I’d like to be able to add some simple (and not so simple) features and functions to the hotspot pages, such as a feature on the Status page for a customer to change their password (once logged in).
From what I’ve read so far, this is not possible. I’ve got to run a separate external webserver and use the PHP API to do this. This is not going to work for me, as I want to deploy Mikrotik CPE devices like the RB951G-2HnD in households where they may be behind a DSL router with NAT. It’s not practical to expect every customer to set up a port forwarding rule on their DSL router to get to the Mikrotik router, and also not practical to deploy a webserver on every site - not even a Raspberry Pi.
Ideally, I’d like to be able to run the PHP API on the hotspot (RB951G-2HnD), but this doesn’t seem likely anytime soon. If this was possible, I could offer a service like Skydog.com, and sell thousands of Mikrotik routers and make everyone at Mikrotik rich!
"I’ve got to run a separate external webserver and use the PHP API to do this."
This is what you need, it does not require any physical change or NAT configuration for the customer
i.e. deploy your portal on your website http://wifi.mfrater.com
on the RB751, change the login.html file to something like
This way your users will be automatically redirected on your online captive portal and you will be able to do what you want. Look at the files generated by default in the RB751 hotspot directory to understand how login/logout works. Don’t forget to put wifi.mfrater.com in the walled garden.
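The portal side of the scheme mfrater describes, as an added example (it is not code from this thread, from mfrater, or from MikroTik). The router's login.html redirects the guest to the external portal and can pass along the hotspot template variables ($(mac), $(ip), $(link-login-only), $(link-orig)) as query parameters; the parameter names used here are an assumption. Because the portal sits in the walled garden, every guest can reach it, so the values must be validated before they are echoed into HTML or used as a redirect target. The form's action is the router's own login URL, so credentials go straight to the router (which checks them locally or against the central RADIUS) and never pass through the portal.

```python
"""Added example (not code from the thread or from MikroTik): the portal side
of the external-captive-portal scheme.  Query parameter names are assumed."""
import html
import re
from urllib.parse import parse_qs, urlsplit

PORTAL_HOME = "http://wifi.mfrater.com/"  # fallback landing page after login

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _valid_ipv4(text):
    m = IPV4_RE.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def _http_url(text):
    """Only plain http/https URLs with a host are accepted; this rejects
    javascript:, data: and similar schemes that would turn the form's
    action or dst field into a script or open-redirect vector."""
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def parse_hotspot_redirect(query):
    """Validate the query string the router's login.html appends.
    Raises ValueError on anything malformed, missing or duplicated."""
    fields = parse_qs(query, keep_blank_values=True)

    def one(name):
        values = fields.get(name, [])
        if len(values) != 1:
            raise ValueError(f"{name}: expected exactly one value")
        return values[0]

    mac = one("mac").upper()
    ip = one("ip")
    link_login_only = one("link-login-only")
    link_orig = one("link-orig")
    if not MAC_RE.match(mac):
        raise ValueError("mac: not a MAC address")
    if not _valid_ipv4(ip):
        raise ValueError("ip: not an IPv4 address")
    if not _http_url(link_login_only):
        raise ValueError("link-login-only: not an http(s) URL")
    if not _http_url(link_orig):
        link_orig = PORTAL_HOME  # never bounce the guest to an arbitrary URL
    return {"mac": mac, "ip": ip,
            "link_login_only": link_login_only, "link_orig": link_orig}


def redirect_is_valid(query):
    """Convenience wrapper: True if parse_hotspot_redirect accepts the query."""
    try:
        parse_hotspot_redirect(query)
        return True
    except ValueError:
        return False


def build_login_form(params):
    """Render the login form.  Its action is the router's own login URL
    (link-login-only), so the username/password are posted to the router,
    not to the portal.  Field names follow the default RouterOS login.html
    form (username, password, dst, popup); all values are HTML-escaped."""
    action = html.escape(params["link_login_only"], quote=True)
    dst = html.escape(params["link_orig"], quote=True)
    return (
        f'<form name="login" action="{action}" method="post">\n'
        f'  <input type="hidden" name="dst" value="{dst}">\n'
        '  <input type="hidden" name="popup" value="true">\n'
        '  <input type="text" name="username">\n'
        '  <input type="password" name="password">\n'
        '  <input type="submit" value="Log in">\n'
        '</form>'
    )


if __name__ == "__main__":
    # Constructed sample of what a guest's browser would request on the portal.
    sample = ("mac=00:0c:42:ab:cd:ef&ip=10.5.50.20"
              "&link-login-only=http%3A%2F%2F10.5.50.1%2Flogin"
              "&link-orig=http%3A%2F%2Fexample.com%2F")
    print(build_login_form(parse_hotspot_redirect(sample)))
```

This only works with the HTTP PAP or HTTPS hotspot login methods: with HTTP CHAP the router's own page has to hash the password with the chap-id and chap-challenge it embeds, which an external portal does not receive.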
If there’s another, upstream router that hides the downstream with a NAT (as mfrater says), then that other router would have to be configured for the API to work.
If the MikroTik router itself is the top CPE device - as in, the device owning the public IP - then yes, there’s no configuration needed. Merely detecting the IP from PHP, and reaching back with the API is enough.
Having said that…
This doesn’t sound like a realistic scenario for an ISP provider… unless maybe you plan to sell the MikroTik router without internet service attached?
I mean, why would anyone place a router upstream of yours? If it’s about Wi-Fi connectivity, they can always place it downstream of yours, or you could bundle it in your router itself. If it’s about bundling the internet with TV and landline phone, then the upstream router/modem will surely be under your control as well, so it should be possible to configure it.
boen_robot, mhh, well, I have done this several times, and there were routers between the MikroTik AP and the website; it’s not a problem in my opinion as long as all the core system is hosted outside the customer’s place (RADIUS, database with customers’ credentials, PHP stuff, etc.).
If you want to change a password inside the customer’s MikroTik device, then yes, there is a problem; you should then be able to set up some L2TP tunnel between the customer’s MikroTik and the central site to be able to reach it directly regardless of routers between them.
If you want to change a password inside customer’s Mikrotik device, then yes, there is a problem;
Yes, this is my problem, when the Mikrotik is NATed behind another router. And yes, I’m not planning on selling the ISP connections, so sometimes the Mikrotik will be NATed behind a DSL router, and sometimes it’ll have a direct Ethernet WAN connection back to the ISP (using PPP or DHCP for IP allocation). When it’s directly connected, the problem doesn’t exist of course.
So, when the Mikrotik will be NATed behind a DSL router, using an L2TP (or IPsec?) tunnel may be the best way around it, but may not scale too well once you have thousands of devices to remotely configure. That’s a lot of tunnels!
Another possibility is having the NATed Mikrotik routers poll a centralised server for config updates via SSH or telnet (or FTP?), and get configuration updates (e.g. changed user password) that way. (It’s always easier to make connections out from a NATed router than to make connections in.) However, polling doesn’t scale well either, and adds a delay to any configuration update, depending on the polling period.
Maybe if you could configure the L2TP server so as to only establish an L2TP VPN of itself and the other device per username. That way, you won’t exhaust IPs for L2TP tunnels - you’d always need just the two. I’m not aware if/how to configure an L2TP server that way though. I’m just thinking that it shouldn’t be a problem, protocol wise.
Or do you mean that your single web server will be called by multiple devices, thus potentially becoming unresponsive at some point when you get more popular than you bargained for? Well, there are cloud hosting solutions for that, although yes, they typically aren’t on the cheap side. Still - you can start with a single server, and grow as you need to. As long as the domain name remains the same, old and new clients alike will be able to use the service without problems.
BTW, on that note…
not practical to deploy a webserver on every site - not even a Raspberry Pi.
Why not? Both are relatively small - you could easily get a big box and put them both in, with the necessary ports sticking out. Yes, it won’t necessarily look appealing (unless maybe you invest in placing an order for lots of custom boxes that are “tight” and “fancy looking”, and put some marketing twist on it), but it would certainly work. If it’s all in a single box (plastic wise) that’s as easy to install as a TP-Link/Linksys/D-Link home router, I for one can imagine myself buying one, and I have a few customers who I’m sure would be fine even with a bigger box (e.g. hotels, restaurants).
I think you run up against the NAT problem again, i.e. you can’t establish an inbound connection to a Mikrotik when the router in front of it doing the NAT isn’t configured for port forwarding.
It makes me wonder how Apple do it with “Find my iPhone”. To get an iPad to report its position, or to play a sound, when the iPad is NATed behind a router, they must have a way of contacting the device, i.e. making an inbound connection. Either that, or they have a persistent connection (IPsec tunnel?) established via an outbound request from the iPad back to iCloud that they can use. (That’s an awful lot of tunnels.)
Here’s another idea: what about Webfig? Webfig must already use all the functionality that I’m after, e.g. you can easily change a user’s password in Webfig. So it must already have its own “API” to execute commands on the router and change config. I don’t want to give Webfig access to users. All I need is access to the same API, or functions that Webfig uses to change router config, and then I could write my own simple, intuitive, HTML5 and feature-limited GUI.
not practical to deploy a webserver on every site - not even a Raspberry Pi.
It’d be like using a sledge hammer to crack a peanut.
Webfig with Skins comes close. It’s the kind of thing I could give to a Hotspot “Administrator” and give them access to a few things like IP -> Hotspot -> Users, and they could change any user’s password.
I haven’t tried creating a Webfig Skin Status Page yet. I need to upgrade RouterOS to 5.7 to do that. Not sure if it would give the menu granularity required for them to just change their own password.
And I don’t think this will give me the chance to add my own fields to a Status page to change variables that I use in scripts. For example, I have a “Login Allowed” start and finish time for each day of the week per user (that I store in a user’s comment field). I don’t want a user to be able to edit their own user comment themselves - they’d just stuff up the format. I want to create my own webpage fields for the user to enter times into, and then validate and push these into the user comment field myself.
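The validate-then-push step for the per-day “Login Allowed” windows, as an added example (not the poster’s code): the values a user types into custom status-page fields are checked before anything is written, packed into the single string kept in the hotspot user's comment field, and read back to decide whether a login at a given moment is allowed. The comment format used here (`mon=07:00-22:00;sat=09:00-23:30`) and the same-day-only windows are assumptions for this illustration; the poster does not show their own format.

```python
"""Added example (not the poster's code): validating per-day "Login Allowed"
windows from a custom status page, packing them into a hotspot user's comment
field and reading them back.  The comment format is an assumption."""
import re
from datetime import datetime, time

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order
WINDOW_RE = re.compile(r"^([01]\d|2[0-3]):([0-5]\d)-([01]\d|2[0-3]):([0-5]\d)$")


def parse_window(text):
    """'07:00-22:00' -> (time(7, 0), time(22, 0)).  Rejects anything that is
    not a well-formed, same-day, non-empty window (overnight windows are out
    of scope for this illustration)."""
    m = WINDOW_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad window {text!r}, expected HH:MM-HH:MM")
    start = time(int(m[1]), int(m[2]))
    end = time(int(m[3]), int(m[4]))
    if end <= start:
        raise ValueError(f"window {text!r} must end after it starts")
    return start, end


def build_comment(form_fields):
    """form_fields: {day: 'HH:MM-HH:MM' or ''} as submitted by the user.
    Every field is validated before anything is written, so a typo never
    reaches the router; an empty field means no login that day."""
    parts = []
    for day in DAYS:
        raw = form_fields.get(day, "").strip()
        if not raw:
            continue
        start, end = parse_window(raw)
        parts.append(f"{day}={start:%H:%M}-{end:%H:%M}")
    return ";".join(parts)


def parse_comment(comment):
    """Inverse of build_comment: comment string -> {day: (start, end)}.
    Raises ValueError on unknown or duplicated days or a bad window."""
    windows = {}
    for part in filter(None, comment.split(";")):
        day, sep, window = part.partition("=")
        if not sep or day not in DAYS or day in windows:
            raise ValueError(f"bad comment entry {part!r}")
        windows[day] = parse_window(window)
    return windows


def comment_is_valid(comment):
    """True if the stored comment still parses (e.g. before trusting it in a script)."""
    try:
        parse_comment(comment)
        return True
    except ValueError:
        return False


def login_allowed(comment, when_iso):
    """True if the ISO timestamp falls inside that weekday's window
    (start inclusive, end exclusive); days without a window allow no login."""
    when = datetime.fromisoformat(when_iso)
    window = parse_comment(comment).get(DAYS[when.weekday()])
    return window is not None and window[0] <= when.time() < window[1]


if __name__ == "__main__":
    # Constructed form submission: weekdays 07:00-22:00, Saturday until late.
    submitted = {d: "07:00-22:00" for d in DAYS[:5]}
    submitted["sat"] = "09:00-23:30"
    comment = build_comment(submitted)
    print(comment)
    print(login_allowed(comment, "2024-01-06T23:00"))  # a Saturday at 23:00
```

The format deliberately avoids spaces and quotes so a RouterOS script reading the comment can split it on `;` and `=` without any escaping, and `comment_is_valid` gives the script-side check that the stored value has not been hand-edited into something unparsable.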