AnnibalAbreu
just joined
Topic Author
Posts: 6
Joined: Sat Jun 01, 2019 9:39 pm
Location: Earth

Mikrotik CHR, SDN or VPN for a hotspot management system

Fri Jun 07, 2019 3:44 pm

Hi,
I am working to build a hotspot business.
I mean, a company that will provide hotspots around the country.
Thus, I am trying to figure out how to remotely manage hotspots.
All hotspots are behind the ISP device (ADSL or Cable Modem), which means no easy access to their device configuration.
I cannot and I do not want to handle ISP devices.
NO RADIUS involved. Authentication will be done by External Portal only.
Here is the basic architecture => https://drive.google.com/file/d/1jX92SA ... sp=sharing

1) Mikrotik CHR => I thought to set it and connect each hotspot router to it. However, I am afraid it will require port forwarding on the ISP device, as it is in front of the router, right?

2) SDN - software-defined network with Mikrotik - I saw this presentation at MUM Mikrotik - https://mum.mikrotik.com/presentations/ ... 687113.pdf
=> is this easy to build?

3) OpenVPN with Mikrotik - Do I need one VPN per device or per router? I mean, when setting a VPN, do I need one VPN per user or just one VPN per router (all users go together)?

Does anyone know how hotspot companies do it?
What would be the easiest, cheapest, and most effective way to be able to do the following things:
- access Mikrotik Routers from outside the hotspot network without having to change ISP device configuration
- filtering in each router (once one has access to it) or in the main server
- navigation logging (to register whichever sites customers access, for legal reasons)
- I want to build it with Mikrotik
- Location-aware delivery of internal or external content
- web-based authentication - social login
- centralized network monitoring
Last edited by AnnibalAbreu on Mon Jun 10, 2019 5:10 pm, edited 3 times in total.
 
vectorsd
just joined
Posts: 3
Joined: Wed Aug 28, 2013 11:56 pm

Re: Mikrotik CHR, SDN or VPN for a hotspot management system

Sun Jun 09, 2019 9:47 pm

A normal hotspot management system, based on Mikrotik, can do the task well. One which is built on freeradius as well, like HSNM from hosnetworkmanager.net
 
sindy
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik CHR, SDN or VPN for a hotspot management system

Sun Jun 09, 2019 11:39 pm

I'm not sure I can see any advantage in using SDN in this particular network topology. Most of the peripheral Mikrotiks will have just a single uplink to the internet, so the configuration will be almost the same for all of them. Forcing all the clients' traffic through your HQ is a bad idea as it would generate a huge amount of hairpin traffic and as you would tunnel it via VPN, it would also reduce the usable MTU for the clients; implementing just the firewall decisions on the HQ machine would still require the initial packet of each connection to be pushed through the HQ machine, or at least held at the Mikrotik until its metadata would make it to the HQ and the decision & flow instruction would come back.

So you do need the VPN connection, but in my opinion not the SDN. From my point of view, the VPN is necessary for management access to the Mikrotik and to allow the Mikrotiks' hotspot application to talk to the RADIUS server (which may be the User Manager), and to let the firewall send the log messages regarding connections being initiated, to be stored at the HQ for LEA purposes. And for these purposes, OpenVPN is enough. Just wait until the verification of the server certificate at the client side makes it to the current release from the beta one. On the other hand, none of the VPNs providing decent security (OpenVPN once the above-mentioned vulnerability is fixed, SSTP, L2TP/IPsec or plain IPsec) requires any special setup on the client-side ISP equipment if your HQ machine has a public IP, so you are not limited to OpenVPN, and there is also an important point that RouterOS only supports hardware acceleration of encryption for IPsec. It may not be so important at the peripheral Mikrotiks but the HQ one will have to deal with the aggregate load from all of them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
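
An added configuration sketch (not part of sindy's post or of any poster's setup) of the layout described above, for one peripheral router in RouterOS 6.x syntax: an outbound VPN to the HQ, connection logging sent over it, and management limited to the tunnel. SSTP is used because it is one of the VPN types the post lists; the host name, addresses, user name, interface names and the already-imported CA certificate are assumptions.

```routeros
# Constructed example; every name and address below is a placeholder.
#   hq.example.net   public name of the HQ VPN server
#   10.255.0.0/24    addresses handed out inside the tunnel
#   10.255.0.1       HQ end of the tunnel, also the syslog collector
#   bridge-hotspot   interface the hotspot clients sit on
# Assumes the CA that signed the HQ server certificate is already imported
# under /certificate, otherwise server verification fails.

# 1. The router dials out to the HQ, so the ISP device in front of it needs
#    no port forwarding. The server certificate is checked on this side.
/interface sstp-client
add name=sstp-hq connect-to=hq.example.net user=hotspot-0001 \
    password=CHANGE-ME profile=default-encryption \
    verify-server-certificate=yes \
    verify-server-address-from-certificate=yes disabled=no

# 2. Only log records cross the tunnel; client traffic still leaves through
#    the local uplink, so there is no hairpin through the HQ.
#    Remote syslog is plain UDP, which is why it is sent to the tunnel address.
/system logging action
add name=hq-syslog target=remote remote=10.255.0.1 remote-port=514
/system logging
add topics=firewall action=hq-syslog

# 3. Log the first packet of each connection from hotspot clients.
#    This rule has to sit above whatever rule accepts that traffic.
/ip firewall filter
add chain=forward in-interface=bridge-hotspot connection-state=new \
    action=log log-prefix="hs-new" comment="connection log for HQ"

# 4. Management services answer only to addresses inside the tunnel.
/ip service
set winbox address=10.255.0.0/24
set ssh address=10.255.0.0/24
```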
 
AnnibalAbreu
just joined
Topic Author
Posts: 6
Joined: Sat Jun 01, 2019 9:39 pm
Location: Earth

Re: Mikrotik CHR, SDN or VPN for a hotspot management system

Mon Jun 10, 2019 5:05 pm

"A normal hotspot management system, based on Mikrotik, can do the task well. One which is built on freeradius as well, like HSNM from hosnetworkmanager.net"

Ok, but we want to build our own hotspot management system. It will be more than just that.