PPPoE vs Hotspot

Hi everyone,

First, I want to apologise for my bad English; it's not my native language!

I recently bought my first MikroTik, and with all the possibilities it offers I'm a little lost about what to choose.

My needs:

We have 4 apartments rented on a daily basis, all in the same building; we receive tourists on vacation! Each one usually has 7 devices (mostly smartphones).
I have 2 wireless access points installed covering the area (each one covers 2 apartments)… and I also offer Wi-Fi coverage on the neighbouring outdoor area (beach) with a UBNT Nano M2…
So my MikroTik RB750Gr3 has 4 Ethernet cables: 2 for the APs, 1 for the outdoor UBNT and 1 for the internet link.

I need to organise these potential 28 simultaneous devices, providing privacy, isolation and a fair share of the link on the network.
I thought of one solution, but I want your opinion on whether it is the better choice!

1 - Separate the hosts into 4 networks… Example: devices in Apt 301 receiving IP 192.168.31.XX, devices in Apt 401 receiving IP 192.168.31.XX
(this should guarantee security by isolating each apartment in its own network, and I can apply bandwidth control per apartment/network, so if one client is downloading something big, he will only choke the internet for the people who are with him, without leaving the other apartments with poor internet).

2 - To arrange that, I think only with PPPoE could I put them in the correct network, right? Hotspot doesn't allow me to define different networks based on the user login, am I right?
3 - To secure the outdoor UBNT, I think PPPoE is better than Hotspot, right?
4 - Creating 1 PPPoE user for each individual in each apartment is not a helpful option, because I have the same situation as in a hotel… my clients change every 7 days… imagine changing all these users inside the router 4 times each week (1 for each apartment). So I'm between two ideas:

A) PPPoE with a single user for each apartment (multiple connections allowed, implementing a hotspot inside PPPoE, with an internal page where the clients could create their own users, saving their information, but I really don't know if I would have any real advantage with this… the only really good thing would be showing an information page (e.g. my website) before they start browsing)
B) Leave only the PPPoE, again with a single user for each apartment (multiple connections allowed), and make it simpler for my clients to use

What do you recommend??

Another thing I'm afraid of is leaving the outdoor wireless exposed to a brute-force attack… I thought of two possible solutions, but I can't find any help on the internet with these two.

A) Is there any way I can block a MAC address after 5 failed PPPoE login attempts? Automatically?

B) Is there any way I can… create a whitelist of MACs based on the successful PPPoE logins originating from the two APs inside the building… and make the outdoor AP only allow PPPoE access to this whitelist??? This would require the client's first login to be inside; only after that would he be allowed to use the outdoor AP!!! Also automatically!!!

And one last request for help… How do I make the 3 APs require PPPoE auth using the PPPoE server in the MikroTik… What do I have to select in the Wireless Security section of their configuration???

Thank you very much..
Tiago

Why do you want to use PPPoE? Use CAPsMAN, the network manager, for this situation. For customer authentication you can use the integrated Hotspot feature.

https://wiki.mikrotik.com/wiki/Manual:CAPsMAN
https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

ad 1. You should make a separate wireless network for the network hosts; a separate hosts network can have a traffic shaper
ad 2. Ignore PPPoE… customers should use a separate wireless network
ad 3. I prefer to replace the UBNT and make the wireless network only from MikroTik => CAPsMAN can be used
ad 4. Use hotspot - for example, you can define a random user/pass account and create a business card with this ID

Thank you for your time trying to help me! But I already have the APs and I can't afford to buy new ones at this time! And, as good as CAPsMAN is… what I read in your links is that I would need all the hardware to run RouterOS… and this is not an option for now.

Answering you: like I said, PPPoE sounds like a better option due to the security needed for the outdoor AP, and the fact that I can set the IP and network (192.168.XX.YY) according to the login used and, with that, have different networks inside one infrastructure. (I can't put one wireless AP in each apartment, and I think it's valid to have only one SSID that supports everyone!)

So… my doubt persists! =)

I would say neither PPPoE nor Hotspot. I work for an ISP that uses PPPoE to service customers, and it works great for us. For you I think it is completely the wrong option. PPPoE setups usually assume that the end customer has a router of their own. Smartphones do not usually even have PPPoE stacks in them, so the only way your tenants would be able to get their smartphones to connect would be if the tenant plugged in their laptop, connected it to your PPPoE, and shared the Internet from their laptop to their phones (creating their own access point essentially). This is too complicated. With a fixed number of customers, hotspot is also unnecessary.

Just create four different VLANs and four different SSIDs and use RADIUS authentication for wireless. If you only have four apartments, then you have a fixed number of SSIDs/VLANs to configure. It is not difficult. PPPoE would make sense perhaps if you had hundreds of apartments, but for four it is complete overkill.

You can do it simply, of course: make a separate network for every access point and write a strict firewall.

PPPoE is overkill.
Hotspot is not necessary, but if you want to block some users dynamically, it's the preferred way. With hotspot you can set data quotas per MAC address and much more. You don't need many user accounts; a hotspot user can be logged in with a single click.

Hi Tiagod,

I have been reading your post and it seems interesting to me... I can help on this topic!

I need to organise these potential 28 simultaneous devices, providing privacy, isolation and a fair share of the link on the network.

28 simultaneous devices is not an issue at all for your RB750Gr3...


1 - Separate the hosts into 4 networks... Example: devices in Apt 301 receiving IP 192.168.31.XX, devices in Apt 401 receiving IP 192.168.31.XX
(this should guarantee security by isolating each apartment in its own network, and I can apply bandwidth control per apartment/network, so if one client is downloading something big, he will only choke the internet for the people who are with him, without leaving the other apartments with poor internet).

... in your topology, network segmentation doesn't help you that much! I would suggest the Hotspot feature... and something else...

The Hotspot feature handles many of your requests natively...

  • Under "IP --> Hotspot --> User Profiles" you will find the parameter "Rate Limit (rx/tx)", which will be applied to each CPE logged in (smartphone, tablet, computer, etc...)
  • you can also control how many CPEs can connect per user/password generated!
  • isolate each user... well, I never thought about it! My fault! But if Hotspot doesn't do it, then we can implement an easy "Firewall" or "Bridge Filter Rule" to fix this!!


4 - Creating 1 PPPoE user for each individual in each apartment is not a helpful option, because I have the same situation as in a hotel.... my clients change every 7 days... imagine changing all these users inside the router 4 times each week (1 for each apartment). So I'm between two ideas:

Once again, the Hotspot feature fits much better than PPPoE... and no end-user configuration is needed :smiley:
You create a "Hotspot User" and set the "User Profile" on it for bandwidth control...

Hint: you can even set up "Limit Uptime" to disable the Hotspot User at checkout time...


A) PPPoE with a single user for each apartment (multiple connections allowed, implementing a hotspot inside PPPoE, with an internal page where the clients could create their own users, saving their information, but I really don't know if I would have any real advantage with this... the only really good thing would be showing an information page (e.g. my website) before they start browsing)

I got lost... I don't understand your idea... to my understanding, you might be the one to create users...
Anyway, if you want to allow users to create their own accounts, you need a RADIUS server (external to the MikroTik) to do the job...

Hint: I have developed a Windows application to generate Hotspot users... you can do the same! And then you avoid setting up an external RADIUS server!... I was forced to develop this as a turnkey project for a hotel... you don't need it at all... :sunglasses: just keep generating users yourself at check-in!


B) Leave only the PPPoE, again with a single user for each apartment (multiple connections allowed), and make it simpler for my clients to use

  • "IP --> Hotspot --> User Profile" you will find parameter "Shared Users" which will be applied per each Hotspot User created...



Another thing I'm afraid of is leaving the outdoor wireless exposed to a brute-force attack... I thought of two possible solutions, but I can't find any help on the internet with these two.

A) Is there any way I can block a MAC address after 5 failed PPPoE login attempts? Automatically?

I never thought about it... I do it for the uplink, not for Hotspot!


And one last request for help... How do I make the 3 APs require PPPoE auth using the PPPoE server in the MikroTik... What do I have to select in the Wireless Security section of their configuration????

Because you want to keep your current APs, they might be "open" and configured as a bridge towards the RB750Gr3.
The Hotspot feature will show the website where users should log in...

Keep in touch, good luck

DaniMateus
danimateus@gmail.com
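
The per-stay account rotation suggested in the reply above (one generated Hotspot user per apartment, using "Rate Limit", "Shared Users" and "Limit Uptime"), shown as an added example that is not part of any post in this thread. The apartment names, rate values and 7-day stay are assumptions; the script only prints RouterOS commands for review and never connects to a router.

```python
import secrets

# Constructed plan: apartment names, rate limits and stay length are
# assumptions for illustration, not values taken from the thread.
APARTMENTS = {"apt301": "5M/20M", "apt401": "5M/20M"}
SHARED_USERS = 7  # devices per apartment, as stated in the question
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no i/l/o/0/1: readable on a card


def new_password(length=10):
    """Random password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def profile_commands(apartments=APARTMENTS, shared=SHARED_USERS):
    """One-time setup: one Hotspot user profile per apartment.
    rate-limit applies to each logged-in device, as the reply describes."""
    return [
        f"/ip hotspot user profile add name={apt} rate-limit={rate} "
        f"shared-users={shared}"
        for apt, rate in apartments.items()
    ]


def checkin_commands(apt, stay="7d", password=None):
    """Rotate one apartment's login at check-in; returns (password, commands)."""
    if apt not in APARTMENTS:
        raise ValueError(f"unknown apartment: {apt}")
    password = password or new_password()
    cmds = [
        # Drop the previous guest's account, live sessions and login cookies
        # so old devices cannot stay connected or log back in.
        f'/ip hotspot user remove [find name="{apt}"]',
        f'/ip hotspot active remove [find user="{apt}"]',
        f'/ip hotspot cookie remove [find user="{apt}"]',
        # limit-uptime caps the logged-in time of the new account.
        f'/ip hotspot user add name={apt} password="{password}" '
        f"profile={apt} limit-uptime={stay}",
    ]
    return password, cmds


if __name__ == "__main__":
    print("\n".join(profile_commands()))
    pw, cmds = checkin_commands("apt301")
    print("\n".join(cmds))
    print(f"# card for apt301: user=apt301 password={pw}")
```

Rotating the password and clearing sessions and cookies at every check-in means a previous guest's credentials stop working on all APs, including the outdoor one.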