Hotspot?

I have a RB411 connected to a RB1100.
How do I configure it in such a way that connected wireless clients will be shown a hotspot login page before being able to access the internet?

I also need the setup to be able to do the following things.

  1. Wireless clients using the guest login to be able to surf the internet only but not access any local machines.
  2. Wireless clients using a different set of credentials will be able to log in and surf the internet as well and access the local intranet/machines.

Is this possible with my current hardware?

RouterOS has a hotspot feature built into it and there is extensive documentation on it in the manual. In my experience you can run the “Hotspot setup wizard” in winbox for the interface that you want the hotspot on and have it running in a few seconds. We use it a lot for public wifi.
http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot
To answer your other question, for best practice I would set up a second VLAN and/or a second virtual AP for the guest traffic. The only other way I can think of to do this would be to use a managed switch to set up access control on those devices, and from a management side it can be a nightmare.
http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

As jrhoades9989 has said, you can set up the hotspot on the 1100, then if you bridge the wireless interface with the Ethernet interface, the 411 basically becomes an access point when the wireless card is placed in the right mode. Note that you need to have at least a level 4 license on the 411 for it to act as an access point, otherwise only one device can associate to it.

As for isolating clients, you need to set that up on the layer 2 network yourself.
1.) Disable default forwarding on the radio card of the 411 to prevent clients from talking to each other over the radio card.
2.) This one really depends on your network setup, hardware, and layout more than anything else. The best solution is to get a managed switch that will do what you need it to, such as port isolation, 802.1Q, DHCP snooping, etc., that the access points connect to if not for the entire network. This will prevent clients from talking to each other over the switch(es). You can try it with VLANs with unmanaged switches, but if the switch doesn’t preserve the VLAN tag when it forwards the packet to its destination it does you no good.

It is physically impossible for a layer3 hop to prevent clients from talking to each other over layer2 unless every bit of traffic must go through it to reach another host. In most applications this is not going to be the case, so it is something that you need to set up and invest in on the layer2 network.

For number two, it’s a more complex setup and will require some work and research on your part to get it working properly. Basically what it comes down to, is you need a managed switch that supports VLANs, each access point will have two different SSIDs, one of the access points (virtual or real) will be bridged with a VLAN on the Ethernet interface. This would be replicated across each access point, and you would set up either a separate VLAN interface or real interface on the 1100 with a different subnet, DHCP server, etc for devices that connect to that SSID. There is obviously more to this setup, that would take a while to spell out each step to get it working right, but it is possible.
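
The two-SSID layout described in the last reply, as an added RouterOS example that is not part of the original thread. It tags both SSIDs onto VLANs (the reply tags only one); interface names, VLAN IDs, subnets, the `192.168.88.0/24` local LAN and the guest credentials are all assumptions.

```routeros
# Added example (constructed). Assumed: wlan1/ether1 on the RB411, ether2 on the
# RB1100 facing the managed switch, VLAN 10 = staff, VLAN 20 = guest.
# The Staff SSID is assumed to get its own WPA2 security profile (not shown).

# --- RB411 (access point): one SSID per VLAN, no client-to-client forwarding ---
/interface wireless
set wlan1 mode=ap-bridge ssid=Staff default-forwarding=no disabled=no
add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid=Guest default-forwarding=no disabled=no
/interface vlan
add name=vlan10-staff interface=ether1 vlan-id=10
add name=vlan20-guest interface=ether1 vlan-id=20
/interface bridge
add name=br-staff
add name=br-guest
/interface bridge port
add bridge=br-staff interface=wlan1
add bridge=br-staff interface=vlan10-staff
add bridge=br-guest interface=wlan-guest
add bridge=br-guest interface=vlan20-guest

# --- RB1100 (router): separate subnet and DHCP per VLAN, hotspot on guest only ---
/interface vlan
add name=vlan10-staff interface=ether2 vlan-id=10
add name=vlan20-guest interface=ether2 vlan-id=20
/ip address
add address=10.10.10.1/24 interface=vlan10-staff
add address=10.20.20.1/24 interface=vlan20-guest
/ip pool
add name=pool-staff ranges=10.10.10.10-10.10.10.250
add name=pool-guest ranges=10.20.20.10-10.20.20.250
/ip dhcp-server
add name=dhcp-staff interface=vlan10-staff address-pool=pool-staff disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1 dns-server=10.20.20.1
/ip dns
set allow-remote-requests=yes
/ip hotspot profile
add name=hsprof-guest hotspot-address=10.20.20.1
/ip hotspot
add name=hs-guest interface=vlan20-guest address-pool=pool-guest profile=hsprof-guest disabled=no
/ip hotspot user
add name=guest password=CHANGE-ME server=hs-guest
# Guests may reach the internet but not the local LAN or the staff VLAN
/ip firewall filter
add chain=forward in-interface=vlan20-guest dst-address=192.168.88.0/24 action=drop comment="guest to LAN"
add chain=forward in-interface=vlan20-guest out-interface=vlan10-staff action=drop comment="guest to staff"
```

The switch ports toward the RB411 and the RB1100 must carry VLANs 10 and 20 tagged. With `allow-remote-requests=yes`, the input chain should block DNS queries arriving on the WAN interface.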