Cira
just joined
Topic Author
Posts: 15
Joined: Mon Apr 18, 2011 6:07 pm

Hotspot service in routed network

Mon Apr 18, 2011 6:29 pm

Howdy,

I have a question regarding usage of Hotspot service in routed network. Setup we devised is based on bunch of APs that work in Access Point mode with default gateway and DHCP on a MPLS router with gateway interfaces (to APs) joined in hotspot service VRF and all that funneled through a single Internet gateway with RouterOS Hotspot service running (that being default gateway for entire VRF technically speaking).

However from what little documentation I could find on how Hotspot service actually works, it seems that it identifies clients by MAC addresses which makes above setup nonfunctional, because all of the clients that join through same AP would be seen (on default gateway) by MPLS router interface MAC, not their own. It would mean that once the first client successfully authenticates, all of the others connecting through same AP would pass through, being counted as single session (If I remember correctly that's how Wifidog handles access lists on endpoints, I assume RouterOS HS does pretty much the same?).
This apparently makes RouterOS Hotspot service only suited for routed endpoint devices.

I've opted for my initial idea of stupid endpoints and everything (AAA, shaping etc.) being done on central server/router because it seems more manageable in large scale deployments.

Perhaps I am getting all this wrong and RouterOS Hotspot service could serve me in this kind of setup somehow?
What do you guys(&girls) suggest, what would you change, how would you modify such a setup or what portal software would you use etc.?

Thanks in advance,
Cira
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Hotspot service in routed network

Mon Apr 18, 2011 6:44 pm

Before I start, I do almost everything backwards, so take that into account!

I use hotspots on each remote ap. Actually, one for each client radio in each router. This keeps the backhaul radio traffic about as clean as it can get. Only bandwidth restricted authorized users (and clients purchasing time) on the backhauls to your internet connection.

Remember, backwards... :D
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Hotspot service in routed network

Mon Apr 18, 2011 6:47 pm

Hotspots indeed have to run on the immediate layer 3 hop.

You can still do centralized AAA (the Hotspot on each router points to a central RADIUS server), centralized login pages (locally redirect to a central login page permitted in the walled garden), and if you really wanted to you could do centralized QoS (don't enforce rate limits on Hotspot routers, don't NAT, then shape later further upstream).

You could devise some VPLS or other layer 2 encapsulating scheme to move the (virtual) immediate layer 3 hop further upstream, but that can get ugly. It's best to run the Hotspot straight on the APs.

In my opinion running the Hotspot close to the end user makes sense. That way you don't have to backhaul traffic from unauthenticated users just to discard it on the central router. We found we issue 19 redirects per actual login on public Hotspots, and the WAN traffic rate is approximately half the LAN traffic rate at any given time.
With AAA and login pages being centralized each router near an end user could have a completely standard template applied to it that makes management fairly easy.
 
Cira
just joined
Topic Author
Posts: 15
Joined: Mon Apr 18, 2011 6:07 pm

Re: Hotspot service in routed network

Mon Apr 18, 2011 7:20 pm

So there is no way to have Hotspot to differentiate users (their sessions that is) not by MAC, but by IP addresses?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Hotspot service in routed network

Mon Apr 18, 2011 8:03 pm

Depending on how your clients get their ip addresses at the ap, you can set the hotspot to issue more than two ips per mac address. You will probably find that to be the limiting factor. I don't use it and don't recommend it. I like fewi's "...but that can get ugly".
/ip hotspot
print detail
set X addresses-per-mac=256
Check "/ip hotspot host" to ensure all is as you expect. :?
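
A simplified model of the per-MAC address cap discussed in this thread, added here as an example; it is not part of the post above and is not RouterOS code. It shows why routed clients arriving behind one router MAC hit the cap, and how a host list can be checked for MACs that front several IPs. The cap of 2, the function names, and the MAC/IP sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: a cap of 2 matches the post's "more than two ips per mac address".
DEFAULT_ADDRESSES_PER_MAC = 2

# Constructed sample of (source MAC, source IP) pairs as seen on the hotspot
# interface. This is not real "/ip hotspot host" output.
ROUTER_MAC = "02:00:00:00:00:AA"   # downstream router forwarding routed clients
OBSERVED = [
    (ROUTER_MAC, "10.0.1.10"),
    (ROUTER_MAC, "10.0.1.11"),
    (ROUTER_MAC, "10.0.1.12"),
    ("02:00:00:00:00:01", "10.0.0.20"),  # client on the hotspot's own segment
]


def admit_hosts(observed, addresses_per_mac=DEFAULT_ADDRESSES_PER_MAC):
    """Apply a per-MAC address cap in arrival order; return (admitted, rejected)."""
    per_mac = defaultdict(set)
    admitted, rejected = [], []
    for mac, ip in observed:
        key = mac.lower()
        if ip in per_mac[key]:
            continue  # host already tracked
        if len(per_mac[key]) < addresses_per_mac:
            per_mac[key].add(ip)
            admitted.append((key, ip))
        else:
            rejected.append((key, ip))
    return admitted, rejected


def routed_hop_suspects(observed, min_ips=2):
    """Return {mac: [ips]} for MACs that front at least min_ips distinct IPs."""
    per_mac = defaultdict(set)
    for mac, ip in observed:
        per_mac[mac.lower()].add(ip)
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in per_mac.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    print(admit_hosts(OBSERVED))
    print(admit_hosts(OBSERVED, addresses_per_mac=256))
    print(routed_hop_suspects(OBSERVED))
```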
 
Cira
just joined
Topic Author
Posts: 15
Joined: Mon Apr 18, 2011 6:07 pm

Re: Hotspot service in routed network

Mon Apr 18, 2011 8:27 pm

> Depending on how your clients get their ip addresses at the ap, you can set the hotspot to issue more than two ips per mac address. You will probably find that to be the limiting factor. I don't use it and don't recommend it. I like fewi's "...but that can get ugly".

Many thanks, this helps a lot. Clients will get addresses from some external DHCP server (DHCP relay to it on MPLS router interface). It's planned that APs are to be connected to bunch of DOCSIS2.0 and 3.0 modems (possibly some fiberoptic nodes where it's possible/needed).
What sort of problems and limitations in Hotspot service functionality (or this setup as a whole) can I expect? I would of course require AAA on central gateway (and if possible bandwidth shaping).
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Hotspot service in routed network

Mon Apr 18, 2011 8:37 pm

You should decide on what AAA software you plan on using, and what requirements you have. With one hotspot, you could use the local hotspot user database. Some use User Manager. I use FreeRADIUS with an external Apache/RADIUS server and a custom php interface to the radius database.
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Hotspot service in routed network

Wed Apr 22, 2015 5:45 am

Sorry to respark an old query but I am wondering what to do on a situation where I have a single routed extension and want to hotspot both encompassing networks. i.e.

Main router
Ether1: Public Net
Ether 2: 10.5.50.1/24 with hotspot enabled
-- Switch -- --Several AP's - hotel guests
AP ( Bridged) 10.5.50.2/24
--WIFI--
Extended building Client Wlan 1: 10.5.50.3/24
Ether1: 10.5.51.1/24
--- Switch --- Several AP's - hotel guests

On my "main router" I have the masquerade on 10.5.50.0/23
Everything works hotspot disabled.
When I enable hotspot on the main router ether2 the devices in the 10.5.51.0/24 have performance problems or do not connect.

I have tried to tunnel the extended building with eoip so that I could put the hs on the eoip interface but it was very clunky and I ran into problems with that too.
Ideas?
