Hi there, I should be receiving around 5 RB450Gs in the next few days and I was hoping someone could help me with some questions please. I've looked on the forum and bought a book on RouterOS, but I can't seem to find the answers to my questions below. I'd be grateful for any help/links, or even if someone would mind helping with the configuration.
1) Is it possible to use a 3rd-party user management / billing system with the hotspot system on the RB? At the moment I'm using Pro-mesh.net (for billing/splash page control) and Open-mesh to manage the nodes. I was wondering if it is possible to still use Pro-mesh.net to control the user databases/billing.
If it is possible how would I go about setting this up?
Yes, you can use 3rd-party user management and billing. I can't speak to Pro-mesh.net or Open-mesh, but we manage hundreds of hotspots with our manager.
2) I will be testing MT's integrated hotspot system to switch over from the above solution. My setup will be ISP > RB450G > Switch > Access points (EAP-3660). I need to configure the hotspot to allow users to connect to any of the APs and get authorised by the RouterOS hotspot system.
MT's hotspot capabilities work great in this setup. As long as the APs are in bridge mode and the MT can see the individual users, you'll be fine. We have large hotel hotspots set up with hundreds of access points (3Com) behind a MikroTik, and it works great.
3) Based on the above, how can I ensure that the RB can communicate with the APs but block any connected client from seeing any other device on the network? Please note that the APs will be connected by Ethernet cable.
The access points should be set up as "bridges", i.e. they provide a wireless layer-2 connection to the network. We typically configure the access points to be on a 10.x.x.x subnet, and have the MT hotspot use a 192.168.x.x subnet for DHCP. This way users connected to the APs wirelessly get 192.168.x.x IP addresses and they can't do an IP scan to find the APs. Yet we can bypass the APs' IPs (10.x.x.x) in the MT for remote management of the APs.
4) Is it possible to create a billing page with different access plans and bandwidths?
With a 3rd party management system, yes.
5) Is there a way to only allow one login per username/password, without binding the connection to a MAC address (which prevents spoofing)?
Yes. Via RADIUS profile attributes.
6) What would be the best way to allow local management, if needed? (I'm thinking port-knocking rules.)
Simple IP filtering or firewall rules should suffice.
7) Is there a way I can monitor/manage these hotspots remotely?
Yes, you can remotely monitor them via an SNMP monitoring server/service, or you can use The Dude on your desktop. As for management, Winbox works great from a sysadmin standpoint, but can be a bit cumbersome if you have any kind of tier-1 tech support dealing with hotspot users. We actually wrote our own management interface into our billing software for easily managing hotspot users.
8) During an internet outage, is it possible to redirect the splash page to an alternative page and force any users connected at the main to that page?
If there is an internet outage, how are users going to be able to connect to any webpage? You could upload a page to the MT itself and create a firewall rule/script that would route all traffic to that page if the internet goes down...
9) Is it possible to create a rule which logs users' MAC addresses and activity (webpage visits)?
Using a NetFlow collector, you can monitor IP address usage activity. Use the authentication logs to match a MAC address to a given hotspot IP (i.e. 192.168.x.22). Then look up all of the IPs and ports that the given hotspot IP (192.168.x.22) connected to and passed traffic to. As for recording domains, it doesn't track that.
10) Is an SSL certificate really needed when using PayPal? (Will users see any message/warnings without it?)
SSL is not required for PayPal if users use their PayPal account (since they will be on PayPal's secure site). An SSL certificate is required if using Website Payments Pro and the users enter their CC details on your own webpage.
11) Are there any major issues when using PayPal that I should be aware of?
Not really, it's personal preference for payment processing. We use both Authorize.net and PayPal for processing payments, depending on the hotspot location.
Is anyone willing to share things they have done to protect their setups from hackers/viruses/trojans?
Thank you in advance for your time. Sorry if you feel these questions have already been answered, but I feel that I'm still unsure on the above.
If you want, you can contact me via email (aabramson [at] wi-figuys.com) if you want some more in-depth details on securing and remotely managing multiple MikroTiks in a hotspot environment.
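Below is an added RouterOS configuration example that is not part of the post above; it puts the layout described in answers 3 and 6 into concrete commands. It assumes a hypothetical layout: ether1 is the WAN to the ISP, ether2 faces the switch and the bridged APs, the APs are statically addressed in 10.10.0.0/24, hotspot clients get 192.168.10.0/24 from DHCP, 203.0.113.10 is the single admin host, and 00:11:22:33:44:55 / 10.10.0.11 is a placeholder MAC/IP pair for one AP. All addresses, interface names, and the 8081 management port are assumptions for the example.

```routeros
# Added example, not from the original post. Hypothetical layout:
#   ether1 = WAN towards the ISP, ether2 = LAN towards the switch and the APs
#   10.10.0.0/24    = AP management subnet, router 10.10.0.1, APs statically addressed
#   192.168.10.0/24 = hotspot client subnet handed out by DHCP, router 192.168.10.1
#   203.0.113.10    = the one admin host allowed to manage the router and the APs
#   00:11:22:33:44:55 / 10.10.0.11 = placeholder MAC/IP of one AP (repeat per AP)

/ip address
add address=10.10.0.1/24 interface=ether2 comment="AP management"
add address=192.168.10.1/24 interface=ether2 comment="hotspot clients"

/ip pool
add name=hs-pool ranges=192.168.10.10-192.168.10.250
/ip dhcp-server
add name=hs-dhcp interface=ether2 address-pool=hs-pool lease-time=1h disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns
set allow-remote-requests=yes

/ip hotspot profile
add name=hs-prof hotspot-address=192.168.10.1 login-by=http-chap
/ip hotspot
add name=hs1 interface=ether2 address-pool=hs-pool profile=hs-prof disabled=no

# Bypass the captive portal per AP as a MAC+IP pair, not for all of 10.10.0.0/24:
# a client that gives itself a 10.10.0.x address by hand must not skip the login.
/ip hotspot ip-binding
add mac-address=00:11:22:33:44:55 address=10.10.0.11 type=bypassed comment="AP 1 (placeholder MAC)"

/ip firewall address-list
add list=mgmt-hosts address=203.0.113.10 comment="remote admin"
add list=ap-mgmt address=10.10.0.0/24 comment="AP management subnet"
add list=hs-clients address=192.168.10.0/24 comment="hotspot client subnet"

/ip firewall filter
# Traffic to the router itself: management only from the admin list, never from clients.
# The hotspot inserts its own dynamic rules ahead of these for the login page and
# unauthenticated clients, so these only need to cover management and DNS.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=mgmt-hosts protocol=tcp dst-port=22,8291 action=accept comment="SSH/Winbox from admin"
add chain=input src-address-list=hs-clients protocol=udp dst-port=53 action=accept comment="DNS for clients"
add chain=input src-address-list=hs-clients protocol=tcp dst-port=21,22,23,8291,8728,8729 action=drop comment="no management from clients"
# Routed traffic: clients must never reach the APs or each other; the admin may reach the APs.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=hs-clients dst-address-list=ap-mgmt action=drop comment="clients -> APs blocked"
add chain=forward src-address-list=hs-clients dst-address-list=hs-clients action=drop comment="client -> client blocked"
add chain=forward src-address-list=mgmt-hosts dst-address-list=ap-mgmt action=accept comment="admin -> APs allowed"
add chain=forward src-address-list=hs-clients out-interface=ether1 action=accept comment="clients -> internet after login"
add chain=forward action=drop comment="default deny"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
# Admin reaches AP 1's web UI through the router; 8081 is an assumed external port.
add chain=dstnat in-interface=ether1 src-address-list=mgmt-hosts protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=10.10.0.11 to-ports=80 comment="admin -> AP 1 web UI"

# Lock the management services themselves to the admin host and switch off the rest.
/ip service
set winbox address=203.0.113.10/32
set ssh address=203.0.113.10/32
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
```

Two points worth checking before relying on this. The forward rules only see traffic the router routes: clients and APs share the layer-2 segment on ether2, so a client that manually sets a 10.10.0.x address can talk to the APs directly without crossing the router. Binding the hotspot bypass to MAC+IP pairs stops such a client from skipping the portal, but keeping the APs unreachable from clients needs the APs' own client-isolation setting or a separate management VLAN on the switch. Second, the `/ip service` address restriction and the input rules both limit management to 203.0.113.10; if the admin host changes address, update both, or you lock yourself out of everything but the console.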