Setting up hotspot on several interfaces

Hello all. I’m a newbie, as you can expect.

I’ve a hAP lite, dual wifi antennas. I’ve bought this router in order to limit the internet consumption of my kids. I thought that setting up a hotspot with limited traffic volume & connection time would do.
Now I’m trying to set up this hotspot and I’m running into some difficulties. I’ve started from the basic dual wlan config you can set up with “Quick Set”. So far so good. Then I turned to the more advanced “WebFig” to set up my hotspot. I found some guides on the web but they often assumed you’re working with the Terminal (which I’m reluctant to use because of the high potential for messing up everything) or they tried to get you using their private billing/DNS/whatever system that I’m not interested in. And besides, I’m trying to set up a nonstandard hotspot apparently.
I’d like to set up the hotspot to run on both the ethernet ports and one of the two wlans, leaving the other wlan for “privileged access”. However I don’t see how I could do that (there’s a drop-down menu in IP/Hotspot to choose interfaces with bridge/ether1-5/wlan1-2, but no way to group them). But maybe I could “group” the ethernet ports and one wlan by setting up such a bridge, rather than the stock config? Virtual LANs don’t seem adequate for that, right? That’s where my very superficial knowledge of routers begins to be a liability… The idea of grouping is that I want the same user account to cover the use from the ethernet ports (home pc) or the wifi (tablet, phones…); a user-centric system and not a device-centric system.
As I ran into that first difficulty, I decided that for a start I’d try with only wlan1 as interface, as a sanity check, but it didn’t work very well either. Actually I only began getting a hotspot login page when I selected “bridge” as interface, which hit all wlans obviously (for my wlan1 problem, I may have botched the address reservations. It didn’t seem to help that I set up 10.5.50.1/24 for wlan1 in IP/Addresses. How IP addresses and the DHCP range visible in Quick Set relate to what I tried to set up elsewhere is also obscure to me). Anyway, there’s an incompatibility somewhere now because my hotspot config is marked “invalid” (gray italics).
Oh, and I know this is a detail, but I’ve been puzzled by the ether2-master denomination. My WAN connection is on the first port (should be ether1, no?). I don’t get where this “master” comes from, and what it means. Understanding this may help me at other stages.

Three separate questions, I know (but in descending order of generality).
Thanks for any pointer/advice/explanation.

Peter

Let me start with: once you make changes outside of Quickset, do not use it anymore. It relies on basic scripts to make changes and can’t account for changes made outside of the scope of those scripts.

Creating “groups” is bridging in routers. You have a bridge and if you look at the ports tab you will see all the ports that belong to the bridge. If a port belongs to a bridge it is slaved to that bridge and that bridge is master. To create a new “group”, you will need to add a new bridge and then move or add ports to it.

Command line stuff looks daunting, but if you look at it as menu options and settings you can quickly do what the tutorials are asking.

/ip address add address=2.2.2.2/24 interface=bridge2

Quickly becomes: in menu click IP then click Address, then click +, now set ip-Address to 2.2.2.2/24 and interface to Bridge2…

Using Hotspot seems ideal, but it will become a PITA to maintain. I suggest that you just create a separate bridge for the kids. Then use either the scheduler to disable/enable these ports or use a firewall rule that has a schedule to drop their traffic.

Thanks for the explanation on bridges, that’s what I needed.

I understand the hotspot may not be the easiest to achieve my aims but there are two things I don’t get:

  1. once it is set up, what “maintenance” should I expect? I was intent on letting the thing run automatically with (e.g. weekly) scheduled resets of user time/traffic counters, and forget about it completely.
  2. If I understand you well, your solution would limit network availability to defined time slots, or throttle down traffic outside these time slots, right? My problem here is that I’d like to do something more customized for each kid, so that the one that happens to have more free time at home would not have more free League-of-Legends/Fortnite time! So I need a way to ascribe traffic to each person (but it’s clear that a hotspot is a small nuisance for everyday use because there’s always a login screen…)

The maintenance is with login issues. The devices have to be able to open a website to use a username/password login, or they have to go out to the Internet on port 80 for MAC authentication. Most phones and PCs have hotspot helpers to help login to a hotspot, but game consoles do not. You will constantly be having to see why a device is not connecting. I had this once upon a time.


A better solution would be to use just the single SSID. Then make IP>DHCP-Server>Leases static by clicking on a lease and then on “Make Static” (if you want to change the IP, then close and then reopen the lease). Next make an IP>Firewall>Address-List for each kid. Now you can use these address lists in IP>Firewall>Filter for your time rules. You can also use the address lists for IP>Firewall>Mangle in combination with Queue>Tree and limit the bandwidth.

This is a good place to start:
https://wargeeks.org/t/bandwidth-management-using-a-queue-tree-and-pcq/642
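The static-lease / address-list approach described in the post above, written out as terminal commands (an added example, not 2frogs’ own config). It assumes the default-config names from this thread (DHCP server “defconf”, WAN on ether1, LAN on “bridge”); the MAC addresses, IPs, list names and limits are constructed placeholders.

```routeros
# Added example: per-kid time rules and bandwidth cap without a hotspot.
# MACs, IPs, names and limits below are placeholders; adjust to your network.

# 1. Pin each device to a fixed address so the address lists stay valid
#    (the CLI equivalent of IP > DHCP Server > Leases > "Make Static").
/ip dhcp-server lease
add address=192.168.88.50 mac-address=AA:BB:CC:00:00:01 server=defconf comment="kid1 laptop"
add address=192.168.88.51 mac-address=AA:BB:CC:00:00:02 server=defconf comment="kid1 phone"
add address=192.168.88.60 mac-address=AA:BB:CC:00:00:03 server=defconf comment="kid2 tablet"

# 2. One address list per kid; one entry per device that kid uses.
/ip firewall address-list
add list=kid1 address=192.168.88.50
add list=kid1 address=192.168.88.51
add list=kid2 address=192.168.88.60

# 3. Time rules. They are placed BEFORE the default "fasttrack" rule:
#    fasttracked (established) connections skip the rest of the filter,
#    so a drop rule placed after it would only stop NEW connections.
#    RouterOS time ranges end at 23:59:59; add a second rule for 00:00-07:00
#    if the block should also cover the morning.
/ip firewall filter
add chain=forward src-address-list=kid1 action=drop \
    time=21:00:00-23:59:59,sun,mon,tue,wed,thu,fri,sat \
    comment="kid1: no internet after 21:00" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward src-address-list=kid2 action=drop \
    time=22:00:00-23:59:59,sun,mon,tue,wed,thu,fri,sat \
    comment="kid2: no internet after 22:00" \
    place-before=[find comment="defconf: fasttrack"]

# 4. Bandwidth cap for kid1: mark packets by address list, then shape them in a
#    queue tree (simple queues cannot target an address list directly).
#    Fasttracked packets bypass mangle, so kid1's traffic is excluded from fasttrack.
/ip firewall filter
set [find comment="defconf: fasttrack"] src-address-list=!kid1 dst-address-list=!kid1
/ip firewall mangle
add chain=forward src-address-list=kid1 action=mark-packet new-packet-mark=kid1-up passthrough=no
add chain=forward dst-address-list=kid1 action=mark-packet new-packet-mark=kid1-down passthrough=no
/queue tree
add name=kid1-up parent=ether1 packet-mark=kid1-up max-limit=2M
add name=kid1-down parent=bridge packet-mark=kid1-down max-limit=8M
```

Check the result with `/ip firewall filter print` (the time rules must appear above the fasttrack rule) and `/queue tree print stats` while a kid1 device is downloading.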

OK, I see what you mean. Nevertheless, as we’re living in the middle ages, the hotspot may be the most efficient at present. Let me explain: kids have no game console (as amazing as it may seem), but they share a (rather nice) gaming pc. So the solution of filtering by hardware (MAC) address cannot work for my purposes.

Actually, following your advice and some information on the web I have set up a hotspot that nearly works. Obviously I’m back mostly because of that “nearly”.
So here’s what I did:

  • I created a bridge called bridge1
  • in Ports, I added interfaces wlan1 and (as a limited test) ether5 to that bridge1
  • in IP/hotspots I did the vanilla hotspot creation with users/user profiles.

Then I checked that things were ok: joining wlan1 I was redirected to the hotspot login page, could access the internet, the bandwidth was correct, and I was limited by the usage limits I had set up. Fine.
Then I turned to the home pc, plugged it on ether5, launched a web browser, was redirected to the hotspot login page, could access a first web page (search engine), and then nothing. If I go to the login page, it reports usage in MB, but I haven’t seen more than the initial search result page; all my page downloads are stuck. And from the MikroTik admin console (webfig), my user’s traffic usage is zero. If I go to the Interfaces, I see traffic on bridge1 (and nobody is accessing wlan1). It is as if upload worked, but not download.
When I decided to add ether2-master to bridge1, thinking that was where the problem lay, I couldn’t access the router from wlan2 any more.
Any idea what’s going on?

Open new terminal and enter:

/export hide-sensitive file=export.rsc

This will create export.rsc in Files that you can download and open with a text editor. Copy and paste the content.

I suspect the problems are due to a conflict over IP addresses but who am I to have an idea. The fact that it starts working and then stops.

Anyway, here’s the full config file (note that I initially reserved some address ranges for wlan2 but this is useless; I suppose I would need to also change what’s in dhcp-server, but I don’t really care. I also later added ether3 and ether4 to bridge1, so only ether2-master and wlan2 are outside bridge1):


# apr/13/2018 19:55:55 by RouterOS 6.41.4
# software id = QR8H-LU9F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 71AF0746BB61
/interface bridge
add admin-mac=64:D1:54:86:44:26 auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=hadesprof supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=hephaistosprof supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=france disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=hadesprof ssid=Hades wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=france disabled=no distance=indoors frequency=\
    auto mode=ap-bridge security-profile=hephaistosprof ssid=Hephaistos \
    wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] dns-name=login.cerbere.net hotspot-address=10.5.50.1 \
    html-directory=flash/hotspot login-by=http-chap name=hotprofile
/ip hotspot user profile
set [ find default=yes ] name=admin_profile
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-9 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=hs-pool-9 disabled=no interface=bridge1 lease-time=1h name=\
    dhcp1
/ip hotspot
add address-pool=hs-pool-9 addresses-per-mac=1 disabled=no idle-timeout=none \
    interface=bridge1 name=kerberos
/ip hotspot user profile
add address-pool=hs-pool-9 !idle-timeout !keepalive-timeout name=userprofile \
    shared-users=unlimited transparent-proxy=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge1 comment=defconf hw=no interface=wlan1
add bridge=bridge comment=defconf hw=no interface=wlan2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=bridge1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1 comment=defconf interface=ether2-master network=\
    192.168.88.0
add address=192.168.88.1/24 interface=wlan2 network=192.168.88.0
add address=10.5.50.1/24 comment="hotspot network" interface=bridge1 network=\
    10.5.50.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.1.101.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
/ip hotspot user
add name=admin
add limit-bytes-total=1000000000 limit-uptime=4h name=jules profile=\
    userprofile server=kerberos
/system clock
set time-zone-name=Europe/Paris
/system scheduler
add interval=1d name=sched_reset_counters on-event=resetcounters policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/02/2018 start-time=00:00:00
add interval=1d name=sched_hades_on on-event=hades_on policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/13/2018 start-time=07:00:00
add interval=1d name="sched_ hades_off" on-event=hades_off policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/13/2018 start-time=21:00:00
/system script
add name=resetcounters owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/tool user-manager user\
    \nreset-counters"
add name=hades_on owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless enable wlan1"
add name=hades_off owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless disable wlan1"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

On your IP addresses, remove the one on wlan2 and change the one for “defconf” to address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

Change both /ip hotspot and /ip hotspot user profile to address-pool=none. Devices will still get an IP from the dhcp-server and its pool. Setting an address-pool in either place creates a 1:1 NAT between the IP of the client and an IP from those pools. The feature is mainly intended to help devices that have a static IP address be able to connect to the hotspot.

Make these changes, then reboot and test again.
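The two corrections above, expressed as terminal commands against the exported configuration (an added example, not part of the reply). The names used (bridge, wlan2, kerberos, userprofile, the “defconf” comment) are the ones in the export; the print commands are the check to run before rebooting.

```routeros
# Added example: apply the fix from the reply above to the exported config.

# 1. LAN addresses: the export has 192.168.88.1/24 twice (ether2-master and
#    wlan2) and the hotspot bridge on 10.5.50.1/24. Keep one LAN address and
#    put it on the bridge that carries the non-hotspot ports.
/ip address
remove [find interface=wlan2 address=192.168.88.1/24]
set [find comment=defconf] address=192.168.88.1/24 interface=bridge network=192.168.88.0

# 2. Hotspot clients keep the address the DHCP server (dhcp1 / hs-pool-9) gave
#    them, instead of being 1:1 NATed to a second address from the same pool.
/ip hotspot set [find name=kerberos] address-pool=none
/ip hotspot user profile set [find name=userprofile] address-pool=none

# 3. Verify before rebooting: expect exactly one 192.168.88.1/24 (on bridge),
#    10.5.50.1/24 on bridge1, and address-pool=none on hotspot and profile.
/ip address print
/ip hotspot print detail
/ip hotspot user profile print detail
/system reboot
```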

This seems good, now I can access through the hotspot using an ethernet connection. I’ll finish checking that everything wifi still works as intended next weekend (I’m not home this week); it probably needs some fine-tuning with idle timeouts so that time counters do not increment when the kids are finished, and maybe other unanticipated details. But most of what I wanted to set up seems to be running as desired.

I’m very happy with this little MikroTik router. Nice little box, powerful OS, and above all, great community!
Thanks 2frogs for your help. I could have wasted a lot of time without you.
All the best,

P.

Just a last question, as everything seems to be running correctly (fingers crossed): right now my users will simply have no internet access as soon as they exceed their traffic quota or time quota (first of the two limits, I guess). Is there a simple way to replace this by a ‘soft limit’, that is, throttling rate down? I looked at queues but I haven’t found a way to use queues in my scenario where rate must be controlled independently for each user.
Is there a simple way to implement such a policy?
Thanks again,
P.

https://wiki.mikrotik.com/wiki/Manual:User_Manager

Using User Manager, you can set multiple profiles for each user that will automatically roll over to the next one.

Perfect!
Thanks a lot.

User Manager is not supported on the hAP lite (smips). You need a more powerful device. You can use hotspot manager instead (ip-hotspot).