HotspotSystem.com Installation Guide for Mikrotik Hotspot Gateway
Important note: This solution requires a Hotspot Operator Account at HotSpotSystem.com. You can create an Operator Account here. If you would like to see what features you will be able to use with our solutions, click here. If you already have an Operator Account, then read on...
1. First we need to define the first port for the WAN connection so the router will connect to the internet via another router with DHCP.
In winbox click IP > DHCP Client and Add DHCP Client to port ether1
2. Let's add the hotspot service to the 2nd LAN port. Click IP > HotSpot and the hotspot Setup box, choose ether2 as hotspot interface. You can accept default values but choose None for certificate. Modify the IP address range to 10.5.50.1/20.
You also need to modify the Internal LOGIN/LOGOUT URLs in the control center to "Mikrotik" to get in sync with your gateway (under Manage > Locations > click on name > Modify Hotspot Data > Splash Page Settings).
3. You need to add our radius servers as authentication and accounting servers.
In the hotspot profiles (IP > HotSpot > (Server) profiles) choose your hotspot profile and click the radius tab, check Use RADIUS. Then click the login tab and de-select cookie, allow HTTPS, HTTP PAP and CHAP.
4. You need to define our radius server. Click Radius and the + sign to add our radius server.
Click Service > Hotspot, enter radius address: radius.hotspotsystem.com, Secret: hotsys123
Check the box next to hotspot
Modify the timeout value to 3000. If Winbox does not let you type a host name, resolve it from a command prompt (press Windows key + R, type CMD and press ENTER, or open a Terminal on a Mac) by typing 'ping radius.hotspotsystem.com'. You can then enter the IP address returned by the ping command.
5. You need to add the secondary radius server. Click Radius and the + sign.
Check the box next to hotspot
Modify the timeout value to 3000
6. We have to allow certain sites and servers for non authenticated users otherwise they can't buy access.
In the section IP > HotSpot > Walled Garden, click on + sign and add the following domains to Dst. Host one by one:
*.hotspotsystem.com
*.worldpay.com
*.paypal.com
*.paypalobjects.com
*.paypal-metrics.com
*.altfarm.mediaplex.com
*.akamaiedge.net
paypal.112.2O7.net (it is a capital O here!)
*.moneybookers.com
*.adyen.com
*.directebanking.com
*.paysafecard.com
For Hotspot FREE SOCIAL locations: you need to add several domains/hosts to the allowed field in order to allow users to log in to their favorite social site. Please follow this article to add these domains/hosts to the whitelist.
Then in the section IP > HotSpot > Walled Garden > IP List add the following IPs to Dst. Address one by one (if your Mikrotik doesn't allow netmask values (.0/24) you can skip the netmask value):
194.149.46.0/24
198.241.128.0/17
66.211.128.0/17
216.113.128.0/17
70.42.128.0/17
128.242.125.0/24
216.52.17.0/24
62.249.232.74
155.136.68.77
66.4.128.0/17
66.211.128.0/17
66.235.128.0/17
88.221.136.146
195.228.254.149
195.228.254.152
203.211.140.157
203.211.150.204
82.199.90.136/29
82.199.90.160/27
91.212.42.0/24
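An audit of the Dst. Address list above, as an added example that is not HotspotSystem's own code: it validates each entry, flags duplicates and overlaps, counts how many addresses unauthenticated clients can reach through the walled garden, and renders the RouterOS terminal form of each Winbox entry. The function names are illustrative, and the `/ip hotspot walled-garden ip add` lines assume you paste them into the router's terminal instead of adding entries one by one in Winbox.

```python
import ipaddress

# Dst. Address values exactly as listed in step 6 of this guide.
PAGE_LIST = """
194.149.46.0/24 198.241.128.0/17 66.211.128.0/17 216.113.128.0/17
70.42.128.0/17 128.242.125.0/24 216.52.17.0/24 62.249.232.74
155.136.68.77 66.4.128.0/17 66.211.128.0/17 66.235.128.0/17
88.221.136.146 195.228.254.149 195.228.254.152 203.211.140.157
203.211.150.204 82.199.90.136/29 82.199.90.160/27 91.212.42.0/24
""".split()


def audit(entries):
    """Validate, de-duplicate and size a walled garden IP list.

    Returns (networks, problems, total_addresses).
    """
    nets, problems = [], []
    for raw in entries:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            problems.append(f"{raw}: invalid ({exc})")
            continue
        if net in nets:
            problems.append(f"{raw}: duplicate entry")
        else:
            nets.append(net)
    # Flag entries that a wider entry in the same list already covers.
    for net in nets:
        for other in nets:
            if net != other and net.subnet_of(other):
                problems.append(f"{net}: already covered by {other}")
    # collapse_addresses merges overlaps so no address is counted twice.
    merged = ipaddress.collapse_addresses(nets)
    total = sum(n.num_addresses for n in merged)
    return nets, problems, total


def routeros_commands(nets):
    """Render one walled garden IP rule per network for the RouterOS terminal."""
    return [f"/ip hotspot walled-garden ip add action=accept dst-address={n}"
            for n in nets]


if __name__ == "__main__":
    nets, problems, total = audit(PAGE_LIST)
    print(f"{len(nets)} unique entries, {total} addresses reachable before login")
    for p in problems:
        print("WARN", p)
    print("\n".join(routeros_commands(nets)))
```

Re-run the audit whenever the list changes: every entry is reachable without authentication, so the total is the size of the pre-login exposure.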
7. You need to synchronize the router's time with our server.
Click on System > NTP (or SNTP) Client. Enter primary and secondary NTP servers. To find NTP servers, go to http://www.pool.ntp.org/ and select the location's continent on the right side of the page. You'll find NTP servers there.
Be sure to leave TimeZoneName: manual, and TimeZone: 00:00 in System > Clock. (Don't set your own timezone, because the router has to show the GMT time!) As with the radius server, if Winbox does not resolve the server names when you click the Apply button, you may need to resolve them with a ping command and enter the IP addresses instead.
8. You need to change the router's NASID. The NASID setting in the Mikrotik is located under System > Identity. Default is 'MikroTik'.
Change it to the following format: OPERATORUSERNAME_LOCATIONNUMBER
Example: Operator Username is 'globalhotspot', Location ID: '2', then NASID should be: 'globalhotspot_2'
NOTE: If you are installing multiple routers in the same location, you should use different NAS IDs. For the second router you need to add '_wds_1' to the NAS ID, for the third router '_wds_2', etc. So for example if you want to install the second router in location 3, the NASID should be set to 'globalhotspot_3_wds_1'.
9. You have to customize Mikrotik's built-in hotspot pages.
Click on the filenames to download the following files: login.zip (contains 2 files)
On the side menu go to Files, and find these files under the 'hotspot' directory.
Unzip the downloaded files and drag and drop them to your "hotspot" directory in the Winbox program. Be sure to move the cursor under the hotspot directory.
If you wish to use FTP you can FTP to your mikrotik router with the admin userid and password and replace the file there under the 'hotspot' directory.
10. You have to set the Login/Logout URL IP addresses in the Control Center. Log in to the Control Center with your Operator Username and password and go to Manage > Locations. Click on the location, then click on Modify Hotspot Data & Settings. In Splash Page Settings modify the Internal Login/Logout URL Set to Mikrotik.
11. Extend the shared-users limit in your hotspot profile. Sub-menu: /ip hotspot user profile, or go to IP > Hotspot > User Profiles > default > Shared-Users. Change shared-users to 5.
12. You have to add an hourly up-status check for the Router Alert feature.
Go to System > Scheduler and add a new task by pressing the plus sign.
Name: up
Interval: 01:00:00
On Event:
Policy: enable all
Press Apply and OK.
13. Set the DHCP lease time of the hotspot to 1 day under IP > DHCP server > open the DHCP server by a double-click > Lease time > set 1d 00:00:00.
14. Let's set the LAN ports 3 & 4 to use with the hotspot as well. Go to Interfaces > ether3 > General tab > Master port > ether2. Do the same to ether4 as well.
15. From here we are setting up the free internet connection on port #5.
Go to IP > Addresses. Click the + sign to add an IP address to ether5 port. Set a private IP range here, we use 192.168.20.1 in our case.
Address is 192.168.20.1/24, network is 192.168.20.0, interface is ether5, click Apply and OK.
16. We set up a DHCP server on interface ether5. Go to IP > DHCP Server > DHCP Setup. Select ether5 for the interface, DHCP address space is 192.168.20.0/24, gateway for DHCP network is 192.168.20.1, DHCP relay should be left blank, IP addresses to give out would be 192.168.20.2-192.168.20.254, DNS servers are fine on 8.8.8.8 for Google's DNS, lease time can be 1d 00:00:00 for one day. If you have any specific plans you can use a different value here.
17. The last step is to add a NAT rule for masquerading the internal address range of the free ethernet interface. Click the + sign, chain is 'srcnat', click the Src. Address to give 192.168.20.0/24 here (or the range you have used).
Click the Action tab and select masquerade for the Action. Click Apply and OK.
Please note that in this case the router fills out the IP > Pool and IP > Routes sections automatically according to the new ether5 interface IP range. If you want to modify something or do the configuration manually, you need to make these changes too.