Greetings all!
Although I played with older versions of Mikrotik in the past, I never really learned much about it. Now, I need your help to set up a fairly simple hotspot.
Hardware:
RB750G connected to DSL modem
Airlive WL-5460AP v2 (connected to RB via LAN)
D-Link DWL-2000AP+ (connected to RB via LAN)
What is needed:
Hotspot which is accessible through 2 APs with a user/password that I provide to clients for them to type on start screen (when they connect to AP);
Need to either limit max. traffic made per user to xxx MB (per day or even per total time they are to be connected) or to be able to limit access only to certain protocols (like HTTP and POP/IMAP);
Need to share bandwidth evenly among currently connected users (except admin, of course)
Need some type of guest account which will have only HTTP protocol enabled, minimum bandwidth and amount of traffic (username/pass for guests will be displayed on start page with instructions to ask staff for username/pass if you want non-guest account);
Would be nice if I can “shield” each user from other users, thus preventing unauthorized access to user computers.
This is basically it, I apologize for using a lot of words when describing instead of more expert terms.
Furthermore, I would like to know how to set up the APs properly. I have them set like this at the moment:
AP mode (b+g mix)
Open system
SSIDs: “xxx_1” first AP, “xxx_2” second AP
Channel 1 on first AP, channel 12 on second AP
Fixed LAN IP addresses (192.168.1.10 first AP and 192.168.1.20 second AP, RB is 192.168.1.1)
DHCP off on both APs
Gateway is 192.168.1.1 on both APs
Is everything correct or do I need to change or add something?
I know this is a fairly simple setup but I really need your help. Thank you all in advance!
Sounds like it should work, go with static IPs. Management IPs shouldn’t be assigned via DHCP.
The wiki has basic guides to enabling a Hotspot, or just run “/ip hotspot setup” on the router to be guided through the setup process by just answering a couple of questions.
But if I set DHCP off on the APs, how (and will) the RB750 assign IP addresses to clients connected to a certain AP?
I mean, is it possible for the RB to assign a dynamic IP if there’s an AP between it and the client? I apologize if I ask a stupid question but I’m totally uncertain about that thing.
The APs should be set to bridge the wireless radio and wired port. The APs should NOT be the layer three hop for the customers, the Hotspot MUST be the layer three hop (the gateway).
If it’s really an access point and not a router, then it’s a layer 2 device. Yes the MikroTik will be able to hand out DHCP over an access point. If you actually have routers, some of them will have an AP mode, or you can “trick” it into acting like an AP by turning off the DHCP server inside of them and plugging the Ethernet cable into one of the LAN ports and not the WAN port. Though honestly if you do either of these things you are just asking for problems and headaches further down the road. In general D-Links are horrible to use, we tried them out for a period of time on our networks and will never use them again. They are designed for at home use, and have no place in a production network in my opinion. Invest the money in some actual access points.
Since you are just starting, assigning an IP address to equipment in the same subnet is fine, but you may want to consider assigning it a different IP address in a different subnet. This way people cannot do a scan on the local subnet and try and access your equipment. You can also set up filter rules to prevent them from accessing the equipment through the MikroTik.
As for isolating clients from each other, that is up to the edge equipment, in this case your access points. Most modern access points will offer you some form of client isolation, but you will need to look at your equipment to determine if it has it and to set it up. Whenever you want to prevent clients from talking to each other over a layer 2 network, then the protection needs to be set up at the very edge of the network where the clients connect, it’s not possible for a router or gateway to do this. You can however set up the necessary protection to prevent a client connected to AP01 talking to someone on AP02 with the MikroTik since according to your setup both APs will connect directly to it and traffic will have to be forwarded through the MikroTik to get to the other device.
For rate limits and such you are looking at the Hotspot setup. For offering different tiers of service, you can have these things local to the MikroTik, but if you are planning on having multiple locations, then look into a central AAA server or service. Managing different access codes at different locations is ok for one or two networks, but the more networks you have the more problems you are asking for and you will spend a lot more time doing it that way than with a central service. Usermanager might be a good place to start, or you can set up something with FreeRadius, or there are pay-for services out there that will help you out and get you started. They’ll also usually offer other services along with the use of their Radius server such as login page hosting, and equipment monitoring and management.
Getting someone to consult with would be a good idea to start, but this should get you set down the right path. I would strongly recommend setting what you want to do up in your office first to test it and once you are satisfied with everything move up from there. If you plan on doing this more often, it would also be well worth your time and money to get a test box and network set up where you can figure these things out and try them out before doing them on a live network.
I’ve already tried what you mentioned above and it’s working properly. As for APs, they are D-Link DWL-2000AP+ and Ovislink Airlive AP5460 V2. I’m aware of the fact that the D-Link is obsolete and a poor choice but it’s only temporary here, just to serve for the first setup of the network. Airlive is a different story and I’m overall very pleased with the performance and setup options this one gives (considering the price). Furthermore, I have to stress the fact that this network will have 1-4 simultaneous users in 99% of the usage time, therefore I don’t require top notch gear.
Since you are just starting, assigning an IP address to equipment in the same subnet is fine, but you may want to consider assigning it a different IP address in a different subnet. This way people cannot do a scan on the local subnet and try and access your equipment. You can also set up filter rules to prevent them from accessing the equipment through the MikroTik.
Thanks for pointing that out. My first goal is to raise the network and to make it work actually. After that I’ll try to implement other things. I still have a hard time comprehending the fact that on one router (network) there can be more than one subnet. I’ve only dealt with plain and simple routers so far.
As for isolating clients from each other, that is up to the edge equipment, in this case your access points. Most modern access points will offer you some form of client isolation, but you will need to look at your equipment to determine if it has it and to set it up. Whenever you want to prevent clients from talking to each other over a layer 2 network, then the protection needs to be set up at the very edge of the network where the clients connect, it’s not possible for a router or gateway to do this. You can however set up the necessary protection to prevent a client connected to AP01 talking to someone on AP02 with the MikroTik since according to your setup both APs will connect directly to it and traffic will have to be forwarded through the MikroTik to get to the other device.
Thanks, the information that I cannot isolate clients on the router level was the one I was looking for. Airlive has an option to isolate clients and I’ll turn it on. Just wanted to make sure that I know whether the RB can do it or not.
For rate limits and such you are looking at the Hotspot setup. For offering different tiers of service, you can have these things local to the MikroTik, but if you are planning on having multiple locations, then look into a central AAA server or service. Managing different access codes at different locations is ok for one or two networks, but the more networks you have the more problems you are asking for and you will spend a lot more time doing it that way than with a central service. Usermanager might be a good place to start, or you can set up something with FreeRadius, or there are pay-for services out there that will help you out and get you started. They’ll also usually offer other services along with the use of their Radius server such as login page hosting, and equipment monitoring and management.
I will have only 1 network consisting of the RB and 2 APs connected via LAN to the RB. Nothing else. I want 2 types of permanent accounts, 1 guest with minimum rights and the other with full speed but limited in traffic amount or protocol used. There will be no payments, no tickets, no PayPals, etc. I need to use this because the Internet connection I’ll use in this network is limited in traffic amount on a monthly basis. That’s why I cannot have some of the clients connect and start sucking data from the net as much as they want.
Getting someone to consult with would be a good idea to start, but this should get you set down the right path. I would strongly recommend setting what you want to do up in your office first to test it and once you are satisfied with everything move up from there. If you plan on doing this more often, it would also be well worth your time and money to get a test box and network set up where you can figure these things out and try them out before doing them on a live network.
I have a few noob questions again:
Situation is like this:
RB is online (IP 192.168.88.1)
ether1 is connected to DSL modem, PPPoE client is running, connection is up.
Airlive is connected to ether2, DHCP on it is off, static IP is 192.168.88.10, gateway is 192.168.88.1
D-Link is on ether3, DHCP on it is off, static IP is 192.168.88.20, gateway is 192.168.88.1
DHCP server is running and it’s dishing out addresses from .50 to .254, but it’s doing that only on ether2. First question is: 1. How do I set up DHCP the proper way? Do I raise 2 DHCP servers (one for ether2 and the other for ether3) and split the IP pool among them or do I do it some other way? Newb question, I know.
After that - Hotspot issue. When I run the Hotspot setup option: 2. Should the local address subnet be different than my first subnet or not?
3. What IP to put under SMTP server and is that really important to me at this point?
4. What to put under DNS servers? First IP of RB (192.168.88.1)? IP of Hotspot (10.5.50.1)? Certainly not IPs of my ISP DNS servers?
If I manage to get Hotspot up and running: 5. How do I make it work on ether2 and ether3?
Again, I know these are newb questions but I’m really stuck.
1.) You can do it that way, but I find the easiest way to manage and set that up would be with a bridge. Make the bridge and assign the Ethernet ports to it. Use the horizon feature to prevent traffic from coming in one port of the bridge going out the other (the preventing a client on one AP from talking to a client on another AP I mentioned). Put the IP address, Hotspot, DHCP server, etc all on the bridge interface. This way you have one pool and set of rules to potentially maintain instead of two.
2.) You’ll want the DHCP server to hand out addresses that are considered local to the router (in the same subnet) so if your router is set up with 192.168.88.1/24 as its address, then set up the DHCP pool and server to hand out 192.168.88.50-192.168.88.254 or whatever number of addresses that you want.
3.) If you put in an address for an SMTP server it dynamically makes a forward rule that will redirect all tcp traffic going over port 25 to a different IP, namely your SMTP relay server. If you don’t have one, ignore that setting. If you do have one set up, put in your relay server’s IP address. This is used since guests coming to a network will have their own relay server settings, and a lot of times these servers are locked down so they won’t be able to send e-mails out of your network, you get around this by bouncing their e-mails off of your server.
4.) For the DNS settings, you will want to put in actual DNS servers. These are not only used by the router to look up DNS names when it’s asked to, but will be handed to guests when they pick up a DHCP lease.
5.) Assign the hotspot to an interface, so if you do what I did with number one and assign the hotspot to the bridge, then it will be running off of ports 4 and 5. Modify it as you need.
For a basic local authentication hotspot, you can make any number of user names and passwords that the MikroTik will use to authorize people on the network for, you can then assign these user names and passwords to a profile and assign various attributes to them, such as bandwidth restrictions, how many can sign in with the account at a time, a time out, idle time out, etc. The Wiki link below goes into more depth of what the options are. http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot#ip_hotspot_user_profile
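The bridge, horizon, DHCP and hotspot layout described in the numbered answer above, written out as an added example that is not from the thread or from MikroTik’s documentation; it uses the thread’s 10.5.50.0/24 addressing, while the bridge and profile names, the upstream DNS address, the password and the MAC address are assumptions or placeholders. It also shows where the per-account traffic quota (limit-bytes-total) is set.

```routeros
# Added example (not from the thread). Names, DNS address, password and MAC
# are placeholders; adjust to your own network.

# 1) One bridge for both AP ports. The same horizon value on ether2 and ether3
#    stops the bridge forwarding frames between them, so a client on AP01 cannot
#    reach a client on AP02 through the router. Clients on the SAME AP still
#    need the AP's own client-isolation setting, as the thread says.
/interface bridge add name=bridge-hotspot
/interface bridge port add bridge=bridge-hotspot interface=ether2 horizon=1
/interface bridge port add bridge=bridge-hotspot interface=ether3 horizon=1

# 2) Router address, pool and DHCP server all on the bridge: one pool and one
#    set of rules instead of two. Leases are in the router's own subnet.
/ip address add address=10.5.50.1/24 interface=bridge-hotspot
/ip pool add name=pool-hotspot ranges=10.5.50.50-10.5.50.254
/ip dhcp-server add name=dhcp-hotspot interface=bridge-hotspot \
    address-pool=pool-hotspot disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 \
    dns-server=10.5.50.1

# 3) Real upstream resolvers (203.0.113.53 is a placeholder for the ISP DNS).
#    allow-remote-requests lets the router answer the hotspot clients itself.
/ip dns set servers=203.0.113.53 allow-remote-requests=yes

# 4) Hotspot server bound to the bridge. No SMTP relay here, so smtp-server
#    is simply left unset and no port-25 redirect is created.
/ip hotspot profile add name=hs-profile hotspot-address=10.5.50.1 \
    login-by=http-chap,cookie,trial
/ip hotspot add name=hotspot1 interface=bridge-hotspot \
    address-pool=pool-hotspot profile=hs-profile disabled=no

# 5) Two tiers: "client" (full rate, shared login) and "guest" (trial login,
#    low rate, short uptime).
/ip hotspot user profile add name=client rate-limit=1M/1M shared-users=50
/ip hotspot user profile add name=guest rate-limit=128k/128k shared-users=10
/ip hotspot profile set hs-profile trial-user-profile=guest \
    trial-uptime-limit=30m

# limit-bytes-total is counted per user ENTRY, not per MAC address: with
# shared-users=50 everyone logging in as "client" draws from one 500 MB
# counter, which is the "quota reached" behaviour reported in the thread.
# Per-person quotas need one user entry per person (or RADIUS accounting).
/ip hotspot user add name=client password=CHANGE-ME profile=client \
    limit-bytes-total=524288000

# 6) Bypass the admin laptop so winbox and Internet work without the login
#    page (placeholder MAC).
/ip hotspot ip-binding add mac-address=00:11:22:33:44:55 type=bypassed \
    comment="admin laptop"
```

After pasting, `/ip hotspot export` shows the resulting configuration, which is what the later reply in the thread asks to see.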
Apologies for not replying sooner but I had a lot of work and stopped working on Mikrotik.
Anyway, thank you Fewi and Feklar for your help, I’ve managed to get it up and running. I really appreciate it very much.
It seems I was making an error from step one when I was leaving some of the default Mikrotik configuration working (IP address and switching). I was under the impression that without a proper IP address the router won’t work even if there’s a Hotspot address assigned. When I removed that it actually started to work without any hiccups. However, I still have a few questions to ask:
I’ve set up “client” user account with 500 MB total traffic (Limit Bytes total). After a while people start complaining about not being able to connect anymore. When I tried to log in with that user account it gave me message that traffic quota is reached. I was under the impression that traffic quota is done for each user connecting with this user account (via MAC address), not shared all together. Same thing with other accounts. What am I doing wrong ?
Since I have 2 APs on ether2 and ether3 I would like to have ether4 (and perhaps 5) be able to access ether1 (DSL line) and configurations without any restrictions. I know it’s a trivial thing for you but I don’t know how to route this in Winbox.
When I connect to wireless on 1 AP with my laptop can I set it up NOT to have the login screen and to have full access without logging on?
I’m having trouble connecting with winbox via wireless. It takes a long time for the MikroTik to show up on the list and when it shows up it takes 5-6 tries to connect properly. The first 5-6 tries it says “mikrotik could not fetch index… etc”. How do I avoid this?
My two APs now have SSIDs “xxxx_1” and “xxxx_2”. If I name them the same (just “xxxx”) will it work properly? I know that it has nothing to do with Mikrotik but with the APs but I’m taking the opportunity to ask you.
Glad that you got it working. They are really nice little routers.
1.) I’d have to see your hotspot configuration to say for sure, but where did you define the limit? You’ll want to have defined it under ‘user profile’. If that’s where you have it, I would try assigning it to the radius profile (I’m assuming you are using some form of Radius) instead to see how that goes.
2.) It depends on what goals you are looking for. If you are looking to completely bypass the hotspot there but still have them on a private IP subnet, then you can either bridge those two ports together and set up a different subnet from the guest network with its own DHCP server and NAT rules, or if you are looking for it to be on layer two with the DSL line then you can bridge those three Ethernet ports together and see how that goes. It might get a little tricky, but that’s all it should take.
3.) You can set up what’s called an IP Binding for your computer or others with them being bypassed. That is basically what you are looking for.
4.) Try connecting to it via its IP address instead of its MAC. That might work better for you. Other than that I would check your wireless connection by trying to ping the MikroTik and the outside world to see if and where you are getting packet loss.
5.) Yes you can assign them the same SSID and it will work, the guests computer will automatically display and associate to the one with the strongest signal. The only problem that might come up is if a guest moves out range of one, sometimes computers like to hold onto the association to another access point way too much. The only real reason why you would need to have different SSIDs in a hotspot is so you can make clients associate to only a specific AP if there is a problem with one, or for whatever reason their computer doesn’t like one AP over another. It’s been known to happen, but it is rare. Usually different SSIDs are supposed to denote a different network so having different SSIDs can confuse some people.
My Hotspot configuration is plain and simple. Bridged ether2 and ether3 (where my APs are connected), raised Hotspot with 10.5.50.1 address and the same pool, HTTP CHAP, Cookie and Trial are the only ones active, Radius is off. Besides admin I have 1 more user account for clients. There I’ve defined the traffic limit (user > Limits > Limit Bytes Total) at 500MB for 1 day. Under “user profiles” I have 2 profiles: “client” for users that connect with the account I made and “guest” for users that connect via the trial account. Under client I only defined the number of simultaneous users (50), rate limit (1mbit) and nothing else. There is no traffic amount option here, only under “Users”.
Do I have to use Radius in order for each user to get their own traffic quota or not? Again, I was under the impression that each user gets their own traffic quota via MAC address, no matter how many users are on the same username and password.
2.) It depends on what goals you are looking for. If you are looking to completely bypass the hotspot there but still have them on a private IP subnet, then you can either bridge those two ports together and set up a different subnet from the guest network with its own DHCP server and NAT rules, or if you are looking for it to be on layer two with the DSL line then you can bridge those three Ethernet ports together and see how that goes. It might get a little tricky, but that’s all it should take.
Thanks, I’ll try it.
3.) You can set up what’s called an IP Binding for your computer or others with them being bypassed. That is basically what you are looking for.
Tried that and it’s working, thank you. The only small issue here is that I need to have the IP address on my laptop in the same subnet as the Hotspot, in order to have internet access and winbox working properly. Or not?
4.) Try connecting to it via its IP address instead of its MAC. That might work better for you. Other than that I would check your wireless connection by trying to ping the MikroTik and the outside world to see if and where you are getting packet loss.
Well, it’s working much better if I log in on the Hotspot before I use winbox. That’s why I wanted this thing under 3, to avoid logging in every time I want to use winbox or the internet.
Tell me, do I need to assign some IP address to the routerboard itself or not? Because now, the only IP addresses I have on it are the ones from the Hotspot, nothing else.
5.) Yes you can assign them the same SSID and it will work, the guests computer will automatically display and associate to the one with the strongest signal. The only problem that might come up is if a guest moves out range of one, sometimes computers like to hold onto the association to another access point way too much. The only real reason why you would need to have different SSIDs in a hotspot is so you can make clients associate to only a specific AP if there is a problem with one, or for whatever reason their computer doesn’t like one AP over another. It’s been known to happen, but it is rare. Usually different SSIDs are supposed to denote a different network so having different SSIDs can confuse some people.
Well, now I have 2 of the same APs (Airlive 5460AP v2) therefore “specific AP problems” are ruled out with that. I guess I could try with the same SSID for some time and see whether there are any problems that way.
BTW, how do I access the APs’ config menu via wireless? It seems it won’t let me access the login page when I go to their given IPs in the browser (10.5.50.10 and 10.5.50.20)?
1.) That’s what I would think it should be doing too, but that could be expected behavior if it’s making the assumption that each user will have their own unique user name and password. Radius may be able to get around this if the router interprets each sign in attempt with a certain user name and password as a different user account instead of an overarching one. Please post the results of ‘/ip hotspot export’ and maybe we’ll see something that could be causing it, but I’m thinking it’s probably the reasons why I listed above. We generally don’t care how much an end user downloads or uploads, just the rate that they have.
2.) Technically you shouldn’t need it if the universal NAT on the hotspot is working and you didn’t define an IP address when you made the IP binding, I could be wrong on this point though. However in general, in order to access a non-routable IP address you need to be in the same subnet as the IP you are trying to access.
3.) Not being bypassed or signed in would do that. That is because your winbox connection is being grabbed and processed by the hotspot rules, which happens very early on in the router. The packet flow diagram will probably help you understand this a bit better. http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
4.) I’m not exactly sure what you are asking here? The 10.5.50.1 IP address is assigned to your router on the LAN interface bridge, the public IP address(es) you have are assigned to the router on the WAN interface. The router will respond to those IP addresses since they are assigned to it. It will route from the LAN to the WAN because that’s what routers do and you have the necessary NAT rule and routes for it to know where to send traffic. So the router does have IP addresses assigned to it.
5.) That could be a number of things. Maybe your access points don’t allow administration over the wireless interface. I also don’t know how your bridge is set up or your filter rules, but if you assigned a horizon to the bridge ports, any traffic going in one interface will not be able to go out another interface. Or if you have explicit drop rules in place to prevent that. My guess with the limited information that I have is it’s a combination of both. Are you looking for a way to locally administer the access points, or remotely administer them? If you are looking for local administration it might be worth your time setting up VLANs, where the management interface of the access points would be on one, and the wireless interface of them would be on another. Then if the AP supports that you can set up a special SSID just for yourself that has access to that VLAN that has an encryption key so guests don’t have access to it. Otherwise add another port to the bridge, don’t assign a horizon value for it and plug into that port and see if you can access the equipment that way.