Hi there, I should be receiving around 5 RB450G's in the next few days and I was hoping someone could help me with someone questions please. I've looked on the forum and bought a book on RouterOS - but I can't seem to find the answer to my questions below. I'd be grateful for any help/links or even someone would mind helping with the configuration.
1) Is it possible to use a 3rd party user management / billing system with the hotspot system on the RB? At the moment I'm using Pro-mesh.net (for billing/splash page control) and Open-mesh to manage the nodes. I was wondering if it possible if I can still use Pro-mesh.net to control the user databases/billing.
If it is possible how would I go about setting this up?
2) I will be testing MT's intergrated hotspot system to switch over from the above solution. My setup will be ISP>RB450G>Switch>Access points (EAP-3660). I need to configure the hotspot to allow users to connect to any of the APs and get authorised by RBos hotspot system.
3) Based on the above, how can I ensure that the RB can communicate to the AP's but block any client connected from seeing any other device on the network. Please note that the APs will be connected by ethernet cable.
4) Is it possible to create a billing page with different access plans and bandwidths?
5) Is there way to only allow one log in per username/password, without binding the connection to a MAC address (which prevents spoofing)?
6) What would be the best way to allow local management - if needed (i'm thinking port knocking rules)
7) Is there away I can monitor/manage remotely these hotspots?
8 ) During an internet outage - is it possible to redirect the splash page to an alternative page and force any users connected at the main to that page?
9) Is it possible to create a rule which logs, users MAC address and activity (webpage visits)?
10) Is a SSL certificate really needed when using paypal? (Will users see any message/warnings without it?
11) Are there any major issues when using paypal that I should be aware about?
Is anyone willing to share things they have done to protect their setups from hackers/viruses/trojans
Thank you in advance for your time - sorry if these you feel these questions have already been answered, but I feel that im still unsure on the above.
Re: Hotspot configuration questions and functions
Yes you can use 3rd party user management and Billing. I can't speak to pro-mesh.net or Open-mesh, but we manage hundreds of hotspots with our manger.Hi there, I should be receiving around 5 RB450G's in the next few days and I was hoping someone could help me with someone questions please. I've looked on the forum and bought a book on RouterOS - but I can't seem to find the answer to my questions below. I'd be grateful for any help/links or even someone would mind helping with the configuration.
1) Is it possible to use a 3rd party user management / billing system with the hotspot system on the RB? At the moment I'm using Pro-mesh.net (for billing/splash page control) and Open-mesh to manage the nodes. I was wondering if it possible if I can still use Pro-mesh.net to control the user databases/billing.
If it is possible how would I go about setting this up?
MT's hotspot capabilities work great in this setup. As long as the AP's are in bridge mode and the MT can see the individual users, you'll be fine. We have large hotel hotspots set up with hundreds of access points (3com) behind a mikrotik and it works great2) I will be testing MT's intergrated hotspot system to switch over from the above solution. My setup will be ISP>RB450G>Switch>Access points (EAP-3660). I need to configure the hotspot to allow users to connect to any of the APs and get authorised by RBos hotspot system.
The access points should be set up as "bridges" IE, they provide a wireless layer2 connection to the network. We typically configure the access points to be on a 10.x.x.x subnet, and have the MT hotspot use a 192.168.x.x subnet for DHCP. This way users connected to the AP's wirelessly get 192.168.x.x IP addresses and they can't do an ip scan to find the AP's. Yet we can bypass the AP's IP (10.x.x.x) in the MT for remote management of the AP's.3) Based on the above, how can I ensure that the RB can communicate to the AP's but block any client connected from seeing any other device on the network. Please note that the APs will be connected by ethernet cable.
With a 3rd party management system, yes.4) Is it possible to create a billing page with different access plans and bandwidths?
Yes. Via RADIUS profile attributes.5) Is there way to only allow one log in per username/password, without binding the connection to a MAC address (which prevents spoofing)?
Simple IP filtering or firewall rules should suffice.6) What would be the best way to allow local management - if needed (i'm thinking port knocking rules)
Yes. you can remotely monitor them via an SNMP monitoring server/service, or you can use TheDude on your desktop. As for management, winbox works great, from a sysadmin standpoint, but can be a bit cumbersome if you have any kind of tier1 tech support dealing with hotspot users. We actually wrote our own management inteface into our billing software for easily managing hotspot users.7) Is there away I can monitor/manage remotely these hotspots?
If there is an internet outage, how are users going to be able to connect to any webpage? You could upload a page to the MT itself and create a firewall rule/script that would route all traffic to that page if the internet goes down...8 ) During an internet outage - is it possible to redirect the splash page to an alternative page and force any users connected at the main to that page?
Using a netflows collector, you can monitor IP address usage activity. Using authentication logs to match a MAC address to a given hotspot IP (IE 192.168.x.22). Then look up all of the IP's and ports that the given hotspot IP (192.168.x.22) connected to and passed traffic to. As for recording domains, it doesn't track that.9) Is it possible to create a rule which logs, users MAC address and activity (webpage visits)?
SSL is not required for paypal if users use their paypal account (since they will be on paypals secure site). An SSL certificate is required if using website payments pro and the users enter their CC details on your own webpage.10) Is a SSL certificate really needed when using paypal? (Will users see any message/warnings without it?
Not really, it's personal preference for payment processing. We use both Authorize.net and Paypal for processing payments, depending on the hotspot location.11) Are there any major issues when using paypal that I should be aware about?
Is anyone willing to share things they have done to protect their setups from hackers/viruses/trojans
Thank you in advance for your time - sorry if these you feel these questions have already been answered, but I feel that im still unsure on the above.
If you want, you can contact me via email (aabramson [at] wi-figuys.com) if you want some more in-depth details on securing and remotely managing multiple Mikrotiks in a hotspot environment.
Re: Hotspot configuration questions and functions
Just to expand on a few points .
3.) You will also need to add the subnet to the MikroTik so that if desired you can access the equipment form a remote location, so you will want to set up some filter rules to block one private subnet from talking to the other as well. But since guests will not know what subnet you used for your equipment that makes it a bit harder for them to try.
5.) Yes you can set it up so that only one MAC is allowed to sign in with any one access code via the HotSpot or the Radius Profile for an access code. However this cannot and will not prevent MAC spoofing. There is no way for something at the middle of the network to know the difference between a legitimate user and a spoofer, this is something that the edge of the network (the access points and switches) need to mitigate against. Usually the best way to do it is prevent guests from talking directly to each other over the network by implementing things like VLANs and enabling Station Separation on the access points. This way they at least cannot use your network equipment to scan each other.
7.) There are several choices to manage and monitor equipment, SNMP is great for monitoring and giving you device status. Managing can be done though an API , or using Winbox/WebBox/SSH. It's up to you to choose what one will best meet the needs.
8.) I'm not sure if you would be able to host that page on the Mikrotik itself or not. But the most effective way to do it would be with a script that would check internet access and if it triggers it, enable a redirect rule to a specific local web server.
9.) You can do this with the firewall rules, but it generates a ton of logs and not a lot of useful information since it logs each and every packet sent. A better choice would probably be either using a Proxy service that would log web sites visited for you, and then correlate the IP address of the requests with Radius logs of who logged in and with what MAC/IP they signed in with. Netflows would be something else to look into.
Here is the Wiki page that can get you started on how to secure your router:
http://wiki.mikrotik.com/wiki/Firewall
Choose the one that best fits what you need and offers what you want for security/ease of use and modify it accordingly.
.3.) You will also need to add the subnet to the MikroTik so that if desired you can access the equipment form a remote location, so you will want to set up some filter rules to block one private subnet from talking to the other as well. But since guests will not know what subnet you used for your equipment that makes it a bit harder for them to try
.5.) Yes you can set it up so that only one MAC is allowed to sign in with any one access code via the HotSpot or the Radius Profile for an access code. However this cannot and will not prevent MAC spoofing. There is no way for something at the middle of the network to know the difference between a legitimate user and a spoofer, this is something that the edge of the network (the access points and switches) need to mitigate against. Usually the best way to do it is prevent guests from talking directly to each other over the network by implementing things like VLANs and enabling Station Separation on the access points. This way they at least cannot use your network equipment to scan each other.
7.) There are several choices to manage and monitor equipment, SNMP is great for monitoring and giving you device status. Managing can be done though an API , or using Winbox/WebBox/SSH. It's up to you to choose what one will best meet the needs.
8.) I'm not sure if you would be able to host that page on the Mikrotik itself or not. But the most effective way to do it would be with a script that would check internet access and if it triggers it, enable a redirect rule to a specific local web server.
9.) You can do this with the firewall rules, but it generates a ton of logs and not a lot of useful information since it logs each and every packet sent. A better choice would probably be either using a Proxy service that would log web sites visited for you, and then correlate the IP address of the requests with Radius logs of who logged in and with what MAC/IP they signed in with. Netflows would be something else to look into.
Here is the Wiki page that can get you started on how to secure your router:
http://wiki.mikrotik.com/wiki/Firewall
Choose the one that best fits what you need and offers what you want for security/ease of use and modify it accordingly.
Re: Hotspot configuration questions and functions
Thank you both for your input into hotspots. Its good to know that help is always here. Just to follow on from what has been said;
1) aabramson - could you tell me please what manager you use for your hotspots as it sounds like you've got a 'tried and tested' method for managing them. Have to intergrated your 3rd party management software using HTML/scripts/ some other way?
3) You've both given some good information on the network setup of this; In terms of the NAT rules/firewall rules to allow traffic to passthrough two subnets, without allowing other clients to see each other - how would this be done - if possible can you give examples of the rules please?
8 ) I was hoping to host a local page on the MK unit - so that in event of internet outage all traffic would be directed to that page - I think this would save plenty of calls if the network went down. Would this just be a matter of uploading a page to the unit and setting the firewall rule/script up?
At the moment I don't see any need to allow users to gain access in different locations (so local host, maybe best) - but should the time come where this is required I take it that a seperate radius server would be best to use and have every unit point to that for authorisation.
Also what are the limitations of hotspots being managed/hosted on the RB itself rather than split between host site and RB? At the moment the only features I really need for the users are:
Account management (password/email change), password reminder, new user creation, billing - on a simple splash page (html with images).
Many thanks for your input.
Edit:
I've put in a link to my hosting package for my domain - since I'm not going to be changing that I just though it might be easier to use my hosting package to control the usermanage of hotspots (if it has the tools needed) - I have the Pro package listed.
https://www.register1.net/vds.php
1) aabramson - could you tell me please what manager you use for your hotspots as it sounds like you've got a 'tried and tested' method for managing them. Have to intergrated your 3rd party management software using HTML/scripts/ some other way?
3) You've both given some good information on the network setup of this; In terms of the NAT rules/firewall rules to allow traffic to passthrough two subnets, without allowing other clients to see each other - how would this be done - if possible can you give examples of the rules please?
8 ) I was hoping to host a local page on the MK unit - so that in event of internet outage all traffic would be directed to that page - I think this would save plenty of calls if the network went down. Would this just be a matter of uploading a page to the unit and setting the firewall rule/script up?
At the moment I don't see any need to allow users to gain access in different locations (so local host, maybe best) - but should the time come where this is required I take it that a seperate radius server would be best to use and have every unit point to that for authorisation.
Also what are the limitations of hotspots being managed/hosted on the RB itself rather than split between host site and RB? At the moment the only features I really need for the users are:
Account management (password/email change), password reminder, new user creation, billing - on a simple splash page (html with images).
Many thanks for your input.
Edit:
I've put in a link to my hosting package for my domain - since I'm not going to be changing that I just though it might be easier to use my hosting package to control the usermanage of hotspots (if it has the tools needed) - I have the Pro package listed.
https://www.register1.net/vds.php
Re: Hotspot configuration questions and functions
3.) Lets say you place your guest network on 192.168.10.0/23 and you want your equipment to be on 10.10.10.0/24. What you do is add both of these subnets to a Mikrotik like this. Both of the addresses you add will become the default gateway for that particular subnet.
If you use a bridged interface for the guest network, then be sure to have the bridge set to use the IP firewall. Then in your firewall filter you set up a rule that will prevent people on 192.168.10.0/23 from talking to devices on 10.10.10.0/24. One rule will work for this:
You may need to modify it a bit more to fit your situation and take into account special needs, but that should be all that is needed to prevent guests devices from talking to network equipment through the router itself.
As to prevent guests from seeing or talking to each other, that's going to mainly depend on the kinds of access points and switches you use and what kind of security features they have implemented. We personally use VLANs on switches to prevent computers and devices from talking to each other. We also use a mode on the access points called station separation, other brands of access points will probably have this named differently, but the concept is the same, not to allow people that associate to the same AP to pass traffic over the AP to another client. A lot of switches will also have a port isolation mode too that should meet the need.
8.) I believe that this may be possible, you will still need a set of scripts that will enable the necessary NAT rules when the connection fails and disable them when it comes back up. I'm just not familiar with storing HTML on the MikroTik and I believe it can be very limited in what you can do with the HTML there as well. The main concern that I would have about that is DNS, in my experience the DNS request needs to work first before it will redirect an end user. This is fine if you use the built in DNS proxy service of the MikroTik and it's an entry that is stored in the DNS cache of the box, but if it's not, it will have no way to resolve the domain name and therefore the computer will not try to go to the web site and be redirected to your custom page.
You are correct, having everything point to one central location where you manage your user accounts and authentication makes your life much easier. Instead of having to maintain 20 different sets of data at 20 different locations, now you only need to maintain 1 set of information. It's not a huge issue when you only have a couple of locations, but as you grow it problem with doing things like that grows very fast.
The main thing to be concerned about hosting Usermanager on the same box as the Hotspot is resources. Usermanger can take up a lot of resources and slow everything down. Depending on what board you are planning on using, this may not be an issue, but is something to keep in mind. We haven't ever really used it, so I can't speak to any limitations it may have, but a lot of what you want may be possible with a fair amount of tweaking it to meat your needs. The best thing to do is check out the Wiki page for it and read up on the options and what can be done with it.
Code: Select all
/ip address
add interface="Guest Network" address=192.168.10.1/23
add interface="Guest Network" address=10.10.10.254/24
Code: Select all
/ip firewall filter
add chain=forward action=drop scr-address=192.168.10.0/23 dst-address=10.10.10.0/24
As to prevent guests from seeing or talking to each other, that's going to mainly depend on the kinds of access points and switches you use and what kind of security features they have implemented. We personally use VLANs on switches to prevent computers and devices from talking to each other. We also use a mode on the access points called station separation, other brands of access points will probably have this named differently, but the concept is the same, not to allow people that associate to the same AP to pass traffic over the AP to another client. A lot of switches will also have a port isolation mode too that should meet the need.
8.) I believe that this may be possible, you will still need a set of scripts that will enable the necessary NAT rules when the connection fails and disable them when it comes back up. I'm just not familiar with storing HTML on the MikroTik and I believe it can be very limited in what you can do with the HTML there as well. The main concern that I would have about that is DNS, in my experience the DNS request needs to work first before it will redirect an end user. This is fine if you use the built in DNS proxy service of the MikroTik and it's an entry that is stored in the DNS cache of the box, but if it's not, it will have no way to resolve the domain name and therefore the computer will not try to go to the web site and be redirected to your custom page.
You are correct, having everything point to one central location where you manage your user accounts and authentication makes your life much easier. Instead of having to maintain 20 different sets of data at 20 different locations, now you only need to maintain 1 set of information. It's not a huge issue when you only have a couple of locations, but as you grow it problem with doing things like that grows very fast.
The main thing to be concerned about hosting Usermanager on the same box as the Hotspot is resources. Usermanger can take up a lot of resources and slow everything down. Depending on what board you are planning on using, this may not be an issue, but is something to keep in mind. We haven't ever really used it, so I can't speak to any limitations it may have, but a lot of what you want may be possible with a fair amount of tweaking it to meat your needs. The best thing to do is check out the Wiki page for it and read up on the options and what can be done with it.
Re: Hotspot configuration questions and functions
Thank you for your input. I will give it ago and post how I got on or if I get stuck at any point.
You've given me some really good information there which I can use when converting over.
Thanks again.
You've given me some really good information there which I can use when converting over.
Thanks again.
Re: Hotspot configuration questions and functions
Hiya
I've trying to setup this type of network up at the moment, on a RB450G
I've got my hotspot using Address: 10.5.50.1/24 on a bridged 1 interface (ports 2-5) - the actual hotspot system is working fine (bar the time bug mentioned in another post). But I'm trying to create a secondary network for my AP's; but I can't seem to get it to work correctly.
The secondary network will be based on the range 10.10.10.1/24 - thus far I have created entries for "address list leading to bridged 1" and firewall rules. I've given the APs manual ip address within the range - but they don't have access to internet. The way in which I've actually tested this, was plug my laptop into port 5, give it an ip address of 10.10.10.2, GW 10.5.50.1, DNS (opendns) - trying to browse but not connection is possible.
Based on this how can is ensure that the network 10.10.10.1/24 has access to the internet, but any clients connected to the APs get an address of 10.5.50.1/24 and have to log in?
I've trying to setup this type of network up at the moment, on a RB450G
I've got my hotspot using Address: 10.5.50.1/24 on a bridged 1 interface (ports 2-5) - the actual hotspot system is working fine (bar the time bug mentioned in another post). But I'm trying to create a secondary network for my AP's; but I can't seem to get it to work correctly.
The secondary network will be based on the range 10.10.10.1/24 - thus far I have created entries for "address list leading to bridged 1" and firewall rules. I've given the APs manual ip address within the range - but they don't have access to internet. The way in which I've actually tested this, was plug my laptop into port 5, give it an ip address of 10.10.10.2, GW 10.5.50.1, DNS (opendns) - trying to browse but not connection is possible.
Based on this how can is ensure that the network 10.10.10.1/24 has access to the internet, but any clients connected to the APs get an address of 10.5.50.1/24 and have to log in?
Re: Hotspot configuration questions and functions
Of course they don't have access, they don't have a gateway on the local broadcast domain. Might as well just not configure a gateway on them. What you're doing makes little sense.10.10.10.2, GW 10.5.50.1
Trunk VLANs to the APs, use one VLAN for management and the other on the radio for client connectivity.
Re: Hotspot configuration questions and functions
Sorry, that was actually I typo I did put the correct GW in the configuration.
I was trying to figure out how you've managed to connect the AP's. But based on your post, I'm still not understanding.
At the moment the configuration is:
ISP>RB450G (port1) > Hotspot on Bridge (ports 2-5) > Client 10.5.50.X
Please can you explain how I'd go about setting it up.
Thank you
I was trying to figure out how you've managed to connect the AP's. But based on your post, I'm still not understanding.
At the moment the configuration is:
ISP>RB450G (port1) > Hotspot on Bridge (ports 2-5) > Client 10.5.50.X
Please can you explain how I'd go about setting it up.
Thank you
Re: Hotspot configuration questions and functions
Are the APs you are using VLAN capable?
Re: Hotspot configuration questions and functions
Hi,
Yes they are:
Yes they are:
• WEP Encryption-64/128/152 bit
• WPA Personal (WPA-PSK using TKIP or AES)
• WPA Enterprise (WPA-EAP using TKIP)
• 802.1x Authenticator
• Hide SSID in beacons
• Multiple SSID with 802.1q VLAN tagging (up to 4 SSIDs)
• MAC Filter
• L2 isolation
• Wireless STA (Client) connected list
Re: Hotspot configuration questions and functions
In order for the access points to have access to the internet, you need need a NAT rule as well for that subnet. However if you are going to do some port forwarding to monitor and manage the devices remotely via SNMP, HTTP, etc, then you don't need the NAT rule, you just need to set up some port forwarding rules. Very rarely should network equipment need direct access to the internet, unless you are sending SNMP traps, or using a Radius server for devices to check against.
In hotspot set the equipment up with a bypass, set up their to-address as the same as their real address, then use a dst-nat rule to forward traffic to them. Something along the lines of:
If you are using any load balancing, you will probably need to set up a mangle rule to catch incoming connections and mark for routing based off of that connections so that it can reply out of both connections fine.
In hotspot set the equipment up with a bypass, set up their to-address as the same as their real address, then use a dst-nat rule to forward traffic to them. Something along the lines of:
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.2 dst-port=40001 to-address=10.10.10.1 to-port=80 protocol=tcp
Re: Hotspot configuration questions and functions
Hi
Thanks for your help once again.
As my hotspot is attached to the bridge, which is taking the port for all the ports.
I've attached a VLAN to that bridge with the IP pool 192.168.1.0/24. My device has static IPs set to them and then I assign the firewall in your previous post to allow the routing.
Any client that connects to that AP, now get the correct IP address 10.5.50.X as expected - all is working fine.
The last thing I'm trying to do now is to somehow get remote/local management to work. Ideally I'd like from a certain IP address (if remote) and knocking/MAC address(if local) to get access to their configuration page. What is the best way of doing this?
Or again, just use VLANs and change the ID's when I need to? (if using VLANS, is it possible to access it when connect via the hotspot?)
Thanks for your help once again.
As my hotspot is attached to the bridge, which is taking the port for all the ports.
I've attached a VLAN to that bridge with the IP pool 192.168.1.0/24. My device has static IPs set to them and then I assign the firewall in your previous post to allow the routing.
Any client that connects to that AP, now get the correct IP address 10.5.50.X as expected - all is working fine.
The last thing I'm trying to do now is to somehow get remote/local management to work. Ideally I'd like from a certain IP address (if remote) and knocking/MAC address(if local) to get access to their configuration page. What is the best way of doing this?
Or again, just use VLANs and change the ID's when I need to? (if using VLANS, is it possible to access it when connect via the hotspot?)
Re: Hotspot configuration questions and functions
You can set the NAT rule to work from only specific IP addresses for port forwarding. Basically you would make an address list, lets call it 'allowed', and in the the NAT rule, use scr-address-list=allowed.
For local you could be looking at a bit more difficult setup depending on what you have in place. Since the VLAN interface on the MikroTik has an address, you can probably still access it through routing. Try removing the filter rules you have set up to protect the APs and see if you can access them. If so, you can put them back in and use an address list that is allowed access that isn't part of the DHCP pool, so a guest won't ever receive the IP that can access the subnet, or you can try it with port knocking as well if you wanted.
MikroTik is not a switch and does not treat VLANs like a switch will. As far as it's concerned any VLAN that you add is just another physical interface that it can use. The only difference between a real interface and a VLAN for a MikroTik is that it expects to see a VLAN tag coming in for that interface and it will tag outgoing traffic for that VLAN.
For local you could be looking at a bit more difficult setup depending on what you have in place. Since the VLAN interface on the MikroTik has an address, you can probably still access it through routing. Try removing the filter rules you have set up to protect the APs and see if you can access them. If so, you can put them back in and use an address list that is allowed access that isn't part of the DHCP pool, so a guest won't ever receive the IP that can access the subnet, or you can try it with port knocking as well if you wanted.
MikroTik is not a switch and does not treat VLANs like a switch will. As far as it's concerned any VLAN that you add is just another physical interface that it can use. The only difference between a real interface and a VLAN for a MikroTik is that it expects to see a VLAN tag coming in for that interface and it will tag outgoing traffic for that VLAN.