Hotspot issues and functions.

Hi there,
I've tried looking for the following answers, but can't find what I'm looking for. I'm hoping someone can help me out with the following points.
I'd just like to give you an advanced thank you, for helping me out and other readers/users of this information.

1) If the internet is down whilst a user is trying to connect to the hotspot, no matter what OS they are running (OSX/XP/7) it seems they don't get the full settings needed to connect once the internet is back up.

From what I can see, they get their IP, GW, DNS addresses, but (on windows systems) the message "limited conductivity" appears on their connection. Normally, in this situation within a few minutes of the internet connection being up again the OS would detect this and allow the to get to the signup page.
In my hotspot setup, this actually isn't happening, the OS is not trying to correct the issue - and I've tried this with many computers.

So as a work around, what would be the best way to force a re-sync to the hotspot, once the internet comes back online? I'm guessing a netwatch script, which removes all DHCP clients or disables the ports and re-enables them?

Either way, please could someone help me with the coding used to do that.

2) My hotspot gateway ip is 10.5.50.1 - so therefore the signup page should be: 10.5.50.1/user/signup. But if I try and goto that page (locally) If a user hasn't created an account/signed in they get returned with a 404 error. If I put my external IP address in place of the internal one and add that address to the walled garden, they can access the signup that way.
Could someone tell me why trying to access the signup page locally doesn't work. This is also true for the user management (/user). The only page that works locally is /userman.

3) How could I go about writing a script/html code that I could display on the login page that would tell the users if there internet was up or down? Basically I was thinking about using a netwatch function but reports taken out as html results.

4) Am I correct in saying that any client not logged into the hotspot should be faced with a login page - whether their browser is pointing to http://www.mikrotik.com or http://www.mikrotik.com/aboutus.php - because I've noticed in some cases if a client is trying to connect to a page which isn't at the base URL, then their browser returns a 400 error.

5) Is it possible to customise the page which displays 404 error on the router?

6) Say the WAN ip address is 85.45.65.25 - if I type that address in any browser I'm faced with the default Mikrotik router page telling me how to connect - Given that this can be dangerous, I would really like to remove this page or ideally have all requests default to the hotspot page. How can this be done?

7) Following on from another post: - http://forum.mikrotik.com/viewtopic.php?f=2&t=42040

I've got my hotspot using Address: 10.5.50.1/24 on a bridged 1 interface (ports 2-5), but I'm trying to create a secondary network for my AP's; but I can't seem to get it to work correctly -to protect customers from trying to blast/scan for the AP's.

The secondary network will be based on the range 10.10.10.1/24.Based on this how can is ensure that the network APs all get address in the range 10.10.10.1/24, but any clients connected to the APs get an address of 10.5.50.1/24 and have to log in to gain access.

The idea behind this is just to create a layer of protection, separating the equipment from the clients.


Information:

RB450G level 5 licence - v4.9
Local hotspot/radius/usermanager-test v4.9
Dymanic IP address being used for ISP connection.
AP's to be used Engenius 3660 & 9950 (http://www.engeniustech.com/datacom/pro ... spx?id=244)

1) If the internet is down whilst a user is trying to connect to the hotspot, no matter what OS they are running (OSX/XP/7) it seems they don't get the full settings needed to connect once the internet is back up.
From what I can see, they get their IP, GW, DNS addresses, but (on windows systems) the message "limited conductivity" appears on their connection. Normally, in this situation within a few minutes of the internet connection being up again the OS would detect this and allow the to get to the signup page.
In my hotspot setup, this actually isn't happening, the OS is not trying to correct the issue - and I've tried this with many computers.
So as a work around, what would be the best way to force a re-sync to the hotspot, once the internet comes back online? I'm guessing a netwatch script, which removes all DHCP clients or disables the ports and re-enables them?
Either way, please could someone help me with the coding used to do that.

I never heard about such client issue. You have to check Windows settings, currently it sounds as Windows problem.
I do not see the way how router will detect, that bad user needs to be disconnected.

2) My hotspot gateway ip is 10.5.50.1 - so therefore the signup page should be: 10.5.50.1/user/signup. But if I try and goto that page (locally) If a user hasn't created an account/signed in they get returned with a 404 error. If I put my external IP address in place of the internal one and add that address to the walled garden, they can access the signup that way.
Could someone tell me why trying to access the signup page locally doesn't work. This is also true for the user management (/user). The only page that works locally is /userman.

Public IP address should be used for signup.

3) How could I go about writing a script/html code that I could display on the login page that would tell the users if there internet was up or down? Basically I was thinking about using a netwatch function but reports taken out as html results.

When Internet is down, HotSpot page could not be displayed.

4) Am I correct in saying that any client not logged into the hotspot should be faced with a login page - whether their browser is pointing to http://www.mikrotik.com or http://www.mikrotik.com/aboutus.php - because I've noticed in some cases if a client is trying to connect to a page which isn't at the base URL, then their browser returns a 400 error.

HotSpot login page should be provided to the user all the time, he/she is trying to access the any Internet page.

5) Is it possible to customise the page which displays 404 error on the router?

No.

6) Say the WAN ip address is 85.45.65.25 - if I type that address in any browser I'm faced with the default Mikrotik router page telling me how to connect - Given that this can be dangerous, I would really like to remove this page or ideally have all requests default to the hotspot page. How can this be done?

It is not possible to remove it.
You may use branding and modify the content of the page.

7) Following on from another post: - viewtopic.php?f=2&t=42040
I've got my hotspot using Address: 10.5.50.1/24 on a bridged 1 interface (ports 2-5), but I'm trying to create a secondary network for my AP's; but I can't seem to get it to work correctly -to protect customers from trying to blast/scan for the AP's.
The secondary network will be based on the range 10.10.10.1/24.Based on this how can is ensure that the network APs all get address in the range 10.10.10.1/24, but any clients connected to the APs get an address of 10.5.50.1/24 and have to log in to gain access.

The best solution to separate these two networks and run two different HotSpot for each network.

1)

I never heard about such client issue. You have to check Windows settings, currently it sounds as Windows problem.
I do not see the way how router will detect, that bad user needs to be disconnected.

Well thats just it, its not just Windows machines as mentioned. Could this be someone I've done wrong in the configuration? Given in this example the internet will have come down, is there not away I can force a reconnect of all users?

2)

Public IP address should be used for signup.

Is this the only way in which this can be done? If possible could you kindly explain, why this is the case (just curious really)


3)

When Internet is down, HotSpot page could not be displayed.

Is there anything that can be done about this?

4)

HotSpot login page should be provided to the user all the time, he/she is trying to access the any Internet page.

Yes, I've asked them to refresh the pages but some times its still not displayed. I've managed to create the issue on my Mac aswell. I'll do some more testing to figure why this is. As it only occurs when not going to the base URL i.e. google.com / bbc.co.uk



6)

It is not possible to remove it.
You may use branding and modify the content of the page.

Is there any guides on how to do this please, or who should I contact regarding this? Also is it possible simply to block the page from being displayed, whilst allow the hotspot to work still?

7) Following on from another post: - viewtopic.php?f=2&t=42040
I've got my hotspot using Address: 10.5.50.1/24 on a bridged 1 interface (ports 2-5), but I'm trying to create a secondary network for my AP's; but I can't seem to get it to work correctly -to protect customers from trying to blast/scan for the AP's.
The secondary network will be based on the range 10.10.10.1/24.Based on this how can is ensure that the network APs all get address in the range 10.10.10.1/24, but any clients connected to the APs get an address of 10.5.50.1/24 and have to log in to gain access.

The best solution to separate these two networks and run two different HotSpot for each network.

I don't think I made myself very clear, all the clients (end users) will be accessing the network via wireless APs - but I would like to protect these as much as possible by placing them on seperate network, whilst any clients that do connect to them get an address from the hotspot. This would also allow remote management into each device (I'm hoping).

Btw from one of my other posts - here are some bugs:

I believe I've found a bug (not sure if the team are aware but here it is). This test is based on Hotspot/radius/user manager all on the same router.

Create a profile with say 30 seconds of access time and payment for it.
Get a user to sign up to that package and allow them to log on.

As long as the user remains active (for the duration set) they will not get logged out after their 'credit time' has expired.
But if you logout as the user, and try to log in, you will find that you can no longer gain access.

Can anyone think of a way to get around this issue?

Also another issue (not sure if its meant to be like this):
You cant delete pass payment records.

Thanks

1)

Well thats just it, its not just Windows machines as mentioned. Could this be someone I've done wrong in the configuration? Given in this example the internet will have come down, is there not away I can force a reconnect of all users?

Disable/enable HotSpot server, which sounds like bad solution.


2)

Is this the only way in which this can be done? If possible could you kindly explain, why this is the case (just curious really)

Yes, currently you cannot use local IP address for signup/user-page in User Manager (implementation).

3)

Is there anything that can be done about this?

No, currently there is nothing we can do.

4)

Yes, I've asked them to refresh the pages but some times its still not displayed. I've managed to create the issue on my Mac aswell. I'll do some more testing to figure why this is. As it only occurs when not going to the base URL i.e. google.com / bbc.co.uk

Make sure that dns-name is FQDN (if it is used), like www.hotspot.com instead of myhotspot.


6)

Is there any guides on how to do this please, or who should I contact regarding this? Also is it possible simply to block the page from being displayed, whilst allow the hotspot to work still?

Contact MikroTik support about it (support@mikrotik.com)

I don't think I made myself very clear, all the clients (end users) will be accessing the network via wireless APs - but I would like to protect these as much as possible by placing them on seperate network, whilst any clients that do connect to them get an address from the hotspot. This would also allow remote management into each device (I'm hoping).

Wireless AP is separate interface on the router, wireless AP are added to the bridge, wireless AP is connected to the Ethernet of HotSpot router?

Create a profile with say 30 seconds of access time and payment for it.
Get a user to sign up to that package and allow them to log on.
As long as the user remains active (for the duration set) they will not get logged out after their 'credit time' has expired.
But if you logout as the user, and try to log in, you will find that you can no longer gain access.
Can anyone think of a way to get around this issue?
Also another issue (not sure if its meant to be like this):
You cant delete pass payment records.

Yes, this workflow is correct, when local HotSpot database is used or RADIUS server used for authentication (which does not support RADIUS incoming messages). When RADIUS support such kind of messages, you can send packet from RADIUS server to tell the HotSpot client to be disconnected, when local HotSpot database used or RADIUS without support, the only way to do it - remove user from /ip hotspot active table.

1)

Disable/enable HotSpot server, which sounds like bad solution.

Ok, is there not away I can force all active users / and ip assignments to be dropped?


Point 2 & 3 - It would be nice to be able to thoses, but maybe in future developments?


4)

Make sure that dns-name is FQDN (if it is used), like http://www.hotspot.com instead of myhotspot.

Is there anyway create a rule which forces this to occur? Normally the browsers should add this, but it could be the case its not.

Wireless AP is separate interface on the router, wireless AP are added to the bridge, wireless AP is connected to the Ethernet of HotSpot router?

In my case is the seperate device - connected via ethernet cable to a switch or directly into one of the ports

Yes, this workflow is correct, when local HotSpot database is used or RADIUS server used for authentication (which does not support RADIUS incoming messages). When RADIUS support such kind of messages, you can send packet from RADIUS server to tell the HotSpot client to be disconnected, when local HotSpot database used or RADIUS without support, the only way to do it - remove user from /ip hotspot active table.

Ah that makes sense - so its a limitation of RouterOS at the moment, and the only way to resolve this is to use another radius server.

1) In the same way, clear /ip hotspot active or /ip hotspot host

2)-3) I just can forward them to the developers.

4) I do not understand the question, please explain it.

5) New User Manager supports CoA.

Thank you Sergejs for your replies. You been a great help with that.

1) Easy enough, I can script that in what I want - (on a side note, the good thing about ROS once you can understand the logic behind the system and functions, it can be fairly easy to put in place)

2 & 3) Great, if you could please, that would great and I know many other would like these functions & it would make managing smaller hotspot locations much easier.

4) Never mind, that I've actually adjusted a few things and the issues doesn't seem to be occuring.

5) Is there any instructions on how to get this to work or is it just tick the box and it works?

P.S I sent an email yesterday regarding the 'front' page of the router.

5) New User Manager supports CoA.

Can you explain what CoA does and how I'd go about setting this up please, as there is no documents on this.

CoA is Change of Authorization messages, it allows to change specific settings (for example bandwidth limitation) without logout/login procedure for the client.

CoA is Change of Authorization messages, it allows to change specific settings (for example bandwidth limitation) without logout/login procedure for the client.

Well I have the option enabled on UM but it doesnt seem to be doing anything - users still go over time. Is there anything else that needs to be configured?

/radius incoming should be enable on the router too.

I've have this turned on but I can't see any requests for CoA in UM or on the RB Radius stats.

I'm using UM-test-4.10.

Sniff traffic and see if it's sent by the RADIUS server and received (on a packet level) by the client.

Hmm ok - it seems it working ok now. I think a reboot was needed to bring it alive? But it's kicking the user out on time now.

Is there anyway to give the user a message of what has happened either through HTML webpage on logout or some other method?

Not that I know of. As far as I can tell after logout the client is indistinguishable from any other client that isn't logged in (i.e., a client that never logged in at all and shouldn't be shown such a page).

Ok thanks for your input on that - when I get some spare time I'll look into a few ideas on how it 'might' be possible to do using work arounds.