MikroTik Router OS V3.0 User Manual

select certificate (name | none | import-other-certificate) - choose an SSL certificate from the list of
the imported certificates
•none- do not use SSL
•import-other-certificate- set up the certificates not imported yet, and ask this question again
    Notes
Example
[admin@MikroTik] > ip hotspot setup
hotspot interface: ether1
local address of network: 192.0.2.1/24
masquerade network: yes
address pool of network: 192.0.2.2-192.0.2.126
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 192.0.2.254
dns name: hs.example.net
name of local hotspot user: admin
password for the user: rubbish
[admin@MikroTik] >
    HotSpot Interface Setup
    Home menu level:/ip hotspot
    Description
    Property Description
    HTTPS(read-only: flag) - whether the HTTPS service is actually running on the interface (i.e., it is
    set up in the server profile, and a valid certificate is imported in the router)
address-pool(name | none; default:none) - IP address pool name for performing one-to-one NAT.
You can choose not to use the one-to-one NAT
•none- do not perform one-to-one NAT for the clients of this HotSpot interface
addresses-per-mac(integer | unlimited; default:2) - number of IP addresses allowed to be bound to
any particular MAC address. This somewhat limits a denial of service attack based on taking over
all free IP addresses in the address pool. Not available if address-pool is set to none
•unlimited- number of IP addresses per one MAC address is not limited
idle-timeout(time | none; default:00:05:00) - idle timeout (maximal period of inactivity) for
unauthorized clients. It is used to detect that the client is not using outer networks (e.g. the
Internet), i.e., there is NO TRAFFIC coming from that client and going through the router. When
the timeout is reached, the user is dropped from the host list, and the address used by the user is
freed
•none- do not timeout idle users
Page 370 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
    interface(name) - interface to run HotSpot on
ip-of-dns-name(read-only: IP address) - IP address of the HotSpot gateway's DNS name set in the
HotSpot interface profile
keepalive-timeout(time | none; default:none) - keepalive timeout for unauthorized clients. Used to
detect that the client's computer is alive and reachable. If the check fails during this period, the
user is dropped from the host list, and the address used by the user is freed
•none- do not timeout unreachable users
    profile(name; default:default) - default HotSpot profile for the interface
    Command Description
reset-html(name) - overwrite the existing HotSpot servlet with the original HTML files. Use it if
you have changed the servlet and it stopped working after the change
    Notes
    
      
      	   
    Example
[admin@MikroTik] ip hotspot> add interface=local address-pool=HS-real
[admin@MikroTik] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME        INTERFACE    ADDRESS-POOL   PROFILE    IDLE-TIMEOUT
 0   hs-local    local        HS-real        default    00:05:00
[admin@MikroTik] ip hotspot>
    HotSpot Server Profiles
    Home menu level:/ip hotspot profile
    Description
    							Property Description
    dns-name(text) - DNS name of the HotSpot server. This is the DNS name used as the name of the
    HotSpot server (i.e., it appears as the location of the login page). This name will automatically be
    added as a static DNS entry in the DNS cache
    hotspot-address(IP address; default:0.0.0.0) - IP address for HotSpot service
    html-directory(text; default:hotspot) - name of the directory (accessible with FTP), which stores
    the HTML servlet pages (when changed, the default pages are automatically copied into specified
    directory if it does not exist already)
    http-cookie-lifetime(time; default:3d) - validity time of HTTP cookies
http-proxy(IP address; default:0.0.0.0) - address of the proxy server the HotSpot service will use
as a [parent] proxy server for all those requests intercepted by the Universal Proxy system and not
defined in the /ip proxy direct list. If not specified, the address defined in the parent-proxy
parameter of /ip proxy is used. If that is absent as well, the request is resolved by the local proxy
login-by(multiple choice: cookie|http-chap|http-pap|https|mac|trial; default:
cookie,http-chap) - which authentication methods to use
•cookie- use HTTP cookies to authenticate, without asking for user credentials. Another method is
used in case the client does not have a cookie, or the stored username and password pair is no
longer valid since the last authentication. May only be used together with other HTTP
authentication methods (HTTP-PAP, HTTP-CHAP or HTTPS), as otherwise there would be no way
for the cookies to be generated in the first place. Whoever presents the cookie is logged in
without credentials until it expires (see http-cookie-lifetime)
•http-chap- use the CHAP challenge-response method with the MD5 hashing algorithm, so that the
password itself is never sent in clear text over an insecure network. This is the default
authentication method. Note that only the login is protected this way: the user's traffic after
login is not encrypted, and a sniffer who captured the challenge and the response can still test
password guesses against them offline
•http-pap- use plain-text authentication over the network. Please note that in case this method
is used, your user passwords will be exposed on the local network, so it will be possible to
intercept them
•https- use an encrypted SSL tunnel to transfer user communications with the HotSpot server.
Note that for this to work, a valid certificate must be imported into the router (see a separate
manual on certificate management)
•mac- try to use the client's MAC address first as its username. If the matching MAC address exists
in the local user database or on the RADIUS server, the client is authenticated without being
asked to fill in the login form. A MAC address is chosen by the client and is easily changed, so
this identifies a claimed device address, not a person
•trial- does not require authentication for a certain amount of time
mac-auth-password(text) - if MAC authentication is used, this field can be used to specify the
password for the users to be authenticated by their MAC addresses
    nas-port-type(text; default:wireless-802.11) - NAS-Port-Type attribute value to be sent to the
    RADIUS server
radius-accounting(yes | no; default:yes) - whether to send accounting information on each user to
the RADIUS server periodically (the interval is defined in the radius-interim-update property)
radius-default-domain(text; default:) - default domain to use for RADIUS requests. It allows
selecting different RADIUS servers depending on the HotSpot server profile, but may be handy for
a single RADIUS server as well
radius-interim-update(time | received; default:received) - how often to send cumulative accounting
reports
•0s- same as received
•received- use whatever value is received from the RADIUS server
radius-location-id(text) - Radius-Location-Id attribute value to be sent to the RADIUS server
radius-location-name(text) - Radius-Location-Name attribute value to be sent to the RADIUS
server
rate-limit(text; default:) - rate limitation in the form
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold]
[rx-burst-time[/tx-burst-time]]]] [priority] [rx-rate-min[/tx-rate-min]]
from the point of view of the router (so rx is client upload, and tx is client download). All rates
should be numbers with an optional k (1,000s) or M (1,000,000s) suffix. If tx-rate is not
specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and
tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate
is specified), rx-rate and tx-rate are used as the burst thresholds. If both rx-burst-time and
tx-burst-time are not specified, 1s is used as the default. rx-rate-min and tx-rate-min are the
values of the limit-at properties
    smtp-server(IP address; default:0.0.0.0) - default SMTP server to be used to redirect
    unconditionally all user SMTP requests to
    split-user-domain(yes | no; default:no) - whether to split username from domain name when the
    username is given in user@domain or in domain\user format
ssl-certificate(name | none; default:none) - name of the SSL certificate to use for HTTPS
authentication. Not used for other authentication methods
trial-uptime(time/time; default:30m/1d) - used only when the authentication method is trial.
Specifies the amount of time the user identified by MAC address can use HotSpot services without
authentication, and the time that has to pass before the user is allowed to use HotSpot services
again
trial-user-profile(name; default:default) - used only when the authentication method is trial.
Specifies the user profile that trial users will use
    use-radius(yes | no; default:no) - whether to use RADIUS to authenticate HotSpot users
    Notes
    Example
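The difference between the http-chap and http-pap methods listed under login-by is easiest to see with both sides of the exchange written out. The following is an added example, not code from the manual or from RouterOS. It uses the standard CHAP construction MD5(chap-id || password || challenge), which is also what the stock HotSpot login page's JavaScript computes; verify against your own login.html if the servlet was customised. The user database, the ChapServer class and the offline_guess helper are this example's own constructions.

```python
"""HTTP-CHAP versus HTTP-PAP login, and what a LAN sniffer gets in each case."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample user database. CHAP needs the cleartext password on the
# verifying side (router or RADIUS), which is why it cannot work from a hash.
USER_DB: Dict[str, str] = {"alice": "correct horse", "bob": "s3cret"}


def chap_response(chap_id: int, password: str, challenge: bytes) -> str:
    """Client side (the login page's JavaScript): hex MD5 of id || password || challenge."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).hexdigest()


class ChapServer:
    """Server side: hand out a challenge, then verify exactly one response to it."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = dict(users)
        self.pending: Dict[int, bytes] = {}      # chap-id -> outstanding challenge

    def challenge(self) -> Tuple[int, bytes]:
        chap_id = os.urandom(1)[0]               # CHAP identifier is a single byte
        challenge = os.urandom(16)
        self.pending[chap_id] = challenge        # toy bookkeeping; a real server tracks per client
        return chap_id, challenge

    def verify(self, username: str, chap_id: int, response: str) -> bool:
        # pop(): the challenge is consumed on first use, so replaying a sniffed
        # (chap_id, response) pair fails even though the response was once valid.
        challenge = self.pending.pop(chap_id, None)
        password = self.users.get(username)
        if challenge is None or password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        return hmac.compare_digest(expected, response)


def pap_login(users: Dict[str, str], username: str, password_on_the_wire: str) -> bool:
    """http-pap: the password itself is the wire message, so a sniffer reads it directly."""
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, password_on_the_wire)


def offline_guess(chap_id: int, challenge: bytes, captured_response: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What CHAP does not prevent: with the challenge and response captured, a
    passive sniffer tests candidate passwords offline at MD5 speed."""
    for candidate in wordlist:
        if chap_response(chap_id, candidate, challenge) == captured_response:
            return candidate
    return None


if __name__ == "__main__":
    srv = ChapServer(USER_DB)
    cid, ch = srv.challenge()
    resp = chap_response(cid, "correct horse", ch)
    print("first login:", srv.verify("alice", cid, resp))   # True
    print("replayed:   ", srv.verify("alice", cid, resp))   # False
```

The practical reading of the two methods: http-pap leaks the password to anyone on the segment, http-chap leaks a dictionary-crackable hash, and neither protects the session after login; only the https method (with an imported certificate) closes both gaps.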
    HotSpot User Profiles
    Home menu level:/ip hotspot user profile
    Description
    HotSpot Users
    Home menu level:/ip hotspot user
    Description
    HotSpot Active Users
    Home menu level:/ip hotspot active
    Description
    HotSpot Cookies
    Home menu level:/ip hotspot cookie
    Description
    Property Description
    domain(read-only: text) - domain name (if split from username)
    expires-in(read-only: time) - how long is the cookie valid
mac-address(read-only: MAC address) - user's MAC address
    user(read-only: name) - username
Notes
The validity time of the cookies is set per server profile with the http-cookie-lifetime property,
for example:
/ip hotspot profile set default http-cookie-lifetime=1d
Example
[admin@MikroTik] ip hotspot cookie> print
 #   USER     DOMAIN     MAC-ADDRESS          EXPIRES-IN
 0   ex                  01:23:45:67:89:AB    23h54m16s
[admin@MikroTik] ip hotspot cookie>
    HTTP-level Walled Garden
    Home menu level:/ip hotspot walled-garden
    Description
    Property Description
    action(allow|deny; default:allow) - action to undertake if a request matches the rule:
    •allow- allow the access to the page without prior authorization
    •deny- authorization is required to access this page
    dst-address(read-only: IP address) - IP address of the destination web server (installed by IP-level
    walled garden)
    dst-host(wildcard; default:) - domain name of the destination web server
dst-port(integer; default:) - the TCP port a client has sent the request to
    hits(read-only: integer) - how many times has this rule been used
    method(text) - HTTP method of the request
    path(wildcard; default:) - the path of the request
    server(name) - name of the HotSpot server this rule applies to
    src-address(IP address) - IP address of the user sending the request
    Notes
Example
[admin@MikroTik] ip hotspot walled-garden> add path=/paynow.html \
\... dst-host=www.example.com
[admin@MikroTik] ip hotspot walled-garden> print detail
Flags: X - disabled, D - dynamic
 0   dst-host=www.example.com path=/paynow.html action=allow
[admin@MikroTik] ip hotspot walled-garden>
    IP-level Walled Garden
    Home menu level:/ip hotspot walled-garden ip
    Description
     
      	
    Property Description
action(accept|drop|reject; default:accept) - action to undertake if a packet matches the rule:
•accept- allow the access to the page without prior authorization
•drop- authorization is required to access this page
•reject- authorization is required to access this page; if the page is accessed without
authorization, an ICMP reject message host-unreachable will be generated
dst-address(IP address) - IP address of the destination web server
dst-host(text; default:) - domain name of the destination web server (this is not a regular
expression or a wildcard of any kind). The DNS name specified is resolved to a list of IP addresses
when the rule is added, and all those IP addresses are used
dst-port(integer; default:) - the TCP or UDP port (protocol MUST be specified explicitly in the
protocol property) a client has sent the request to
protocol(integer | ddp|egp|encap|ggp|gre|hmp|icmp|idpr-cmtp|igmp|ipencap|ipip|
ipsec-ah|ipsec-esp|iso-tp4|ospf|pup|rdp|rspf|st|tcp|udp|vmtp|xns-idp|xtp) - IP protocol
name
server(name) - name of the HotSpot server this rule applies to
src-address(IP address) - IP address of the user sending the request
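The HTTP-level walled garden (previous section) and the IP-level walled garden (this section) differ in what they match on: wildcards on host name and path versus protocol, port and addresses, with dst-host expanded to addresses once, when the rule is added. The following added example, not code from the manual or from RouterOS, evaluates both kinds of rule lists for an unauthenticated client. It assumes rules are checked in list order with the first match deciding, that the HTTP-level wildcards are glob-style, and that a request matching nothing needs login (HTTP) or is dropped (IP); FAKE_DNS and every rule and request are constructed sample data.

```python
"""Rule evaluation for the HTTP-level and IP-level walled gardens."""
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS. The IP-level rule resolves dst-host ONCE, when
# the rule is added, so later DNS changes are not picked up by the rule.
FAKE_DNS: Dict[str, List[str]] = {"pay.example.net": ["192.0.2.10", "192.0.2.11"]}


@dataclass
class HttpRule:
    action: str = "allow"              # allow | deny
    dst_host: str = "*"                # wildcard on the requested host name
    path: str = "*"                    # wildcard on the request path
    dst_port: Optional[int] = None
    method: Optional[str] = None
    src_address: Optional[str] = None
    hits: int = 0                      # the read-only hits counter


@dataclass
class IpRule:
    action: str = "accept"             # accept | drop | reject
    protocol: Optional[str] = None
    dst_addresses: List[str] = field(default_factory=list)
    dst_port: Optional[int] = None
    src_address: Optional[str] = None


def add_ip_rule(action: str = "accept", protocol: Optional[str] = None,
                dst_address: Optional[str] = None, dst_host: Optional[str] = None,
                dst_port: Optional[int] = None, src_address: Optional[str] = None,
                resolver: Callable[[str], Optional[List[str]]] = FAKE_DNS.get) -> IpRule:
    """Build an IP-level rule; dst-host is expanded to addresses at add time."""
    if dst_port is not None and protocol not in ("tcp", "udp"):
        raise ValueError("dst-port requires protocol=tcp or protocol=udp")
    addresses = [dst_address] if dst_address else []
    if dst_host:
        addresses.extend(resolver(dst_host) or [])
    return IpRule(action, protocol, addresses, dst_port, src_address)


def http_allowed(rules: List[HttpRule], host: str, path: str, port: int = 80,
                 method: str = "GET", src: str = "0.0.0.0") -> bool:
    """True if an unauthenticated client may fetch this URL without logging in."""
    for r in rules:
        if not fnmatch.fnmatchcase(host.lower(), r.dst_host.lower()):
            continue
        if not fnmatch.fnmatchcase(path, r.path):
            continue
        if r.dst_port is not None and r.dst_port != port:
            continue
        if r.method is not None and r.method.upper() != method.upper():
            continue
        if r.src_address is not None and r.src_address != src:
            continue
        r.hits += 1
        return r.action == "allow"
    return False                       # no rule matched: login page


def ip_verdict(rules: List[IpRule], protocol: str, dst: str,
               port: Optional[int] = None, src: str = "0.0.0.0") -> str:
    """accept / drop / reject for a packet from an unauthenticated client."""
    for r in rules:
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.dst_addresses and dst not in r.dst_addresses:
            continue
        if r.dst_port is not None and r.dst_port != port:
            continue
        if r.src_address is not None and r.src_address != src:
            continue
        return r.action
    return "drop"
```

Order the HTTP-level list so that deny rules for sensitive paths precede any broad allow (an allow with path=* on the same host would otherwise match first), and remember that an IP-level rule built from dst-host keeps the addresses it resolved at add time.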
    							Example
    One-to-one NAT static address bindings
    Home menu level:/ip hotspot ip-binding
    Description
    Property Description
address(IP address/netmask; default:) - the original IP address or network of the client
mac-address(MAC address; default:) - the source MAC address of the client
server(name | all; default:all) - the name of the server the client is connecting to
to-address(IP address; default:) - IP address to translate the original client address to. If the
address property is given as a network, this is the starting address for the translation (i.e., the
first address is translated to to-address, address + 1 to to-address + 1, and so on)
type(regular|bypassed|blocked) - type of the static binding entry
•regular- perform a one-to-one NAT translation according to the values set in this entry
•bypassed- perform the translation, but exclude the client from having to log in to the HotSpot
system
•blocked- the translation will not be performed, and all packets from the host will be dropped
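How a static binding is chosen for a client and what address it ends up with follows from the properties above. The following added example, not code from the manual or from RouterOS, implements that selection and the address + n to to-address + n translation. First-match lookup over the list, the server=all semantics, the "dynamic" result for clients with no static entry, and the sample bindings are this example's own assumptions.

```python
"""Static one-to-one NAT bindings: matching a client and translating its address."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpBinding:
    address: Optional[str] = None       # single IP or network ("10.5.5.0/24"); None = any
    mac_address: Optional[str] = None   # None = any MAC
    server: str = "all"
    to_address: Optional[str] = None
    type: str = "regular"               # regular | bypassed | blocked

    def matches(self, client_ip: str, client_mac: str, server: str) -> bool:
        if self.server != "all" and self.server != server:
            return False
        if self.mac_address is not None and self.mac_address.upper() != client_mac.upper():
            return False
        if self.address is not None:
            net = ipaddress.ip_network(self.address, strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                return False
        return True

    def translate(self, client_ip: str) -> str:
        """Address the client appears as after one-to-one NAT."""
        if self.to_address is None:
            return client_ip
        if self.address is None:
            return self.to_address
        # network binding: keep the client's offset inside the block
        net = ipaddress.ip_network(self.address, strict=False)
        offset = int(ipaddress.ip_address(client_ip)) - int(net.network_address)
        return str(ipaddress.ip_address(int(ipaddress.ip_address(self.to_address)) + offset))


def lookup(bindings: List[IpBinding], client_ip: str, client_mac: str,
           server: str = "hs-local") -> Tuple[str, Optional[str]]:
    """(type, translated address); 'dynamic' means no static entry matched and the
    client gets a dynamic address from the pool (and must log in)."""
    for b in bindings:                       # assumption: first matching entry wins
        if b.matches(client_ip, client_mac, server):
            if b.type == "blocked":
                return "blocked", None
            return b.type, b.translate(client_ip)
    return "dynamic", None


# Constructed sample bindings: a blocked MAC, a whole subnet mapped 1:1, and one
# bypassed host pinned to both its IP and MAC.
SAMPLE_BINDINGS = [
    IpBinding(mac_address="00:11:22:33:44:55", type="blocked"),
    IpBinding(address="10.5.5.0/24", to_address="192.0.2.0", type="regular"),
    IpBinding(address="10.5.6.7", mac_address="AA:BB:CC:DD:EE:FF",
              to_address="192.0.2.250", type="bypassed"),
]

if __name__ == "__main__":
    print(lookup(SAMPLE_BINDINGS, "10.5.5.37", "00:00:00:00:00:01"))   # ('regular', '192.0.2.37')
```

Note that a bypassed entry keyed on address alone is a free pass for whoever claims that address; pin it to a MAC as well (as the third sample does), and keep blocked entries ahead of broad regular ones so they cannot be shadowed.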
Notes
    Active Host List
    Home menu level:/ip hotspot host
    Description
     
      	 	
    Property Description
    address(read-only: IP address) - the original IP address of the client
authorized(read-only: flag) - whether the client is successfully authenticated by the HotSpot
system
bridge-port(read-only: name) - the actual physical interface which the host is connected to. This
is used when the HotSpot service is put on a bridge interface, to determine the host's actual port
within the bridge
    bypassed(read-only: flag) - whether the client does not need to be authorized by the HotSpot
    system
    bytes-in(read-only: integer) - how many bytes did the router receive from the client
    bytes-out(read-only: integer) - how many bytes did the router send to the client
    found-by(read-only: text) - how was this host discovered (first packet type, sender, recipient)
    host-dead-time(read-only: time) - how long has the router not received any packets (including
    ARP replies, keepalive replies and user traffic) from this host
    idle-time(read-only: time) - the amount of time has the user been idle
idle-timeout(read-only: time) - the exact value of idle-timeout that applies to this user. This
property shows how long the user has to stay idle to be logged off automatically
keepalive-timeout(read-only: time) - the exact value of keepalive-timeout that applies to this user.
This property shows how long the user's computer has to stay out of reach to be logged off
automatically
    mac-address(read-only: MAC address) - the actual MAC address of the user
    packets-in(read-only: integer) - how many packets did the router receive from the client
    packets-out(read-only: integer) - how many packets did the router send to the client
    server(read-only: name) - name of the server, which the host is connected to
    static(read-only: flag) - whether this translation has been taken from the static IP binding list
    to-address(read-only: IP address) - what address is the original IP address of the host translated to
    uptime(read-only: time) - current session time of the user (i.e., how long has the user been in the
    active host list)
    Command Description
make-binding - copy a dynamic entry from this list to the static IP bindings list
  (name) - item number
  (text) - custom comment for the static entry to be created
  (regular|bypassed|blocked) - the type of the static entry
    Service Port
    Home menu level:/ip hotspot service-port
    Description
    Property Description
    							name(read-only: name) - protocol name
    ports(read-only: integer) - list of the ports on which the protocol is working
Example
[admin@MikroTik] ip hotspot service-port> print
Flags: X - disabled
 #   NAME    PORTS
 0   ftp     21
[admin@MikroTik] ip hotspot service-port> set ftp ports=20,21
[admin@MikroTik] ip hotspot service-port> print
Flags: X - disabled
 #   NAME    PORTS
 0   ftp     20
             21
[admin@MikroTik] ip hotspot service-port>
    Customizing HotSpot: Firewall Section
    Description
    NAT rules
    0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
    1 I chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp
3 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp
    