Limit WiFi client internet access by limited time per day

shellton · January 30, 2015, 8:56am

Hi all,

I want to give internet access to our guest by limited time per day . The same MAC can access internet for two hours per same day.
What is easyest way to implement this by mikrotik ?

Regards,
Linas

noib · January 30, 2015, 9:03am

Set up hotspot and auth/accounting to a radius server (linux+freeradius) which can handle that kind of limitation (and many many more).
Maybe embedded Mikrotik usermanager can handle this, i don’t know it very well.

noib · January 30, 2015, 9:04am

Or, even simpler, the hotspot “trial” mode might do the trick.

shellton · January 30, 2015, 9:34am

It’l be better do not use HotSpot . Is it possible to use Address List for time limiting ?

noib · January 30, 2015, 10:16am

if you don’t want to use hotspot, then.. maybe via DHCP
Link the mikrotik DHCP server with a Radius with a 2 hour lease, and configure the radius to respond “no” when the DHCP client tries to renew his lease.

shellton · January 30, 2015, 10:58am

Testing this configuration , seems to be working :

General idea : DHCP lease for 12h , add arp for lease. WIFI interface arp-reply only. New IP is added into two lists : one for Internet access , second for ban

/interface wireless
set [ find default-name=wlan1 ] arp=reply-only band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce disabled=no distance=indoors l2mtu=1600 mode=ap-bridge \
    tx-power=4 tx-power-mode=all-rates-fixed
/ip pool
add name=WiFI ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add add-arp=yes address-pool=WiFI disabled=no interface=wlan1 lease-time=12h \
    name=WiFi
/system logging action
set 3 src-address=0.0.0.0
/ip address
add address=192.168.10.1/24 interface=wlan1 network=192.168.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1 netmask=\
    24
/ip firewall filter
add action=add-src-to-address-list address-list=NewIp address-list-timeout=5m \
    chain=forward out-interface=ether1 src-address=192.168.10.0/24 \
    src-address-list=!TimeOut
add action=add-src-to-address-list address-list=TimeOut address-list-timeout=\
    10m chain=forward out-interface=ether1 src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.10.0/24 src-address-list=NewIp

shellton · January 30, 2015, 12:09pm

Is it possible to serve simple html page with miktotik ?
I want to publish a simpe page , that is “You have no internet ” .
Then time is out i can make redirect rule to that page.

Regards,

ken86gt · January 30, 2015, 3:25pm

You can use the built in HotSpot. Use HTTP CHAP for the login profile. Give each user their own account. For each user account you can set Uptime limits - for example 2 hours. You can set up a task in the scheduler to turn off and on the hotspot (or even the wifi) at specified time of day- for example you might want to allow access between 10:00-21:00.

If you use the Hotspot you can edit the welcome/log in page to tell users your rules and that they have a time limit. Once they accept the rules and log in they get a popup that will display their time remaining. If they block popups they probably wont see it though.

killscott · June 21, 2016, 11:33am

shellton:

Testing this configuration , seems to be working :

General idea : DHCP lease for 12h , add arp for lease. WIFI interface arp-reply only. New IP is added into two lists : one for Internet access , second for ban

/interface wireless
set [ find default-name=wlan1 ] arp=reply-only band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce disabled=no distance=indoors l2mtu=1600 mode=ap-bridge \
    tx-power=4 tx-power-mode=all-rates-fixed
/ip pool
add name=WiFI ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add add-arp=yes address-pool=WiFI disabled=no interface=wlan1 lease-time=12h \
    name=WiFi
/system logging action
set 3 src-address=0.0.0.0
/ip address
add address=192.168.10.1/24 interface=wlan1 network=192.168.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1 netmask=\
    24
/ip firewall filter
add action=add-src-to-address-list address-list=NewIp address-list-timeout=5m \
    chain=forward out-interface=ether1 src-address=192.168.10.0/24 \
    src-address-list=!TimeOut
add action=add-src-to-address-list address-list=TimeOut address-list-timeout=\
    10m chain=forward out-interface=ether1 src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.10.0/24 src-address-list=NewIp

Can you please help me?
Sincerely,
Jason.C

cgood · November 17, 2017, 6:21pm

Спасибо, работает, избавился от мозго*** с Hotspot+HTTPS

/interface bridge
add arp=reply-only comment=hotspot name=br1
#
#
/ip address
add address=10.1.30.1/24 comment=hotspot interface=br1 network=10.1.30.0
#
#
/ip pool
add name=dhcp_pool2 ranges=10.1.30.2-10.1.30.254
#
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=br1 name=dhcp2
/ip dhcp-server network
add address=10.1.30.0/24 dns-server=10.1.30.1 gateway=10.1.30.1
#
#
/ip firewall filter
add chain=forward connection-state=established,related
add chain=forward connection-state=new src-address-list=hotspot_permit
add action=reject chain=forward connection-state=new protocol=tcp reject-with=tcp-reset src-address-list=hotspot_deny
add action=add-src-to-address-list address-list=hotspot_permit address-list-timeout=1m chain=forward connection-state=new \
    src-address=10.1.30.0/24 src-address-list=!hotspot_deny
add action=add-src-to-address-list address-list=hotspot_deny address-list-timeout=2m chain=forward connection-state=new \
    src-address=10.1.30.0/24
/
#
#
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address-list=hotspot_permit
/
#
#

PS: @blyumazeiko

shellton:

Testing this configuration , seems to be working :

General idea : DHCP lease for 12h , add arp for lease. WIFI interface arp-reply only. New IP is added into two lists : one for Internet access , second for ban

/interface wireless
set [ find default-name=wlan1 ] arp=reply-only band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce disabled=no distance=indoors l2mtu=1600 mode=ap-bridge \
    tx-power=4 tx-power-mode=all-rates-fixed
/ip pool
add name=WiFI ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add add-arp=yes address-pool=WiFI disabled=no interface=wlan1 lease-time=12h \
    name=WiFi
/system logging action
set 3 src-address=0.0.0.0
/ip address
add address=192.168.10.1/24 interface=wlan1 network=192.168.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1 netmask=\
    24
/ip firewall filter
add action=add-src-to-address-list address-list=NewIp address-list-timeout=5m \
    chain=forward out-interface=ether1 src-address=192.168.10.0/24 \
    src-address-list=!TimeOut
add action=add-src-to-address-list address-list=TimeOut address-list-timeout=\
    10m chain=forward out-interface=ether1 src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.10.0/24 src-address-list=NewIp

Nexon · August 8, 2020, 2:25pm

Is there a solution for this request?
The address-list=TimeOut continously refreshing timeout interval and never timed out, so no connection after address-list=NewIp timed out.