Network Dep., Third Class, Second Semester MTCNA Course MikroTik Certified Network Associate 2014-2015 By M.Sc. I.T Alaa A. Mahdi

  • HotSpot

    HotSpot is a way to authorize users to access some network resources, but does not provide traffic encryption.

    To log in, users may use almost any web browser (either HTTP or HTTPS protocol), so they are not required to install additional software.

    The gateway accounts for the uptime and amount of traffic each client has used, and can also send this information to a RADIUS server.

    The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters.

  • • The HotSpot system is targeted to provide authentication within a local network (for the local network users to access the Internet). It is possible to allow users to access some web pages without authentication using the Walled Garden feature.

  • • The MikroTik HotSpot Gateway provides authentication for clients before access to public networks.

  • HotSpot Gateway features:

    • Different authentication methods of clients using local client database on the router, or remote RADIUS server;

    • Users accounting in local database on the router, or on remote RADIUS server;

    • Walled-garden system, access to some web pages without authorization;

    • Login page modification, where you can put information about the company;

    • Automatic and transparent change of any IP address of a client to a valid address;

  • HotSpot Setup

    • The simplest way to set up a HotSpot server on a router is the /ip hotspot setup command. The router will ask for the parameters required to successfully set up HotSpot. When finished, a default configuration will be added for the HotSpot server.

  • Interface name

    • Interface name on which to run HotSpot.

    • To run HotSpot on a bridge interface, make sure public interfaces are not included in the bridge ports.

  • local address of network

    • local address of network (IP) which is HotSpot gateway address

  • IP address to redirect SMTP (e-mails) to your SMTP server

  • dns servers

    • dns servers (IP) DNS server addresses used for HotSpot clients, configuration taken from /ip dns menu of the HotSpot gateway

  • name of local hotspot user

    • name of local hotspot user (string; Default: "admin") username of one automatically created HotSpot user, added to /ip hotspot user

  • HotSpot default setup creates additional configuration:

    1- DHCP-Server on HotSpot Interface.
    2- Pool for HotSpot Clients.
    3- Dynamic Firewall rules (Filter and NAT).

  • ip hotspot active

    • HotSpot active menu shows all clients authenticated in HotSpot.

    Menu is informational, it is not possible to change anything here.

  • ip hotspot host

    • Host table lists all computers connected to the HotSpot server. Host table is informational and it is not possible to change any value there.

  • Users

    • This is the menu where client's user/password information is actually added; additional configuration options for HotSpot users are configured here as well.

  • User Profile

    • User profile menu is used for common HotSpot client settings. Profiles are like User groups with the same set of settings, rate-limit, filter chain name, etc.

  • rate-limit

    Simple dynamic queue is created for user, once it logs in to the HotSpot. Rate-limitation is configured in the following form: [rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]].

    512k/512k 1m/1m 256k/256k 28/28

    For example, to set 1M download, 512k upload for the client, rate-limit=512k/1M
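
    The rate-limit string is easy to misread because rx/tx are stated from the router's side. The following is an added example, not part of the original slides, that decodes a rate-limit value into client upload/download figures for reviewing user profiles; the function names are hypothetical and the k/M/G suffixes are assumed to be decimal multipliers.

```python
import re

# Field order from the rate-limit format above. Every field except priority
# is an rx[/tx] pair.
FIELDS = ("rate", "burst-rate", "burst-threshold", "burst-time", "priority", "rate-min")
# Assumption: k/M/G suffixes are decimal multipliers.
UNITS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def to_number(token):
    """'512k' -> 512000, '1M' -> 1000000, '28' -> 28."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if m is None:
        raise ValueError(f"unrecognised value {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_rate_limit(spec):
    """Decode a rate-limit string into per-field client upload/download values.

    rx/tx are seen from the router, so rx is what the client uploads and tx
    is what the client downloads (matching the 512k/1M example above).
    """
    tokens = spec.split()
    if not 1 <= len(tokens) <= len(FIELDS):
        raise ValueError("expected between 1 and 6 space-separated fields")
    decoded = {}
    for name, token in zip(FIELDS, tokens):
        if name == "priority":
            decoded[name] = int(token)
            continue
        rx, _, tx = token.partition("/")
        tx = tx or rx  # an omitted tx value takes the rx value
        decoded[name] = {"client_upload": to_number(rx), "client_download": to_number(tx)}
    return decoded


def describe(spec):
    """One readable line per field, for reviewing a user profile."""
    lines = []
    for name, value in parse_rate_limit(spec).items():
        if isinstance(value, dict):
            value = f"up {value['client_upload']} / down {value['client_download']}"
        lines.append(f"{name}: {value}")
    return lines
```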

  • shared-users (integer; Default: 1)

    Allowed number of simultaneously logged in users with the same HotSpot username.

  • IP Bindings

    • IP-Binding HotSpot menu allows to:

    • Set up static One-to-One NAT translations,

    • Bypass specific HotSpot clients without any authentication, and also

    • Block specific hosts and subnets from HotSpot network

  • • address (IP Range; Default: "") The original IP address of the client

    • mac-address (MAC; Default: "") MAC address of the client

    • server (string | all; Default: "all") Name of the HotSpot server. all - will be applied to all hotspot servers

    • to-address (IP; Default: "") New IP address of the client, translation occurs on the router (client does not know anything about the translation)

    • type (blocked | bypassed | regular; Default: "")

  • Type of the IP-binding action

    • regular - performs One-to-One NAT according to the rule, translates address to to-address

    • bypassed - performs the translation, but excludes client from login to the HotSpot

    • blocked - translation is not performed and packets from host are dropped
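
    Because a bypassed binding exempts a client from the HotSpot login, it is worth listing those entries when reviewing a gateway. The following is an added example, not part of the original slides: it reads an exported ip-binding section and reports every bypassed entry, noting when the entry matches on IP alone and how many addresses it covers. The sample export and function names are constructed for illustration, and an entry without type= is assumed to be regular.

```python
import ipaddress
import re
import shlex

# Constructed sample export (not from the page); addresses are placeholders.
SAMPLE_EXPORT = """\
/ip hotspot ip-binding
add address=10.5.50.10 to-address=192.0.2.10
add mac-address=AA:BB:CC:DD:EE:01 type=bypassed comment="lobby printer"
add address=10.5.50.0/24 type=bypassed
add address=10.5.50.66 type=blocked
/ip hotspot user
add name=admin
"""


def parse_bindings(export):
    """Yield one dict per 'add' line in the /ip hotspot ip-binding section."""
    section = None
    # Exports wrap long lines with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip hotspot ip-binding" and line.startswith("add "):
            yield dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)


def address_count(spec):
    """Number of addresses covered by a single IP, a CIDR block or an a-b range."""
    if "-" in spec:
        first, last = (int(ipaddress.ip_address(p)) for p in spec.split("-", 1))
        return last - first + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses


def audit_bypasses(export):
    """List every binding that lets a client skip the HotSpot login."""
    findings = []
    for b in parse_bindings(export):
        # Assumption: an entry exported without type= is a regular binding.
        if b.get("type", "regular") != "bypassed":
            continue
        who = b.get("mac-address") or b.get("address", "any")
        note = "no login required"
        if "address" in b and "mac-address" not in b:
            note += f"; matched by IP only, covers {address_count(b['address'])} address(es)"
        findings.append((who, note))
    return findings
```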

  • Walled Garden

    • You may wish not to require authorization for some services (for example to let clients access the web server of your company without registration), or even to require authorization only to a number of services (for example, for users to be allowed to access an internal file server or another restricted area). This can be done by setting up Walled Garden system.

  • action

    • Action to perform, when packet matches the rule

    • allow - allow access to the web-page without authorization

    • deny - the authorization is required to access the web-page

  • • server (string; Default: ) Name of the HotSpot server, rule is applied to.

    • src-address (IP) Source address of the user, usually IP address of the HotSpot client

    • method (string; Default: ) HTTP method of the request

    • dst-host (string; Default: ) Domain name of the destination web-server

    • dst-port (integer; Default: ) TCP port number, client sends request to

    • path (string; Default: ) The path of the request, path comes after http://dst_host/

  • IP Walled Garden

    • Walled-garden menu for the IP requests (Winbox, SSH, Telnet, etc.)

  • • action (allow | deny | reject; Default: allow) Action to perform, when packet matches the rule

    • allow - allow access to the web-page without authorization

    • deny - the authorization is required to access the web-page

    • reject - the authorization is required to access the resource, ICMP reject message will be sent to client, when packet will match the rule

    • server (string; Default: ) Name of the HotSpot server, rule is applied to.

    • src-address (IP; Default: ) Source address of the user, usually IP address of the HotSpot client

  • • dst-address (IP; Default: ) Destination IP address, IP address of the WEB-server. Ignored if dst-host is already specified.

    • dst-host (string; Default: ) Domain name of the destination web-server. When this parameter is specified dynamic entry is added to Walled Garden

    • dst-port (integer; Default: ) TCP port number, client sends request to

    • protocol (integer | string; Default: ) IP protocol

  • Important Links

    • http://wiki.mikrotik.com/wiki/How_to_make_transparent_web_proxy

    • http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction

    • http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/User