Firmware downgrading to version lower than Factory Firmware due to iOS issue with login page

Hi,

I currently have a CCR1009, which I have already upgraded to the latest stable version, 6.39.2. I am experiencing an issue with iOS devices not automatically showing the login page.
What I have tried after researching: 1) using a walled garden, 2) changing the DNS name to an external one. Neither of these worked for me. So I guess this is due to the MikroTik firmware version. I believe this is the case because I also have another MikroTik on version 6.35, and it has no issue with the iOS login page at all with the same settings.

Therefore I tried to downgrade from 6.39.2 to 6.35 but without success. I can only downgrade to version 6.38.5 which is the Factory firmware version, but not version lower than this.

So I really need your suggestions on how to downgrade to a lower version.

Thx
Nick

Please note that after trying to downgrade, the log shows an error: omitting package system-6.35: min RouterOS version is 6.38.5

How about trying to resolve the issue instead?
Have you contacted MikroTik support about this?
We have no other reports about iOS and hotspot on the latest versions. Maybe you have a mistake in the config and version has nothing to do with the issue?

We tested iOS 10 and iOS 11 beta and detected no hotspot login popup problems with RouterOS 6.40 RC

Oh well, Normis, please advise if I have made any mistake in this config.
Here is my config. I would love a professional to look at it. I am a newbie myself.

#RouterOS 6.39.2
#
# Two bridges split the switch ports by role: bridge1 for the hotspot ports,
# bridge2 for the LAN ports (membership is set under /interface bridge port).
# arp=reply-only makes the router answer ARP requests without learning
# neighbours dynamically; the DHCP servers in this export use add-arp=yes, so
# only hosts holding a lease (or a static ARP entry) get replies routed back.
# NOTE(review): statically addressed devices on these bridges, such as the
# access points implied by the extra /ip address entries, would presumably
# need static ARP entries - confirm.
/interface bridge
add arp=reply-only comment="bridge1: ether 4-5 as HOTSPOT" name=bridge1
add arp=reply-only comment="bridge2: ether 6-7 as LAN" name=bridge2

# Rename the physical ports after their role so later rules can refer to them.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-WAN
set [ find default-name=ether4 ] name=ether4-HOTSPOT
set [ find default-name=ether5 ] name=ether5-HOTSPOT
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN

# Layer-7 pattern referenced by the "Block Bittorrent" filter rules; it looks
# for BitTorrent handshake and tracker-request strings in the payload.
# NOTE(review): the alternative "get /scrape\?info_hash=get /announce\?info_hash="
# has no "|" between the scrape and announce parts, so as written it only
# matches the two strings back to back - confirm against the pattern's origin.
# NOTE(review): payload matching cannot see inside encrypted sessions, so this
# is a best-effort control rather than a guarantee.
/ip firewall layer7-protocol
add name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

# Hotspot server profile: the login page is served at 10.10.10.1 under the
# name wifi.com, and accounts are checked against RADIUS (use-radius=yes).
# login-by=http-chap,mac-cookie: no https method is listed, so the login form
# is served over plain HTTP with the password sent as a CHAP response.
# mac-cookie re-admits a device by its MAC address, which is client-controlled,
# so it is a convenience feature rather than an authentication factor.
# NOTE(review): wifi.com is a public domain name; presumably it is not owned by
# this operator - a name under a domain the operator controls avoids shadowing it.
/ip hotspot profile
add dns-name=wifi.com hotspot-address=10.10.10.1 login-by=\
    http-chap,mac-cookie name=HOTSPOT use-radius=yes

# Hotspot instance bound to bridge1 using the profile above.
/ip hotspot
add disabled=no idle-timeout=4h interface=bridge1 name=hotspot1 profile=\
    HOTSPOT

# User profiles: "!idle-timeout" unsets the idle timeout and keepalive-timeout
# is one day, with either unlimited or a single shared session per account.
# NOTE(review): with no idle timeout, a session presumably stays open for up to
# a day after the device has gone; together with MAC-based re-admission that
# widens the window in which a reused MAC inherits the session - confirm.
/ip hotspot user profile
add !idle-timeout keepalive-timeout=1d name=unlimited_user shared-users=\
    unlimited transparent-proxy=yes
add !idle-timeout keepalive-timeout=1d name=shared1user shared-users=1 transparent-proxy=yes

# Address pools handed out by the two DHCP servers below.
/ip pool
add name=pool_HOTSPOT ranges=10.10.10.2-10.10.10.254
add name=pool_LAN ranges=10.10.20.2-10.10.20.254

# One DHCP server per bridge. add-arp=yes writes each lease into the ARP table,
# which is what lets leased clients work with arp=reply-only on the bridges.
# The hotspot lease time is one day, the LAN lease time four hours.
/ip dhcp-server
add add-arp=yes address-pool=pool_HOTSPOT authoritative=after-2sec-delay \
    disabled=no interface=bridge1 lease-time=1d name=HOTSPOT_dhcp
add add-arp=yes address-pool=pool_LAN authoritative=after-2sec-delay disabled=no \
    interface=bridge2 lease-time=4h name=LAN_dhcp

# User Manager customer account. The password value XXX looks like a redaction
# made before posting; any real credential in an export should be masked the
# same way.
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw password=\
    XXX time-zone=+07:00

# Account profile: validity of 4w2d starting at first logon, limited to one
# shared user (override-shared-users=1).
/tool user-manager profile
add name=30day_shared1 name-for-users="" override-shared-users=1 owner=\
    admin starts-at=logon validity=4w2d

# Limitation attached to group shared1user; every limit is set to 0B / 0s.
# NOTE(review): zero presumably means "no limit" here - confirm.
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name=shared1user ip-pool="" name=\
    shared1user owner=admin transfer-limit=0B upload-limit=0B uptime-limit=0s

# Bridge membership: ether4-5 join the hotspot bridge, ether6-7 the LAN bridge.
/interface bridge port
add bridge=bridge1 interface=ether4-HOTSPOT
add bridge=bridge1 interface=ether5-HOTSPOT
add bridge=bridge2 interface=ether6-LAN
add bridge=bridge2 interface=ether7-LAN

# Router addresses: one per WAN uplink (all in private 192.168.x.0/24 ranges),
# the gateway address of each bridge, and a second subnet on each bridge that
# the comments describe as the access-point addresses.
# NOTE(review): the 10.0.10.0/24 access-point subnet shares bridge1 with the
# hotspot clients, so guests are on the same layer-2 segment as whatever
# devices use those addresses; a separate VLAN or filter rules would keep
# guests away from them - confirm how the access points are managed.
/ip address
add address=192.168.10.2/24 comment="WAN: ether1" interface=ether1-WAN \
    network=192.168.10.0
add address=192.168.20.2/24 comment="WAN: ether2" interface=ether2-WAN \
    network=192.168.20.0
add address=192.168.30.2/24 comment="WAN: ether3" interface=ether3-WAN \
    network=192.168.30.0
add address=10.10.10.1/24 comment="HOTSPOT: bridge ether4-5" interface=\
    bridge1 network=10.10.10.0
add address=10.10.20.1/24 comment="LAN: bridge ether 6-7" interface=bridge2 \
    network=10.10.20.0
add address=10.0.10.1/24 comment="Access point IP to HOTSPOT" interface=\
    bridge1 network=10.0.10.0
add address=10.0.20.1/24 comment="Access point IP to LAN" interface=bridge2 \
    network=10.0.20.0

# DHCP options per subnet: clients get the router's own bridge address as both
# gateway and DNS server.
/ip dhcp-server network
add address=10.10.10.0/24 comment="HOTSPOT pool" dns-server=10.10.10.1 \
    gateway=10.10.10.1
add address=10.10.20.0/24 comment="LAN pool" dns-server=10.10.20.1 gateway=\
    10.10.20.1

# allow-remote-requests=yes makes the router act as a DNS resolver for clients,
# forwarding to the two upstream servers listed.
# NOTE(review): the /ip firewall filter section of this export has no
# input-chain rules, so the resolver presumably also answers queries arriving
# on the WAN interfaces; limiting port 53 on the input chain to bridge1 and
# bridge2 would close that - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Address lists naming the WAN and local subnets for the mangle rules.
# NOTE(review): all three WAN entries carry a comment starting "WAN1:" although
# they belong to lists WAN2, WAN3 and WAN1 - the labels look copy-pasted.
/ip firewall address-list
add address=192.168.20.0/24 comment="WAN1: 192.168.20.0/24" list=WAN2
add address=192.168.30.0/24 comment="WAN1: 192.168.30.0/24" list=WAN3
add address=192.168.10.0/24 comment="WAN1: 192.168.10.0/24" list=WAN1
add address=10.10.10.0/24 comment="HOTSPOT: 10.10.10.0/24" list=LAN_HOTSPOT
add address=10.10.20.0/24 comment="LAN: 10.10.20.0/24" list=LAN_HOTSPOT

# Static filter rules. Only the forward chain is filtered, and only for
# BitTorrent: a source whose traffic matches the layer-7 pattern is put on
# bit-list for one minute, and while listed its TCP to ports other than 80/443
# and all of its UDP is dropped.
# NOTE(review): no input-chain rule appears here, so router services (DNS,
# management, RADIUS) are not filtered by these static rules, and nothing
# separates hotspot clients on bridge1 from the LAN on bridge2 once they are
# forwarded. Dynamic rules added by the hotspot itself are not part of an
# export - confirm what they cover.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward comment="Block Bittorrent" \
    dst-address-list=!bit-unblock-list layer7-protocol=layer7-bittorrent-exp \
    src-address-list=!bit-unblock-list
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward dst-address-list=!bit-unblock-list \
    layer7-protocol=layer7-bittorrent-exp src-address-list=!bit-unblock-list \
    src-address-type=local
add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address-list=\
    bit-list
add action=drop chain=forward protocol=udp src-address-list=bit-list

# Mangle rules for load balancing over three uplinks.
# The first accept rules stop processing for packets addressed to the WAN
# subnets themselves, so that traffic is not connection-marked below.
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN1
add action=accept chain=prerouting dst-address-list=WAN2
add action=accept chain=prerouting dst-address-list=WAN3
add action=accept chain=prerouting disabled=yes dst-address-list=LAN_HOTSPOT
# Connections that arrive at the router on a WAN port are marked with that
# WAN, and the router's replies (output chain) are routed back out the same way.
add action=mark-connection chain=input comment="INPUT: mark connection" \
    connection-mark=no-mark in-interface=ether1-WAN new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-WAN new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether3-WAN new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output comment="OUTPUT: mark connection" \
    connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes

# Per-connection classifier for hotspot traffic: nine buckets keyed on both
# addresses, buckets 0-3 to WAN1, 4-7 to WAN2 and 8 to WAN3 (a 4:4:1 split).
# hotspot=auth restricts these rules to clients that have already logged in.
add action=mark-connection chain=prerouting comment=\
    "PPC HOTSPOT: WAN1 (200Mbs) + WAN2 (200Mbs) + WAN3 (50Mbs)" \
    connection-mark=no-mark dst-address-type=!local hotspot=auth \
    in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:9/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=\
    both-addresses:9/8

# Same nine-bucket split for LAN traffic entering on bridge2 (no hotspot match).
add action=mark-connection chain=prerouting comment=\
    "PPC LAN: WAN1 (200Mbs) + WAN2 (200Mbs) + WAN3 (50Mbs)" connection-mark=\
    no-mark dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:9/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:9/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:9/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=both-addresses:9/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:9/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:9/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:9/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=both-addresses:9/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN3_conn passthrough=yes per-connection-classifier=both-addresses:9/8

# Translate each connection mark into the routing mark that selects the
# matching entry under /ip route.
add action=mark-routing chain=prerouting comment=\
    "Mark packets from each connection to to proper routes " connection-mark=\
    WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes

# Source NAT: masquerade everything leaving through each WAN port.
# NOTE(review): the last rule matches src-address=10.10.10.0/24 with no
# out-interface, so hotspot traffic is also masqueraded when it is forwarded to
# bridge2; LAN hosts then see the router's address instead of the guest's,
# which hides the real source in their logs. Adding an out-interface (or
# dropping the rule, since the three WAN rules already cover egress) would
# avoid that - confirm the intent.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=\
    "NAT to make local IP to be able to go to extranet" out-interface=\
    ether1-WAN
add action=masquerade chain=srcnat out-interface=ether2-WAN
add action=masquerade chain=srcnat out-interface=ether3-WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24

# Walled garden: destinations that clients may reach before logging in.
# The list includes captive.apple.com, which iOS fetches to detect a captive
# portal; letting that request through before login makes the network look
# open to the device, so no login sheet is shown (the point raised in this
# thread).
# A dst-host value starting with ":" is treated as a regular expression. The
# patterns here are anchored only at the start and leave "." unescaped, so they
# also match longer or look-alike hostnames; any entry that is kept should be
# anchored with "$" and have its dots escaped.
/ip hotspot walled-garden
add dst-host=:^www.apple.com
add dst-host=:^www.airport.us
add dst-host=:^www.itools.info
add dst-host=:^www.appleiphonecell.com
add dst-host=:^captive.apple.com
add dst-host=:^www.thinkdifferent.us
add dst-host=:^www.ibook.info

# Routes. The first three are selected by the routing marks set in mangle, one
# default route per uplink. The last three are unmarked default routes with
# increasing distance, giving failover for traffic that carries no routing mark.
# check-gateway=ping takes a route out of use when its gateway stops answering.
/ip route
add check-gateway=ping distance=1 gateway=192.168.10.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.20.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.30.1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=192.168.10.1
add check-gateway=ping distance=2 gateway=192.168.20.1
add check-gateway=ping distance=3 gateway=192.168.30.1

# RADIUS client entry: the hotspot service authenticates against 10.10.10.1,
# which is this router's own hotspot address; the User Manager router entry
# below uses the same address and secret.
# NOTE(review): secret=1234 / shared-secret=1234 is a short, guessable value
# and is posted in clear, unlike the redacted User Manager password. If it is
# the live value, replace it with a long random secret on both sides.
# NOTE(review): 10.10.10.1 sits on the hotspot bridge and this export shows no
# input-chain filter rules, so guests can presumably send packets to the RADIUS
# and CoA ports; using a loopback address for both entries, or filtering input
# from bridge1, would narrow that - confirm.
/radius
add address=10.10.10.1 secret=1234 service=hotspot

# accept=yes lets the router act on incoming RADIUS change-of-authorization
# and disconnect requests.
/radius incoming
set accept=yes
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=10.10.10.1 log=\
    auth-fail name=mikrotik shared-secret=1234 use-coa=yes

You have specifically added Apple captive portal checks to walled garden. This does one thing - makes sure iPhone does not show popup. Why did you make that config?

How iPhone checks if there is a login page:

  1. Connects to some WiFi point
  2. Checks if it can open “captive.apple.com” in background

now a very important thing happens!

A) If it receives the content it expects, it means there is no hotspot, and it does nothing.
B) If it does not receive the expected content, it means that some login page is present. It then pops open the login page.

You have added the checking mechanism to walled garden, so iPhone never knows that there is a login page (variant A)

Hi Normis,

Before posting this, I did some research on it.
As the login page does not show up, I did the following (as mentioned in the question):

  1. add the walled garden (meaning i did try adding and not adding this rule at the time the login page issue)
  2. change hotspot dns to .go .net .com .de .local…

Maybe could you please suggest something else?

delete all the walled garden rules and try again. then post new config

Here it is Normis

# Two bridges: bridge1 for the hotspot ports, bridge2 for the LAN ports. In
# this export the bridges themselves no longer carry an arp= setting.
/interface bridge
add comment="bridge1: ether 4-5 as HOTSPOT" name=bridge1
add comment="bridge2: ether 6-7 as LAN" name=bridge2

# Ports renamed by role; combo1 and sfp-sfpplus1 are disabled.
# arp=reply-only is set on ether4-7, which are bridge members.
# NOTE(review): address handling for bridged ports happens on the bridge
# interface, so arp=reply-only on the member ports presumably does not restrict
# clients the way the same setting on the bridge would - confirm.
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-WAN
set [ find default-name=ether4 ] arp=reply-only name=ether4-HOTSPOT
set [ find default-name=ether5 ] arp=reply-only name=ether5-HOTSPOT
set [ find default-name=ether6 ] arp=reply-only name=ether6-LAN
set [ find default-name=ether7 ] arp=reply-only name=ether7-LAN
set [ find default-name=sfp-sfpplus1 ] disabled=yes

# Layer-7 pattern referenced by the "Block Bittorrent" filter rules; it looks
# for BitTorrent handshake and tracker-request strings in the payload.
# NOTE(review): the scrape and announce alternatives are written without a "|"
# between them, so only their concatenation matches - confirm against the
# pattern's origin. Payload matching also cannot see encrypted sessions.
/ip firewall layer7-protocol
add name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

# Hotspot server profile: login page at 10.10.10.1 under the name wifi.com,
# accounts checked against RADIUS.
# login-by lists http-chap and mac-cookie only, so the login form is served
# over plain HTTP, and returning devices are re-admitted by MAC address, which
# the client controls.
/ip hotspot profile
add dns-name=wifi.com hotspot-address=10.10.10.1 login-by=\
    http-chap,mac-cookie name=HOTSPOT use-radius=yes

# Hotspot instance on bridge1; unlike the earlier export no idle-timeout is set.
/ip hotspot
add disabled=no interface=bridge1 name=hotspot1 profile=HOTSPOT

# The default user profile now runs "/tool fetch" on every login and logout.
# The url value is empty here, presumably removed before posting.
# NOTE(review): mode=http sends the request unencrypted; if the real URL carries
# user or session identifiers, an https endpoint protects them in transit.
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=1d on-login=\
    "/tool fetch mode=http url=\"\"" on-logout=\
    "/tool fetch mode=http url=\"\"" shared-users=unlimited \
    transparent-proxy=yes
add !idle-timeout keepalive-timeout=1d name=unlimited_user shared-users=\
    unlimited
add !idle-timeout keepalive-timeout=1d name=shared1user shared-users=1

# Address pools handed out by the two DHCP servers below.
/ip pool
add name=pool_HOTSPOT ranges=10.10.10.2-10.10.10.254
add name=pool_LAN ranges=10.10.20.2-10.10.20.254

# One DHCP server per bridge; add-arp=yes writes each lease into the ARP table.
# The authoritative= setting from the earlier export is no longer present.
/ip dhcp-server
add add-arp=yes address-pool=pool_HOTSPOT disabled=no interface=bridge1 \
    lease-time=1d name=HOTSPOT_dhcp
add add-arp=yes address-pool=pool_LAN disabled=no interface=bridge2 \
    lease-time=4h name=LAN_dhcp

# User Manager customer account; password=XXX looks like a redaction made
# before posting.
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw password=\
    XXX time-zone=+07:00

# Account profile: valid 4w2d from first logon, one shared user.
/tool user-manager profile
add name=30day_shared1 name-for-users="" override-shared-users=1 owner=admin \
    starts-at=logon validity=4w2d

# Limitation for group shared1user with every limit at 0B / 0s.
# NOTE(review): zero presumably means "no limit" - confirm.
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name=shared1user ip-pool="" name=\
    shared1user owner=admin transfer-limit=0B upload-limit=0B uptime-limit=0s

# Bridge membership: ether4-5 join the hotspot bridge, ether6-7 the LAN bridge.
/interface bridge port
add bridge=bridge1 interface=ether4-HOTSPOT
add bridge=bridge1 interface=ether5-HOTSPOT
add bridge=bridge2 interface=ether6-LAN
add bridge=bridge2 interface=ether7-LAN

# Router addresses: one per WAN uplink, one gateway address per bridge, and
# 10.0.0.1/24 for the access points.
# NOTE(review): the enabled 10.0.0.1/24 entry is commented "Access point IP to
# LAN" but is bound to bridge1, the hotspot bridge; the bridge2 copy is
# disabled. If the access points are managed on this subnet, guests share
# their layer-2 segment - confirm which bridge was intended.
/ip address
add address=192.168.10.2/24 comment="WAN: ether1" interface=ether1-WAN \
    network=192.168.10.0
add address=192.168.20.2/24 comment="WAN: ether2" interface=ether2-WAN \
    network=192.168.20.0
add address=192.168.30.2/24 comment="WAN: ether3" interface=ether3-WAN \
    network=192.168.30.0
add address=10.10.10.1/24 comment="HOTSPOT: bridge ether4-5" interface=\
    bridge1 network=10.10.10.0
add address=10.10.20.1/24 comment="LAN: bridge ether 6-7" interface=bridge2 \
    network=10.10.20.0
add address=10.0.0.1/24 comment="Access point IP to LAN" interface=bridge1 \
    network=10.0.0.0
add address=10.0.0.1/24 comment="Access point IP to LAN" disabled=yes \
    interface=bridge2 network=10.0.0.0

# ddns-enabled=yes registers the router with MikroTik's cloud DDNS service, so
# its public address becomes resolvable by name.
# NOTE(review): with no input-chain filter rules in this export, anything the
# upstream devices forward to this router reaches its services - confirm the
# DDNS name is actually needed.
/ip cloud
set ddns-enabled=yes

# DHCP options per subnet: the router is handed out as gateway and DNS server.
/ip dhcp-server network
add address=10.10.10.0/24 comment="HOTSPOT pool" dns-server=10.10.10.1 \
    gateway=10.10.10.1
add address=10.10.20.0/24 comment="LAN pool" dns-server=10.10.20.1 gateway=\
    10.10.20.1

# allow-remote-requests=yes makes the router a DNS resolver for clients.
# NOTE(review): without input-chain rules the resolver presumably also answers
# queries arriving on the WAN interfaces - confirm and restrict port 53 on the
# input chain to bridge1 and bridge2.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Static record pointing wifi.com at the hotspot address.
# NOTE(review): the record is served to every client of this resolver, LAN
# included, and overrides the public wifi.com domain; a name under a domain the
# operator controls avoids that.
/ip dns static
add address=10.10.10.1 name=wifi.com

# Address lists naming the WAN and local subnets for the mangle rules.
# NOTE(review): all three WAN entries carry a comment starting "WAN1:" although
# they belong to lists WAN2, WAN3 and WAN1.
/ip firewall address-list
add address=192.168.20.0/24 comment="WAN1: 192.168.20.0/24" list=WAN2
add address=192.168.30.0/24 comment="WAN1: 192.168.30.0/24" list=WAN3
add address=192.168.10.0/24 comment="WAN1: 192.168.10.0/24" list=WAN1
add address=10.10.10.0/24 comment="HOTSPOT: 10.10.10.0/24" list=LAN_HOTSPOT
add address=10.10.20.0/24 comment="LAN: 10.10.20.0/24" list=LAN_HOTSPOT

# Static filter rules: forward chain only, and only for BitTorrent. A source
# matching the layer-7 pattern goes on bit-list for one minute; while listed,
# its TCP to ports other than 80/443 and all of its UDP is dropped.
# NOTE(review): there is still no input-chain rule and no rule separating
# bridge1 (guests) from bridge2 (LAN). Dynamic hotspot rules are not part of an
# export - confirm what they cover.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward comment="Block Bittorrent" \
    dst-address-list=!bit-unblock-list layer7-protocol=layer7-bittorrent-exp \
    src-address-list=!bit-unblock-list
add action=add-src-to-address-list address-list=bit-list \
    address-list-timeout=1m chain=forward dst-address-list=!bit-unblock-list \
    layer7-protocol=layer7-bittorrent-exp src-address-list=!bit-unblock-list \
    src-address-type=local
add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address-list=\
    bit-list
add action=drop chain=forward protocol=udp src-address-list=bit-list

# Mangle rules for load balancing, now over two uplinks: every rule that
# refers to WAN3 is disabled.
# The leading accept rules stop processing for packets addressed to the WAN
# subnets themselves.
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN1
add action=accept chain=prerouting dst-address-list=WAN2
add action=accept chain=prerouting disabled=yes dst-address-list=WAN3
add action=accept chain=prerouting disabled=yes dst-address-list=LAN_HOTSPOT
# Connections arriving on a WAN port are marked with that WAN so the router's
# replies (output chain) leave the same way.
add action=mark-connection chain=input comment="INPUT: mark connection" \
    connection-mark=no-mark in-interface=ether1-WAN new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-WAN new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark disabled=yes \
    in-interface=ether3-WAN new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output comment="OUTPUT: mark connection" \
    connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn disabled=yes \
    new-routing-mark=to_WAN3 passthrough=yes
# Per-connection classifier for logged-in hotspot clients (hotspot=auth): five
# buckets keyed on the source address, buckets 0-3 to WAN1 and bucket 4 to WAN2.
# NOTE(review): the rule comment says "7x for WAN1 + 1x for WAN2" but the rules
# implement a 4:1 split - one of the two is out of date.
add action=mark-connection chain=prerouting comment=\
    "PPC HOTSPOT: 7x for WAN1 (200Mbs) + 1x for WAN2 (30Mbs)" \
    connection-mark=no-mark dst-address-type=!local hotspot=auth \
    in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=src-address:5/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:5/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:5/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    src-address:5/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local hotspot=auth in-interface=bridge1 \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    src-address:5/4
# Same five-bucket split for LAN traffic entering on bridge2.
add action=mark-connection chain=prerouting comment=\
    "PPC LAN: 7x for WAN1 (200Mbs) + 1x for WAN2 (30Mbs)" connection-mark=\
    no-mark dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:5/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:5/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:5/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN1_conn passthrough=yes per-connection-classifier=src-address:5/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge2 new-connection-mark=\
    WAN2_conn passthrough=yes per-connection-classifier=src-address:5/4
# Translate each connection mark into the routing mark used under /ip route.
add action=mark-routing chain=prerouting comment=\
    "Mark packets from each connection to to proper routes " connection-mark=\
    WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=\
    yes new-routing-mark=to_WAN3 passthrough=yes src-address-list=LAN_HOTSPOT

# Source NAT: masquerade traffic leaving through ether1-WAN and ether2-WAN; the
# ether3-WAN rule is disabled.
# NOTE(review): the last rule matches src-address=10.10.10.0/24 with no
# out-interface, so hotspot traffic forwarded to bridge2 is masqueraded too and
# LAN hosts see the router's address instead of the guest's - confirm the intent.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=\
    "NAT to make local IP to be able to go to extranet" out-interface=\
    ether1-WAN
add action=masquerade chain=srcnat out-interface=ether2-WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether3-WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24

# Routes: one marked default route per uplink (selected by the mangle routing
# marks) followed by unmarked default routes with increasing distance for
# failover. Both WAN3 routes are disabled. check-gateway=ping takes a route
# out of use when its gateway stops answering.
/ip route
add check-gateway=ping comment=Gateway distance=1 gateway=192.168.10.1 \
    routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.20.1 routing-mark=to_WAN2
add check-gateway=ping disabled=yes distance=1 gateway=192.168.30.1 \
    routing-mark=to_WAN3
add check-gateway=ping comment=\
    "Failover: if one of the WAN fail, swtich to the next" distance=1 \
    gateway=192.168.10.1
add check-gateway=ping distance=2 gateway=192.168.20.1
add check-gateway=ping disabled=yes distance=3 gateway=192.168.30.1

# RADIUS client entry: the hotspot authenticates against 10.10.10.1, this
# router's own hotspot address, where the User Manager router entry below uses
# the same address and secret.
# NOTE(review): secret=1234 / shared-secret=1234 is short, guessable and posted
# in clear. If it is the live value, replace it with a long random secret on
# both sides and mask it in future exports.
# NOTE(review): the address is on the guest bridge and the export has no
# input-chain filter rules, so guests can presumably send packets to the RADIUS
# and CoA ports; a loopback address or an input filter for bridge1 would narrow
# that - confirm.
/radius
add address=10.10.10.1 secret=1234 service=hotspot

# accept=yes lets the router act on incoming change-of-authorization and
# disconnect requests.
/radius incoming
set accept=yes


# Location of the User Manager database.
/tool user-manager database
set db-path=user-manager

/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=10.10.10.1 log=\
    auth-fail name=mikrotik shared-secret=1234 use-coa=yes