Has anyone set up a hot spot on some kind of big iron for a 2,000 user application?
I need to provide captive portal splash page for conference -
Looking at Nomadix box, but its going to cost $16,000 for 2,000 user in HA arrangement.
I have done lots of apploications on a RB750, but only 10 or 20 users max.
Yup. Works a heck of a lot better than Nomadix, too.
http://mum.mikrotik.com/presentations/US10/FelixWindt.pdf - that outlines basic details for optimizing Hotspot performance.
You will want to offload authentication (external AAA) unless everyone is going to use the same username and password. The local user database only really scales to about 100 users for efficient look ups - but it is much faster if everyone uses the same account. Post details on your requirements if you need more information.
I would also definitely offload DNS. The built in DNS server isn’t made for lots and lots of concurrent requests. It is very simple to install a Linux/BSD (or anything else) server and run a simple caching forwarder. Alternatively hand out DNS servers on the Internet, either ones you already control, or something close by (ISP).
You will definitely want to run the short circuits outlined, both for authenticated traffic and DNS:
/ip firewall nat
add chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
add action=accept chain=pre-hotspot dst-port=53 protocol=udp
DHCP can run on the router as long as you pick large enough subnet sizes and long lease times (I would recommend a /16 and 3h lease times for that many users).
Where the HTML should be hosted depends on what needs to be shown to users, if you post details on what your requirements are I can make more recommendations. Basically - if you need to show a login page, and the combined resources of it exceed 100KB, use an external web server. Keep the login.html as light as possible by moving everything you can into files that are referred to (external CSS etc.) so that client processes that will never need those since they can’t do anything with them (like desktop widgets) don’t have to be served that data.
Use PCQ instead of simple queues, simple queues don’t scale to thousands of users. This is the most important part to scale to many users.
I’ve run 1,800 concurrent users with the above optimizations on an RB1100, but it ran at near 90%. An RB1100AH, RB1000, or RB1100AH2 (depending on when you buy) is should handle 2,000 users just fine. Also keep in mind that while you’ll want to plan for the capacity of users given to you in my experience about half of that number will actually connect.
We’re also running 5.0 on Dell P210s (hardware + level 6 license comes to approximately $1,000). We’re still in the testing phase so I haven’t done huge numbers on them yet, but the other day we had 500 concurrent Hotspot users on one and it was running at 5% utilization. Getting the OS installed is a little tricky since you have to remove the hard drive and do it in another machine for some reason, but after that it seems to work flawlessly.
RouterOS will NOT be able to do true HA for this, where if a router fails users transparently go through a standby router. There are no provisions for syncing user state, for one thing. You could possibly use VRRP, but at the very least users would be shown a login screen since the new router wouldn’t know anything about them. True HA is simply not possible on RouterOS for Hotspot applications, the OS doesn’t support it.
I would go for a warm standby. Have another router ready, configured the same way. Have all user traffic come into the main switch where the routers hook up on a VLAN, with the primary accepting that VLAN on a port. The secondary sits on a port that has the VLAN pruned off. Should the primary fail, reconfigure the switch ports to put the VLAN against the second router. Alternatively simply replug cables. Simple is better - the more complicated your failover solution is, the more likely it is going to cause problems with normal processes. You can hard set the MAC address of the inside interface on both routers to the same so that clients don’t have to re-ARP for their gateway, but have to make sure you only ever have one router connected to the inside network (could be a VLAN) at the same time to prevent duplicate MAC address issues.
A variation of this is to have the warm standby not be a captive gateway at all, but to just let people out to the Internet (configure it the same way as the primary but turn off the Hotspot). The idea there is that after a failure customers shouldn’t be bothered with the downsides of the failover and should just get network access.
Well, just found another thread by you: http://forum.mikrotik.com/t/hotspot-with-extreme-number-of-users-and-ha/46335/1
Does anyone have experience using Hot Spot in applications with high numbers of users? I need a solution that will support 2,000 active sessions. The Hot Spot part will be simple - no accounting needed, just simple splash page and “accept use policy” checkbox. I will use the same user account for all logins.
I have done this dozens of times using RB750’s or similar, same set-up, but only 20 or so users max per location.
Running RouterOS on big iron is no propblem either, as we will have a half rack anyway, and can afford a couple of 1U servers or the like.
I will also need HA using VRRP, although I understand that in a situation where the master router fails all users may need to re-authenticate against the redundant router / Hot Spot.
We may be forced to go with a Nomadix solution, but other than the large scale of users, their system offers so many features that we don’t need.
Thanks!
http://forum.mikrotik.com/t/hotspot-with-extreme-number-of-users-and-ha/46335/1
I wish this one had contained the same level of details.
Splash page can be hosted locally.
I would recommend against a VRRP solution. VRRP on RouterOS sometimes simply bugs out, and I think there’s a chance you’d run into problems in production. Killing 2,00 users for no good reason isn’t fun. I’ve done it. I’d rather take my chance that I don’t need the failover and then have it take longer with manual intervention than to risk downtime and have to explain that unwarranted downtime was caused by the HA measures.
That said, VRRP should combine with Hotspots just fine. Configure both routers the same, make sure the Hotspot DNS name resolves to the virtual IP, and configure VRRP on the inside interface. Never tried it though, for the above reasons.
Yes, sorry for the dual posts - I didn’t realize that there would be a lenghty delay for approval, so I thought my first post got lost!
Right now I am definitely leaning towards a single user. In fact, the user credentials will likely be hidden in the splash page anyway, like I have done previously – something like this:
http://www.fortestech.com/hotspot/fvi_login.html
Thanks for the info - I greatly appreciate and I will start to digest and reply with further details.[quote][/quote]
I just got done with a load balancing (Round Robin /24 networks) and VRRP failover setup for a large venue. I just looked at it and it is around 1300 DHCP leases and 800 authenticated users. It took a ton of work to get everything right, mostly in bridge filter rules to keep the hotspots from flooding each other if you do a round robin setup. The VRRP failover with the hotspot works fine as long as you don’t use overly broad masquerade rules. As stated though, user states are not shared between routers. We use Radius and are working on a way to use the MAC authentication to automatically re-authenticate users on failover.
Interesting topic here.
How about for environment of around 7000 users?
How can I go around using Mikrotik?
Thank you.
An update, we have a cloudcore on 6.7 running around 5000 users in the active tab (we aren’t cleaning out idle or dead host sessions for 12 hours) without radius specified queue rules and it is working well. The only issue we have is DNS, the box can’t keep up with the low TTL entries, and it over runs the single core that DNS is using (apparently DNS is not yet multi-threaded).
Krakenant,
Would it be possible to have a chat offline to learn more about how you have managed to achieve such an impressive result in terms of number of active users? We are running a large number of hotspots at various locations across the UK and since we have migrated to CCRs we are experiencing a number of instability issues, mainly device freezes up. If you are still looking for a resolution to using the MAC authentication to automatically re-authenticate users on failover, I am sure we can shed some light on this one.