MikroTik Router OS V3.0 User Manual

							4 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=80protocol=tcp

 	 ,$ 
 8
 
 
 ,$ 
 (
  GDCN:  ,
!
 ,$ (
 

5 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst dst-port=443protocol=tcp

 	 ,$! 
 8
 
 
 ,$! 
 (
  GDCN<  ,
!
 ,$! (
 

6 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth protocol=tcp
+ 
 	
 
 59! 	
 
 8
  
	
2 

  	 
 

 
 	

7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
+
 	
  
 	
2 

 7 
 
 
 	

8 D ;;; www.mikrotik.comchain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
#
 
 
 
 	
  
 (

 
	
 	
 3$ 
 
 

  

 $


 & (

  
 
  

 
  
 
 3$ ,  	 


  
 
 
 
 
 	
9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
+ 
 ,$ 8
 	 
 
 
 6	 I	
  (  

 
 GDCND 
 *

  	
$

 
 

  

 $
  	
 ,$ 8
 
  

	 
 
 

	

  
 
 8
   	
	
	 
 
 
 ,
!
 

(
 &
 GDCN:
10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp
,
!
  	
 	 
	
 
 
 
 	    ,$  8
  
 


	  
 H	
H 

 8
 
 


  & 	
 	     
 
 *

 	 
   
 

 
 


  


 
  
 
 ,
!
 
 
	
  	 H0
(	 $H * 
  

 
	
 	 

  
   ( 
 
 
	
	
	 	 
	
 	
 
 
 



 	 
  	
 
 


   	
   	
 
 9
 
	
 
 
  &GDCND  
 	 	  ,$ 8
 
 
  T; &

 ,$ 	
 ,$  8
 	   
 	 
12 D chain=hs-unauth action=redirect to-ports=64875 dst-port=443 protocol=tcp
Page 380 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							,$!   


 
 
 GDCN< 

13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp

  !$ 
 	 	  
 
 
 ,
!
 
	

 *
 	 
  	 
  
 
 
 
 
	
   
  
	
  
 


 !$ 
	

   	 


 
 	 
 
 ( (% & !$ ( 

	  
 
 
 =

	(		 
 
 

  
> !$ (  	( 
 
 
 
 
	
  
  	
 
 
 
(	 4 
14 D chain=hs-auth action=redirect to-ports=64874 hotspot=http protocol=tcp
$(
 ,$  (  	
2  +


	
  8
 	 
 
  4
 


	
	

 
 &
 H0
(	 $H 

8 	
 	(


 	
  

	  
	
	
	 
 
 ,$  8
 
 
 ( 

  
 ,
!
 ,$  &
 
 
	
 


 
 
 GDCND 
 	 ,$  8
  


  (   
  
	
 

	
 	(   


   
 ,
!
 	
	 

	  
 = 
	(		 


 

  
>  (  	( 
 
 
 
  	  	 	

 	(


   
  
 
 
  	  	 
 	
 ,$ 8
 
  
 
   
 
 
	
	

  
 8

15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
$(
 !$   	
2  &
 	 	 
  T/:
Packet filter rules
#
 	
$ 	

 

 
	
  	
 
 

  
 &

  	

	  
 
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
+
 	
 
	
 
	( 
 
  	
 
	
2 

   

 
 
 
 	
 
 
 

 
 *$7	 6	 I	
 

1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
F(

 
	
  
 

 
 
 
 
 
 
 	

 	
 	 
 

 	
  4
 
	
2 8
 
 
 


2 D chain=input action=jump jump-target=hs-input hotspot=from-client
F(

 
	
   

 
 
 
 
 
 
 
 	

 	
 	 


3 I chain=hs-input action=jump jump-target=pre-hs-input
Page 381 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							) 
 
 =
> 
	  
 	
 
 
 
 	

	
( 


 

	
   
  	
 
 
 
(	 
	
  
 4 
4 D chain=hs-input action=accept dst-port=64872 protocol=udp5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
+ 

 	 
 
 	 	


	

 	
  ( &	  	
6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
+ 
 
	  
	
2 

 
 
 
 
   
	
 
 	 	 	 
 
	

	(
 
 

7 D chain=hs-unauth action=return protocol=icmp8 D ;;; www.mikrotik.comchain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
0
 9+ 
	  
 3$7
 	
 6	 I	
 

  	 
 
 	
 

 
 	
  	 (

  	( 
 
 

  

 $ 

 	
 
 	
  	( 
 
 
 

 
 
 9+ 
	 
 	 
  
9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
F(

  
	
 	 

 
 7
  
 6	 I	
   4
 9
 	  3$

  4

 3$ 




11 D chain=hs-unauth-to action=return protocol=icmp12 D ;;; www.mikrotik.comchain=hs-unauth-to action=return src-address=66.228.113.26 src-port=80protocol=tcp
!	 	

 	 
  TN 	
 TC    
 	
 

 
 
 

 &	

 
 
 	 
13 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
4
 	 	
 
 
 

 
 *3$ 4
 	
Customizing HotSpot: HTTP Servlet Pages
Description
E 	
 	
 	 
 

 
  (
 	  	 ,
!
 (  	( 
 


 
   
 
 



  	 ,
!
 (  &
  

 	
 
	
 (
 	 	  
 
 
    
 	
  	
 
  
Page 382 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							
 	
  	  



 
 
 
 
 	
 #$ 

 E 	
  
 	 	 
 
 
 
	

  
 

  
 	
	 9
 
	
 
  
 
 
 
 
	
	 	 	
	
 ,A 

 
 	 
 
 	  (
 (		  
 (
	 	

Available Servlet Pages
	
 ,A (
 	  	 
 
 
•

% 
7 
  
 	

  & 	 
 
 	
•
% 
7 
 	 
 
 	  
 	  
	 	
 	  	 	 
	 


 		

•username- username
•password- either plain-text password (in case of PAP authentication) or MD5 hash of chap-id
variable, password and CHAP challenge (in case of CHAP authentication). This value is used
as e-mail address for trial users
•dst- original URL requested before the redirect. This will be opened on successfull login
•popup- whether to pop-up a status window on successfull login
•radius- send the attribute identified with  in text string form to the RADIUS server
(in case RADIUS authentication is used; lost otherwise)
•radiusu- send the attribute identified with  in unsigned integer form to the RADIUS
server (in case RADIUS authentication is used; lost otherwise)
•radius-- send the attribute identified with  and vendor ID  in text
string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
•radius-u- send the attribute identified with  and vendor ID  in
unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost
otherwise)
•*%=7 P	(	!
  5< 	 	
 0 

 
 

 
 

•	

 7 	 
 	
 

 	  
 *
 7 
	
 	 	
 
  


	 8
 	 & 1 	 
 
 
 ,
!
 
 	
•

% 
7 
	
 	  
	

  
 

 *
  	 	 
 	 	(



	
	
	
•
% 
7 
 	 
 	
    
 ! 
	 
	

 	
 
 


  	 	 
	 
 
 	

	 		

•erase-cookie- whether to erase cookies from the HotSpot server on logout (makes impossible
to log in with cookie next time from the same browser, might be useful in multiuser
environments)
•% 
7  	 
 
 	
	  

•rlogin.html- page, which redirects client from some other URL to the login page, if
authorization of the client is required to access that URL
•rstatus.html- similarly to rlogin.html, only in case if the client is already logged in and the
original URL is not known
•radvert.html- redirects client to the scheduled advertisement link
Page 383 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•flogin.html- shown instead of login.html, if some error has happened (invalid username or
password, for example)
•fstatus.html- shown instead of redirect, if status page is requested, but client is not logged in
•flogout.html- shown instead of redirect, if logout page is requested, but client is not logged in
! 
 	 	 	(		 	    

  

Serving Servlet Pages
 ,
!
 (
 
2 < 

 8
 

1.8
  	 
 
•    
 	
 	(


   
  	
% 
 	 
	 	 
 
 
  	(


 	
•    
 	
 	(


  

   
  
 8
 	 
(
•   

  
 
 
 

	

 
  	  	 	
 

 
 8
 
	 (
•   

  
 	
 
 

	

 
  	  	 	

% 

	 
% 
 

 


% 
  
 
 
 
 
 	
2.8
  H1H 
 
 ,
!
 
•    


% 
 	 

% 
 

 


% 

 
 
 
 
 
	
 	
•   

  

% 
 	 
% 
 

 


% 

 
 
 
 
 
 	
3.8
  H1
H 	
•  	   
 &  		  

% 
 	 

% 
 

 


% 
  
 
 
 
 
	 8
 	 

 
	
 	 &
 	 
	 

	

 	 	 

 (

•   

  
 &
	 	 

  
  	 		
% 


• 
  	 	 & 	  	
% 
 	 
	
% 
 

 

% 
 
•
 	  	
	 % 
 
4.8
  H1
	
H 	
•    


% 
 	
•   

  
	

% 
 	 	

% 
 

 


% 

  
 
 
 
 
 	
5.8
  %1
% 	
Page 384 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•    

% 
 	
•   

  
	
% 
 	 	
% 
 

 


% 

  
 
 
 
 
 	


	
  
  

  
 
 	 8
 
 
 	 
 
 
 
% #$ ( F D.D
 	
 	 	
 
 
 
2 	
 
 ,
!
 	


	

 	  
• 	 	 	 	  	 
 
 
 
% #$ ( 
 
 
  
 
 
( ,
!
 ( 
•) 	

 
 (		  

 
 
 
 ,
!
 (
 
   
  


 
 
 &
	  	  	 
 

% +3 	 	   	 
 

(	  (
 
 2 &A
 +

  
 (	 
	  	   

% +3
	 	   	 
	 	
 	
•
	

 	  
 	 

 ( & 	 
 	 ( 
	
  	 
 	 3
3	 3

% +3 	 	  	 
 
  
	
 
 
	

 
 

  


 

	
	 +
 
 
	

 
 (  	
 +5*0! 	
		 
	
 

 
  
 
 	

  

 

 (		 
  	 
 ,A  
 ]&(	K
	 

	    
 H(	K
	H  


	  
 (		 &

 8
  



 	   
 	
 ,
!
 ,A  	 	
%1% %1
% %1
	
%  %1
% 	  	 	
 

  ,A &%

% 
% 
  
 
 
 ,
!
( &
 
 

  
	 

  	 	(		 
 
	
 	 
 	


 
  	
(		  	 	(		 
 
 	 
 #
	 
  	 
 
 
 
 	 
 



 	
  
login
Variables
+  
 !(
 ,A 	  (		 
    (	 O		 
	 		 
 
 

,A   
 (
 	 7 
 	 	
	
	 	 
 
 
( (	  

,
!
 !(
 # 
 (		 
  	
 	  
  (	 
 
 	
 + 

 (		 	 (	 
 	 (
 	 
   
 4
 
  
 	
 
 
 
 	
	 & 	 
  
 
  	  	  

•3
 ( (		
•hostname- DNS name or IP address (if DNS name is not given) of the HotSpot Servlet
(hotspot.example.net)
•identity- RouterOS identity name (MikroTik)
•login-by- authentication method used by user
•plain-passwd- a yes/no representation of whether HTTP-PAP login method is allowed
(no)
•server-address- HotSpot server address (10.5.50.1:80)
•ssl-login- a yes/no representation of whether HTTPS method was used to access that servlet
page (no)
Page 385 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•server-name- HotSpot server name (set in the /ip hotspot menu, as the name property)
•A

•link-login- link to login page including original URL requested
(http://10.5.50.1/login?dst=http://www.example.com/)
•link-login-only- link to login page, not including original URL requested
(http://10.5.50.1/login)
•link-logout- link to logout page (http://10.5.50.1/logout)
•link-status- link to status page (http://10.5.50.1/status)
•link-orig- original URL requested (http://www.example.com/)
•I
	 

 
	


•domain- domain name of the user (example.com)
•interface-name- physical HotSpot interface name (in case of bridged interfaces, this will
return the actual bridge port name)
•ip- IP address of the client (10.5.50.2)
•logged-in- yes if the user is logged in, otherwise - no (yes)
•mac- MAC address of the user (01:23:45:67:89:AB)
•trial- a yes/no representation of whether the user has access to trial time. If users trial time
has expired, the value is no
•username- the name of the user (John)
•0 
	
 
	


•idle-timeout- idle timeout (20m or  if none)
•idle-timeout-secs- idle timeout in seconds (88 or 0 if there is such timeout)
•limit-bytes-in- byte limit for send (1000000 or --- if there is no limit)
•limit-bytes-out- byte limit for receive (1000000 or --- if there is no limit)
•refresh-timeout- status page refresh timeout (1m30s or  if none)
•refresh-timeout-secs- status page refresh timeout in seconds (90s or 0 if none)
•session-timeout- session time left for the user (5h or  if none)
•session-timeout-secs- session time left for the user, in seconds (3475 or 0 if there is such
timeout)
•session-time-left- session time left for the user (5h or  if none)
•session-time-left-secs- session time left for the user, in seconds (3475 or 0 if there is such
timeout)
•uptime- current session uptime (10h2m33s)
•uptime-secs- current session uptime in seconds (125)
•	 

  	 	(		 
 
 
 
	
 	
•bytes-in- number of bytes received from the user (15423)
•bytes-in-nice- user-friendly form of number of bytes received from the user (15423)
•bytes-out- number of bytes sent to the user (11352)
Page 386 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							•bytes-out-nice- user-friendly form of number of bytes sent to the user (11352)
•packets-in- number of packets received from the user (251)
•packets-out- number of packets sent to the user (211)
•remain-bytes-in- remaining bytes until limit-bytes-in will be reached (337465 or --- if
there is no limit)
•remain-bytes-out- remaining bytes until limit-bytes-out will be reached (124455 or --- if
there is no limit)
•	
 (		
•session-id- value of session-id parameter in the last request
•var- value of var parameter in the last request
•error- error message, if something failed (invalid username or password)
•error-orig- original error message (without translations retrieved from errors.txt), if something
failed (invalid username or password)
•chap-id- value of chap ID (\ù)
•chap-challenge- value of chap challenge
(\ï\
\Ø\\\œ\e\¥\Ã\«\b\¦\[\}\ý\Î)
•popup- whether to pop-up checkbox (true or false)
•advert-pending- whether an advertisement is pending to be displayed (yes or no)
•+5*0!7	
 (		
•radius- show the attribute identified with  in text string form (in case RADIUS
authentication was used;  otherwise)
•radiusu- show the attribute identified with  in unsigned integer form (in case
RADIUS authentication was used; 0 otherwise)
•radius-- show the attribute identified with  and vendor ID  in text
string form (in case RADIUS authentication was used;  otherwise)
•radius-u- show the attribute identified with  and vendor ID  in
unsigned integer form (in case RADIUS authentication was used; 0 otherwise)
Working with variables
$(if )
	


 	
   
 
 	 #
 



   
  (	 
^(	K
	X  

  	
 
 

 *
  	
 8(	

 
$(if  != )*
   

	 
 8(	
 	 $(if  == ) 
	


 	( 
 


$(elif )$(else)$(endif) *
 
	 	 
   

some content, which will always be displayed$(if username == john)Hey, your username is john$(elif username == dizzy)Hello, Dizzy! How are you? Your administrator.$(elif ip == 10.1.2.3)You are sitting at that crappy computer, which is damn slow...$(elif mac == 00:01:02:03:04:05)This is an ethernet card, which was stolen few months ago...$(else)I dont know who you are, so lets live in peace.
Page 387 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their respective owners. 
						

							$(endif)other content, which will always be displayed
 
 
  
 
   
 6 
 7 
 
 (	  
 (		  	



Customizing Error Messages
+  	 	 
 
 
%

 

 
 
( ,
!
 (
 
 E 	

	
 	
 
	
	
 	 
 	 
  
	
( 	
	    
 
%

 E 	

	  (		 
 
 	 + 



 	 (
 
 
	
 
Multiple Versions of HotSpot Pages

 ,
!
 	 
  
 	 ,
!
 ( 	 
  	
  
   &


 	
	  	
	
	  P	(	!
 &
 
 $5+1	 (
  ,A 	
 
2 
 	
 	
 
 
 ,
!
 ,A 
 	
 	 
 ,A  
	 

 
 
	
 
 # 	 
 
	
	
 (

 
 A	
(	
 
 H(H 	
 
	
 
 

 

 
	

 	

 	(

 	
 

   	

	
	
 

 A	
(	
 * 
 8
 ,A 	 	
 

  
 
 
 8
 
 



 ,A   
 	
 
    
 	
 

   

	
 
 

H1(1
S
J]&
77H  

 	 A	
(	
 (
  
 	Latviski +
 A	
(	
 (
  

	
 
 

F
 (
English
+

 	  

 
  
  %
	
% (		
LatviskiEnglish
+
  
 	 
 
 & 	 H(H 	 
 
 	 ,
!
 	  

	


	
 	
 & 	$(link-status) = http://hotspot.mt.lv/lv/status !  	 ,
!
	 
 
 
 H]&
7H (		 

 
  	
 	 
  	 7 	 

 

	 

 
 
 
 	 
 

Notes
*  	

 
  ,$73,+$ 	


	

 
 
   
	
  
 
7
FG



 & 
 
 
*%= 
  		 	  
0

	

  


   
 3,+$ 
  	
 

 	 
  

 
 
 ,
!
 	
	 
 	  ,$73,+$ 
  
5
						

							
   ]&7 ^	
JH

11
((1
S	J]&	7_J]&7HX
^1	X 9 
 	

	   
(
 
 H/-:U-GD