kolbep
just joined
Topic Author
Posts: 19
Joined: Sat Jun 17, 2017 2:14 am

Limits of Level 4, Hotspot and Usermanager

Sat Jun 17, 2017 2:46 am

Hi.

I am weighing my options here. The last time I used Mikrotik Routers was for a Point to Point Link, including VPN Tunnelling, and a failed attempt at a hotspot, and that was at least 11 years ago!

My customer has a Ubiquiti UniFi AP (that was not configured properly), which is giving anybody Unlimited Time, Unthrottled Bandwidth, Uncapped Traffic on their public Hotspot. {I did not set it up, and the controller machine was reloaded with no backup of the controller configuration, so it will need to be reprogrammed from scratch anyway} They are a Restaurant / VIP Lounge, etc. Some people park in the street, or come in, don't order anything, and just suck the bandwidth (with all the traffic they generate, the ping RTT for the 1st hop after the ADSL router goes up from 30ms to 30 seconds or more!).

They have another section that is further away from the Unifi AP, that also needs to be a hotspot.
So I thought something along the lines of:
- Remove their UniFi AP (and sell it, to recoup some of the cost).
- Install 2 Mikrotik APs (1 in each section).

The Hotspots will then be configured:
1) Firewalled on the AP so that the hotspot users cannot access the Internal Network. (The Public Hotspot, and their Internal Network Share the same ADSL Line). They can only access the Gateway and the Internet. Also blocking Inter Client Traffic.
2) Hotspot Trial Account for people to use (giving anybody that comes access for 20 minutes, or 50MB, Bandwidth limited to 2Mbps for all the trial users in the pool)
3) Have Regular users (vouchers) generated, that if the customer is staying longer, and is actually spending money, that the waiter gives them a voucher with username/password for additional time/data.

There are just 1 or 2 things:
1) With the Trial User, will each MAC Address be given its own traffic limit and time limit (matching what was set in the user manager), or do all trial users share a portion of those limits?
2) In the Licence for Level 4 (which is on the APs I want to get), you are limited to 200 Active Hotspot Users, and 20 User Manager Active Sessions. If the 20 Active Sessions is exceeded, I expect it will not allow any more connections (until some are released).
- Is each concurrent Trial access considered a separate active session?
- If the Time/Traffic for the Trial user (or other user) is Exceeded, does the Mikrotik send a Close session to release that Session (so that somebody else can now use one of those 20 sessions)?

Can I get both APs to use the Usermanager from one of the APs (so that I can have the same voucher usernames/passwords)? That way I can just choose one to be my Primary (with the Usermanager, which I presume is radius), then put the details in that Usermanager. Then both that AP and the remote AP can access that data for authentication and accounting.
If that is the case, then maybe I can get the 1 AP with a Level 6 Licence (Unlimited User Manager Sessions), and then have the other AP with Level 4 querying the Usermanager on the level 6 AP. Does that make sense, and do you think it will work?

Is the usermanager just a nice frontend for a builtin radius server? If so, can I set up my own radius server on a machine, and then just have it tell the Mikrotik what the user's Bandwidth Profile, Traffic Limit, and Time limit is? Or is there custom information that Usermanager and Mikrotik pass that cannot be replicated easily with a radius server? Then I can also have it centralised, and get away from the Usermanager limitations.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Limits of Level 4, Hotspot and Usermanager

Sat Jun 17, 2017 12:27 pm

If I were in your situation, I wouldn't use an AP as the hotspot controller.

The fact they can do it does not imply it's automatically the best option, which usually is "leave as many resources free for the device to perform its intended duty", i.e. leave APs as mere 2-layer wired/wireless devices.

You can keep the UniFi if you like; you won't be able to control it from a centralized point (CAPsMAN) as you could with any routerboard, but you can set it up for multiple SSIDs/VLANs and it will keep the config after you unplug the PC. Just create an open SSID on a certain VLAN, and a closed one for the staff.

Then you just need to bring those VLANs to the routerboard, and bridge the open SSID vlan with the rest on a bridge, running hotspot on that bridge.

The minimum I would take:

- RB2011UiAS-RM as hotspot/router if you expect less than 50 simultaneous users. RB1100AHx2 if you expect more than 50 simultaneous users (no limit)
- 2 wAP ACs

Set the UniFi to channel 1, one wAP AC to 6 and the other to 11, then place them strategically.

From this point onwards you have two choices: manually manage everything, or resort to CAPsMAN.

I think CAPsMAN really provides pluses to the equation: have a look at CAPsMAN [Presentation] then set router as CAPs Manager and the wAP ACs as CAPs.

Once you have the CAPs running, you'll have both SSIDs x each range (2.4GHz and 5GHz) on a bridge; run the hotspot over the open SSID/VLAN one, and bridge or route the Staff one.

> Is the usermanager just a nice frontend for a builtin radius server? If so, can I set up my own radius server on a machine, and then just have it tell the Mikrotik what the user's Bandwidth Profile, Traffic Limit, and Time limit is? Or is there custom information that Usermanager and Mikrotik pass that cannot be replicated easily with a radius server? Then I can also have it centralised, and get away from the Usermanager limitations.

You can use a radius server, no problem, and no limitations whatsoever.

With the advised routers you could equally use user-manager. The fewer hardware dependencies an installation has, the better the uptime... and PCs usually rank really badly vs routerboards, not to mention UPS sizing, power draw, etc.
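An added example, not part of the posts above and not MikroTik's or any RADIUS server's own code: the reply attributes an external RADIUS server would return in an Access-Accept to carry the time, traffic and bandwidth limits asked about in the first post (20 minutes, 50MB, 2Mbps), encoded per RFC 2865. The vendor ID and attribute numbers are assumed from MikroTik's published RADIUS dictionary; the function names are hypothetical.

```python
import struct

# Assumed from MikroTik's RADIUS dictionary (not stated on this page).
MIKROTIK_VENDOR_ID = 14988   # MikroTik enterprise number
MT_RATE_LIMIT = 8            # Mikrotik-Rate-Limit, string "rx/tx", applied per session
MT_TOTAL_LIMIT = 17          # Mikrotik-Total-Limit, 32-bit byte count
SESSION_TIMEOUT = 27         # RFC 2865 Session-Timeout, seconds
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific container

def tlv(attr_type, value):
    """Encode one attribute: type, length (including 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def mikrotik_vsa(sub_type, value):
    """Wrap a MikroTik sub-attribute in a Vendor-Specific attribute."""
    return tlv(VENDOR_SPECIFIC,
               struct.pack("!I", MIKROTIK_VENDOR_ID) + tlv(sub_type, value))

def build_reply_attributes(minutes, megabytes, rate):
    """Reply attributes limiting one hotspot session."""
    total = megabytes * 1024 * 1024
    if total >= 2 ** 32:
        # Larger caps need the separate gigawords attribute, not covered here.
        raise ValueError("traffic cap does not fit in 32 bits")
    return (tlv(SESSION_TIMEOUT, struct.pack("!I", minutes * 60))
            + mikrotik_vsa(MT_TOTAL_LIMIT, struct.pack("!I", total))
            + mikrotik_vsa(MT_RATE_LIMIT, rate.encode("ascii")))

def parse_reply_attributes(blob):
    """Decode attributes back to {type or (vendor, sub_type): value}."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed vendor-specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            out[(vendor, value[4])] = value[6:4 + value[5]]
        else:
            out[attr_type] = value
        i += length
    return out

if __name__ == "__main__":
    print(build_reply_attributes(20, 50, "2M/2M").hex())
```
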
 
kolbep
just joined
Topic Author
Posts: 19
Joined: Sat Jun 17, 2017 2:14 am

Re: Limits of Level 4, Hotspot and Usermanager

Sat Jun 17, 2017 4:13 pm

Thanks for the reply.
It is quite a bit to digest, so I will be studying your suggestion.
 
risk
Frequent Visitor
Posts: 56
Joined: Mon Apr 18, 2016 2:16 pm

Re: Limits of Level 4, Hotspot and Usermanager

Sat Jun 17, 2017 8:31 pm

Ooor, you could also just start with PCQ; or if they're using a Ubiquiti router, they have this thing called "smartqueue" which is basically htb+fq_codel.

It would help with latency.
