Hello all,

I am trying to plan for some networks where I have to use Mikrotik CCRs as hotspot splash page routers and then some non Mikrotik wireless APs that have the client to client isolation. At any time, there will be less than 1000 devices online, and they are mostly long term users (students in a dorm), so with mac cookie set to say 90 days, there wont be much load on the Mikrotik router as for as serving login pages are concerned (other than anyone adding a new device or some guests over) and other than acting as a NAT router, and a DHCP server. The Internet service could be 2Gbps (delivered on a 10Gig fiber). Freeradius on a separate server with user accounts set up on SQL database on it, as well as this server will also host the external splash page, that hotspot router will redirect connecting users to.

Will a CCR like 1009 with dual power supply units and a 10Gig SFP+ slot be good enough for this need?

Also to ensure there is no single point of failure, can I use a redundant setup where the two routers are set up in a VRRP fashion and with same configuration essentially as is the case with Master / slave VRRP routers, but I am not sure if this arrangement can replicate mac-cookies.

Another question I have is in regards to loss of a single radius server. Does mac cookie send a proxy request on behalf of user as soon as it sees a returning device from its mac address? Or it simply does not do any radius authentication for the users who have a mac cookie saved in it? But in that case, what happens to radius accounting, as radius will need to first authenticate and then only accept radius accounting (unless mac cookie implies that router / NAS does not send any disconnect radius accounting to radius for it to remove the user.

Thanks for your help and guidance in this regard.

Wanted to add that if need be, I can stop any Natting / masquerading on the hotspot router and offload NAT to another router and this way Hotspot router is only serving as a dhcp server and a hotspot with external webserver and then routes the traffic over to second router, to overall lessen the load and divide it over two routers.

Will this arrangement work well then for about 1500 devices to be concurrently online (many of them will be in sleep mode / phones and even laptops, so really not connected and others based on my experience will be using average of 300Kbps traffic, while few will be using 10Mbps plus) for overall traffic consumption to be less than 2Gbps.

Thanks

In my lab set up, I have just used a small RB493G (running 6.47.3) and what I find is that with hotspot client doing a speed test (no other client / other traffic), CPU shoots up to 70%. Speed of course get closer to 93Mbps (my service is 100Mbps), so not sure if I would have pumped more thru it, what would have happened to CPU.

That is why I was thinking of splitting the functions across two routers and then using CCR1016 (with two power supply units), but not sure if these will be sufficient to support 1000 devices.

Thanks

Beware GDPR with the cookie length.

Thanks. GDPR is not applicable for a school free-WiFi needs in North America. No money and no personal information is collected or used or processed. Hotspot is to be used for students accounts sitting on freeradius to impose some restrictions like simultaneous-use of 3 devices and speedcaps and daily quota etc. Usernames exchanged inside http/https over CHAP are hashed and they don't identify student name or any such details, and on top of that it is not open hotspot. There is WPA2-PSK, making it harder for anyone to intercept. Plus user accounts are not even stored inside router (though mac cookie may store some hash of these for subsequent authentication on behalf of student devices, thus not needing to serve login pages again and again.

Hopefully I can plan to use newer CCR2004 which has just SFP slots, but that is fine. SFP and SFP+ transceivers and DAC cables are not expensive.

Can anyone please advise me on the capacity needs? I did look at the test results for each router and based on typical iMIX packet size of 512bytes these days, throughput available seems to meet and exceed my needs for next 3 years easily. Plus splitting the function into a hotspot router (less of NAT and less of firewall in this piece) plus another CCR that will do the NAT and simple firewall.

Thanks

MAC address is considered personal information, but cool you're in North America so easy.

@neutronlaser, thanks for your interest in my post and hopefully you can also answer my questions for which I am seeking guidance here. I am not looking for GDPR compliance recommendations from the forum and for that there is a different department. On a login splash page, a student clearly consents to school IT collecting such identifiable information (that does not directly link them to the mac address and their accounts on the SQL don't even have their name on it). So I am not at all worried as student has consented to and lawyers have looked into it.GDPR or local North American privacy laws require this due diligence that has been completed.

Can someone please advise me as to the recommended sizing for such network please? I am sure there are many of you who have deployed these for school dorms or campus needs.

Thanks and appreciate any and all recommendations.

Forcing to give information in order to use a service is against a GDPR article but it's ok you are in North America.