Hi,
I am working to build a hotspot business.
I mean, a company that will provide hotspots around the country.
Thus, I am trying to figure out how to remote manage hotspots.
All hotspots are behind the ISP device (ADSL or Cable Modem), which means no easy access to their device configuration.
I cannot and do not want to handle ISP devices.
NO RADIUS involved. Authentication will be done by External Portal only.
Here is the basic architecture: https://drive.google.com/file/d/1jX92SAngei5fkwGOSB6KJnlD_ch_DNT9/view?usp=sharing
Mikrotik CHR: I thought to set it up and connect each hotspot router to it. However, I am afraid it will require port forwarding on the ISP device, as it is in front of the router, right?
OpenVPN with Mikrotik: do I need one VPN per device or per router? I mean, when setting up a VPN, do I need one VPN per user, or just one VPN per router (all users go together)?
Does anyone know how hotspot companies do it?
What would be the easiest, cheapest, and most effective way to be able to do the following things:
access Mikrotik Routers from outside the hotspot network without having to change ISP device configuration
filtering in each router (once one has access to it) or in the main server
navigation logging (to register wherever site customers access for legal reasons)
I want to build it with Mikrotik
Location-aware delivery of internal or external content
A normal hotspot management system based on Mikrotik can do the task well, including one which is built on FreeRADIUS as well, like HSNM from hosnetworkmanager.net.
I’m not sure I can see any advantage in using SDN in this particular network topology. Most of the peripheral Mikrotiks will have just a single uplink to internet, so the configuration will be almost the same for all of them. Forcing all the clients’ traffic through your HQ is a bad idea as it would generate a huge amount of hairpin traffic and as you would tunnel it via VPN, it would also reduce the usable MTU for the clients; implementing just the firewall decisions on the HQ machine would still require the initial packet of each connection to be pushed through the HQ machine, or at least held at the Mikrotik until its metadata would make it to the HQ and the decision & flow instruction would come back.
So you do need the VPN connection, but in my opinion not the SDN. From my point of view, the VPN is necessary for management access to the Mikrotik, to allow the Mikrotiks’ hotspot application to talk to the RADIUS server (which may be the User Manager), and to let the firewall send the log messages regarding connections being initiated, to be stored at the HQ for LEA purposes. And for these purposes, OpenVPN is enough. Just wait until the verification of the server certificate at the client side makes it from the beta release to the current one. On the other hand, none of the VPNs providing decent security (OpenVPN once the above-mentioned vulnerability is fixed, SSTP, L2TP/IPsec or plain IPsec) requires any special setup at the client-side ISP equipment if your HQ machine has a public IP, so you are not limited to OpenVPN, and there is also the important point that RouterOS only supports hardware acceleration of encryption for IPsec. It may not be so important at the peripheral Mikrotiks, but the HQ one will have to deal with the aggregate load from all of them.
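To make the approach in this answer concrete, here is a configuration for one peripheral hotspot router that follows it: the router opens the OpenVPN tunnel outbound to the HQ (so the ISP CPE needs no port forwarding), management is accepted only through the tunnel, and the first packet of every client connection is logged and shipped to a syslog collector at the HQ. This is an added example, not configuration from the original posts or from Mikrotik; RouterOS v6 CLI syntax is assumed, and every interface name, address, user and certificate name below is a placeholder to be replaced with your own.

```routeros
# Peripheral hotspot router "site01" (placeholder). RouterOS v6 syntax assumed.
# Assumed interface names: ether1-wan (toward the ISP CPE), bridge-hotspot (client side).

# 1. Outbound OpenVPN client to the HQ machine (public IP 203.0.113.10 is a placeholder).
#    The router initiates the TCP session, so nothing has to be forwarded on the ISP device.
#    The certificate name must match an entry imported under /certificate.
/interface ovpn-client add name=ovpn-hq connect-to=203.0.113.10 port=1194 mode=ip \
    user=site01 password=CHANGE_ME certificate=site01 auth=sha1 cipher=aes256 \
    add-default-route=no disabled=no
# Once client-side server-certificate verification reaches the stable release, add
# verify-server-certificate=yes to the line above (assumed parameter name; see the post).

# 2. Management only through the tunnel: accept WinBox/SSH from the HQ side,
#    drop new connections to the router itself arriving from the internet.
/ip firewall filter add chain=input in-interface=ovpn-hq protocol=tcp dst-port=22,8291 \
    action=accept comment="management from HQ over the VPN"
/ip firewall filter add chain=input in-interface=ether1-wan connection-state=new \
    action=drop comment="no management from the internet side"

# 3. Log the first packet of each client connection. action=log is non-terminating,
#    so the packet continues to the following forward rules (and to the hotspot itself).
/ip firewall filter add chain=forward in-interface=bridge-hotspot connection-state=new \
    action=log log-prefix="HS-NEW" comment="connection log kept at HQ for LEA purposes"

# 4. Ship the firewall topic to the HQ syslog collector over the tunnel
#    (10.99.0.1 = collector, 10.99.0.11 = this router's tunnel address; both placeholders).
/system logging action add name=hq-syslog target=remote remote=10.99.0.1 remote-port=514 \
    src-address=10.99.0.11
/system logging add topics=firewall action=hq-syslog
```

The HQ side needs an OpenVPN server with a public IP (on the CHR, for instance) and a syslog daemon listening on UDP 514 inside the tunnel subnet; each peripheral router only differs in its user, certificate and tunnel address, which is what makes the configuration easy to template. Since the log rule only records the first packet of a connection, its volume stays modest, whereas forcing all client traffic through the HQ would not.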