
Ií> µl: l;

Mikrotik
Hotspot
Gateway
a I ÇI ¤o>_: _l.ag: _jI _I u C>;o_I oI HotSpot Gateway
_I Document revision 4.2 (Tue Jul 04 2006) _ola g oI_ Çlo.æI_
Ç_Ií:I Mikrotik Hotspot Gateway O]_g ÇI_; 2.9 uaI _I_8I µ_: .
_; _.a,; lo.æI_ _jI og>: jío g Ç_Ií:I oI_ uj_ Hotspot o_Io ¤,S: .
www.PersianAdmins.com
:Hotspot
Hotspot _oçoc _.¸..> ¤Ls. :, ..l _I.lí .¸ç± ¤. ¤í _,l±¸.ç,,olí çl¸.
i.l ei. _±.o ¤î.. ¤. ,,. _. l, . ¿ºl¡ ¸> Hotspot ¸l..cl çl¸. _.lîol
_>.. ) (Authenticate >ç>¡ ¤. ¤î.. ¤. Ul±.l .¡> cl¸.¸lí o >¸¡l _ .
_l> _í¸,¡ Hotspot ¸.¸lí .o. _l> .lo,L.. l, ¡ ¸l¸ºl ,¸. ¤. _..li. ¸l,.
¸..,. .Iç¡. .cl. ¤í ..l >ç. _o _Içoao cl¸.¸lí çl¸. . ¸> ..l _ºlí Lsº
:, ¸.¸lí .o. !nternet Browser i.l. ¤..l> >ç>¡ . _..lç>¸> ¸í¸¡¸o c>¸í¸l. l.
¤. .¡ ¤>s± Ul.¸l ¸. _...o Hotspot ..¸º >ç. _o e>l Hotspot ..lç>¸> ,lo.
_¸º _,¸ ¤>s± ¤. l¸ l± ) Servlet page or Login Page ( Redirect i.í _o . )
..l ¸,,a. _.lº _¸º _,¸ ¤>s± ( . ..lç>¸> ,¸º _ol. Vçoao _¸º _,¸ ¤>s±
¸.¸lí ¡ ..l ¸î,> ei. _±l±.>l çl±¸,¿ l, .la,I.. .>¸ç.¸ . _>.. ¸l..cl ¸l ia.
>I> ¤>s± ¤. ¸.¸lí elç Redirect >ç. _o . ¤>s± ¸l ..l _ºlí ,± _¡¸> çl¸.
status .¸ç± ¤. ¤í Popup >ç. _o ¸l. Logout i..í .l>..l l¸ .
:,.¡¸î,o ¤í _.l.lîol Hotspot i.í _o ,±l¸º :
¡ :,.¡¸î,o >ç> 硸 ei. >l>,l _I>o _,.l.,> ¸l e>ls..l l. cl¸.¸lí _>..¸l..cl
l, Radius ¸¡¸.
cl¸.¸lí _.¸.l.> ¡ :,.¡¸î,o >ç> 硸 ei. >l>,l _I>o _,.l.,> ¸l e>ls..l l.
l, Radius ¸¡¸.
,..,. Walled-garden ) _>.. ¸l..cl c¡i. l± .,l. ¸l _±a. ¤. _.¸..> (
gj_a Ç_Ií:I oI_ Çlo.æI_ :
¡ ei. e>l> _,±ç. ¿,¸. çlo.±l¸ :, ç¸li.l el¸ çl¸. :,.¡¸î,o >ç> çlo.±l¸ ¸>
l¸ ¡ _.¸¸ _¡¸ ¸l _,. ..l ei. ¤.º¸í :oí ¸..,. .l>,±ç. çl¸. _. . _o
¸,. ¤.l.o .º¸í ,±lç> _,¸ ¸> l¸ _¡¸ _,o± . _,. ¡ ¿,¸. ç¸li.l el¸ li..l _¸
.I.>o çl± .o.º _,±ç. .
¸l ¸lí _í>l. çl¸. >ç. _o ¤,±ç. winbox i,.í e>ls..l . l. l¸ .l>,±ç. _±a.
e>ls..l winbox l. l¸ _±a. ¡ command ,±lç> ¤.l¸l >l> .
i..l. ei. .±. ç¸li.l el¸ ¸l _.º i,l. ¤í _,l± _,î¸ :
Packages required: hotspot, dhcp
ç¸li.l el¸ ¸l _.º i,l. ¤í _,l± _,¡¸. Hotspot i,.l. e>¸í Ulaº :
1 - _,¡¸. DNS i.olí ¸l e>ls..l l. /ip dns
2 - _,¡¸. DHCP
3 - _,¡¸. connection tracking ) /ip firewall connection tracking set enabled=yes (
ç¸li.l el¸ çl¸. Hotspot i,¸l> ¸l,. ¤î.. .¸lí ¡> _ºli> ¤. ) interˆace ( _î, Public
i,l. ¡ ..l _±.o ..¸..,l ¤. ¤í l. RA‚ŠS ¡ ¸¡¸. ‚ƒS i.l. ¤..l> ‹l..¸l ¸¡¸.
_o¡> Local ¤í ¸.¸lí çl± Hotspot i.ç. _±.o cl ¤. . ¸± 硸 !nterˆace ¸ clîol el
:, Lsº ç¸li.l Hotspot >¸l> >ç>¡ ¸¡¸. . i>l¡ cl ¸> i,.lç. _o _¸ Hotspot çl±
硸 i,.l. ¤..l> _sI.>o !nterˆace ¤.líli> çl± . el¸ çl¸. ..l _,±ç. ¤. ,¸V
ç¸li.l Hotspot >ç. e>ls..l ,,. _. ¤î.. .¸lí ¸l lo.> ..,. ç¸l,. ,,. _.
.í _±¡ ,..,. ¤. ¤î.. .¸lí :, i,.lç. _o ¸± ¡ i, AP _±.o cl ¤. i,I,lo l¸
i,.í . i,.l.. ç¸lí¸l. cl¸î. . ,,. _. ¤î.. çl± .¸lí >¸ço ¸> Lsº ç¸lí¸l.
¤. _±.o NŒ (Nikrotik Router •S) ..l ,¡o .
c>¸í Ulaº çl¸. Hotspot 硸 !nterˆace Local :, ¸l i,l. Address Pool l. ¤.l.o
‚H†P i,.í e>ls..l ei. ç¸li.l el¸ ¸¡¸. .
/ip hotspot add interface=local address-pool=dhcp-pool-1
..l _ºlí ç¸li.l el¸ çl¸. .,l¡. ¸> :, ¸.¸lí i,.í >l>,l :
/ip hotspot user add name=admin
cç.íl Hotspot ..l ei. ç¸li.l el¸ .
.lo,L.. i,l. ..,Ží .o. ¸> Œ†P„!P i,±> ,l>.l l¸ . ,,L.. _¸º _,¸ .¸ç± ¤.
l 硸 :, _.º¸í çl¸. _,o± ¡ >¸l> ¸l¸º :,.loç. !P ¸l NŒ ¤,±ç. _I¡ i.í _o .,lsí
¸l i.l. çl.¡¸ >¸ço ¸> ¸.¡. .,¸,io çl¸. >ç. _o !P i,.í e>ls..l :,.l..l . :,
!P _.¸ ¸> !nterˆace Local .i,±> _l±.>l ..,Ží ¤î.. .¸lí ¤. ‚ƒS ¡ Gateway
¸¡¸. NŒ i,±i. l¸ . c>¸í ¸l. l. i,.lç.,o ¤. ¤í ¸.ç,,olí :, 硸 ¸í¸¡¸o !nterˆace
local i,ç. _•oLo •ç±ço _,l ¸l ..l ei. _±.o . _,çíiol.ç> ¤>s± i,l.
Hotspot i,l¸> _,lo. ¤. .
¸. _..o U¡¸ :, cl¸.¸lí Ul±.l ,lî.± ¸> _¸º _,¸ .¸ç± ¤. ƒAŒ .o.º ¸> ip
ˆirewall„ƒat >ç. _o >l>,l :,ol.,l> .¸ç± ¤. . .. >l>,l .¸ç± ¸> i,l. ci
!nterˆace Public l¸ ƒat i,.í .
ip firewall nat> add chain=srcnat action=masquerade out-interface=Public
uj_jío Hotspot
¸l e>ls..l l. l¸ .,¸,io .o.º winbox >l> ,±lç> _,±ç. .
i. i±lç> _¸> _I±l cl.¸ ¤. _.º ¸l,.. l, ¡ e>l. .l>,±ç. .
¸l¸ºl ,¸. ¸> winbox çç.o ¸l !P .o.º Hotspot i,.í .l>..l l¸ .
¸¡¸. :, l>.,l ¸> _o Ul’o çl¸. Hotspot ,l. l. wireless 硸 !nterˆace wireless ¡
l. address pool ¤±>.o l. wireless ,l e>¸í >l>,l .
¤.,¸í setup ¸¡¸. ç¸li.l el¸ çl¸. e>l. >¸l¸,¡ :, Hotspot i.í _o >l>,l . ¸>
¤í _.¸ç± l¸ ¸¡¸. ¸ç.± ç¸li.l el¸ . e>ls..l ¤.,¸í _,l ¸l i,.lç. _o i,l e>¸î
i,.í . .,l¡. ¸> ¡ e>¸í Ulç. lo. ¸l l¸ ç¸li.l el¸ çl¸. ,¸V .lcŽ“l ,lo. ¤.,¸í _,l
>¸í i±lç> ç¸li.l el¸ l¸ ¸¡¸. .
address pool of network (name) - IP address pool for the HotSpot network
dns name (text) - DNS domain name of the HotSpot gateway (will be statically configured on the local DNS proxy)
dns servers (IP address,[IP address]) - DNS servers for HotSpot clients
hotspot interface (name) - interface to run HotSpot on
ip address of smtp server (IP address; default: 0.0.0.0) - IP address of the SMTP server to redirect SMTP requests (TCP port 25) to
    0.0.0.0 - no redirect
local address of network (IP address; default: 10.5.50.1/24) - HotSpot gateway address for the interface
masquerade network (yes | no; default: yes) - whether to masquerade the HotSpot network
name of local hotspot user (text; default: admin) - username of one automatically created user
passphrase (text) - the passphrase of the certificate you are importing
password for the user (text) - password for the automatically created user
select certificate (name | none | import-other-certificate) - choose SSL certificate from the list of the imported certificates
    none - do not use SSL
    import-other-certificate - setup the certificates not imported yet, and ask this question again
¤.,¸í Proˆiles i.í _o >l>,l .I.>o çl±¸¡¸. clo¸o± .lo,L.. çl¸. _.lîol . çl¸.
i,.í _o >l>,l .I.>o .lo,L.. l. _,lº¡¸¸ i.¿ lo. Ul’o . .I.>o çl±¸¡¸. _,.
Hotspot ç¸l,. ¡ i,±> _o •l>¸l i.l. _,lo ¤í ,lií ¸± ¤. l¸ ¸± ¤.líli> ,,L.. ¤.
_.l.l ¡ çi,Ií .lo,L.. ¸l ç¸l,.. cl çlç. ..l> i,±lç>. ¸¡¸. Hotspot ¸>
.º¸í i±lç> ,l>.l l> _,o± .
_,lº¡¸¸ ¤.ço. çl¸. deˆault ,,.í _o _.¸¸. l¸ :
Submenu level: /ip hotspot profile
Property Description
dns-name (text) - DNS name of the HotSpot server. This is the DNS name used as the name of the HotSpot server (i.e., it appears as the location of the login page). This name will automatically be added as a static DNS entry in the DNS cache
hotspot-address (IP address; default: 0.0.0.0) - IP address for HotSpot service
html-directory (text; default: "") - name of the directory (accessible with FTP), which stores the HTML servlet pages (when changed, the default pages are automatically copied into specified directory if it does not exist already)
http-cookie-lifetime (time; default: 3d) - validity time of HTTP cookies
http-proxy (IP address; default: 0.0.0.0) - the address of the proxy server the HotSpot service will use as a proxy server for all those requests intercepted by Universal Proxy system and not defined in the /ip proxy direct list. If not specified, the address defined in parent-proxy parameter of /ip proxy. If that is absent too, the request will be resolved by the local proxy
login-by (multiple choice: cookie | http-chap | http-pap | https | mac | trial; default: cookie,http-chap) - which authentication methods to use
    cookie - use HTTP cookies to authenticate, without asking user credentials. Other method will be used in case the client does not have cookie, or the stored username and password pair are not valid anymore since the last authentication. May only be used together with other HTTP authentication methods (HTTP-PAP, HTTP-CHAP or HTTPS), as in the other case there would be no way for the cookies to be generated in the first place
    http-chap - use CHAP challenge-response method with MD5 hashing algorithm for hashing passwords. This way it is possible to avoid sending clear-text passwords over an insecure network. This is the default authentication method
    http-pap - use plain-text authentication over the network. Please note that in case this method will be used, your user passwords will be exposed on the local networks, so it will be possible to intercept them
    https - use encrypted SSL tunnel to transfer user communications with the HotSpot server. Note that in order for this to work, a valid certificate must be imported into the router (see a separate manual on certificate management)
    mac - try to use client's MAC address first as its username. If the matching MAC address exists in the local user database or on the RADIUS server, the client will be authenticated without asking to fill the login form
    trial - does not require authentication for a certain amount of time
radius-accounting (yes | no; default: yes) - whether to send RADIUS server accounting information on each user once in a while (the "while" is defined in the radius-interim-update property)
radius-default-domain (text; default: "") - default domain to use for RADIUS requests. It allows to select different RADIUS servers depending on HotSpot server profile, but may be handy for single RADIUS server as well.
radius-interim-update (time | received; default: received) - how often to send cumulative accounting reports.
    0s - same as received
    received - use whatever value received from the RADIUS server
rate-limit (text; default: "") - Rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default
smtp-server (IP address; default: 0.0.0.0) - default SMTP server to be used to redirect unconditionally all user SMTP requests to
split-user-domain (yes | no; default: no) - whether to split username from domain name when the username is given in "user@domain" or in "domain\user" format
ssl-certificate (name | none; default: none) - name of the SSL certificate to use for HTTPS authentication. Not used for other authentication methods
trial-uptime (time/time; default: 30m/1d) - is used only when authentication method is trial. Specifies the amount of time the user identified by MAC address can use hotspot services without authentication and the time, that has to pass that the user is allowed to use hotspot services again
trial-user-profile (name; default: default) - is used only when authentication method is trial. Specifies user profile, that trial users will use
use-radius (yes | no; default: no) - whether to use RADIUS to authenticate HotSpot users
i.¸ _o ¸L. ¤. l>.,l ¸> ¤í l>.,l ¸> ¤í _o¡o _.lî. :
.o.º ¸> General ¤.,¸í Html ‚irectory .¡ çl± _,lº _.º¸í ¸l¸º clîo Login
Page ..l .
çl¸>o çl±¸¡¸. ¤í >¸l> >ç>¡ clîol _,l _,l¸.l.. Hotspot login Page çl±
i..l. ¤..l> _.¡ls.o . ¸> l± _,lº c>¸í _,í eç>. l. i,l. ¤.,¸í _,l ¸l e>ls..l çl¸.
NŒ ¸l e>ls..l l. ™ŒP l, ¡ Winbox i,.l. l..l .
¸> .o.º Rate limit ¸¡¸. :, _í i.l. çl.¡¸ ¤í >¸l> >ç>¡ clîol _,l Hotspot l¸
i,.í >¡i>o .
.o.º ¸> HŒŒP Proxy _,l e>ls..l >¸ço ¸¡¸. _.í¡¸¸ i,.lç. _o Hotspot l¸
i,.í Ÿ>.o .
.I.>o çl± _.í¡¸¸ ¸l i,.lç. _o _¸ .I.>o çl±¸¡¸. çl¸. i,.í e>ls..l .
¸l _±a. Ž’o Hotspot ± l¸ ¸î,> _±a. ¡ i,..¸s. _í ¤. l¸ l ...
.o.º ¸> Login i,.í _o Ÿ>.o l¸ cl¸.¸lí _>.. ¸l..cl •ç. . •ç. ¤. >¡i>o
.l clo¸o± l¸ _¡¸ i.¿ i,.lç. _o ¡ i,..,. _±l> . i,.í .l> .
çl¸. Ul’o çl¸. ¸.¸lí çl± LAƒ ¸l Lsº i,.lç. _o i...± ei. ¤.>l.. ¤í NA†
çl¸. ¡ i,.í e>ls..l lí ¸.¸ çl± Wireless ¸l ŒŒP chap ¤í i,¸l> _..,Ží ¸íl
Windows 98 •ç. ¸l i,¸ç.>o ei. .±. cl 硸 _.ºlo ¡ HŒŒP PAP e>ls..l
i,.í .
¸l ¸íl ,.í _o ¤,±ç. Radius _¡¸ i,.í _o e>ls..l C.,..líl .¡> ¸¡¸. cookie
i,¸li.l,. ¸lí ¸l l¸ .
_¡¸ Œrial ¸. _.lîol çl ¸.¸lí _,l± _,¡¸. ... i±º ¤í ..l Hotspot l¸ lo.
i.¸l> . ..l ,l>.l _.lº ¸î,> çl± .o.º ¸> cl çl± ,,L.. . ¤í i,.l. ¤..l> ¤>ç.
i,l. lo.> _¡¸ _,l l. >¸,í ,l>.l clolç. ¸î,> çl± _¡¸ .
.o.º ¸> Radius ¡ _>.. ¸l..cl çl¸. ¸¡¸. _,l ¤í i,.í _o Ÿ>.o
¸l _.¸.l.> Radius . l, i.í e>ls..l ¤ . ¸l C.,..líl çl¸. ¸íl Radius ¸¡¸.
:,. i,l. i,.í _o e>ls..l Accounting .o.º ,¡o ¤.î. i,.¸. l¸ !nterim Špdate
..l . .lo,L.. _.“ i,l. l¸ .o.º _,l Radius Vl ¡ i,±> ,l>.l >ç> ¸¡¸.
¸.¸lí ..,I ¸l lo. çl± •nline Šser ¸l¸ºl ,¸. ¸> l± Radius ¸> i.ç. _o .i>
¤í _Il> i...± _±.o ¸ç.± .
.o.º Ž.º i,l. .o.º _,l ¸l e>ls..l çl¸. Radius i,.l. e>¸í ,,L.. ¡ Ulaº l¸ .
.o.º ¸> Šsers i,.ç. _o ¸.¸lí çl± _,lº¡¸¸ ¤. l¸ l¡.l ¡ i,.í >l>,l _I>o çl±
¸.¸lí i,±> •l>¸l . _º _,l ¸> _,lº¡¸¸ l _I.º _s. clo± . l¸ i.¸l> ei¡c ¤. .
. io i,l. ¤í _.lî. ¤.,o± ¤í ..l _,l i,±> ¸l¸º ¸L ¸.¸lí ¤. _I>o _,.l.,> çl±
¸.¸lí ¸l ¤í çl± Radius >¸l¡ ¸> ,± ç¸ç, ¸íl _,l¸.l.. i.¸l> .,çI¡l i.ç. _o NŒ
¸> ,± ¡ Radius i.l. ei. .,¸a. ¸¡¸. ¸.¸lí >ç. _o >¸l¡ _I>o _,.l.,> ¸l .
¸l ¤í _,l±¸ç, ¤î.,l ¸î,> Radius º¡¸¸ ¤. i.ç. _o >¸l¡ _,l ‚eˆaul _o e>l> •l>¸l
cl¸.¸lí çl¸. _l> _,lº¡¸¸ >l>,l çl¸. _±l¸ _,l¸.l.. i.ç. Radius >ç>¡
>¸li. ) Vlo.>l (
¤.,¸í c>¸.º l. + c>¸í ¤ºl±l clîol ¸.¸lí i,¸l> l¸ .
HotSpot Users
Submenu level: /ip hotspot user
Property Description
address (IP address; default: 0.0.0.0) - static IP address. If not 0.0.0.0, client will always get the same IP address. It implies, that only one simultaneous login for that user is allowed. Any existing address will be replaced with this one using the embedded one-to-one NAT
bytes-in (read-only: integer) - total amount of bytes received from user
bytes-out (read-only: integer) - total amount of bytes sent to user
limit-bytes-in (integer; default: 0) - maximum amount of bytes user can transmit (i.e., bytes received from the user)
    0 - no limit
limit-bytes-out (integer; default: 0) - maximum amount of bytes user can receive (i.e., bytes sent to the user)
    0 - no limit
limit-uptime (time; default: 0s) - total uptime limit for user (pre-paid time)
    0s - no limit
mac-address (MAC address; default: 00:00:00:00:00:00) - static MAC address. If not 00:00:00:00:00:00, client is allowed to login only from that MAC address
name (name) - user name. If authentication method is trial, then user name will be set automatically after following pattern "T-MAC_address", where MAC_address is trial user MAC address
packets-in (read-only: integer) - total amount of packets received from user (i.e., packets received from the user)
packets-out (read-only: integer) - total amount of packets sent to user (i.e., packets sent to the user)
password (text) - user password
profile (name; default: default) - user profile
routes (text) - routes that are to be registered on the HotSpot gateway when the client is connected. The route format is: "dst-address gateway metric" (for example, "10.1.0.0/24 10.0.0.1 1"). Several routes may be specified separated with commas
server (name | all; default: all) - which server is this user allowed to log in to
uptime (read-only: time) - total time user has been logged in
i>o >l>,l i,±> ,l>.l .o.º _,l ¸> i,l. l¸ ¸.¸lí çl¸. _o>> .,>¡ . _,l.lç.
i,..± l¸l> ,± l¸ ¸.¸lí c>ç. _,Ž.l clo¸ c>¸í >¡i>o .
_,lº¡¸¸ deˆault ,,.í _o _.¸¸. l¸ :
HotSpot User Profiles
Submenu level: /ip hotspot user profile
Description
HotSpot User profiles are used for common user settings. Profiles are like user groups, they are grouping users with the same limits.
Property Description
address-pool (name | none; default: none) - the IP pool name which the users will be given IP addresses from. This works like dhcp-pool method in earlier versions of MikroTik RouterOS, except that it does not use DHCP, but rather the embedded one-to-one NAT
    none - do not reassign IP addresses to the users of this profile
advertise (yes | no; default: no) - whether to enable forced advertisement popups for this profile
advertise-interval (multiple choice: time; default: 30m,10m) - set of intervals between showing advertisement popups. After the list is done, the last value is used for all further advertisements
advertise-timeout (time | immediately | never; default: 1m) - how long to wait for advertisement to be shown, before blocking network access with walled-garden
advertise-url (multiple choice: text; default: http://www.mikrotik.com/,http://www.routerboard.com/) - list of URLs to show as advertisement popups. The list is cyclic, so when the last item reached, next time the first is shown
idle-timeout (time | none; default: none) - idle timeout (maximal period of inactivity) for authorized clients. It is used to detect, that client is not using outer networks (e.g. Internet), i.e., there is NO TRAFFIC coming from that client and going through the router. Reaching the timeout, user will be logged out, dropped off the host list, the address used by the user will be freed, and the session time accounted will be decreased by this value
    none - do not timeout idle users
incoming-filter (name) - name of the firewall chain applied to incoming packets from the users of this profile
incoming-packet-mark (name) - packet mark put on all the packets from every user of this profile automatically
keepalive-timeout (time | none; default: 00:02:00) - keepalive timeout for authorized clients. Used to detect, that the computer of the client is alive and reachable. If check will fail during this period, user will be logged out, dropped off the host list, the address used by the user will be freed, and the session time accounted will be decreased by this value
    none - do not timeout unreachable users
name (name) - profile reference name
on-login (text; default: "") - script name to launch after a user has logged in
on-logout (text; default: "") - script name to launch after a user has logged out
open-status-page (always | http-login; default: always) - whether to show status page also for users authenticated using mac login method. Useful if you want to put some information (for example, banners or popup windows) in the alogin.html page so that all users would see it
    http-login - open status page only in case of http login (including cookie and https login methods)
    always - open http status page in case of mac login as well
outgoing-filter (name) - name of the firewall chain applied to outgoing packets to the users of this profile
outgoing-packet-mark (name) - packet mark put on all the packets to every user of this profile automatically
rate-limit (text; default: "") - Rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values.
session-timeout (time; default: 0s) - session timeout (maximal allowed session time) for client. After this time, the user will be logged out unconditionally
    0 - no timeout
shared-users (integer; default: 1) - maximal number of simultaneously logged in users with the same username
status-autorefresh (time | none; default: none) - HotSpot servlet status page autorefresh interval
transparent-proxy (yes | no; default: yes) - whether to use transparent HTTP proxy for the authorized users of this profile
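The rate-limit syntax described for user profiles above (and in its shorter form under the server profile) is positional, with several fallback rules. The parser below is an added example, not MikroTik code: it applies those fallbacks and rejects values the description rules out, so a string can be checked before it is pushed to a router. The name parse_rate_limit, the output keys and the reading of burst times as whole seconds with an optional "s" are assumptions.

```python
import re

_UNITS = {"": 1, "k": 1_000, "M": 1_000_000}


def _rate(token):
    """Convert '512k' or '2M' to a plain number (bare digits pass through)."""
    m = re.fullmatch(r"(\d+)([kM]?)", token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _seconds(token):
    """Assumption: burst time is whole seconds, written '8' or '8s'."""
    m = re.fullmatch(r"(\d+)s?", token)
    if not m:
        raise ValueError(f"bad burst time {token!r}")
    return int(m.group(1))


def _pair(field, conv):
    """Split 'rx[/tx]'; a missing tx half takes the rx value."""
    rx, _, tx = field.partition("/")
    return conv(rx), conv(tx or rx)


def parse_rate_limit(text):
    """Parse a HotSpot rate-limit string and apply the documented fallbacks."""
    fields = text.split()
    if not 1 <= len(fields) <= 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    out = {}
    out["rx_rate"], out["tx_rate"] = _pair(fields[0], _rate)
    if len(fields) >= 2:
        out["rx_burst_rate"], out["tx_burst_rate"] = _pair(fields[1], _rate)
        # No thresholds given: the plain rates act as burst thresholds.
        thr = fields[2] if len(fields) >= 3 else fields[0]
        out["rx_burst_threshold"], out["tx_burst_threshold"] = _pair(thr, _rate)
        # No burst time given: 1s is the default.
        bt = fields[3] if len(fields) >= 4 else "1s"
        out["rx_burst_time"], out["tx_burst_time"] = _pair(bt, _seconds)
    if len(fields) >= 5:
        prio = int(fields[4])
        if not 1 <= prio <= 8:  # 1 is the highest priority, 8 the lowest
            raise ValueError(f"priority {prio} outside 1..8")
        out["priority"] = prio
    # No rate-min given: the plain rates are used.
    mins = fields[5] if len(fields) == 6 else fields[0]
    out["rx_rate_min"], out["tx_rate_min"] = _pair(mins, _rate)
    if out["rx_rate_min"] > out["rx_rate"] or out["tx_rate_min"] > out["tx_rate"]:
        raise ValueError("rate-min cannot exceed rate")
    return out


# Constructed sample strings, not taken from the page.
if __name__ == "__main__":
    for sample in ("1M", "128k/256k 256k/512k", "64k/128k 256k 96k 8s 3 32k/64k"):
        print(sample, "->", parse_rate_limit(sample))
```

Remember that "rx" is the client's upload and "tx" its download, so a limit written as 128k/256k gives the client the larger figure for downloads.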
i.¸l> _,±ç. ¤. ¸l,. .o.º _,l ¸> ¤í _.lî. :
.o.º ¸> General ¤.,¸í Autoreˆresh ¤>s± _.lo¸ ¤¿ ¤í i.í _o Ÿ>.o
popup ¸¡¸ ¤. i.í _o Ÿ>.o l¸ ¸.¸lí .,a±¡ ¤í ¸.¸lí ¤. ei. e>l> _,lo.
>ç. . ¤.,¸í _,l _¸º _,¸ • ..l ¤s,º> ¸.Vl. l, .cl. :, ¤. l¸.l ..l ¸.¡.
i,±> _,l¸ºl . >¸li. ç>l,¸ >¸.¸lí ¤>s± _,l ci. ¸¡¸ ¤. . ¸¡¸. _,,l¸ clo¸ _I¡
,,í ¤í _.l¸.¸lí i.lç. _o ci. ¸l _,¸“ ..¸..,l .>. .i. ¤. i.±> _o ,l>.l
i±> ¸l¸º ¸,.l. >ç. ç¸l. c>¸í C.± .cl. _.> ¡ .
.o.º Advertise ..l _l> çl¡.lo¸ ¸> ¸.¸lí ¤. .la,I.. c>l> cl.. çl¸. .
l,.. .o.º .o.º _,l ç>¸.¸lí ¸ Script _,l ¸l e>ls..l çl¸. ¤í ..±
º . ¡ çl ¤º¸> çl± .,,¸î.l ¤..Il i,.l. LI.o _.,ç. ¤ol.¸. ¤. i,l. .o
¸> _.lî,l¸ ˆorum >¸l> >ç>¡ >çI.l> çl¸. :,.¡¸î,o .
Ulocl cl¸.¸lí _¡¸> ¡ >¡¸¡ clo¸ ¸> l± .,,¸î.l ¤í ..l _,±ç. ¤. ,¸V
i.ç. _o .
.o.º Active ..,I ¸.¸lí lo. ¤. l¸ ¸î,> i,so .lcŽ“l el¸o± ¤. _,Ž.l çl±
i±> _o cl.. . ¤.,¸í c>¸.º l. i,.lç. _o ¤í ...,l ¤.î. l¡.. - ¸.¸lí l¸ l± Kill
i,.í .
.o.º Hosts ¸l _..,I !P el¸o± ¤. l¸ ei. e>l> _l±.>l ¡ Ulaº çl±
NA† i±> _o cl.. .
.¸> A > cl.. ¤í ..l _,l ei.±> cl.. ei.± ¸.¸lí :, ¸.¸lí _,.l.,> e>ç. _I>l>
¡ Authurized ..l ei. .
.¸> ‚ ei.±i.l.. ‚ynamic c>ç. !P ¸.¸lí ..l .
.¡¸> _,l ¤í ..l ,I.o i..lç. _o ,± l. i.ç. e>l> cl.. i..lo A‚
.o.º !P Bindings çl± .o.º _,¸.o¡o ¸l _î, Hotspot i,l,o ¸lo. ¤. .
,l. ¤. _oç¡so i,l. .o.º _,l ç¸,í>l, çl¸. •ne to one nat i,.í :¸> l¸ .
¤í ,,.sí ¸.¸lí l. ‹l..¸l çl¸. Hotspot :, i,l. !P _.¸ ¸> Hotspot i.í .. . _,l çl¸.
>¸li. >ç>¡ _ol¸Il >¸ço ¸.¸lí ¸± i.lç. _o !P Lsº ¡ i.í .. _±lç>I>
‚ƒS€ Gateway ¸¡¸. l¸ hotspot i±i. ) ¸,c ¸> .¸ç±.,l ¤>s± Login e>l> _,lo.
i. i±lç>. . ( ¸± l. Vl> l± ..lç> ¸> _olo. !P ¤. i..l. ¤í Hotspot _o
¡ i..¸ Hotspot ¸ l± ..lç>¸> l ¤. Login Page ¸íl i±> _o •l>¸l ¸.¸lí l. i.lç..
¸¡ ¤I>¸o .,sºço ¡ _ŽL±l ¤. ¡ >¸liî. ¸. ..¸ l¸ > Authenticate _¸ cl ¸l >ç.
Hotspot :, !P ¤. ¸.¸lí _,l ¤í i±> _o _l±.>l !P U>lao !P ¸.¸lí lol¸Il ¤. ..l
cl ¤.l.o . ¤. :,.î. _,l •ne to one nat ..l ¸ç¡.o ). Šniversal †lient ,±
>ç. _o ei,ol. ( _¸ Hotspot ¸± i.lç. _o !P l¸ _.¸>l ..¸,..l¸. .¸ç± ¤.
..l ç>¸.¸lí ¸l,.. .,I.lº _,l ¡ i±> ¸,,a. .
.íl cç l. i,.lç. _o !P bindings i,.í ¸lí . Nac _¸>l ¸.¸lí i,.í Ÿ>.o l¸ Address
¡ i,¸liî. _Il> l¸ Œo Address i,.í _,¸î,l> elç>I> _¸>l l. l¸ . ¸.¸lí ¸± !P ¤í ,±
l. ¸l. i.í .. !P i. i±lç> _±¡ ¤î.. ¤. lo. elç>I> . ,l. ¤. _Iî.o _¸ !P
conˆlict ..l> i,±lç>. .
. ¤í _.¡¸ ¤.çî.,l i±> _o .lç> ¸.¡. ,>ç> ¸L. ¤. ¡ ,.í _o e>ls..l ¤±>. ¤
..l :
.o.º i,.,. _o _î. ¸> ¤í ¸çL.lo± Nac Address _,l ¤. ,l ¤..lií _Il> l¸
..l _îoo ¤í _,I> ¸.¸lí l± NA† i..l. ¤..li. ,.l> ) .¸lí _.>ç. _’o _.Žî.o
i...± Uçoao ¤í ¸¡¸. _,ça. l, ¤î.. ( ¤. _çc ¸> ¸.¸lí !P static _o _l±.>l
_,l ¡ ,±> !P ¤. l¸ !P ¤.l.o Bind ,.í _o . _î.s.l ciol >ç>¡ ¤. ¸l ¸lí _,l !P
i.í _o ç¸,íçI> i.l. çl.¡¸ U¸..í ¸> . _,ça. ¸l ¤î.,l çl¸. !P L.ç. ¸.¸lí ç¸,íçI>
,.í Address ¤. ei. e>l> _l±.>l ¸.¸lí ¸> l¸ Radius _,l¸.l.. ,i.. _o ¸¡¸.
.¸lí ¸ ¸l Lsº !P ¸íl ¡ >¸l> Ul±.l clîol ei. .,¸a. !P ¸l _.> i±> ¸,,a. l¸ >ç>
Login Page i.í ¸ç.c ...lç. i±lç>. ,± .
¸î,> ,¡o ¤.î. Œype Ul±.l ¸.¸lí ¡¸ c>¸í :,Ií l. ¤í ..l ç ¸± !P ¤í Bind e>¸í
i,.í ,,L.. l¸.l i,.lç. _o i,l . •ç. ¤. type >¸l> >ç>¡ .I.>o :
Regular : ¤í _¸º _,¸ .Il> ¸.¸lí >ç. >¸l¡ l. >ç. _>.. ¸l..cl i,l. .
:Bypassed ¤í ¸.¸lí i.í _o _Ž> _>.. ¸l..cl i,º ¸l l¸ . ¸íl _.a, ¸.¸lí _,l ç
>¸l¡ ..l> l¸ _¸>l _>.. ¸l..cl ¤I>¸o ¸l ¸ií c¡i. >ç.
Blocked : ¤í ¸.¸lí ¸ l ¡ i.í _o ¤íçI. ¸.¸lí >ç. _±¡ i.lç. _o. .
>¸ço ¸> .o.º Service Port ¸L.º¸± .o.º _,l ¸l _,l¸.l.. ,¸li. _Iolí .lcŽ“l
,.í _o .
¸î,> ,¡o .o.º Walled-garden l± .,l. ¤. cl¸.¸lí _.¸..> e¸l>l ¤í ..l
l, !P _>.. ¸l..cl ¤I>¸o ¸l ¸ií c¡i. l¸ ,..,. ¸,io L.ç. ei. .,¸a. çl±
i±> _o . í Ulocl _.lo,L.. i,.lç. _o Ž’o .,l. ¤. Ul±.l çl¸. cl¸.¸lí ¤í i,.
c>¸í >¸l¡ ¤. ç¸l,. .l.¸l¸í c>¸í :¿ ¡ lo. ¸.¸lí l, ¡ i..l. ¤..li. >¸ç.¸ l, ¡
...
l e>l. .o.º _,l l. c>¸í ¸lí . >¸li. _,±ç. ¤. ç¸l,. ¡ . .
Property Description
action (allow | deny; default: allow) - action to undertake if a packet matches the rule:
    allow - allow the access to the page without prior authorization
    deny - the authorization is required to access this page
dst-address (IP address) - IP address of the destination web server
dst-host (wildcard; default: "") - domain name of the destination web server (this is a wildcard)
dst-port (integer; default: "") - the TCP port a client has sent the request to
method (text) - HTTP method of the request
path (text; default: "") - the path of the request (this is a wildcard)
server (name) - name of the HotSpot server this rule applied to
src-address (IP address) - IP address of the user sending the reque
.o.º lol ¡ cookies ¸l _..,I ¤í _íçí çl± _íçí ¡ Ulaº çl± ei. e>l> e¸l>l
.l clo¸ el¸o± ¤. s ± ¤í _“¸. ¤. i±> _o cl.. l¸ l¡.l çl l. _>.. ¸l..cl _¡¸
i,.l. e>¸í .l>..l l¸ _íçí >ç. i±lç> _Il> Vl. _î. i..lo± .¸ç±.,l ¸,c ¸> .
.l>s± c>¸í _±l±.>l Hotspot
.l>s± c>¸í _±l±.>l çl¸. Hotspot _,¸“ ¸l i,l. ™ŒP L.l¸ l, ¡ winbox _±.o
e>¸í Ulocl l¸ .l¸,,a. i,.í >çI.l> l¸ .l>s± ei. ) i> l. i,l. loI.o cl.¸ >¡ HŒNL
i,.li. ( _I±l .l>s± çl> ¤. l¸ .l>s± _,. ¡ i,±> ¸l¸º . .¸ç± ¸> i,.l.. cl¸î.
_,¸î,l> l¸ _¸º _,¸ .l>s± i,.lç. _o _.>l¸ ¤. el...l ¤.çí ¸± ¸¡¸.
i,.í . ¸l i..¸l.c i,±> ¸,,a. i,.lç. _o ¤í _.l>s± :
Available Servlet Pages
Main HTML servlet pages, which are shown to user:
redirect.html - redirects user to another url (for example, to login page)
login.html - login page shown to a user to ask for username and password. This page may take the following parameters:
    username - username
    password - either plain-text password (in case of PAP authentication) or MD5 hash of chap-id variable, password and CHAP challenge (in case of CHAP authentication)
    dst - original URL requested before the redirect. This will be opened on successful login
    popup - whether to pop-up a status window on successful login
    radius<id> - send the attribute identified with <id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    radius<id>u - send the attribute identified with <id> in unsigned form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    radius<id>-<vnd-id> - send the attribute identified with <id> and vendor ID <vnd-id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    radius<id>-<vnd-id>u - send the attribute identified with <id> and vendor ID <vnd-id> in unsigned form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
md5.js - JavaScript for MD5 password hashing. Used together with http-chap login method
alogin.html - page shown after client has logged in. It pops-up status page and redirects browser to originally requested page (before he/she was redirected to the HotSpot login page)
status.html - status page, shows statistics for the client
logout.html - logout page, shown after user is logged out. Shows final statistics about the finished session. This page may take the following additional parameters:
    erase-cookie - whether to erase cookies from the HotSpot server on logout (makes impossible to log in with cookie next time from the same browser, might be useful in multiuser environments)
error.html - error page, shown on fatal errors only
Some other pages are available as well, if more control is needed:
rlogin.html - page, which redirects client from some other URL to the login page, if authorization of the client is required to access that URL
rstatus.html - similarly to rlogin.html, only in case if the client is already logged in and the original URL is not known
flogin.html - shown instead of login.html, if some error has happened (invalid username or password, for example)
fstatus.html - shown instead of redirect, if status page is requested, but client is not logged in
flogout.html - shown instead of redirect, if logout page is requested, but client is not logged in
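The http-chap exchange behind login.html and md5.js, as an added example that is not part of the original manual: the client submits an MD5 over chap-id, password and challenge instead of the password itself, and the gateway accepts each challenge only once. The ChapGateway class, its method names and the sample credentials are hypothetical; the concatenation order follows the description of the password parameter above.

```python
import hashlib
import hmac
import secrets


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    """Value the login page submits as 'password' under http-chap."""
    data = chap_id + password.encode("utf-8") + challenge
    return hashlib.md5(data).hexdigest()


class ChapGateway:
    """Hypothetical gateway-side bookkeeping for the exchange (not RouterOS code)."""

    def __init__(self, users):
        # CHAP verification needs the clear-text password on the gateway side.
        self._users = dict(users)
        self._pending = {}  # chap_id -> challenge, each usable once

    def new_challenge(self):
        # A real gateway tracks this per client host; a later challenge with
        # the same one-byte id simply invalidates the earlier one here.
        chap_id = secrets.token_bytes(1)
        challenge = secrets.token_bytes(16)
        self._pending[chap_id] = challenge
        return chap_id, challenge

    def verify(self, username, chap_id, response_hex):
        # pop() consumes the challenge whether or not the login succeeds,
        # so a response captured on the network cannot be replayed.
        challenge = self._pending.pop(chap_id, None)
        password = self._users.get(username)
        if challenge is None or password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected.encode(), response_hex.encode())


# Constructed credentials, not taken from the page.
if __name__ == "__main__":
    gw = ChapGateway({"admin": "example-password"})
    cid, chal = gw.new_challenge()
    resp = chap_response(cid, "example-password", chal)
    print("http-pap sends :", "example-password")
    print("http-chap sends:", resp)
    print("first use      :", gw.verify("admin", cid, resp))
    print("replayed       :", gw.verify("admin", cid, resp))
```

With http-pap the same field carries the password unchanged, which is why the manual warns that it can be intercepted on the local network.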
ç¸li.l el¸ _,I¡l ¸> ¤í ,ç. ¸íi.o l¸ ¤.î. _,l cl,l¸ ¸> Hotspot .¡> Ul¡¸,lº _,.lçº
Redirect .l>s± c>¸í Login Page _o lo..i.ç. _o >l>,l :,ol.,l> .¸ç± ¤.
,.lçº _,l i,.lç. _ ¤í ,.î,o ¤,±ç. _I¡ i,±> ¸,,a. l¸ _•oLo laºl¡ ¤í _.lo¸ l.
i,.î. l¸ ¸lí _,l i,i.. . .>.o ¸> ¸lí _,l ,l>.l eç>. _,lo. .¸ç± ¸> †ustomizing
HotSpot: ™irewall Section ..l ei. e>l> _,±ç. .
i,.l. _ºço . lc> _lo.Il
herus_deus Olæo_ O_l;o olo UgI _g_ 13/09/2007