Setting up a basic MikroTik hotspot

c0d4r

找个地方，用来备忘，呵呵

Setting up a basic MikroTik hotspot

Mikrotik routeros includes an excellent hotspot solution. Read on for details on getting a basic hotspot going using RouterOS on any standard x86 PC hardware or a RouterBOARD.

The Routeros hotspot solution is very powerful and only the very basics of the solution are covered here; just enough to get you started.

Introduction
This article assumes you want to set up a basic hotspot as shown in the diagram below. If you have a DNS server integrated into your router the same rule applies, just use the router IP for your DNS server as well.



To help get you started MikroTik now include a combined radius server and simple web administration package for RouteROS called the User Manager. This provides a much simpler means of user administration then the command line or Winbox. The User Manager package is included standard with all versions of RouterOS from about 2.9.35 onwards.

Advanced users might wish to provide their own RADIUS server, however this is outside the scope of this article.

Getting the Hotspot to Work
First of all you will need to have a copy of RouterOS. You can purchase a license or download a 24-hour trial from Mikrotik. RouterBOARDs also usually come with RouterOS pre-licensed and installed. You will also need a computer with at least a 100MHz CPU, 32MB RAM and an IDE hard disk, or a RouterBOARD. Either method you choose will need a compatible wireless card and Ethernet adapter, or two Ethernet adapters with one connected to a standard wireless access point. You should check your hardware against the RouterOS compatibility list.

If you are installing RouterOS for the first time, download the ISO image from Mikrotik and burn it to CD. Note that installation of RouterOS will completely wipe the contents of the hard disk! Boot the PC off this CD and install the following packages:

System
DHCP
Wireless
Hotspot
Proxy
User Manager (optional)
Security (optional - recommended)
Advanced tools (optional)
Now to get started. Log onto the PC as admin with no password. If this box intended for deployment, change set a password by typing in password at the prompt. Change the hostname by typing in name.

Assign an IP address to each interface. As this is going to be set up as a router, they will need to be on a different subnet. Substitute wlan1 with ether2 if you have a separate access point.

[admin@Mikrotik] > ip address add address=192.168.24.3/24 interface=ether1
[admin@Mikrotik] > ip address add address=192.168.30.1/24 interface=wlan1
Now we need to add a default route to the IP of the internet router.

[admin@MikroTik] > ip route add gateway 192.168.24.1
Enable the wireless interface and set it to run as an access point as below. If you have an access point instead, ignore the command below, make sure it is running with no security enabled, use a suitable SSID and channel and change its admin password.

[admin@Mikrotik]> interface wireless set wlan1 ssid="My HotSpot" band=2.4ghz-b mode=ap-bridge
Run the hotspot setup as below. Substitute the values in italics to suit your network. The user account bears no relation to the admin account and is used for the hotspot service only. You may also need to add a host record to your DNS server for the hostname of the hotspot box. Make sure the address pool does not conflict with any devices using static IPs, such as access points.

[admin@MikroTik] > ip hotspot setup
hotspot interface: wlan1
local address of network: 192.168.30.1/24
masquerade network: yes
address pool of network: 192.168.30.2-192.168.30.99
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 192.168.24.2
dns name: hotspot.mydomain.net (or leave this blank)
name of local hotspot user: user
password for the user: password
That’s the guts of it there. Fire up your laptop, associate to the network and try to access a web page. You should be redirected to the hotspot login page instead where you can enter the user credentials you set up earlier. Click the thumbnails for a full view of the default page.



You should now be able to access the web normally and a pop-up window will display your connection time and data usage as you go.



Bear in mind I have left out the certificate so usernames and passwords will be sent as plain text. If you intend on deploying the hotspot, you should install a certificate on it and set up SSL to protect account data from being sniffed.

Setting up User Manager
The User Manager is a nice and simple web administration for setting up user account for the MikroTik hotspot and other services. It can be hosted on either the same box as the hotspot or located in a separate box on the same local network. One User Manager package can control multiple hotspots.

Before getting the User Manager set up, check for any existing hotspot account and remove them. To do this, run the following command:

[admin@MikroTik] > ip hotspot user print
Flags: X - disabled, D - dynamic
# SERVER NAME ADDRESS PROFILE UPTIME
0 fred default 0s
If any items are listed (in this case bob), run the following command to remove them:

[admin@MikroTik] > ip hotspot user remove 0

You can delete multiple items at the same time, simply separate each item number with a comma.

To get the User Manager working we first need to add a customer login. This is used to access the UM web administration. Make sure you substitute the values in italics to suit.

[admin@MikroTik] > tool user-manager customer add login=hs_admin password=password


Now we need to add the hotspot as a RADIUS client to the user manager. This is done under the user manager router section. The shared secret can be any string of text and should be reasonably long and complex. If you are setting the user manager up on the same box as the hotspot, use 127.0.0.1 for the IP address.

[admin@MikroTik] > tool user-manager router add ip-address=hotspot-ip shared-secret=12345

subscriber=hs_admin

In return, we need to set up the hotspot to use RADIUS for user authentication. First this involves creating a RADIUS client to communicate with the UM. Remember that if you have both services on the same box, the IP address should be set to 127.0.0.1. The secret should be the same as you set up above.

[admin@MikroTik] > radius add service=hotspot address=ip-address secret=12345

Now we tell the hotspot itself to use a RADIUS client. First bring up a list of hotspot profiles:

admin@MikroTik] > ip hotspot profile print

Locate the profile in use and type the following command where 1 is the number of the profile to configure:

[admin@MikroTik] > ip hotspot profile set 1 use-radius=yes

Now we are done with configuration. Browse to http://router-ip/userman where router-ip is the IP address of the box you are configuring UM on. Login using the customer username and password created earlier.

Click on the User menu and select Add. Enter in a username, password and any other details you wish. You can limit the speed the client can access the internet by selecting the Rate limits checkbox and typing in a suitable speed (e.g. for a flat 128kBps download/64kBps upload speed limit simply type in 128k in the RX field and 64k in the TX field).

Click Add and you should be able to now access the hotspot using the username and password you specified. If you want to generate a printable ticket for the users you set up, click on the Users link, select the users to make a ticket for, click Generate and select the number of tickets per page.

Other Tips
You can also go a step further and play with some other available options, as this only skims the surface of the hotspot capabilities. I’ll post more notes as I play with additional options.

To disable communication between wireless clients (recommended), disable the default forward option on the wireless interface.
interface wireless set wlan1 default-forward=disabled
To set up a walled garden (pages people can access without authenticating), use the following command:
ip hotspot walled-garden add dst-host=www.website.com

To limit client bandwidth type the following, replacing profilename with the current hotspot profile in use and speed with the rate limit in bits per second:
ip hotspot profile set profilename rate-limit=”speed“
You can customise the login and status pages by editing the files in the hotspot directory of the Mikrotik box. You can access these via FTP.

c0d4r

Mikrotik version 2.8beta10 used as a wireless Hotspot server/authenticator
A detailed setup guide by Joe Mehaffey(c)
rel  10/10/03-rev v



What we are trying to do:
The Mikrotik Router OS system is software designed to run on an "IBM type" Personal Computer. It has many capabilities including operating as a Wireless HotSpot controller, router, firewall, PPPoE controller,  among many other capabilities.  This router basically can be used to operate a small ISP.  In our example,  we are setting up a three port system which is designed to have one port going to the internet, a second to provide HotSpot services via an external access point and a third port to serve the user's local LAN.  Separation and firewall protection is provided to prevent intrusion from the internet and from the HotSpot port into the user's local LAN.  Be sure to verify the firewall protection for yourself.  Advantages/Limitations of the Mikrotik Hotspot System as seen by the author can be viewed HERE.

The basic features that I need in this Home Hotspot installation are:

Provide isolation of computers on my home LAN  from internet traffic and users on the WIRELESS HotSpot Access Point.  This needed to be done without the use of encription on the wireless link so "anyone" could easily log in without first getting permission.
Allow my normal household internet traffic to/from the internet to use the same connection as traffic from my wireless HotSpot
Allow traffic on the Internet to access my mail server and any other servers on my Home LAN.
Provide "Casual" users of the Home HotSpot to "log in" and access their WebMail and normal Internet while limiting their bandwidth usage.
Allow "Trusted" users of the Home Hotspot to "log in" to access whatever ports and services may be allowed for them on an individual basis.
Allow "Me" to access anything I want to over the Wireless Hotspot connection to the local LAN or to the Internet.

Provide the capability to have a direct PPPoE connection to a DSL/Cable modem or alternatively a direct connection to a router LAN port.

I have concluded that the Mikrotik system provides all these features and many more.  The basic configuration topology I wanted to develop is  the three ethernet port shown below.

                       LAN access OR            ether1        ether2         HotSpot RF Equipment        |Remote
Internet <..> Cable/DSL modem <..> MikroTik  Router <...>Wireless Access Point<~~> |Wireless
                       (ports 192.168.168.x)                ether3                (Ports 10.5.50.x)                   |Computers
                       (in example below)                          |                    (in example below)         
                                                                                |               
                                                                          LOCAL
                                                                             LAN
                                                                           USERS
                                                                    (ports 192.168.2.x)
                                                                    (in example below)
The basic configuration:

The following definitions and configuration conditions apply to the Mikrotik Hotspot/Router OS installation described below.
1) The "public" (Internet) connection for the router (Router IP address = 192.168.168.28) is via an external (to the Mikrotik unit) hardware router with gateway IP address 192.168.168.1. This gateway is accessed via the "ether1" port on the Mikrotik unit.
2) The "Hotspot IP address pool" is used for contact with an external HotSpot client. The "universal client" allows for a user with "any" fixed IP address to make initial contact for user LOGIN. When the user then puts in "any" URL (e.g., http://www.yahoo.com) the DHCP server initially assigns an address from this pool (or uses the IP address already existing on a client) to clients and this connection is used to bring up the initial login screen. In the following example, this "hotspot IP address pool range" is 10.5.50.1 through 10.5.50.199. This service uses the ether2 hardware port on the Mikrotik unit. This IP pool is used by all hotspot clients for access.
3) The simple router configuration provides NO protection for OTHER devices which may be connected on the 192.168.168.X/24 (ether1) LAN from being accessed (perhaps maliciously) from the ether2 (hotspot) port. Suitable routing filters can be installed if this is a problem. See Mikrotik manual.
4) Before starting the entry of the following command sequence: a) connect the ether1 port to a LAN which has internet services available on a gateway address (192.168.168.1 in the example). b) connect a suitable Wireless Access Point (Dlink DWL-900AP+ or the 200mw Senao AP used by author) to the ether2 NIC port. Configure this AP with a suitable SSID, note it's MAC address for future reference, set the unit to Access Point Mode, set the AP unit to be a DHCP Client. c) Perform ALL the following commands from the Mikrotik Command Line Interface unless noted otherwise.  I find the Winbox interface to be very useful for checking configurations and making changes after the system is initially setup.  However,  I had problems when I tried to input the initial setup in via the WinBox Interface. d) AS SOON AS the basic system works (and at intervals during initial setup if you wish), make a backup file of the operational system. "Simple" changes can screw up the programming and in many cases you will not immediately see how to recover. The availability of a backup file will prevent your having to type everything in again by hand. e) Before you begin, make any IP address modifications to a printout of the following sequence and then follow that modified instruction list precisely.
5) The ether3 port will be used for a LOCAL LAN port.  Web-Proxy filters will be used to isolate the local LAN on 192.168.2.X/24 from the HotSpot ether2 port on 10.5.50.X/24 and from the internet on ether1.  Note:  If you are going to use a third ether3 port, be sure and install all three (or more as needed) NIC cards before you begin programming. The computer will not be confused, but the programmer might be if the LAN port numbers move around in the computer chassis as a result of installing a new NIC (LAN card) after programming has begun.
6) The computer for your router can be "most any" Pentium PC if you are just serving the three ethernet ports.  The three NIC cards can be most any late model 10/100 card.  The supported list is in the Mikrotik manual.   64megs of RAM are needed and at least a 100meg hard drive or a 64meg Flash Drive will work fine.  A floppy will be necessary for initially loading the system if you use a hard drive.  A CDROM drive is optional and really not required.  No floppy or CDROM is necessary if the Mikrotik FLASH DRIVE (with Hotspot and system software)option for US$125 from  http://www.fament.com is used as the system is supplied ready loaded with the latest Mikrotik software.   Mikrotik provides several initial install modes.  I used the "make up 9 floppies and boot them in in sequence to get the system loaded" option when loading a hard drive.  See Mikrotik manual for more detailed install instructions.

Generally:
The ether1 interface is connected to 192.168.168.X/24 network (public network). Connection to the internet is provided through the gateway of the local LAN router at 192.168.168.1.

Then on ether2 interface we create a 10.5.50.1/24 network port with universal client, transparent proxy and other features. The SMTP server has to be setup as well as the dns server.  We'll use the  LAN gateway address 192.168.168.1 since our external "public" router connected to the internet  provides DNS service and internet connectivity on this address. (Note: If your router allows it, you can use your ISP's DNS server IP address(es). If not, you may HAVE to use your local router's DNS services as the author did.)

Then on ether3 interface, we create a 192.168.2.1/24 network port for connection to your local (or household) LAN.  Web-Proxy filters will then be used to isolate ether2 from ether3 and ether1 from access to either ether2 or ether3 for protection from hacking.
  
In the programming guide below: a) instructions and comments are in BLACK.   b) What the computer prints on the monitor screen are in GREEN.   c) What you type into the keyboard in response is in RED.

Step by Step Programming Procedure:  

The following procedure assumes that you have already installed the BASIC MIKROTIK ROUTER OPERATING SYSTEM.  If you need to do this basic install, proceed FIRST to http://www.gpsinformation.org/ho ... krotikfloppies.html  to do the basic router software installation BEFORE continuing on the procedure on this page.  DEMO LICENSE USERS NOTE CAREFULLY!>  Demo Licensed Mikrotik software MUST be version 2.8beta5 or later and you must answer NO to the universal client and web-proxy questions in the Hotspot setup or your installation will fail.

At the beginning of this setup process, the 'system reset' command at the Mikrotik command line is used to initialize the Mikrotik router.  The <enter> key is pressed after each RED command is entered.  Proceed exactly as follows.  Note: ALL spaces and punctuation marks are ESSENTIAL when inputing commands in RED below.  If a command (such as /ip) has a slash in front, be sure to put it in. [Brackets] are NOT the same as (parenthesis).  You must be VERY careful when inputing the commands.  You can make a simple typographical error and the system may accept it and then your system may not work at all.

A few "getting around" commands for the Command Line Interface are: 1) commands are always followed by pressing ENTER.  2) / forward slash gets you back to the root directory.  3) hold shift then  ?  key gives you the command list for the command folder you are in. 4) .. takes you back one directory.  5) entering < /ip address> from "any command directory" takes you to the ip address directory.  6) the default system user ID is admin with a blank (just hit enter) password. 7) To save your work at any time, enter  /system backup save name=<yourfilename> (without the <>) at the command prompt.  8) To go from one directory to another on the tree branch, just enter the name.  For instance, if you are at >ip and want to go to the system directory, just enter <system>, then ENTER.

Programming the basic two port Hotspot system

The default user ID for the Mikrotik Router is <admin> and the password is blank (just press ENTER).   As SOON as you do the system reset and login, you will change your password.   When the router initially boots up, you will see:

Mikrotik 2.8beta10   (You might have a later version and that is OK.   Note that Mikrotik version 2.7.3 thru 2.7.10 and 2.9beta1 thru 2.8beta4 cannot be used to generate a working Hotspot using the free DEMOnstration license key.  They work fine with the paid license key.  However 2.8beta5 and later produce a working Hotspot with the DEMO license key using the proceedure below.)
                              (You type in what is in RED and then press ENTER.)
1) Mikrotik Login: admin  (BE SURE to use lower case letters.  It does matter.)
2) Password:            (The default password is <blank> so just press ENTER.)
You will see Mikrotik's text logo and then:   After you are logged in to the router from the command terminal, you will get the [admin@MikroTik]  prompt as below.  Then enter what is in RED and press ENTER.  
3) [admin@MikroTik] > system reset  
4) Dangerous! Reset anyway? (y/N):  y
The system reset command will clear out any old configuration data and reboot.  After reboot, login again as before and start entering the commands as follows when you have logged in successfully.
5) [admin@MikroTik] > password  (This will let you change your password to something besides <blank>.
6) old password:                   (Since your old password was <blank> just press ENTER.)
7) new password: mynewpassword  (Select YOUR choice of password to enter here and write it down.)
8) retype new password: mynewpassword  (Asks second time just to be sure.)
Then:
9)   [admin@MikroTik] > interface
10) [admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
#     NAME   TYPE  MTU<!--[if !supportLineBreakNewLine]--><!--[endif]-->
0 X ether1    ether   1500<!--[if !supportLineBreakNewLine]--><!--[endif]-->
1 X ether2    ether   1500
<!--[if !supportLineBreakNewLine]--><!--[endif]-->2 X ether3    ether   1500
There are three NICs installed in the system and initially all three are disabled (X).
11) [admin@MikroTik] interface> set 0,1 disabled=no (This enables both of the ethernet ports ether1, ether2, and leaves ether3 off for now.)
<!--[endif]-->12) [admin@MikroTik] interface> /ip
(Note: The address 192.168.168.28 (below) represents the PUBLIC INTERNET side IP address of the Mikrotik Router. Change to your own suitable address as may be required.)
(All commands must be all in one continuous string (no carriage returns) when input and followed at the end by a carriage return.  Be careful to look for parts of commands on second and even third lines in the listings below.  The /24 after the IP address is equivalent to stating that the mask is 255.255.255.0)

Note: In this option (starting with step #13),  we are going to use DHCP for automatic configuration of the ether1 NIC IP address, for the Gateway IP address, and for DNS Server resolution.  If you would prefer to use FIXED IP addresses for these,  use the alternative procedure HERE.  To use the Mikrotik's  DHCP CLIENT for IP resolution on ether1 NIC port, proceed as directed below.  Make sure your ether1 NIC port is connected to a router with DHCP SERVICES and then proceed to step #13

13) [admin@MikroTik] interface> /ip dhcp-client
14) [admin@MikroTik] ip dhcp-client> set enabled=yes interface=ether1
Now to check the dhcp setup we just did:
15) [admin@MikroTik] ip dhcp-client> print
                                          enabled:  yes
                                        interface:  ether1
                                      host-name:  **
                                          client-id:  **
                           add-default-route:  yes
                                use-peer-DNS:  yes
To show the dhcp leases that should have been obtained assuming your ether1 port is connected to a router with DHCP Services:
16) [admin@MikroTik] ip dhcp-client> lease print
                             address: 128.1.1.120/24
                             expires:  sept/25/2003 09:43:00
                             gateway: 128.1.1.1
                       primary-dns:  207.69.188.186  (yours will likely be different)
                   secondary-dns:  192.195.1.2  (if your DHCP server provides a second DNS server.  Yours will differ.)
[admin@MikroTik] ip dhcp-client> /ip
17) [admin@MikroTik] ip> /ip hot (This abbreviation moves you to folder "hotspot".  The first 2 or 3 letters of commands will usually work.)

(Now we run the Mikrotik Hotspot Setup Wizard.)
18) [admin@MikroTik] ip hotspot> setup
Select interface on which to run HotSpot
19) hotspot interface: ether2 (You enter the <ether2> which is the port used by the external access point for HotSpot Access.)

Enable universal client configuration? (Note: This feature permits a roaming hotspot client (user) to have ANY IP ADDRESS and GATEWAY ADDRESS set into his computer networking setup and still operate the Hotspot.  This feature is NOT AVAILABLE to demo hotspot licenses.)
NOTE!  For the FREE DEMO LICENSE, you MUST answer NO to this question.
20) enable universal client: yes  (paid license users MAY erase the default <no> and enter yes.  Note: The Universal Client feature allows a user with "any" IP address to access into the HotSpot without changing his fixed IP address setup by only selecting your SSID.   If you enable the Universal Client,  you WILL NOT be able to use the DWL-900AP+ in REPEATER mode.  The IP "mangle" that Universal Client uses to allow a user with "any" IP address to login to the HotSpot confuses simple repeaters such as the DWL-900AP+.   

Now we setup the HotSpot address for the Access Point interface on ether2.  This is your selected hotspot gateway IP address for your Hotspot Access Point. It must be in the range of your Hotspot Pool selected below.
21) Local address of hotspot network gateway: 10.5.50.1/24 (Just press ENTER if the default is OK, otherwise enter your own gateway IP address for your HOTSPOT system.  Don’t change this unless you understand what you are doing.)

22) masquerade hotspot network: yes

Now we set up the pool for HotSpot IP addresses. This is your assigned range for DHCP generated Hotspot IP addresses. 10.5.50.1 is reserved for the hotspot gateway IP address.
23) Address pool of hotspot network will be: 10.5.50.2-10.5.50.254  (If you want to put some fixed IP addresses inside this DHCP pool range, they will operate just fine.  (Note:  If you are tempted to set the upper bound to some other number such as 200 to allow space for FIXED IP addresses for some devices, this is NOT a good idea   This is because if  later you use Universal Client mode,  then for the fixed IP addresses outside the HotSpot's DHCP range,  the UC will double assign a second IP address to the "out of range" MAC addresses  and this can cause strange results such as timeout timers not working properly.   Note also: Due to a bug in the hotspot setup wizard in current Mikrotik software,  you cannot have a range of 10.5.50.50-10.5.50.254 and leave the range 2 through 49 open.  If you fail to follow  this guidance, you will find that multiple users cannot reliably login to the hotspot.  Just use the default and be happy! )

Now setup so the router can access your SMTP server. Select SMTP server IP address of your mail server's SMTP server 207.69.188.15 (You have to put in YOUR SMTP server's IP address for outbound email. This can be your ISP's SMTP server or a local server.  If you do not have an SMTP server, enter some unused IP address in the IP range used by ether1.  (DEMO users will not get this option.)
24) ip address of smtp server: 207.69.188.15

Use local DNS cache?
25) use local dns cache: yes  (You get to pick if you want the HotSpot to use the dns cache or go outside to your external DNS server  for each DNS request.)

Now we setup the DNS configuration. Enter YOUR router gateway IP or your ISP's recommended DNS server IP address here. It may be that only your router gateway IP will work here if your router provides DNS services. Using your ISP's DNS server will usually be faster if your router permits this or if you plan to use PPPoE on ether1 connected directly to a DSL or Cable modem.
Setup DNS Configuration
26) dns servers: 192.168.168.1  Should be the same as your other DNS server entries.  

Now we create the first local hotspot user.  It is easy to create additional hotspot users using WinBox at a later time.  Using WinBox, you can set up a <guest> profile which allows multiple logons without password and other profiles (such as the default) that allow only one login per name.  In addition, this same profile can set the Tx and Rx baud rates allowed for each separate user profile.  Each user ID can be set up with the same or different password or no password at all.

27) Name of local hotspot user: admin (This is the hotspot administrator's user ID.  You can change if you wish. WRITE THIS AND THE PASSWORD DOWN! This is NOT the same as the Mikrotik Router's User ID and PASSWORD.)
28) password for the user: admin (This is administrator's password. Change as you see fit.)
Note: Setting up additional users is easy to do using WinBox. There is no provision for HotSpot users to self-register their own user names and passwords for "free hotspot" use.  In fact, there is no real need on a “free hotspot".  However, you can, for instance, set up "guest" as a user name with no password and set up a “guests” profile in WinBox USER PROFILES.  Then add  a note on the html login screen that "GUEST users may login as <guest> with no password for low speed internet access" or similar if you wish to offer universal low speed access to transient guests as well as offering "known users" high speed access. This change of speed requires additional  entries for guest baud rates  in the hotspot user profiles.  I suggest having multiple entries in the user table  for “guest” including guest, GUEST, Guest, and <guest> to try to cover all combinations a user is likely to enter in the login window.   See Mikrotik HotSpot manual for more information on how to setup the WinBox software and enter additional users and passwords.

Select another port for (www) service.
port 80 is (normally) used by www service, select some other port for this service.
29) another port for service: 8081
Normally port 80 is used for (www) service.  But on the Hotspot ether2 port, port 80 is used by the Hotspot Services and login html page.  This means that if you wish to be able to access the winbox, then you will have to use port 8081 to access the router from the WINBOX interface. The Hotspot system demands use of port 80.  
Use transparent web proxy for hotspot clients?   
A "web proxy" is a cache used to store webpages,  images, etc so that repeated accesses to such items do not have to go all the way to the destination sever when users go to the same webpage (such as http://www.yahoo.com) repeatedly over a short time.  Such proxy servers typically have a short lifetime to avoid furnishing "stale" data to users.
NOTE!  For the FREE DEMO LICENSE, this feature is NOT AVAILABLE and  you MUST answer NO to this question.
30) use transparent web proxy: yes  (Answer "yes" for paid license users.)

Now, let's see if we are communicating with the external Access Point and user. Note that unless you actually have a computer or access point connected to and powered up and linked  to the ether2 port this entire printout (Flags:X .....) will be BLANK.  If you wait to plug in your computer or access point until AFTER you execute this command and then execute it again (up arrow brings up prior command(s)), it can be 30+ seconds after you plug in the cable before you get the printout.  Make SURE you have a "connected" light on both ends of your ether2 to computer/AP cable.  The actual IP addresses may differ.
31) [admin@MikroTik] ip hotspot> universal client print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
#      MAC-ADDRESS    ADDRESS   TO-ADDRESS    INTERFACE     IDLE-TIME
0 D 00:05:5D:5F:4E:34 10.5.50.100   10.5.50.100            ether2                    10s

See item 32a) below for proper syntax for version 2.7.x and earlier revisions.
32) [admin@MikroTik] ip hotspot> /ip hotspot profile set default shared-users=1 (versions 2.8.x and higher)

32a) [admin@MikroTik] ip hotspot> /ip hotspot profile set default only-one=yes  (versions BELOW 2.8)
This command sets the hotspot to accept SINGLE logins from the default user group.  You will need to setup a <guests> user profile with the "only-one" parameter "unchecked" in the winbox IP>HOTSPOT>USER>ROFILE settings.  We need this on our Hotspot system so multiple simultaneous  <guest> logins  can occur.  To install and enter the WINBOX program, proceed as follows:  a) connect either to your local LAN router/hub that is feeding the ether1 (public) port or b) connect to the hotspot port, and login to the hotspot as the admin with password.  Once connected one of these two ways,  you can install and enter WinBox by calling up your browser and entering the PUBLIC IP address of your Mikrotik router as the URL with port 8081 as: http://192.168.168.28:8081.  Then click on the WinBox icon on the upper left of the browser window and download <winbox.exe> to a suitable directory on your computer.  Then execute the file winbox.exe load WinBox.  (You can use Windows Explorer to send an icon to your desktop if you wish.)  Then Click the WinBox icon on your desktop to go to winbox.)  To set up the guest listings, click on USERS>Groups.  You will see three default groups with read, write, and all privileges.  Add (click +) groups: guest, registered, member (for example).  Give these groups ONLY web privileges.  Then exit all winbox screens after clicking OK on each.  Now click on USERS and add all the names you need and assign them to whichever group you wish.  Then go to the IP>HOTSPOT>ROFILES and you will see your users listed.  Double click on the profile line “guests” and view the popup window.  You should see the profile name “guests”, mark-flow should be “hs-auth”, and the ONLY-ONE should be UNchecked (or "shared users" should be set to maybe 50), and login method should be “enabled-address”.   All else blank for now. This screen will allow multiple simultaneous logins to the guest group.  Here in this window you can also set up timeouts, bandwidth allowances, and other variables. Consult your Mikrotik manual for more details.  

==========================================
At this point, the basic hotspot setup is completed and you should be able to enter any normal URL into the browser of a computer connected by wireless to the Wireless Access Point (may need to use a crossover cable if AP is directly connected to the ether2 NIC) and see the login screen. Enter your  user ID and password (admin, admin) and you should be connected through to the internet. You should also be able to connect a Windows computer NIC directly to the ether2 port using a crossover cable if you want to try out the system operation without using the wireless link initially.  You may want to edit the Login.html, trouble.html and other login-related pages using FrontPage, Dreamweaver or similar to customize these for your particular installation.  Don't try and edit using Netscape Composer or it will likely fail to work with Mikrotik.  (Mine did.)

Here is my list of "Gotchas" that will hopefully keep you from having some of the problems I did in getting started in further applications
==========================================

ADDING A THIRD NIC PORT TO SERVE YOUR LOCAL LAN.
If you add a THIRD port to the router,  you can isolate your Hotspot from your local LAN and prevent Hotspot users from having any access to your local LAN which is using a common DSL or Cable internet line.  Add the third ethernet card as ether3 and enter the following programming to activate the ether3 port. With this arrangement and programming, Hotspot users connected on ether2 and any local LAN users connected via ether3 will have full internet access via ether1, but will be isolated from each other.

Note:  Demo software users have only 4 total NAT entries allowed and other limitations which will not permit all of the following to be entered.  No harm in seeing how far you can get for your own configuration.  Remember that the "web-proxy" commands are inoperative in the DEMO licensed software.

The IP address range of the third port will be 192.168.2.1 to 192.168.2.254. The gateway address of the third port will be 192.168.2.1. When the third LAN card is added to the computer, it will show up in the interface print list as ether3 and it will be "X" which means out of service. Note that which port is designated as ether1, ether2, and ether3 (by the computer) may change if the third LAN card is added AFTER the above Hotspot programming.
36) [admin@MikroTik] >  /interface
37) [admin@MikroTik] >  print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether1 ether 1500
1 R ether2 ether 1500
2 X ether3 ether 1500
(Note: To enable ether3, in case it is disabled (X), proceed as follows.
38) [admin@MikroTik] interface> enable ether3
39) [admin@MikroTik] interface> print
<!--[if !supportLineBreakNewLine]-->Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether1 ether 1500
1 R ether2 ether 1500
2 R ether3 ether 1500
(Note: The R above shows that all three ports are now "Running".  Note that the ether1 card is known as #0 in the list ID.)
40) [admin@MikroTik] interface> /ip
41) [admin@MikroTik] ip> ad
42) [admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS               NETWORK       BROADCAST       INTERFACE
0 192.168.168.28/24    192.168.168.0     192.168.168.255          ether1
1 ;;; hotspot network
10.5.50.1/24                 10.5.50.0             10.5.50.255                  ether2

43) [admin@MikroTik] ip address> add address=192.168.2.1/24  comment="Home network"  interface=ether3
44) [admin@MikroTik] ip address> ..  ( The .. means drop back one directory level.)
45) [admin@MikroTik] ip>  /ip pool add name=home_dhcp_pool ranges=192.168.2.2-192.168.2.199
(Note: Adds new DHCP pool name to list.  Leaves IP addresses 192.168.2.200 through 192.168.2.254 for use by fixed IP address devices.)
46) [admin@MikroTik] ip>  /ip dhcp-server add name="home_dhcp_server" interface=ether3 lease-time=24h  \  address-pool=home_dhcp_pool netmask=24 gateway=192.168.2.1 \  disabled=no
Note: The above sets up the new DHCP server for ether3 port so users can get IP addresses in the range. Also sets up the gateway as address 192.168.2.1.  
47) [admin@MikroTik] ip> firewall src-nat add src-address=192.168.2.0/24 action=masquerade
(Note: Sets up to masquerade all of the IPs on ether3 so they can access the internet via ether1 using the gateway 192.168.2.1.)
At this point, if ether1 is connected to a LAN port with IP=192.168.168.1 (or YOUR router's gateway address) you SHOULD be able to connect to ether3 and make an immediate connection to the internet.
==================================================================
The following (optional) commands are grouped so you can pick and choose which services you may want to block/add.
====
Now for additional Added features, firewall filters, PPPoE, and etc.
48) [admin@MikroTik]ip> /ip firewall dst-nat add dst-address=0.0.0.0/0:53 protocol=udp  \  action=nat to-dst-address=192.168.168.1  \  comment="intercept all DNS requests"  This commands that all DNS requests will be grabbed and repointed to your local router at 192.168.168.1. This is already done automatically for the Hotspot (ether2) interface.  If you want to add this for ether3 but NOT all interfaces (in case you have more than 3 ports) you would add  <in-interface=ether3>  to the line above.
Note the [BRACKETS] in the command below.
49) [admin@MikroTik] ip> /ip firewall dst-nat set [find comment="intercept all DNS requests”]   \   to-dst-address=192.168.168.1 action=nat
The above finds the comment "intercept all DNS requests" and sends all related DNS requests to 192.168.168.1.  
Note: As an ALTERNATIVE to the above you could use: </ip firewall dst-nat set [find comment="intercept all DNS requests"]  \  to-dst-address=10.5.50.1>  However,  sending the DNS calls DIRECTLY to the DNS server is saves router processing time and is preferred.)
50) [admin@MikroTik] ip>  address print  (This shows how your network is setup.)
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS           NETWORK         BROADCAST         INTERFACE
0 ;;; Public Internet Network
192.168.168.28/24   192.168.168.0       192.168.168.255           ether1
1 ;;; hotspot network
10.5.50.1/24              10.5.50.2               10.5.50.255                  ether2
2 ;;; Home Network
192.168.2.1/24          192.168.2.0           192.168.2.255              ether3
====
Now we put in blocking filters to prevent ANY access to ether2 and ether3 from the internet ether1.
51) [admin@MikroTik] ip>/ip web-proxy access add src-address=192.168.2.0/24  (This for future use by port ether3.  Putting it in now assures it is installed in the correct sequence later when you finish installing ether3.)
52) [admin@MikroTik] ip>/ip web-proxy access add src-address=10.5.50.0/24      (This for use by the HotSpot on ether2)
53) [admin@MikroTik] ip>/ip web-proxy access add action=deny                            (This denys access from all other ports such as ether1.)
(Note: The three commands above protect your ether2 and ether3 users from access from the internet.  This will allow ONLY local clients on your local LAN and on your HotSpot to access the web-proxy.  If you are running your Mikrotik box behind a NAT/firewall and already on a local LAN, this is not essential, but it can't hurt.  Failure to put in this protection will leave you "wide open" if you are connected directly to the internet via PPPoE or LAN without benefit of other firewall protection.
====
Now we add commands to allow Winbox, our mail server, and other local servers connected to ether2 to operate.
First we open up the four ports so Winbox and its associated FTP client can operate from all ports to the Mikrotik Router.
54) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:3987 protocol=tcp \ comment="accept winbox-tls"
55) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:8081 protocol=tcp \ comment="accept winbox"
56) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:20-21 protocol=tcp \ comment="accept ftp"

At this point, Winbox can connect to the router through any of the three ether(x) ports.  However you might want to limit who can connect either by having a src-address=xxx.xxx.xxx.xxx/32 (/32 single ip) or set WHO can connect to the service under /ip service.====At this point, you should be able to connect a Windows computer with NIC (with crossover cable) into the ether3 port and access the internet via the ether1 connection to the internet as well as have the ether2 port operating as a Hotspot controller.  As of this point, no inbound traffic from thepublic port ether1 to ether2 or ether3 is permitted.  Ether 1 must be connected to a LAN router interface to the internet with DHCP service ongateway address 192.168.168.1.====Now we add filters to allow outside users on the internet to access our mail server.  Most ISPs block access to port 25 but you can insert any port you wish for the xxx below.57) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:25 protocol=tcp \ comment="accept incoming SMTP" Now we add a filter to allow access to port 110 so mail server users can collect their mail58) [admin@MikroTik] ip> /ip firewall rule input add dst-address=0.0.0.0/0:110 protocol=tcp \ comment="allow POP3 mail pickup"You can add additional filters as needed.  We also need to add filters to direct incoming mail traffic to our mail server which happens to be on IP address 192.168.2.66.====THESE FILTERS are a "work in progress"  Check back and I am working on PPPoE and more filters and will add them when they are checked out and working.=======================================================OPTIONAL ADDITIONAL FEATURES:You may wish to have some computers arranged so that they automatically login and so no manual LOGON sequence is required.  There are two ways to do this.  One way is to use the remote client's MAC address as the password and the other is to use "cookies".          a) To Automatically LOGIN the computer with MAC=00:80:C8:AC:EE:34, enter the following commands: 59) [admin@MikroTik] /ip hotspot set auth-mac=yes auth-mac-password=yes       [admin@MikroTik]  /ip hotspot user add name=00:80:C8:AC:EE:34 \  password=00:80:C8:AC:EE:34      [admin@MikroTik]  /ip hotspot user add name=00:80:A4:CC:EF:84 \  password=00:80:A4:CC:EF:84Following these commands, the particular computers with the two selected MAC addresses will immediately login (automatically) and connect whenever browser access  to a URL is attempted.  You can add any number of automatic logins by this approach.  In addition,  Cookies can be used for automatic login.  See the Mikrotik Manual for details.------------------------You may want to allow users to access certain websites WITHOUT having to login to the Hotspot.  For instance, you might wish to allow them to access the Atlanta Free Net website at http://www.atlantafreenet.org before they login.  What you do is to include firewall rules in the hotspot-temp chain to allow access to particular IP addresses PRIOR to the firewall rule which rejects all other traffic from temporary addresses.  This new rule MUST be placed BEFORE the "redirect to hotspot service rule.  To do this you enter the following commands:60a)  [admin@MikroTik] /ip firewall  dst-nat add dst-address=x.x.x.x:32 dst-port=80 protocol=tcp \ action=accept60b)  [admin@MikroTik] /ip firewall rule hotspot-temp add dst-address=x.x.x.x/32 dst-port=80 protocol=tcp \ action=returnAgain: You must place these rules BEFORE the final REJECT rules.  Note that you MUST use an IP address.  A URL cannot be used.  Note that Mikrotik will soon have a version allowing URLs instead of IP addresses in this mode.  
-------------------------
You may wish to add a rule to allow all users to use your mailserver port 25 REGARDLESS of what their mail server settings happen to be.   You will need to be careful to setup your mail server to avoid becoming a spam relay!  Here is how you set up the Mikrotik to direct any/all port 25 traffic to YOUR mailserver's port 25.  The following assumes 192.168.168.66 is your mailserver.
61) [admin@MikroTik] /ip firewall dst-nat add src-address=10.5.50.0/24 dst-port=25 protocol=tcp \ to-dst-address=192.168.168.66 action=nat \ comment="Translate all SMTP TCP port 25 traffic to our mail server"

----------------------
Editing the login.html page
If you want to edit the text on the login page,  you must be aware of the fact that normal html editors such as Mozilla Composer,  DreamWeaver, and FrontPage can "mess up" the login page so it will not work with Mikrotik any longer.  Mikrotik uses a special non-standard format for one item which you will have to verify does not get changed by your editor.  
The problem is with lines like this:
    <form %form-input%>
The HTML editor knows, that it is not a valid construction and makes it to look like this:
    <form %form-input="">
which is not a valid construction for hotspot.  You will have to manually remove the "" from such lines and insert the % back instead..
-----------------------------


Hotspot users must access the Hotspot by use of a browser with JAVA support.  This currently includes IE5/6, Netscape 4/6/7 and Mozilla 1.4 among many others.

======================================================I want to express my appreciation for the able assistance of Eje Gustafsson of the The Family Entertainment Network  http://www.fament.com  for his able assistance in finishing up this design and in particular for the firewall filter design and other special features.  Mr. Gustafsson is a design consultant on the Mikrotik and Star OS Hotspot Routers and I am impressed with his expertise.  FEN also sells Mikrotik software licenses and "solid state FLASH disk drives" for use with the Mikrotik software.  With this flash drive, a router can be built with no floppy/CDROM/Hard Drive for reliability.The instructions in this article are copyrighted (c) by Joe Mehaffey 2003.  These directions may be freely copied for individual use PROVIDED the article is not changed/edited or used commercially  without the written approval of the author.

c0d4r

Mikrotik Hotspot Advantages/Limitations
by Joe Mehaffey
as of 10/7/2003


I have been looking at various Hotspot Router Software offerings for several months.  I wanted a more flexible system than NoCatAuth which could incorporate three NIC ports and which did not depend exclusively on remote authentication.  The Mikrotik system was one of my first attractions,  but after weeks of frustrated effort in March, I found that the Mikrotik HOTSPOT software would not work with external stand alone  wireless Access Points I wanted to be able to use.  In late May, I got an email from Mikrotik saying that the system would now work on other than the expensive routers.  I have tested out the new version 2.7.4 software and it seems to have everything I have been looking for and at a reasonable price.

Mikrotik is a software company in Latvia that has been developing their version of a Linux router since about 1995.  In 2002, they first offered a WiFi Hotspot capability which operated with specific internal (to the Linux computer) wireless cards and a few APs.  In mid 2003,  this range has expanded to allow working with a wide range of vendor’s standard Wireless Access Points.  This recently includes the Dlink 900AP+ and similar inexpensive APs as well as the old standbys such as Cisco.  Some specific features and advantages of the Mikrotik Router with HotSpot in  (the latest) version 2.7.4 are:

1)  It is supported software with a constant stream of feature enhancements and fixes for problems experience by users.  Bug fixes are frequent and severe problems seem to be fixed pretty fast.The Mikrotik system has a very complete (500+ page) reference manual as the system has functions that allow it to do about everything an ISP could dream of doing and more than most casual users will ever need.  But..  If you need some routing feature,  likely it is already available.  

2)  The bad news is Mikrotik Tech Support is not the best even after you buy a license so they will assist.    The Mikrotik technicians know a lot about their system but:  Most answers to emailed questions seem to be references to the manual and if you send three questions, they likely will only answer part of them.  Some answers I did receive had errors that are just killers for a beginning router programmer/user.  

There are lots of command examples in the manual  but almost zero overall application examples.  The exception is a HotSpot example, but even with this, only someone already familiar with router ip table setup can get through the complete design without outside help.  I did get some  excellent help from Eje Gustaffason at <http://www.fament.com> who offers Mikrotik consulting for $100 per hour.  Not Cheap...  But a lot cheaper than spending weeks with a simple problem that you cannot work out.  Eje is fast and efficient and best of all he gives workable answers with explanations a beginner can understand and use.  The detailed three port application example plus the two port example that I have worked up are the only ones I know of.  Let me know if there are improvements/clarifications needed.

3)  The system software itself is inexpensive.  A  fully working basic software system with PPPoE and limited to 4 simultaneous Hotspot users and 4 total NAT entries is FREE to download and use from <http://www.mikrotik.com> for evaluation and unlimited use but without any support whatsoever (which is quite reasonable).  Other options include a solid state 64meg  IDE FLASH "disk drive" with the fully Licensed Mikrotik Router + Hotspot software loaded on it with a one year free update service for US$125 from http://www.fament.com/catalog/product_info.php?products_id=39.  This Flash drive system requires no floppy/CDROM/Hard Drive in a router system.  The licensed software alone is about $75 from fament.com<!--[endif]--> if you want to make a WiFi Hotspot authenticator/controller in a computer you already have and you wish to use your conventional disk drive (100meg or more). The system for  local Hotspot use will run fine on a Pentium I-75mhz machine with 64megs of RAM.

4)  The Mikrotik system is quite complex and will take most people a good while to learn in detail.  HOWEVER,  with the cook book application guide that  I have worked up HERE,  a three port Hotspot  router can be assembled and made operational in one evening by someone who just knows how to do  medium complexity  software installs on a PC.

5)  The system allows the HotSpot owner/operator (OO) to edit the locally stored html files used for login,  FAQs, Help pages,  etc.  The user can freely add or change links between these pages and the main login page using FrontPage or Dreamweaver or even Netscape Composer except for the login.html page which has tables.

6)  It is possible to allow internet access to specific websites (with fixed IP addresses) without login when desired.  

7)  Hotspot User Authentication can be done from a local list (default) or from a local or remote RADIUS authentication server.  The system can be programmed to use local authentication when it is available and to query a RADIUS server when the desired entry is not in the local list.  The RADIUS server is expected to periodically update the local list.  If the RADIUS server or link should fail, the local authentication will continue uninterrupted.  In my opinion, a feature like this is an essential ingredient for our growing Atlanta Free Net system.

6)  The Mikrotik “UNIVERSAL CLIENT” optionally permits “any” roaming user with “any” normal IP address and gateway setup in his networking to access the Hotspot without changing his networking setup.  I really like this feature.     Note:  The Universal Client feature is mutually exclusive with use of the DWL-900AP+ as a REPEATER of Mikrotik data packets.  The "address mangling" done to accommodate the Universal Client confuses the DWL-900 Repeaters.

7)  It is easy to give any number of user “groups” different privileges on the Hotspot.  For instance,  group “guests” could be given 32kbps internet service speed upon login.  Registered Guests could be (for instance) given 144kbps.  Members could be given 1mbps and Owners could be given “full” speed.  It is possible to configure queues so that even if the higher speed users are using “all available” bandwidth,  low priority users still get most of their allocated bandwidth.  "Burst" modes can also be configured so that users get a "burst" of traffic for some seconds and then get throttled to some lower speed.  This can give even low speed users the feel of higher speed, yet throttle their download speed on game or file download.

8)  The Mikrotik system can be configured with multiple NICs with varying capabilities.  In my “cook book” system design, I have the router configured to accept one “public” LAN (could be PPPoE) input for the internet connection.  A second NIC is the connection for the Hotspot Access Point.  A third NIC port is provided to connect the local home LAN to the internet.  web-proxy and NAT filters are used to insure that users on the Hotspot cannot access computers on the home LAN and vice versa.  This eliminates the need in most cases for a separate router as the Mikrotik system can provide full NAT and firewall services for both the Hotspot and for the local LAN services at the same time..

9)  Inbound service via the Mikrotik OS Router can direct traffic to mail servers and/or other computers or servers on the home local LAN.

10)  The Hotspot provided can accommodate multiple simultaneous logins with the same username and password.  In my own setup,  I instruct "roaming guests" to sign in as “guest” with a blank password.  This gives internet connectivity and mail service at low speed.  If a user registers with me,  I will give him connectivity speeds as negotiated.  For now, everyone is at DSL speed but I can change that at will.

11)  The one thing I know of that the Mikrotik does not now offer that is provided in the NoCatAuth box is SELF REGISTRATION.  With the Mikrotik box,  registration and user enabling past the “guest” stage requires an email to the hotspot supervisor and manual input of a user ID and password.  This input takes about half a minute via a windows based GUI.

12)  The bandwidth throttling system allows the user to throttle bandwidth for individual user groups, and for entire NIC ports.  Thus, you can prevent your hotspot users from using all of your bandwidth even if a number of users simultaneously download large files.

13)  Perhaps most useful for the Owner/Operator of Hotspots,  programming changes can be done by most any user who has a reasonable amount of computer skills in the area being changed.  By this, I mean “anybody” can change a user name, password, and user group or setup a new usergroup with different capabilities and bandwidth allocations.  But while changing the bandwidth offered a user group is straightforward,  the OO <must> understand the basic area of bandwidth allocation on a network.  Other changes similarly require that the user understand what he is doing.  Routing changes demand that the user understand at least the basics of Linux ip table operation and setup.

14)  The Mikrotik is undoubtedly an extremely complex system overall, but straightforward if you just need to put up a three port system in accord with my new Hotspot Application Note.  The draft document  is available  at the link below.  I am continuing to add features and it will be fleshing out more in the weeks to come.  The basic hotspot and authentication all work fine and I am in the process of refining the firewall features. I will also be adding PPPoE as an option so the router can connect directly to a DSL or Cable modem.  You can manually input the commands in just a couple of hours.  See http://www.gpsinformation.org/ho ... otspot_article.html

yusir0710

讲中文啊