First, thanks to MikroTik for their great products; we have worked with them for 6 years now and we use them on all our deployments.
Currently we deploy MikroTik CHR as a virtual router in our OpenStack public cluster and they are great.
One of my customers is currently challenging me with an old crappy solution called Juniper Web auth.
This feature simply creates a web portal that allows a public user (from WAN) to log in and then be granted access by that public IP in the firewall.
So the process is simple:
user → web interface → login → user public IP is allowed in the firewall and then the user is NATed
I'm currently trying to recreate that kind of behaviour with MikroTik hotspot but I'm a bit confused by this solution (it's my first time on it).
Can someone who knows hotspot well help me reproduce it?
Ah, using an external captive portal… Yes, possible as well.
Still, if you want to go Mikrotik-only, a hotspot with an on-login script would be a possibility.
Well, in fact I did it with hotspot!
The solution was:
Set up the hotspot feature
Add my headquarters IP to walled-garden IP (so as not to be disconnected by other feature deployments)
Create a hotspot: hotspot1 on the WAN interface without an address pool (or the router will try to DHCP the end user)
Create a server profile with some DNS walled.com for the PoC, then HTTP PAP only (I know this is not secure but it's for the PoC)
Create a user admin linked to hotspot1
Create a user profile without MAC Cookie and without Transparent proxy
Create new rules for the ports you want to allow through the web interface, as hotspot only allows 25 by default; so for example, for RDP I allowed 3389
NAT the RDP port as usual
And well done, you created a web gateway with web auth
It's a simple PoC; the next step will be to connect to Active Directory with RADIUS and to push some HTML to make it more sexy!
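
The steps in the post above, written out as a RouterOS configuration sketch. This is an added example, not the poster's own configuration: the interface name, addresses, profile names and password are constructed placeholders, and placing the port rule in the forward filter chain with the `hotspot=auth` matcher is an assumption, since the post does not say where that rule was created.

```routeros
# Added example, not from the thread. Constructed values:
#   ether1       = WAN interface
#   203.0.113.10 = headquarters IP
#   10.0.0.10    = internal RDP host

# Let the headquarters IP through without a hotspot login
/ip hotspot walled-garden ip
add action=accept src-address=203.0.113.10 comment="HQ bypass"

# Server profile: login page DNS name and login method (HTTP PAP, PoC only)
/ip hotspot profile
add name=webauth-prof dns-name=walled.com login-by=http-pap
# Outside a PoC, HTTP PAP sends the password in clear text; serving the login
# page over TLS would look like this (certificate name is a placeholder):
# set webauth-prof login-by=https ssl-certificate=CERT-NAME-PLACEHOLDER

# Hotspot on the WAN interface with no address pool
/ip hotspot
add name=hotspot1 interface=ether1 profile=webauth-prof address-pool=none disabled=no

# User profile without MAC cookie and without transparent proxy
/ip hotspot user profile
add name=webauth-users add-mac-cookie=no transparent-proxy=no

# Login account bound to hotspot1 (password is a placeholder)
/ip hotspot user
add name=admin password="CHANGE-ME" server=hotspot1 profile=webauth-users

# Assumption: the port rule is a forward filter that matches only clients
# that have authenticated to the hotspot
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 hotspot=auth \
    action=accept comment="RDP for logged-in hotspot users"

# Destination NAT for the RDP port, as usual
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=10.0.0.10 to-ports=3389
```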