Allow for some devices, Internet access for 1 hour each day

Hello team!

We have all devices in the same subnet, there is no multiple VLANs in this site, just VLAN 1.
They asked me to give to some devices just 1 hour at a day, Internet access. Without specific time.
Most mobile phones should have this restriction. All mobile phones connect to a non-MikroTik access point, which has no option to do this. But the access point is not applying NAT.
I think that hotspot is the only way.
I found the “Session timeout” option in the user profile section, I think I should use this, but I am not sure.

3 questions:

  1. How can I refresh the available time automatically every day?
  2. Is there a way to apply hotspot just for some devices? I prefer not to reserve IPs, but I think we have no other option without segmenting the network. All other devices should have internet access with no authentication if possible.
  3. Is this possible to use the same user in all the phones with restriction?

I think I should create another SSID for these devices and configure this new SSID in another VLAN, but this would need more time. We have no access to switches just now.

Thanks in advance.
Regards,
Damián

kid control?

All useless, with a MAC randomizer on the phone that changes every hour…

Concur unless you set DHCP static lease to phones with randomizer turned off and do not let any other leases occur

This is probably the best and easiest approach. Create a new SSID assigned to a new “restricted” VLAN. Then create two firewall rules, one for allowing WAN access during specific time (schedule under Extra - Time in WinBox), the second one blocking access.

All devices in this VLAN will have the same restriction.

This is actually one perfect use-case for WPA2-Enterprise/WPA3-Enterprise with PEAP/MSCHAPv2 and User Manager acting as RADIUS server. No worry about devices having random MAC address, because each user/device has their own username & password. But you’ll need access points with WPA2-Enterprise/WPA3-Enterprise support and those are normally more expensive.

And your AP system must be compatible with User Manager’s CoA behaviors; that’s currently not the case for UniFi devices:
http://forum.mikrotik.com/t/user-manager-isnt-sending-nas-identifier/182952/1

Thanks to everyone!!

They do not want to specify one specific hour; they want users to have 1 hour, whenever each user wants.
Is this possible? How?
Also, with hotspot, is there any way to use the same username and password in all the restricted devices?
Each device should have internet access during one hour, starting when each device is logged in.
For example:

  • If device1 is logged in at 10:33 AM with user:John, password: 123456, device1 should have internet access until 11:33 AM
  • If device2 is logged in at 02:00 PM with user:John, password: 123456, device2 should have internet access until 03:00 PM

Thanks in advance.
Regards,
Damián

It’s possible with User Manager and WPA Enterprise like I wrote above, but the Access Points must be compatible with RouterOS with regards to Change-of-Authorization (CoA)

um-profile-limitation.png

Thanks CGGXANNX!

So far, they will not buy a new AP!
Is there a way to do this with hotspot?

Thanks in advance.
Regards,
Damián

It should work with hotspot too. You can do a test setup yourself. What you need is:

  • Install User Manager and set it up with Profiles, Limitations, Profile-Limitations, User Groups, Users, User-Profiles. Don’t forget to check Use Profiles in the UM settings.
  • In UM, add the one “Router” entry for the router itself, with 127.0.0.1 as Address.
  • In the RADIUS menu, add a “New RADIUS Server”, which is the User Manager at 127.0.0.1, same Shared Secret as above. Enable the “hotspot” checkbox.
  • On the RADIUS dialog, click Incoming and check Accept. This allows CoA (Change of Authorization).
  • Configure Hotspot, with Use RADIUS enabled.

That should do it. It has been a while since I tested that, so I might have missed something.

Oh, and various places (including the UM settings and hotspot) expect a TLS certificate; you can use the one generated with Let’s Encrypt by the router for that purpose: https://help.mikrotik.com/docs/spaces/ROS/pages/2555969/Certificates#Certificates-Let’sEncryptcertificates

I’m curious, how does the hotspot place restrictions? Isn’t it using MAC addresses behind the scenes? What if a client changes their MAC address and reconnects as basically a new user?

@OP, sounds like what @CGGXANNX recommended is the way to go. But limiting access by time is very unusual these days. Since you said there is a single VLAN, and there is a resistance to buy an AP for a valid business need, is it by chance a home environment where you have limited set of devices? If this is true, then do what @anav suggested and lock out by default anything that you didn’t approve manually.

I know Apple became less aggressive on randomizing MACs in the recent iOS versions by default (https://support.apple.com/en-us/102509). You would need to research other vendors. Once you establish whitelisting by MAC, or if you are not concerned about users trying to break out in the first place (e.g. restricting access for children), you could get away with some firewall rules and possibly scripts. You wouldn’t need hotspot or any fancy enterprise features or even VLANs (depending on the situation) for this to work.

For example, you can use three filter rules in this order:

  1. Match packets not in list2 and add source to address list list1 with timeout of 01:00:00.
  2. Match packets in list1 and add source to address list list2 with timeout of 23:00:00.
  3. Match packets not in list1 and drop.

The first outgoing packet will get added to list1, then immediately to list2, then skip rule #3 because of list1.
Once the 1-hour timeout expires in list1, packets won’t match rule #1 (because the IP is still on 24-hour list2) and so won’t get added back to list1 but will match rule #3 and get dropped.
After 24 hours (1 hour allowed + 23 more hours) list2 times out, starting the whole process again.
If you want to reset the restrictions without waiting full 24 hours, you can run a simple script to clear out list2 at midnight, for example.

These rules need to be above everything else, including fasttrack.
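The three-rule address-list scheme above written out as RouterOS commands (an added example, not the poster's own configuration). It wraps the rules in their own chain so only phones in a static `restricted-phones` address list are affected and only their internet-bound traffic counts; it assumes the default firewall with its fasttrack rule, the default `WAN` interface list, and a static DHCP lease per phone (the sample address is constructed).

```routeros
# Added example, not from the thread. Assumes the default firewall (with its
# fasttrack rule), the default "WAN" interface list, and a static DHCP lease
# for each restricted phone so its IP address stays stable.
/ip firewall address-list
add list=restricted-phones address=192.168.88.201 comment="phone1 (constructed sample)"

/ip firewall filter
# Jump into the quota chain for internet-bound traffic from restricted phones
# only. Placed above the fasttrack rule, otherwise established flows bypass it.
add chain=forward src-address-list=restricted-phones out-interface-list=WAN \
    action=jump jump-target=daily-quota comment="daily 1h quota" \
    place-before=[find action=fasttrack-connection]
# Rule 1: first packet of the day (address not yet in list2) starts the 1h window.
add chain=daily-quota src-address-list=!list2 action=add-src-to-address-list \
    address-list=list1 address-list-timeout=1h
# Rule 2: while in list1, add the 23h lock-out entry. add-src-to-address-list
# is a passthrough action, so evaluation continues with the next rule.
add chain=daily-quota src-address-list=list1 action=add-src-to-address-list \
    address-list=list2 address-list-timeout=23h
# Rule 3: once the 1h entry has expired, traffic is dropped until list2 expires.
add chain=daily-quota src-address-list=!list1 action=drop

# Optional: reset the quota at midnight instead of waiting the full 24h.
/system scheduler
add name=reset-daily-quota start-time=00:00:00 interval=1d \
    on-event="/ip firewall address-list remove [find list=list2]"
```

A phone that rotates its MAC gets a fresh DHCP address outside the static lease and is simply not matched by the jump rule, which is why the posts above insist on static leases (or MAC whitelisting) as a prerequisite.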

Last time I tested Hotspot together with User Manager, the Hotspot setup created new chains and dynamic rules in the firewall. Devices get IP addresses with DHCP normally, but there are dynamic Dst NAT rules that force the unauthorized devices to the Hotspot login page if they need to use the gateway. When not yet authorized, DNS (53) and the HTTP/HTTPS ports are captured and redirected, the rest are blocked. The DHCP server also announces the Hotspot login URL (RFC7710). You can read about the generated firewall rules here: Hotspot customisation - RouterOS - MikroTik Documentation

If the unauthorized devices don’t need the gateway (only need to talk to other devices on the same layer 2) then they’ll be able to do it without restrictions.

The user can change MAC address and get assigned new IP address via DHCP but that address would not yet be in the allowed list. The NAT chain will force the device to the login page again (other ports are blocked). The login page check uses User Manager (RADIUS server) for the authorization and UM can verify the elapsed session time (as well as other limitations).

And because unauthorized Hotspot clients are NAT-ed and Filter-ed all the time, when the limitations are exceeded (such as session time depleted) access to the outside via gateway is blocked immediately.

Thanks a lot!!!
I think I will test this next monday.
This is a very small business

Regards,
Damián

FYI I just redid the test configuration and it worked as expected, client loses access to the internet after one hour (and some minutes depending on the interim update interval setting). Some notes:

  • Please be aware that the hotspot wizard expects an unconfigured interface, you should either set aside an ethernet port (move out of the bridge) or add a new VLAN interface without configuring IP addresses on it.

  • The user group in User Manager only needs the PAP checkbox enabled.

um-hotspot-1h.png

  • Don’t forget these checkboxes for the RADIUS settings:

um-hotspot-radius.png

  • Make sure you have a valid TLS certificate (you can generate one with Let’s Encrypt) before using the Hotspot wizard and select it inside the wizard.

  • Enable these for the hotspot server setting. Interim Update specifies how often the hotspot server contacts the RADIUS server (User Manager) to report usage. The profile limitations are only checked during those updates, and only then are clients exceeding the limitations disconnected.

um-hotspot-server.png

  • Unfortunately, the current error message when a user who has used up his 1h/day limit tries to log in again sounds like this. So you might need to do some HTML page customizations:

um-hotspot-login-failed.png
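The RADIUS and Hotspot wiring from the two checklists above (the five-step list and the notes with screenshots) as CLI commands; this is an added example, not the poster's configuration or screenshots. It assumes the Hotspot wizard created the server profile `hsprof1`, that a certificate named `letsencrypt-cert` already exists, and uses a placeholder shared secret.

```routeros
# Added example, not from the thread. Assumes hotspot server profile "hsprof1"
# (created by the wizard) and an existing certificate named "letsencrypt-cert";
# CHANGE-ME-secret is a placeholder shared secret to replace.
/user-manager settings
set enabled=yes use-profiles=yes certificate=letsencrypt-cert

# The router itself is the only RADIUS client (NAS) of User Manager.
/user-manager router
add name=local-hotspot address=127.0.0.1 shared-secret=CHANGE-ME-secret

# Hotspot authenticates and accounts against the local User Manager...
/radius
add service=hotspot address=127.0.0.1 secret=CHANGE-ME-secret
# ...and accepts its CoA / Disconnect requests (UDP 3799) so a session whose
# limitation is exceeded can be cut off.
/radius incoming
set accept=yes

# Limitations are only checked at interim updates, so with 5m a client can
# keep access up to 5 minutes beyond the 1h uptime limit.
/ip hotspot profile
set [find name=hsprof1] use-radius=yes radius-accounting=yes \
    radius-interim-update=5m ssl-certificate=letsencrypt-cert
```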

@CGGXANNX, this is awesome, thanks a lot!!

I could configure everything as in your screenshots. When I connect a client to hotspot, I get to the screen to write credentials, and get “Radius Server is not responding”.
I just did not install the certificate. Is the “Radius server is not responding” message because of the certificate?
Why is the certificate needed?
Do you know any tutorial to generate the certificate?
Sorry, I am very noob with hotspot and certificates, and the Let’s Encrypt page is not clear enough for me.

Thanks
Regards,
Damián

The purpose of a hotspot certificate (or certificate of any other server to which a client authenticates itself using some credentials) is that the client knows it has connected where it intended to so it does not reveal its credentials to some imposter or man in the middle.

With Let’s Encrypt, the thing is that you have to manually download and also install the intermediate certificates, R10 and R11, that are used to directly sign the individual entity certificate, and these are signed by the root CA that is pre-installed on most devices. So when presenting its certificate, the server must also send R10 or R11 along with it, otherwise the client would be missing a link between the server’s own certificate and the root CA. The link is either R10 or R11 (they are chosen randomly at each renewal of the server certificate).

The certificate is needed if you want the hotspot login page to be served over HTTPS (instead of HTTP). And the RouterOS Hotspot feature now supports RFC 8910 (https://datatracker.ietf.org/doc/html/rfc8910), which replaces RFC 7710 (RFC 7710 is still referred to in MikroTik’s documentation:
https://help.mikrotik.com/docs/spaces/ROS/pages/56459266/HotSpot+-+Captive+portal#HotSpotCaptiveportal-UsingDHCPoptiontoadvertiseHotSpotURL, but the router supports RFC 8910), and to enable RFC 8910/7710 the hotspot login page must have an HTTPS URL.

With this, Android and Apple devices, and some Linux distros too, have a better way to discover the URL of the hotspot login page, instead of having to send probe requests to a canary web page. Windows doesn’t support RFC 8910/7710 yet. If you are OK with the login page being served over unencrypted HTTP (and with RFC 8910 not available), then you don’t need the certificate.

About the “Radius Server is not responding” error message: Unfortunately this seems to be a generic error message shown by Hotspot when the RADIUS server (User Manager) cannot authenticate the login. The same message is shown when you enter a bogus username and password. I don’t think it’s related to the missing TLS certificate. You’ll probably need the log for more information:

um-hotspot-log.png
Add a log topic entry for “manager” and you’ll see more details in the log. In the screenshot above I’ve entered some non-existing usernames. If the username and password are correct, the issue could be some missing association between user and profile and limitation. You must assign at least one user-profile association entry for each user and this entry must be “running active”. Before testing with the 1h access profile limitation, maybe you can create test accounts with unlimited access first to see if the login is working:


/user-manager profile
add name=unlimited name-for-users="Unlimited Access" validity=unlimited

/user-manager user group
add name=hotspot-users outer-auths=pap

/user-manager user
add group=hotspot-users name=test-unlimited password=aBcDeFgH123

/user-manager user-profile
add profile=unlimited user=test-unlimited

And try to login with test-unlimited and aBcDeFgH123.

And here is the 1h daily limitation from my tests:


/user-manager limitation
add name=one-hour-per-day reset-counters-interval=daily uptime-limit=1h

/user-manager profile
add name=daily-1h name-for-users="1h daily access" validity=unlimited

/user-manager profile-limitation
add limitation=one-hour-per-day profile=daily-1h

/user-manager user
add group=hotspot-users name=test-hotspot password=aBcDeFgH123

/user-manager user-profile
add profile=daily-1h user=test-hotspot

As for generating LE certificate with RouterOS you can follow the guide from here:

https://help.mikrotik.com/docs/spaces/ROS/pages/2555969/Certificates#Certificates-Let’sEncryptcertificates

In older RouterOS versions, you’ll need to temporarily enable the www service in RouterOS and make port TCP 80 of your router reachable from the internet while executing the command. This is still the case if you have a custom domain name (dns-name parameter). Current RouterOS versions can generate the certificate using the “DNS” method if you use the MikroTik cloud domain (no dns-name parameter), and in that case you don’t need port 80 open anymore. Don’t forget to check if the intermediate certificates are present as @Sindy wrote above.

Once you have the certificate, you can either re-run the wizard or modify the existing Hotspot Server Profile entry to select the certificate. The DNS Name of the Hotspot Server Profile must match the certificate.

Let’s Encrypt certificates must be renewed every 3 months (should be done earlier than that). RouterOS can automatically renew, but unfortunately, I think currently you’ll still need to manually switch to the new certificate in the Hotspot Server Profile entry’s parameters.