Mikrotik RouterOS

From Social ID Developers
Jump to: navigation, search

The following guide was created using a Mikrotik network with the following components:

  • Router: Mikrotik RouterBoard 450G
  • Firmware: 3.22
  • RouterOS: v6.23

Contents

Requirements

You need to have a Mikrotik RouterBoard with Internet access already configured.

You can reset your RouterBoard and connect the cable with Internet access at the ethernet gateway port (ether1-gateway).

By default, the RouterBoard is configured with automatic address acquisition, so it will get the IP and Gateway from your Internet cable connection and will set up a DHCP Client also.

This guide was created using the WebFig configuration interface, but you can apply the same settings using the Winbox.

Interfaces

By default, the RouterBoard 450G comes with 5 ports and the following interfaces:

  • ether1-gateway
  • ether2-master-local
  • ether3-slave-local
  • ether4-slave-local
  • ether5-slave-local

In this guide, we'll create a new interface (bridge-hotspot) and associate one of the slaves interface to the bridge.

Ethernet

Go to Interfaces and edit one of the interfaces (e.g. ether4-slave-local). Change the following options:

  • Name: ether4
  • Master Port: none

1-setup-interface.png

Bridge

Go to Bridge and click in "Add New". Set the following options:

  • Name: bridge-hotspot

2-add-bridge.png

Bridge Port

Now you need to associate the Ethernet interface to the bridge.

Go to Bridge > Ports tab and click in "Add New". Set the following options:

  • Interface: ether4
  • Bridge: bridge-hotspot

3-add-port-to-bridge.png

Radius

Go to Radius and click in "Add New". Set the following options:

  • Enabled: checked
  • Service: Hotspot
  • Address: the RADIUS server IP according to your environment/region
  • Secret: the provided RADIUS client secret
  • Authentication Port: 1812
  • Accounting Port: 1813

4-add-radius-server.png

Hotspot

Go to IP > Hotspot.

Mikrotik offers a wizard (Hotspot Setup) to create almost all resources related to the Hotspot.

Hotspot Setup

Click in "Hotspot Setup".

Choose the "bridge-hotspot" as the "Hotspot Interface":

5-hotspot-setup-interface.png

Set "Local Address of Network" as 10.5.50.1/24:

6-hotspot-setup-network.png

Let the default value (10.5.50.2-10.5.50.254) for "Address Pool of Network":

7-hotspot-setup-pool.png

Set "Select Certificate" as "none":

8-hotspot-setup-certificate.png

Set the "IP Address of SMTP Server" as "0.0.0.0":

9-hotspot-setup-smtp.png

Set the DNS servers:

  • 10.5.50.1
  • 8.8.8.8 (optional)
  • 8.8.4.4 (optional)

10-hotspot-setup-dns.png

Set the "DNS Name" as "social-id-hotspot-dns":

11-hotspot-setup-dns-name.png

And create the default Hotspot user:

12-hotspot-setup-user.png

You can remove this user later.

Now you have your Hotspot resources created. You'll need to change some settings in the following steps.

User Profile

Go to IP > Hotspot > User Profiles. Edit the default entry and change the following options:

  • Session Timeout: 00:30:00
  • Idle Timeout: clear this entry
  • Shared Users: clear this entry

13-edit-user-profile.png

Server Profile

Go to IP > Hotspot > Server Profiles. Edit the hsprof1 entry and change the following options:

  • Login By: check only "HTTP PAP" option
  • Use RADIUS: checked
  • MAC Format: XX:XX:XX:XX:XX:XX (default option)
  • Accounting: checked (default option)

14-edit-server-profile.png

15-edit-server-profile-radius.png

Hotspot Server

Go to IP > Hotspot > Servers. Edit the hs-bridge-hotspot and change the following options:

  • Idle Timeout: set the desired timeout (e.g.: 00:05:00)
  • Addresses Per MAC: 1

16-edit-hotspot-server.png

Walled Garden

Allow Social-ID NOW platform URLs and social network URLs by configuring the Walled garden.

Go to IP > Hotspot > Walled Garden. For each Walled Garden for the Social Login domain you need to use, create an entry in the Walled Garden.

For example, to add *.socialidnow.com, click in "Add New" and set the following options:

  • Dst. Host: *.socialidnow.com

17-add-walled-garden.png

At the end, you'll have something like this:

18-walled-garden-list.png

Files

When you create a hotspot on Mikrotik, it automatically adds all the files and directories, creating an "internal" portal hosted on Mikrotik, so when a client connects to the network, it is redirected to this portal.

If you lose this files, you can recreate them by going into IP > Hotspot > Hotspot Server, click to edit your server and then click in the button "Reset HTML". The file structure is similar to this:

19-files.png

The Social-ID Wi-Fi portal is an external portal, in the cloud. So you need to redirect the internal login page to the external one hosted by Social-ID Platform.

You must replace your hotspot/login.html file by:

 <html>
   <head>
     <title>Login</title>
     <meta http-equiv="refresh" content="0; url=http://wifi.socialidnow.com/portals/<portal-name>/auth?client_mac=$(mac)&client_ip=$(ip)&login_url=$(link-login-only)" />
     <meta http-equiv="pragma" content="no-cache">
     <meta http-equiv="expires" content="-1">
   </head>
   <body>
   </body>
 </html>

Where <portal-name> must be replaced by your portal name.

To replace this file you can use a FTP client to connect to Mikrotik appliance.

Wireless Gateway

Mikrotik offers products in the Wireless and Ethernet Routers categories, both running RouterOS.

If you have a Wireless appliance, you can just configure the Wireless Interface to the Bridge, and your Wireless network will be ready to manage user authentication by the Hotspot server.

If you have an Ethernet Router, you can use it as a gateway to manage Hotspot services. Connect an AP from any vendor to the configured Hotspot Interface, so all clients connected to the AP will be required to authenticate through Mikrotik Hotspot Server. To create this guide we set up a Cisco Aironet AP, with open authentication, and connected to the Mikrotik's ether4 port, that is a slave for the hotspot bridge.

Security

Don't forget to follow some simple security guidelines:

  • Set a strong password for any admin user.
  • Review firewall rules (IP > Firewall).
Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox