hotspot_wifi [2012/06/06 12:15] (current)

====== DIY HotSpot Wifi ======

If you need help or have comments about this document, see the [[http://oriol.joor.net/blog/?item=montar-un-hotspot-gateway-amb-mikrotik-i-linksys-wrt54gl|DIY HotSpot Wifi blog post]].

[[montat_un_hotspot|Catalan version]]

===== Network Topology =====

{{ http://oriol.joor.net/blog/wiki/media/hotspot/topologia-xarxa-thumb.png }}

[[http://oriol.joor.net/blog/wiki/media/hotspot/topologia-xarxa.png|+ Zoom]]

===== Elements =====

  * Linksys WRT54G used as an AP in bridge mode.
  * Mikrotik RouterBoard 150 as the HotSpot gateway.
  * ADSL router

===== Linksys WRT54G in AP bridge mode =====

Disable the Internet interface and leave the Internet port unused. Only the LAN interface needs an address, and it is purely a maintenance address, so pick whatever you like. In our case we gave it an address in the same range as the clients and protected access to the AP with a user name and password. Keep in mind that, with the AP sitting on the same L2 segment as the clients, any associated station can reach its management interface directly without passing the HotSpot login, so that password is the only thing protecting the AP: choose a strong one.

{{ http://oriol.joor.net/blog/wiki/media/hotspot/conf01.png }}
\\
{{ http://oriol.joor.net/blog/wiki/media/hotspot/conf02.png }}

===== Mikrotik RouterBoard 150 =====

The RouterBoard 150 runs RouterOS and can be configured as a HotSpot gateway. It has no wireless interface, only five Ethernet ports: one with PoE support and four standard ports. In our scenario the first port is the WAN port and the other four are joined in a bridge, so an AP bridge can be plugged into any of them; if you need more ports for APs, connect a switch to one of the four bridge ports.

In short: connect the first port to the ADSL router and the AP bridges to any other port of the Mikrotik.

Creating the bridge over interfaces ether2 to ether5:

<code bash>
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m \
    forward-delay=15s garbage-collection-interval=5s hello-time=2s \
    max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=ether2 bridge=bridge1 priority=128 path-cost=10 comment="" \
    disabled=no
add interface=ether3 bridge=bridge1 priority=128 path-cost=10 comment="" \
    disabled=no
add interface=ether4 bridge=bridge1 priority=128 path-cost=10 comment="" \
    disabled=no
add interface=ether5 bridge=bridge1 priority=128 path-cost=10 comment="" \
    disabled=no
</code>

Setting the IP addresses of 'ether1' (WAN) and 'bridge1' (LAN and WLAN). Here 1.1.1.0/24 is only a placeholder for the subnet between the ADSL router (1.1.1.1) and the Mikrotik; substitute your own addresses:

<code bash>
/ ip address
add address=1.1.1.2/24 network=1.1.1.0 broadcast=1.1.1.255 \
    interface=ether1 comment="Internet" disabled=no
add address=10.5.50.1/24 network=10.5.50.0 broadcast=10.5.50.255 \
    interface=bridge1 comment="LAN and WLAN interface" disabled=no
</code>

Setting the default static route, DNS and NAT:

<code bash>
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=255 target-scope=10 \
    comment="" disabled=no
/ ip dns
set primary-dns=208.67.222.222 secondary-dns=208.67.220.220 \
    allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w
/ ip firewall nat
add chain=srcnat src-address=10.5.50.0/24 action=masquerade \
    comment="masquerade hotspot network" disabled=no
</code>

IP pool and DHCP server:

<code bash>
/ ip pool
add name="hs-pool-6" ranges=10.5.50.65-10.5.50.190
/ ip dhcp-server
add name="dhcp1" interface=bridge1 lease-time=1h address-pool=hs-pool-6 \
    bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 comment="hotspot network"
</code>

Creating a HotSpot on the 'bridge1' interface and keeping the HotSpot's FTP service port entry enabled on the default port (21/tcp). The custom HTML login pages are uploaded to the router's 'hotspot' directory over FTP (RouterOS's own FTP service, listed under /ip service and enabled by default); FTP carries its credentials in clear text, so only use it from the wired side or restrict the service to your management address:

<code bash>
/ ip hotspot
add name="hotspot1" interface=bridge1 address-pool=hs-pool-6 profile=hsprof1 \
    idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
</code>

Now we need to create a profile for the HotSpot service:

<code bash>
/ ip hotspot profile
add name="hsprof1" hotspot-address=10.5.50.1 dns-name="" \
    html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=0.0.0.0 login-by=http-chap split-user-domain=no use-radius=yes \
    radius-accounting=yes radius-interim-update=received \
    nas-port-type=wireless-802.11 radius-default-domain="" \
    radius-location-id="" radius-location-name=""
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=yes \
    open-status-page=always advertise=no
</code>

With login-by=http-chap the browser sends an MD5 of the server's challenge and the password instead of the password itself, so a passive listener on the open WLAN does not see the password in clear text; the login page and the rest of the session still travel over plain HTTP, though. If you install a certificate on the router you can add https to login-by. use-radius=yes is what hands authentication over to the user manager configured next.
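As an added example (my code, not part of the original page and not MikroTik tooling), the following Python script parses RouterOS command lines of the form used throughout this page and flags the settings a reviewer would question: weak passwords or shared secrets, and a HotSpot profile whose login-by does not include https. The sample configuration inside it is constructed from the values on this page (the profile above plus the user manager customer and RADIUS entries that follow); the parser, the `Entry` record and the check names are assumptions of the example, not a RouterOS API.

```python
"""Audit RouterOS CLI lines for weak HotSpot / RADIUS settings (added example).

Not MikroTik code. SAMPLE_CONFIG is constructed from the values on this page;
the parser and the checks are assumptions of this example, not a RouterOS API.
"""
import re
import shlex
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    menu: str               # e.g. "/ip hotspot profile"
    command: str            # "add" or "set"
    args: List[str]         # positional tokens, e.g. "default" in "set default ..."
    params: Dict[str, str]  # key=value pairs with quotes removed


SAMPLE_CONFIG = r'''
/ ip hotspot profile
add name="hsprof1" hotspot-address=10.5.50.1 dns-name="" \
    html-directory=hotspot rate-limit="" login-by=http-chap use-radius=yes \
    radius-accounting=yes nas-port-type=wireless-802.11
/ tool user-manager customer
add login="mysubscriber" password="mypassword" time-zone=+00:00 \
    permissions=owner parent=mysubscriber comment="" disabled=no
/ radius
add service=hotspot address=1.1.1.2 secret="mysubscriber2pass" \
    authentication-port=1812 accounting-port=1813 timeout=300ms disabled=no
'''


def _logical_lines(text: str):
    """Join backslash-continued lines the way the RouterOS console does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_routeros(text: str) -> List[Entry]:
    """Turn '/ menu' headers and 'add/set key=value ...' lines into Entry records."""
    entries, menu = [], ""
    for line in _logical_lines(text):
        if line.startswith("/"):
            menu = "/" + " ".join(line[1:].split())   # "/ ip dns" -> "/ip dns"
            continue
        tokens = shlex.split(line)                    # handles key="quoted value"
        if not tokens:
            continue
        args, params = [], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                args.append(tok)
        entries.append(Entry(menu, tokens[0], args, params))
    return entries


SECRET_KEYS = {"password", "secret", "shared-secret"}
WEAK_WORDS = {"password", "mypassword", "admin", "secret", "changeme", "12345678"}


def weak_secret(value: str) -> bool:
    v = value.lower()
    if v in WEAK_WORDS or len(v) < 12:
        return True
    if re.fullmatch(r"[a-z]+", v):                    # a single character class
        return True
    return "pass" in v or "secret" in v               # dictionary-style pattern


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for e in parse_routeros(text):
        for key, value in e.params.items():
            if key in SECRET_KEYS and weak_secret(value):
                findings.append(f"{e.menu}: weak {key}={value!r}")
        if e.menu == "/ip hotspot profile":
            name = e.params.get("name", e.args[0] if e.args else "?")
            methods = set(e.params.get("login-by", "").split(","))
            if "http-pap" in methods:
                findings.append(f"{e.menu} {name}: http-pap sends the password in clear text")
            if methods & {"http-chap", "http-pap"} and "https" not in methods:
                findings.append(f"{e.menu} {name}: login over plain HTTP; add https to login-by")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's values it reports three findings: the plain-HTTP login, the customer password and the RADIUS secret (flagged because it is built from a dictionary word). Feed it the output of `/export` from your own router to audit the real configuration.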

A good idea is to use the user manager service to administer HotSpot users and customers; its main advantage is a web interface for the job, reachable on the WAN IP. The minimal configuration is to add your customer (the party that operates the network) and the router that holds the user database. It is important to use the WAN IP address here: the 'bridge1' address is protected by the HotSpot itself, and that protection does not let the router connect to itself through it. Since the web interface is reachable from the WAN, restrict who can reach it (a firewall filter rule on ether1, or the 'address' option of the www service under /ip service) and do not keep the example passwords below:

<code bash>
/ tool user-manager customer
add login="mysubscriber" password="mypassword" time-zone=+00:00 \
    permissions=owner parent=mysubscriber comment="" disabled=no
/ tool user-manager router
add subscriber=mysubscriber name="router1" ip-address=1.1.1.2 \
    shared-secret="mysubscriber2pass" log=auth-ok,auth-fail,acct-fail comment="" \
    disabled=no
</code>

You can create a test user to try the hotspot without going through the web user manager:

<code bash>
/ tool user-manager user
add subscriber=mysubscriber name="myuser" password="mypassword" comment="" disabled=no
</code>

Finally, a small RADIUS entry, because the HotSpot access control has to talk to the user manager service. The shared secret must match the one given to the router entry in the user manager, and the address is again the router's own WAN IP, so in this setup the RADIUS traffic never leaves the box:

<code bash>
/ radius
add service=hotspot called-id="" domain="" address=1.1.1.2 \
    secret="mysubscriber2pass" authentication-port=1812 accounting-port=1813 \
    timeout=300ms accounting-backup=no realm="" comment="" disabled=no
</code>
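To make concrete what the shared secret does on the wire, here is an added example (my code, not the page's and not MikroTik's) of the RFC 2865 exchange the HotSpot, acting as NAS, has with the user manager's RADIUS server: an Access-Request whose User-Password attribute is hidden under the shared secret, and an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply and the secret. The function names and the in-memory user table are assumptions of the example; the user, password and secret are the page's example values. The last function shows why the secret has to be strong the moment the user manager lives on another box: anyone who captures one request/reply pair can test candidate secrets offline against the Response Authenticator, without knowing any password.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange (added example).
Not MikroTik code: names and the user table are assumptions of this example;
packet layout, User-Password hiding and Response Authenticator follow RFC 2865.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
Attrs = List[Tuple[int, bytes]]


def _encode_attrs(attrs: Attrs) -> bytes:
    # Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data: bytes) -> Attrs:
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break                                  # malformed attribute, stop
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block XOR MD5(secret + previous block), first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], _decode_attrs(pkt[20:length])


def nas_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                       ident: int = 0) -> Tuple[bytes, bytes]:
    """What the HotSpot (NAS) sends on login: (packet, request authenticator)."""
    req_auth = os.urandom(16)
    body = _encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_reply(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """What the user manager answers: Accept or Reject, no attributes."""
    _, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_check_reply(reply: bytes, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Reply code if its Response Authenticator verifies under our secret, else None."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def guess_secret(request: bytes, reply: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on a captured request/reply pair: no password needed."""
    req_auth, resp_auth = request[4:20], reply[4:20]
    for cand in candidates:
        if hashlib.md5(reply[:4] + req_auth + reply[20:] + cand).digest() == resp_auth:
            return cand
    return None


if __name__ == "__main__":
    secret, users = b"mysubscriber2pass", {"myuser": "mypassword"}
    req, ra = nas_access_request("myuser", "mypassword", secret, "1.1.1.2", ident=7)
    rep = server_reply(req, secret, users)
    print("accept" if nas_check_reply(rep, ra, secret) == ACCESS_ACCEPT else "reject")
    print(guess_secret(req, rep, [b"password", secret]))
```

A mismatched secret shows up as an Access-Reject that the NAS cannot even authenticate, which is the symptom to look for when the user manager's router entry and the /radius entry disagree.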


===== Using HotSpot =====

Now, when you connect a laptop with a DHCP-enabled wireless interface to the 'myssid' network, it receives an address from the DHCP server's pool. When the user opens the browser and enters a URL, the HotSpot intercepts the request and the browser shows the HotSpot login page:

{{ http://oriol.joor.net/blog/wiki/media/hotspot/hotspot-url-auth.png }}

The user enters the user name and password, and the browser is redirected to the URL originally requested while a small pop-up opens showing HotSpot session information.

When the user finishes, they can press the 'log-off' button in that pop-up, or simply close the browser and be disconnected by the idle timeout.
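The login step is worth seeing in code. With login-by=http-chap the HotSpot's login page gives the browser a one-byte CHAP id and a 16-byte challenge, and a small JavaScript routine posts hexMD5(chap-id + password + chap-challenge) instead of the password. The following added example (my code, not the page's and not MikroTik's; the class, function and variable names are mine) reproduces that computation, the gateway-side check (which needs the password in recoverable form, which is why the back end stores it that way), a single-use challenge store that refuses replays, and what a passive listener on the open WLAN can still do with one captured login POST: guess the password offline.

```python
"""HotSpot http-chap login: browser hash, server check, replay, offline guessing.
Added example, not MikroTik code. The challenge store and names are assumptions
of the example; the hash is what the stock login page's JavaScript computes:
hexMD5(chap-id + password + chap-challenge).
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set, Tuple


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    """What the login page's JavaScript sends in place of the password."""
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()


class HotspotLoginServer:
    """Gateway side: issues challenges, checks responses, refuses replays."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                     # recoverable passwords: CHAP needs them
        self.outstanding: Set[bytes] = set()   # challenges issued but not yet used
        self.next_id = 0

    def new_challenge(self) -> Tuple[bytes, bytes]:
        self.next_id = (self.next_id + 1) % 256
        chap_id = bytes([self.next_id])
        challenge = os.urandom(16)
        self.outstanding.add(chap_id + challenge)
        return chap_id, challenge

    def login(self, chap_id: bytes, challenge: bytes, user: str, response: str) -> bool:
        key = chap_id + challenge
        if key not in self.outstanding:        # unknown or already used: a replay
            return False
        self.outstanding.discard(key)          # single use, whatever the outcome
        password = self.users.get(user)
        if password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def offline_guess(chap_id: bytes, challenge: bytes, response: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """A sniffer sees chap-id, challenge and response in the login POST; it cannot
    replay them against the gateway, but it can test guesses offline."""
    for candidate in wordlist:
        if chap_response(chap_id, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = HotspotLoginServer({"myuser": "mypassword"})
    cid, chal = server.new_challenge()
    resp = chap_response(cid, "mypassword", chal)            # what the browser posts
    print("login:", server.login(cid, chal, "myuser", resp))   # True
    print("replay:", server.login(cid, chal, "myuser", resp))  # False
    print("guessed:", offline_guess(cid, chal, resp, ["123456", "mypassword"]))
```

This is the practical limit of http-chap: it keeps the password off the wire and a captured response cannot be reused, but a weak password falls to a wordlist in seconds, and the authenticated session itself is not protected at all on an open WLAN.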


===== Manage HotSpot Users =====

{{ http://oriol.joor.net/blog/wiki/media/hotspot/userman-llistausuaris.png }}

==== From Internet ====

You only need to open the URL http://1.1.1.2/userman and log in with your customer credentials, in this example:
\\
user: mysubscriber\\
pass: mypassword\\

==== From WLAN or LAN ====

If you plug a PC or laptop into the Mikrotik, or connect over the Wi-Fi network, the process is the same, but you have to pass the HotSpot authentication first, because you are accessing a WAN IP that sits behind the HotSpot.