hotspot-like functionality on dhcp lease

SHORT DESCRIPTION, DETAILS FOLLOW BELOW
notify client of our webpage when he connects, without hotspot restrictions .. possible?

Hi all,
first of all thanks everyone for your contributions, I’ve been searching around the manual and this forum for a while, and so far I’ve found everything I needed.

Except this time, a client asked for hotspot-like functionality but without the hotspot restrictions.
Basically we don’t want to disrupt the user’s experience when connecting to WiFi, we want them to have a smooth experience (just like when they connect to their home network),
but on the other hand we’re looking for a way to present them our webpage.

What I mean is we want the clients to get notified through the device’s CNA, because that way they are presented with our external webpage, on which we perform various tasks such as advertising, login etc.
It’s up to them to tap/click on the CNA notification, but Internet connectivity should not be a problem, we want them to be able to connect anywhere they want as soon as they connect to our WiFi network.

Connect anywhere is currently not possible when hotspot is enabled, mainly because of HTTPS - various applications rely on Internet connectivity through HTTPS. I tried SSL decryption but that doesn’t always work.
On top of that, hotspot adds a lot of unnecessary overhead on RouterOS, so it seems like too much work when we just want to display our webpage.

steps I’m currently thinking of:

1. when client connects, a DHCP lease is bound for his address
2. add a firewall filter rule for that address to redirect him to our webpage
3. delete that filter -- (when?)

Is this the right way to go about this?
If yes, what would that fw rule be like?
When do we delete that rule so we don’t disrupt the user’s experience?

Hope all that makes sense, English is not my native language.
Any thoughts/suggestions very much appreciated!

What you can do is use hotspot, but alter the login page so that it has a certain username and password prefilled in HTML form fields.

That way, when the user hits the “Log in” button (which you can rename to something else… say, “Start my internet” or whatever), they’ll log in with that username.

It should go without saying that the hotspot username must be one that has unlimited shared users.

thnx boen_robot, though we want to avoid hotspot, for the reasons I described above


to rephrase:
is there a way to redirect ports 80,443 to a specific URL?

/ip firewall nat add \
        chain=dstnat \
        protocol=tcp \
        dst-port=80,443 \
        src-mac-address=00:1E:C2:B2:54:69 \
        action=dst-nat \
        to-addresses=87.43.32.112

fails with error:
failure: srcnat chain can not contain redirect/dnat actions

I guess I’m trying something stupid, but how could I redirect a client to my website without using hotspot?
Looks like a transparent proxy is the way to go, how would I go about that? Help anyone?
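
An added example, not part of any post in this thread: one way to express the three steps from the first post (lease bound, redirect, remove) in RouterOS without hotspot, using an address list whose entries expire on their own. Assumptions: `192.0.2.10` is a placeholder for the portal web server, `dhcp1` is the DHCP server name, and `first-visit` and the `2m` timeout are made-up values. Only port 80 is redirected, because a TLS connection dst-nat'ed to a different host fails certificate validation on the client; the external database of returning MACs mentioned in the thread is not implemented here.

```routeros
# Added example (not from the thread). Placeholder values:
#   192.0.2.10  = portal web server (documentation address, replace with yours)
#   dhcp1       = name of the DHCP server serving the WiFi clients (assumed)
#   first-visit = address list name (assumed), 2m = how long the redirect lasts

# Step 2 of the plan: one static NAT rule in the dstnat chain.
# It matches only clients that are currently on the "first-visit" list and
# only plain HTTP. HTTPS (443) is deliberately not matched: sending a TLS
# session to another server produces a certificate error, not a page.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
    src-address-list=first-visit action=dst-nat \
    to-addresses=192.0.2.10 to-ports=80 comment="first-visit portal"

# Step 1 of the plan: the DHCP server runs lease-script on every bind/unbind.
# $leaseBound is 1 on bind; $leaseActIP is the address handed to the client.
# The script puts that address on the list with a timeout.
/ip dhcp-server set [find name="dhcp1"] lease-script=":if ([:tonum \$leaseBound] = 1) do={ /ip firewall address-list add list=first-visit address=\$leaseActIP timeout=2m }"

# Step 3 of the plan ("delete that filter -- when?"): nothing to delete.
# The address-list entry is dynamic and disappears after the timeout, so the
# NAT rule stops matching that client and all traffic flows normally.

# Check which clients are currently being redirected:
/ip firewall address-list print where list=first-visit
```

If a client renews within the timeout, the `add` fails because the entry already exists and the script stops there, which leaves the existing entry and its remaining timeout in place.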

The reason for not using hotspot that you describe above is that you don’t want users to enter a username and password. But you still want an HTML page displayed just the very first time a user enters, up to a certain point, when their previously established session expires.

Doing a hotspot with an will achieve just that.

Yes I’m aware of the shared user set in hidden form attributes, I’ve been using that for a while.
Though as I said, we want to minimize the user’s awareness of a captive network.
We don’t want to disrupt their experience, a CNA notification is fine for that matter.

Maybe I’m missing something, but it seems an overkill to enable hotspot just for that CNA notification when the device connects.
Also note, that upon first dhcp lease on a MAC, that address will be saved (on our external db) and the device will never be notified again when connecting (i.e. when coming back to our store).

We don’t want to force the user into anything in order to get online.
Same thing happens when he’s at home, the first time he enters a key, after that he never has to do anything again, he just connects when he’s in range of his AP/home router. So, we want him to “feel at home”.


EDIT:
with hotspot I could try setting a hotspot IP binding for every returning device, but that would fill up rather quickly, it would be best to offload a service like that to an external server.

So I guess this is not doable .. thanks anyway boen_robot, your help is very much appreciated

I’m now thinking this whole idea differently, so:
is it possible to enable hotspot for a specific client device only?

PS: it would be nice if there were documentation on what “enable hotspot” does in detail,
i.e. the commands sent to the RouterOS