How to connect Groove + 2nd wifi router to free wifi with captive portal, like a travel router?

Hi, everyone!

I’m experienced with LINUX, Cisco ASA, and small office networks but totally new to Mikrotik.

Following a very detailed tutorial posted by Steve Mitchell on the Seabits forum, I built this setup for a friend’s boat:

Marina wifi (source) - - - mast-mounted Mikrotik Groove52ac quickset as CPE (specifically station mode) === interior wifi router (set up as typical wifi router) - - laptops + phones
[Image: TwoDeviceCaptivePortalTopology.png]
The marina wifi issues an IP to the Groove52ac via DHCP, the Groove52ac issues an IP to the interior wifi router via DHCP, and the interior wifi router issues an IP to the laptop via DHCP. There is NAT at every step too, and the Groove52ac is doing MAC masquerading.

The overall behavior is basically like a pocket travel router but split into two devices to be mounted on a vehicle such as a boat or RV, with the Groove52ac mounted outside and the second wifi router mounted inside.

The current setup as described works great, until we run into a source with a captive portal. Usually the captive portal is very simple: check a box to indicate agreement with the terms of service, then click a button, and they let the device through. Sometimes they require a password and sometimes not, either to connect to the SSID first or to the captive portal second.

What would I have to do to get the above two-device setup working with captive portals? I have found a handful of forum threads asking about the two-device approach but with no solution; there is one post for a Mikrotik user with an RV that is solved but he has a single device, and a single device solution won’t work for us. We are open to buying a second Mikrotik router, probably an hAP, to serve as the interior wifi router, if doing so helps solve the problem.


The intended behavior is for the user with laptop to use QuickSet to easily connect the Groove52ac to the marina/cafe/hotel wifi with or without a WPA2 password, then attempt to visit any website, and then the captive portal from the source gets passed through the two devices to the laptop or phone, where they can click the checkbox and the button, maybe type in a password, and start browsing the web.

We don’t actually care if one or both of the network devices is set up in routing or bridging mode. Right now the Groove52ac is in station mode and the generic wifi router is in router mode.

We do want to hide four or five endpoint devices behind the two network devices such that the source can’t limit the number of devices (such as hotels do), so at least one of the two devices probably has to be in routing mode with NAT and MAC masquerading going on.

It might not be practical to use the method of first connecting with a laptop or phone, then cloning the MAC address of the laptop/phone into the Groove52ac, since it might be too difficult for the non-techie boat owner to execute. I need to be able to teach him a straightforward flowchart: if this, then do that, if not, then do this.

Thanks in advance for any help!

Not an actual answer to your question, but it seems that at least some captive portals use TTL 1 to prevent further routing:

https://forum.openwrt.org/t/this-hotel-captive-portal-is-killing-me/129202

If it applies, here is an example of modifying the TTL on a Mikrotik:
http://forum.mikrotik.com/t/how-to-set-router-ttl/146028/1
No idea if it can work.

In your current setup, besides the above there may be other issues due to the double NAT (which is probably unavoidable) and the double DHCP (it all may be irrelevant, but still it seems to me like an unneeded complication).

If you go for changing the router with a Mikrotik (I would suggest an Ax lite if 4 ports - 3 usable are enough) you could try to set the groove and the router on fixed addresses and set a /30 or /32 between them, and have only the router act as DHCP server for the connected devices.

A few years ago there was a kit called Wifiranger Elite AC, which was essentially a Groove or Metal plus a small Mikrotik router. They had a “custom” graphical interface that made the connection easier; no idea what was used to make it, nor whether it was compatible with captive portals, but I bet it was, otherwise the “common” users would have been all over the net whining about the issue. Of course, in the meantime captive portals may well have evolved and become more difficult to deal with.

Once (hopefully) you manage to solve the problem, you can try using/mis-using/ab-using a Mikrotik skin to simplify as much as possible the UI for the user.

Thanks for the tips, jaclaz!

You are right about it being possible to simplify the double-DHCP servers: I just turned off the DHCP server on the ether1 interface on the Groove52ac and set a static IP on the generic wifi router’s WAN interface. As expected it works fine for the wifi networks without captive portals; there is no difference when testing against the wifi network with the captive portal.

I did end up ordering a Mikrotik hAP ax^2 today in the hopes that I will have more control over the low-level behavior of the second device.

As for TTL, I’m not at that point yet. I’m not able to get the captive portal’s web page to go through the two devices to the laptop where I could click on the button to accept the terms and conditions. I’ll definitely apply the TTL-1 trick when I get there, just in case, so thanks for that link.

I’m thinking I will need to break apart the two-device setup temporarily and focus on getting just the Groove working with the laptop connected directly to the ether1 port, then work my way up to the two-device setup.

Also, while testing I noticed that with the wifi source with captive portal that I am currently testing against, I am unable to get a DHCP lease for the Groove, even though I am connecting successfully to the SSID with the WPA2 password they gave me. It’s a nearby cafe’s UniFi AP with “Guest Hotspot Portal” enabled, and I am able to connect to the SSID with a laptop and get a DHCP lease just fine, so it’s unusual that the Groove won’t get past the DHCP step. I don’t think this is a challenge related to the design goal, but it might be. Maybe what I need to do is find a different, easier captive portal to test against such as the nearby McDonald’s wifi.


I’ll check out that Wifiranger Elite AC product and see what I can learn from it. Thanks again!

Yep, personally I would experiment with just the groove and only later add the second router.
It is difficult enough with a single device, adding a second one in the mix, particularly if you are not very experienced specifically with Mikrotiks (that have their own way to call and do things) is introducing a further layer of complication and possible mistakes.
However, if the issue is the TTL 1, it won’t work even with just one device between the portal and the final user.

I made some progress on this on my own with a UniFi captive portal.

The trick is pretty straightforward, as it turns out. I was actually having problems with the settings on the Groove to get a stable connection without knowing it. Specifically, I was connecting successfully to the SSID using the provided password, BUT I was not able to consistently get a DHCP lease because I had set the channel width to 20/40 MHz. When I set it down to 20 MHz, I started getting stable DHCP leases, which then allowed me to complete the whole two-router setup.

Unifi AP with free wifi on captive portal → Groove → GL-Inet Slate AX → our endpoint devices.

The trick was to set the Slate AX so that its DHCP server handed out to the DHCP clients the Primary DNS equal to the IP of the UniFi AP. Then, on any one of the endpoint devices (laptop or smartphone), I would visit http://neverssl.com, which would trigger a DNS lookup at the Unifi AP, which would then return the captive portal page with the “Accept Terms” button. Clicking that button would then allow traffic to flow normally until the captive portal’s timeout a few hours later. Some of the endpoint devices connect to each other (such as security cameras and a NAS); for that I used static IP addresses to avoid DNS lookups.

I learned most of these tricks from the Gl-Inet forums for their travel routers. The breakthrough was when I realized that even though the Groove thought it was connected to the SSID, it was not a reliable connection due to the channel width. I had thought the whole time that it was the captive portal intentionally blocking traffic, but it was just a flaky connection that appeared reliable.

I hope this helps someone else. The only issue I have now is that for captive portal SSIDs that have no WiFi password at all, I cannot use QuickSet’s easy Connect/Disconnect tool because it does not allow blank WiFi passwords.
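As an added example (not code from this thread or from any of the vendors mentioned), here is a small Python probe that automates the neverssl.com check from the last post and turns the result into the "if this, then do that" flowchart the original poster asked for: it distinguishes a dead or flaky uplink (the channel-width problem above) from a portal intercept and from real connectivity. The URL is the one the thread uses; the sample responses in the test are constructed, and the UniFi-style portal address in them is made up.

```python
"""Captive-portal probe for a travel-router style setup (added example)."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PROBE_URL = "http://neverssl.com/"  # plain HTTP so a portal can intercept it
ONLINE, PORTAL, OFFLINE = "online", "captive-portal", "offline"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x answers instead of following them: the redirect is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body, probe_url=PROBE_URL):
    """Interpret one HTTP answer to the probe: ONLINE, PORTAL or (never here) OFFLINE."""
    h = {k.lower(): v for k, v in headers.items()}
    probe_host = urlsplit(probe_url).hostname
    if status in (301, 302, 303, 307, 308):
        # A portal redirects to its own login page; a same-host redirect is benign.
        target = urlsplit(h.get("location", "")).hostname
        return ONLINE if target in (None, probe_host) else PORTAL
    if status == 200:
        # Some portals serve the login page with 200; the real page names itself.
        return ONLINE if b"neverssl" in body.lower() else PORTAL
    return PORTAL  # 511 (RFC 6585) or any other unexpected answer


def probe(url=PROBE_URL, timeout=5):
    """Run the probe; DNS failure, no route or timeout means the uplink is down."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "portal-probe/1.0"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return classify(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:  # 30x/4xx/5xx land here with NoRedirect
        return classify(e.code, dict(e.headers), e.read())
    except (urllib.error.URLError, socket.timeout, OSError):
        return OFFLINE


def next_step(result):
    """The flowchart: what the boat owner should do for each probe result."""
    return {
        OFFLINE: "Link down: check the Groove has a DHCP lease (try 20 MHz channel width).",
        PORTAL: "Portal in the way: open http://neverssl.com in a browser and accept the terms.",
        ONLINE: "Online: nothing to do.",
    }[result]


if __name__ == "__main__":
    r = probe()
    print(r, "->", next_step(r))
```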