is it possible to set route for different user on hotspot ?
ex :
i have 2 backbone A and B
i create 3 user on my radius server and i wanna set routing for user X , Y to backbone A then user Z to backbone B
any clue to do that ?
Here’s what you could try to do
- Set up two different hotspot user profiles (groups), see
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_hotspot.php?permalink=0.13474025974025974
and set the incoming-packet-mark differently for each profile, let’s say you assign incoming-packet-mark hs_group_a and hs_group_b
-
Assign your hotspot users to either group (locally, or via Radius)
-
Define a mangle rule in the prerouting chain to set a routing-mark depending on the value of the incoming-packet-mark established in step 1), something like this
chain=prerouting packet-mark=hs_group_a action=mark-routing new-routing-mark=to_backbone_a passthrough=yes
- Add two policy routes to your internet backbone links (uplinks) and make the policy depend on the routing marks established in step 3), see
http://www.mikrotik.com/testdocs/ros/2.9/ip/route.php?permalink=0.19462203836028583
–Tom
howto set Attribute for specify profile for user ? i`m using Mikrotik-Group but it seem not worked 
Mikrotik-Group is indeed the correct Radius reply item to send back to the router with the Access-Accept message. The value of Mikrotik-Group should be the name of the profile and a profile with that name needs to already exist under /ip hotspot user profile on the router.
Check your user profiles under /ip hotspot user profile and enable debug output for Radius transactions on your Radius server and also on your MikroTik router.
–Tom
I have the same requirements as detailed above, i.e. I have complementory hotspot users which i want to force via a proxy server and I have commercial hotspot users which I want to route via a diffferent path. I have followed the instructions above.
I have successfully added the users to the user group and a mangle rule is dynamically added to the the hotspot chain as per below:
[admin@AlwaysOnOffice] /ip firewall mangle> print chain=hotspot
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=hotspot action=mark-packet new-packet-mark=Advert_Mark passthrough=yes src-address=10.20.65.25
My problem is that if I look at the counters the Bytes and Packets for this packet mark, it remain zero which means the packets are not being marked and I will not be able to policy route them.
What might be the problem why these packets are not being marked? The ROS version is 3.30.
Try “chain=prerouting” and see if that helps.
It is automatically put into the hotspot chain when the parameters are configured. There is no setting to select a particular chain.
Just a suggestion, as I have never tryed this.
You should be able to specify the ip address for your users using user manager.
Even though it is a single subnet on the hotspot treat it like 2 subnets and asign the users to a secific subnet.
In the firewall rules you can mark-routing based upon subnet.
I solved my problem. For my purposes I also needed the following jump and mark-routing rule in the pre-routing chain:
add action=jump chain=prerouting comment="" disabled=no hotspot=auth jump-target=hotspot src-address-list=""
add action=mark-routing chain=prerouting comment="" disabled=no new-routing-mark=advert_route packet-mark=Advert passthrough=no