DIY HotSpot Wifi

If you need help or have comments about this document, you can go to the DIY HotSpot Wifi blog post.


  • Linksys WRT54G used as AP in bridge mode.
  • Mikrotik Routerboard 150 as a Hotspot gateway.
  • Router ADSL

Disable the Internet interface and do not use the Internet port. You only need to configure the LAN interface with the IP that you want, because it is only a maintenance IP. In our case we assigned an IP in the same range as the clients and protected access to the AP with a user and password.

RouterBoard 150 is a device running RouterOS that can be configured as a HotSpot gateway. It has no wireless interface, only 5 Ethernet ports: 1 port with PoE support and 4 standard Ethernet ports. In our scenario we use the first port as a WAN port and the other 4 ports as a bridge where we can connect AP bridges; if you need more ports to connect APs, you can connect a switch to any of the 4 ports.

In summary, we connect the first port to the ADSL router and the AP bridges to any other port of the Mikrotik.

Creating the bridge with interfaces 2 to 5:

/ interface bridge 
add name="bridge1" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m \
    forward-delay=15s garbage-collection-interval=5s hello-time=2s \
    max-message-age=20s comment="" disabled=no 
/ interface bridge port 
# one "add" per member port; ether1 stays outside the bridge as the WAN port
add interface=ether2 bridge=bridge1 priority=128 path-cost=10 comment=""
add interface=ether3 bridge=bridge1 priority=128 path-cost=10 comment=""
add interface=ether4 bridge=bridge1 priority=128 path-cost=10 comment=""
add interface=ether5 bridge=bridge1 priority=128 path-cost=10 comment=""

Setting the IP for interfaces 'ethernet0' and 'bridge1':

/ ip address 
add address= network= broadcast= \
    interface=ether1 comment="Internet" disabled=no 
add address= network= broadcast= \
    interface=bridge1 comment="Interface LAN i WLAN" disabled=no 

Setting up default static IP route, DNS and NAT:

/ ip route 
add dst-address= gateway= scope=255 target-scope=10 \
    comment="" disabled=no 
/ ip dns 
set primary-dns= secondary-dns= \
    allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w 
/ ip firewall nat 
add chain=srcnat src-address= action=masquerade \
    comment="masquerade hotspot network" disabled=no 

IP pool and DHCP server:

/ ip pool 
add name="hs-pool-6" ranges= 
/ ip dhcp-server 
add name="dhcp1" interface=bridge1 lease-time=1h address-pool=hs-pool-6 \
    bootp-support=static authoritative=after-2sec-delay disabled=no 
/ ip dhcp-server config 
set store-leases-disk=5m 
/ ip dhcp-server network 
add address= gateway= comment="hotspot network" 

Creating a HotSpot on the 'bridge1' interface and keeping the FTP service enabled on the default port (21/tcp), where we can connect to the custom HTML login interface:

/ ip hotspot 
add name="hotspot1" interface=bridge1 address-pool=hs-pool-6 profile=hsprof1 \
    idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no 
/ ip hotspot service-port 
set ftp ports=21 disabled=no 

Now we need to create a profile for HotSpot service:

/ ip hotspot profile 
add name="hsprof1" hotspot-address= dns-name="" \
    html-directory=hotspot rate-limit="" http-proxy= \
    smtp-server= login-by=http-chap split-user-domain=no use-radius=yes \
    radius-accounting=yes radius-interim-update=received \
    nas-port-type=wireless-802.11 radius-default-domain="" \
    radius-location-id="" radius-location-name="" 
/ ip hotspot user profile 
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=yes \
    open-status-page=always advertise=no 

A great idea is to use the User Manager service to administer HotSpot users and customers. The basic advantage is that you have a web interface to manage them. You can access the User Manager web interface from the WAN IP. The minimal configuration is to add your customer (who operates the network) and add the router where the users database is. It is important to set the WAN IP address here, because the 'bridge1' address is protected by the HotSpot itself and that protection does not permit the router to connect to itself.

/ tool user-manager customer 
add login="mysubscriber" password="mypassword" time-zone=+00:00 \
    permissions=owner parent=mysubscriber comment="" disabled=no 
/ tool user-manager router 
add subscriber=mysubscriber name="router1" ip-address= \
    shared-secret="mysubscriber2pass" log=auth-ok,auth-fail,acct-fail comment=""

You can add a test user to test the hotspot without accessing the User Manager web interface:

/ tool user-manager user 
add subscriber=mysubscriber name="myuser" password="mypassword" comment="" disabled=no 

Finally, a simple RADIUS adjustment, because we need to connect the HotSpot access control system to the User Manager service:

/ radius 
add service=hotspot called-id="" domain="" address= \
    secret="mysubscriber2pass" authentication-port=1812 accounting-port=1813 \
    timeout=300ms accounting-backup=no realm="" comment="" disabled=no 
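
The shared secret appears twice in this setup, once in the User Manager router entry and once in the /radius entry, and the two values must agree. The Python check below is an added example, not part of the original page: it parses export text in the format shown here and reports a mismatch or any credential still set to this page's example values. The 192.0.2.1 address is a placeholder (the page leaves it blank) and the function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed input: two sections in the page's format. 192.0.2.1 is a
# placeholder from the documentation range; the page leaves the address blank.
SAMPLE_EXPORT = r'''
/ tool user-manager router
add subscriber=mysubscriber name="router1" ip-address=192.0.2.1 \
    shared-secret="mysubscriber2pass" log=auth-ok,auth-fail,acct-fail
/ radius
add service=hotspot address=192.0.2.1 \
    secret="mysubscriber2pass" authentication-port=1812 accounting-port=1813
'''

# Example credentials printed on this page; they must not reach production.
TUTORIAL_VALUES = {"mypassword", "mysubscriber2pass"}
SECRET_KEYS = ("password", "secret", "shared-secret")

def parse_export(text):
    """Parse export text into (menu, verb, properties) tuples."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # join '\' continuations
    menu, entries = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu line, e.g. "/ ip hotspot profile"
            menu = "/" + " ".join(line[1:].split())
            continue
        verb, *tokens = shlex.split(line)
        entries.append((menu, verb, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return entries

def audit(text):
    """Return findings on RADIUS secret agreement and leftover example secrets."""
    entries = parse_export(text)
    findings = []
    # Secrets the User Manager side (single-box setup, as on this page) accepts.
    server = {p.get("shared-secret") for m, v, p in entries
              if m == "/tool user-manager router" and v == "add"}
    for m, v, p in entries:
        if m == "/radius" and v == "add" and p.get("secret") not in server:
            findings.append(f"{m}: secret matches no User Manager router entry")
        for key in SECRET_KEYS:
            if p.get(key) in TUTORIAL_VALUES:
                findings.append(f"{m}: {key} is still the tutorial value")
    return findings
```

Running audit() over a saved export before deployment catches both a mistyped secret, which shows up on the router only as failed logins, and example credentials copied unchanged from this page.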

Now, when you connect a laptop to the 'myssid' network through a wireless interface with a DHCP client enabled, the laptop receives an IP from the IP pool of the DHCP server. Then the user opens the browser and enters a URL; this request is captured by the HotSpot and the browser shows the HotSpot login web page:

The user enters a user name and password, and the browser is then redirected to the URL originally requested, while a small pop-up is launched showing HotSpot information.

When the user finishes the session, they can press the 'log-off' button in this pop-up, or simply close the browser and be disconnected by a timeout.

You only need to request URL: and then you can use your customer settings to access, in this example:
user: myuser
pass: mypassword

If you plug a PC or laptop into the Mikrotik or connect through the wifi network, the process is the same, but you must first pass the HotSpot authentication process, because you want to access a WAN IP that is behind the HotSpot.

  • Last modified: 2012/06/06 10:15