Thursday, December 20, 2007

MikroTik - Hotspot Gateway

MikroTik RouterOS™ is a Linux-based router operating system with a rich feature set for wireless networks, and it is already widely used by WISPs and hotspot providers.

Here are the major features:

* Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses (networks or a list of networks) and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS), interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching sequence/frequency, packet size, time and more...


* Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification done in firewall); RIP v1 / v2, OSPF v2, BGP v4


* Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet / port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation


* HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support


* Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; differentiated firewall; PPPoE dial on demand

* Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)


* IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forward Secrecy (PFS) MODP groups 1,2,5


* Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive; access control lists; caching lists; parent proxy support


* DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases; RADIUS support


* VRRP - VRRP protocol for high availability


* UPnP - Universal Plug-and-Play support


* NTP - Network Time Protocol server and client; synchronization with GPS system


* Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs accessible via HTTP


* SNMP - read-only access


* M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet


* MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

* Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS update tool; Layer 2 connectivity

* Wireless - IEEE802.11a/b/g wireless client and access point (AP) modes; Nstreme and Nstreme2 proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP; WPA pre-shared key authentication; access control list; authentication with RADIUS server; roaming (for wireless client); AP bridging


* Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC

* VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs; VLAN bridging


* Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types


* Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem pool with up to 128 ports; dial on demand


* ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand


* SDSL - Single-line DSL support; line termination and network termination modes


MikroTik is not free software, but it is cheap: you need to buy a license. You can download the full version for a trial, but it only works for 24 hours. The current version is 2.9.5.

You also need a PC for the gateway; here are the minimum specifications:


* CPU and motherboard - Intel P1 to P4, AMD, Cyrix, but not multi-processor
* RAM - minimum 32 MiB, maximum 1 GB
* HDD - minimum 128 MB parallel ATA or Compact Flash; MikroTik does not yet support SATA or SCSI (the next version, 3, will support SATA)
* NIC - 10/100 (2 units minimum for a gateway)

If you need to activate the proxy you need more memory, up to the 1 GB maximum (you can add more than 1 GB, but only 1 GB will be used), and a high-performance processor.

Please download the MikroTik manual:
http://www.mikrotik.com/docs/ros/2.9/RouterOS_Reference_Manual_v2.9.pdf

MikroTik RouterOS installation:


I assume you have already downloaded the software from www.mikrotik.com

step 1. Burn the MikroTik RouterOS ISO using your favorite CD burning software.

step 2. Turn on your PC and set the BIOS to boot from the CD-ROM.

step 3. Insert the MikroTik RouterOS CD and wait for it to boot. Installation is easy: just follow the prompts and check all options for the trial.


step 4. When MikroTik RouterOS is ready, you will see a console login:
MikroTik v2.95 Login: admin Password: (empty)

The default login is admin, and the password is empty.

step 5. You can change the host name from Mikrotik to something else, for example MYHOTSPOT
[admin@Mikrotik] > system identity set name=MYHOTSPOT
[admin@MYHOTSPOT] >


step 6. Change the default password
[admin@MYHOTSPOT] > password
old password: *****
new password: *****
retype new password: *****

step 7. Print the MikroTik router interfaces
[admin@MYHOTSPOT] > interface print

Flags: X - disabled, D - dynamic, R - running
 #    NAME        TYPE       RX-RATE    TX-RATE    MTU
 0  R ether1      ether      0          0          1500
 1  R ether2      ether      0          0          1500

There are 2 interfaces already present, ether1 and ether2, so far so good. If only 1 or none is present, change the interface card; maybe the driver is not supported. Run the “interface print” command again.

step 8. Give an IP address to ether1 using the IP from your Internet provider, for example 202.1.1.1, and to ether2 for the local network, for example 172.16.1.254

[admin@MYHOTSPOT] > ip address add address=202.1.1.1 netmask=255.255.255.248 interface=ether1
[admin@MYHOTSPOT] > ip address add address=172.16.1.254 netmask=255.255.255.0 interface=ether2

step 9. Check the IP addresses
[admin@MYHOTSPOT] > ip address print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   202.1.1.1/29       202.1.1.0       202.1.1.7       ether1
 1   172.16.1.1/24      172.16.0.0      172.16.1.255    ether2

step 10. Set the default gateway, IP 202.1.1.6
[admin@MYHOTSPOT] > ip route add gateway=202.1.1.6

step 11. Print the routing table of the MikroTik router
[admin@MYHOTSPOT] > ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
 0 ADC 172.16.1.0/24      172.16.1.1                                 ether2
 1 ADC 202.1.1.0/29       202.1.1.1                                  ether1
 2 A S 0.0.0.0/0                          r 202.1.1.6                ether1

step 12. Ping the gateway IP to test
[admin@MYHOTSPOT] > ping 202.1.1.6
64 bytes from 202.1.1.6 : icmp_seq=1 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=1 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=1 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=1 ttl=48 time=25 ms
Make sure there are replies.

step 13. Set up DNS on the MikroTik router
[admin@MYHOTSPOT] > ip dns set primary-dns=202.2.2.2 allow-remote-requests=no
[admin@MYHOTSPOT] > ip dns set secondary-dns=202.2.2.3 allow-remote-requests=no

step 14. View the DNS configuration
[admin@MYHOTSPOT] > ip dns print
primary-dns: 202.2.2.2
secondary-dns: 202.2.2.3
allow-remote-requests: no
cache-size: 2048KB
cache-max-ttl: 1w
cache-used: 16KB

step 15. Ping yahoo.com
[admin@MYHOTSPOT] > ping yahoo.com
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=1 ttl=48 time=256 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=2 ttl=48 time=278 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=3 ttl=48 time=289 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=4 ttl=48 time=226 ms
[admin@MYHOTSPOT] >
The Internet is OK.

step 16. Masquerading setting for the gateway
[admin@MYHOTSPOT] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

step 17. Check masquerading
[admin@MYHOTSPOT] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether1 action=masquerade

Done for IP setting.
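Before moving on to the hotspot itself, it is worth checking what steps 8 to 17 produced against what a gateway facing the Internet should look like. The script below is an added example, not part of this post and not a MikroTik tool: it parses constructed copies of the “ip address print”, “ip dns print” and “ip firewall nat print” output in the layout shown above (using the step 8 values, with ether1 assumed to be the ISP-facing interface) and flags the three things that most often go wrong on a box like this: an address row whose network or broadcast does not match its prefix, DNS recursion left reachable from the Internet, and a masquerade rule that is missing, disabled or bound to the LAN side.

```python
"""Sanity-check the gateway built in steps 8-17 from the text of its RouterOS
2.9 `print` output.

Added example, not part of the original post and not a MikroTik tool. The
sample outputs are constructed to follow the layout and values used above
(ether1 = 202.1.1.1/29 toward the ISP, ether2 = 172.16.1.254/24 toward the
LAN); WAN_INTERFACE is an assumption. The checks flag an address row whose
printed NETWORK/BROADCAST disagrees with its prefix, DNS recursion left open
toward the Internet (an open resolver), and a masquerade rule that is
missing, disabled or bound to the LAN side.
"""
import ipaddress
import re

WAN_INTERFACE = "ether1"  # assumption: ether1 faces the ISP, as in step 8

# Constructed `ip address print` output (values from step 8).
IP_ADDRESS_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   202.1.1.1/29       202.1.1.0       202.1.1.7       ether1
 1   172.16.1.254/24    172.16.1.0      172.16.1.255    ether2
"""

# Constructed `ip dns print` output (values from step 14).
IP_DNS_PRINT = """\
          primary-dns: 202.2.2.2
        secondary-dns: 202.2.2.3
allow-remote-requests: no
"""

# Constructed `ip firewall nat print` output (as in step 17).
IP_FIREWALL_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether1 action=masquerade
"""

# Constructed misconfigurations, to show what the checker reports.
BAD_DNS_PRINT = IP_DNS_PRINT.replace("allow-remote-requests: no",
                                     "allow-remote-requests: yes")
BAD_NAT_PRINT = IP_FIREWALL_NAT_PRINT.replace("out-interface=ether1",
                                              "out-interface=ether2")

# Row prefix: index, then optional flag letters (X, I, D, ...) before column 1.
ROW = r"\s*\d+\s+((?:[A-Z]\s+)*)"


def parse_addresses(text):
    """Return (address/prefix, network, broadcast, interface) per row."""
    rows = []
    for line in text.splitlines():
        m = re.match(ROW + r"([\d.]+/\d+)\s+([\d.]+)\s+([\d.]+)\s+(\S+)", line)
        if m:
            rows.append(m.groups()[1:])
    return rows


def parse_keyvals(text):
    """Parse `key: value` lines into a dict (layout of `ip dns print`)."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_nat_rules(text):
    """Parse each rule row into its key=value pairs plus a `disabled` flag."""
    rules = []
    for line in text.splitlines():
        m = re.match(ROW + r"(\S+=.*)", line)
        if m:
            rule = dict(re.findall(r"(\S+?)=(\S+)", m.group(2)))
            rule["disabled"] = "X" in m.group(1).split()
            rules.append(rule)
    return rules


def check_config(addr_text, dns_text, nat_text, wan=WAN_INTERFACE):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for addr, net, bcast, iface in parse_addresses(addr_text):
        network = ipaddress.ip_interface(addr).network
        if (str(network.network_address), str(network.broadcast_address)) != (net, bcast):
            findings.append(f"{iface}: {addr} printed as {net}/{bcast}, expected "
                            f"{network.network_address}/{network.broadcast_address}")
    if parse_keyvals(dns_text).get("allow-remote-requests", "no") != "no":
        findings.append("dns: allow-remote-requests=yes; without a filter rule dropping "
                        f"port 53 arriving on {wan}, this router is an open resolver")
    masq = [r for r in parse_nat_rules(nat_text)
            if r.get("action") == "masquerade" and not r["disabled"]]
    if not masq:
        findings.append("nat: no active masquerade rule; LAN clients cannot reach the Internet")
    for rule in masq:
        if rule.get("out-interface") != wan:
            findings.append(f"nat: masquerade bound to {rule.get('out-interface')}, "
                            f"expected the WAN interface {wan}")
    return findings


if __name__ == "__main__":
    print("good:", check_config(IP_ADDRESS_PRINT, IP_DNS_PRINT, IP_FIREWALL_NAT_PRINT))
    print("bad: ", check_config(IP_ADDRESS_PRINT, BAD_DNS_PRINT, BAD_NAT_PRINT))
```

The DNS check matters once the hotspot is live: when the gateway later has to answer client queries, allow-remote-requests becomes yes, and the same setting then answers anyone on the Internet side unless a firewall rule in front of it drops port 53 on the WAN interface. Run the script as-is to see the clean and the misconfigured case side by side, or paste your own print output into the three strings.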

Now you can download a very good tool, “WINBOX”, from the MikroTik you just installed. Browse to http://172.16.1.1/ and click download winbox, or visit http://demo.mt.lv/ to download it from the Internet.
Install Winbox on another Windows PC to control MikroTik RouterOS remotely; this tool is easy to use for more advanced settings.

If you do not have time for a trial install, you can see a demo first on the MikroTik website http://www.mikrotik.com/software.html : download Winbox first and run the winbox.exe file, then fill in login: demo, password: none, and press Enter.

Look at the MikroTik Windows-based settings:

Monday, December 17, 2007

CoovaAP - Turn your Linksys Wireless Router into a hotspot

CoovaAP is an OpenWRT-based firmware designed especially for hotspots. As you know, you can flash OpenWRT firmware onto the popular Linksys WRT54GL access point router (ver.1.1 to ver.4). CoovaAP comes with the CoovaChilli access controller built in and makes it easily configurable. CoovaAP is suitable for just about any hotspot application, from WPA Enterprise (with RADIUS accounting) to a free hotspot with Terms of Service acknowledgment, and also commercial hotspot captive portal applications. Use the embedded captive portal for a simple self-contained hotspot, or use your own captive portal and RADIUS back-end.

Key features of CoovaAP are:

Based on OpenWrt, of course Open Source
Advanced Web-based Configuration
Easy HotSpot Configuration & Status
Embedded Captive Portal
Enhanced ChilliSpot Access Controller
Integrated ChilliSpot with WPA
OpenID Authentication
Centralized ChilliSpot Config (RADIUS)
WiFiDog Access Controller
PPTP VPN Client and Server
OpenVPN Client
Traffic Shaping

You can also integrate with Wifidog and centralize account authentication. In this case you only build one server as the Wifidog Auth Server, connect it to the Internet, and you can join all Coova hotspots anywhere in the world over any Internet connection.
For downloads and detailed installation instructions, please visit http://coova.org/wiki/index.php/Installation_Help
Download the firmware matching your Linksys version and update it through the Linksys firmware update menu; restart, and CoovaAP is ready. Doing this update voids the warranty.
My suggestion is to use a notebook with enough battery when upgrading the firmware, because the upgrade process must not be interrupted until it finishes; otherwise your Linksys will no longer function.

Sunday, December 9, 2007

Build Free Wireless Hotspot Community



In an earlier post I already suggested that you join a Wireless Hotspot community like http://www.free-hotspot.com/ .

Now I will show you how to create a system or community like that.

What you need is knowledge of the Linux system, and for you, my friend, who knows nothing about Linux: I'm sorry, you need to learn that first.

First browse a very good website, http://www.wifidog.org/ . See the incredible idea and the power of open source on Linux. You can see that you do not need to buy any software; you can download and use all of it for free. The Wifidog idea is a community portal that you can use to describe yourself or just post your advertising, plus a gateway script that you can install on any PC to join your community portal.

The gateway script also supports the Linksys WRT54G wireless access point. If you look at it, the idea is the same as free-hotspot.com. So I think you can make it, why not?
I'm very interested in wifidog and am still building one; I will show you when it is done.
www.esahotspot.com is a hotspot community using wifidog.



Wireless Hotspot Models

Below are models for Wireless Hotspot Internet,
taken from http://dev.wifidog.org/wiki/WirelessCommunityModels

Open community
Users can sign up freely (possibly providing some mandatory information, typically an email address). Examples: http://www.ilesansfil.org/

Closed community
When access is to be provided to an existing community of users. Examples: university campus, users of a public library, etc.

Barter model
Users have to provide something in exchange for network access in a hotspot; typically, bandwidth or access to their own hotspot. Examples: Fon, wifree

Paid subscription & WISP
Access is provided when the user subscribes to some monthly service: residential access from a WISP, an option on their cellular plan, etc.

Models without users
Splash-only
No attempt to maintain unique users is made. The community simply wants to maintain locative or non-locative portals. Example: NYC wireless

Free tokens tied to purchase
Model in which a customer is provided with a one-time-use password (or equivalent) along with some unrelated purchase in a commercial venue (meal, coffee, etc.)

Password of the day
Providing users in a venue with a daily changing password, distributed non-electronically (usually written on a whiteboard). The idea is to force users to physically come to the venue to gain access. http://wireless-hotspot-internet.blogspot.com/2007/11/free-hotspot-internet-in-cafe.html

Paid tokens
You buy access for a day or an hour using a credit card. Examples: most typical commercial hotspot operators.

Prepaid time
Just like a prepaid cellphone.

Open access point
Just plugging in an access point, with no access control or portal.

Portal mechanics
The model chosen will mostly determine the portal mechanics. An ideal captive portal system has three distinct “pages” involved in the connection process:
Welcome page (usually a login page, user does not yet have network access)
Disclaimer page (must be accepted for access, between Welcome and portal page, must be accepted each time or only once)
Portal page (user has network access)

Note that some models can have no Welcome page (Splash-only) or no Portal page (the portal redirects to the page originally requested by the browser once the login and disclaimer stages have been completed). Explicit support for a Disclaimer page isn't part of wifidog yet. Even once it is, many groups may decide that implicit acceptance is enough (so they will simply put the disclaimer on the login page).
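The page sequence above, with its variations (no Welcome page, no Portal page, a Disclaimer accepted once or every time), is easier to reason about as a small decision function. The following is an added example, not part of this post or of the Wifidog code base; the page names are the ones used above, while PortalModel, Session, next_step and simulate are names I chose for the illustration. It decides, for a client in a given state, what the gateway should serve next, and shows a few of the models from the list above expressed as settings.

```python
"""Model of the three-page captive-portal flow (Welcome, Disclaimer, Portal)
described above, including the variations the text mentions: no Welcome page
(Splash-only), no Portal page (redirect to the URL the browser asked for),
and a Disclaimer accepted every time or only once.

Added example, not part of the original post or of the Wifidog code base.
The page names follow the text; PortalModel, Session, next_step and
simulate are my own names for illustrating the decision logic.
"""
from dataclasses import dataclass


@dataclass
class PortalModel:
    name: str
    needs_login: bool = True        # False for Splash-only / open access point
    has_disclaimer: bool = False
    disclaimer_once: bool = True    # True: remembered per user; False: every connection
    has_portal_page: bool = True    # False: redirect to the originally requested page


@dataclass
class Session:
    authenticated: bool = False
    disclaimer_accepted: bool = False         # accepted during this connection
    disclaimer_accepted_before: bool = False  # remembered from an earlier connection
    landed: bool = False                      # Portal page shown / redirect done


def next_step(model, session, requested_url):
    """Decide what the gateway serves next: a page name, or 'redirect'/'allow'
    once the client has completed the stages the model requires. The
    requested URL is carried along so it can be restored at the end."""
    if model.needs_login and not session.authenticated:
        return ("welcome", requested_url)
    if model.has_disclaimer:
        accepted = session.disclaimer_accepted or (
            model.disclaimer_once and session.disclaimer_accepted_before)
        if not accepted:
            return ("disclaimer", requested_url)
    if not session.landed:
        session.landed = True
        return ("portal" if model.has_portal_page else "redirect", requested_url)
    return ("allow", requested_url)  # network access: pass the request through


def simulate(model, client_actions, url="http://www.example.com/", session=None):
    """Walk one client through the flow. client_actions lists what the client
    does on each page that needs input ('login' on Welcome, 'accept' on
    Disclaimer); anything else means the client gave up. Returns the sequence
    of decisions, ending with the first 'allow' or 'redirect'."""
    session = session or Session()
    actions = list(client_actions)
    seen = []
    while True:
        step, _ = next_step(model, session, url)
        seen.append(step)
        if step in ("allow", "redirect"):
            return seen
        if step == "welcome":
            if not actions or actions.pop(0) != "login":
                return seen
            session.authenticated = True
        elif step == "disclaimer":
            if not actions or actions.pop(0) != "accept":
                return seen
            session.disclaimer_accepted = True
        # 'portal': nothing to do, the client simply keeps browsing


# Some of the models listed above, expressed as settings (my reading of them).
OPEN_COMMUNITY = PortalModel("Open community", has_disclaimer=True)
SPLASH_ONLY = PortalModel("Splash-only", needs_login=False)
PASSWORD_OF_THE_DAY = PortalModel("Password of the day", has_disclaimer=True,
                                  disclaimer_once=False)
LOGIN_THEN_REDIRECT = PortalModel("Paid tokens, no portal page", has_portal_page=False)

if __name__ == "__main__":
    print(simulate(OPEN_COMMUNITY, ["login", "accept"]))   # welcome, disclaimer, portal, allow
    print(simulate(SPLASH_ONLY, []))                        # portal, allow
    print(simulate(LOGIN_THEN_REDIRECT, ["login"]))         # welcome, redirect
```

The one rule that matters for security is in next_step: nothing returns 'allow' until every stage the model requires has been passed for this session, so a client that skips the login page or never accepts the disclaimer stays on the gateway's pages rather than gaining network access.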

Which one meets your Wireless Hotspot Internet model?

Join a Free Hotspot Community


Free Wireless Internet hotspots are a great way to attract new customers, increase sales and generate new revenue streams. I think the best way to promote your hotspot location is to join a hotspot community. And now you can add your Wi-Fi hotspot location for FREE!


Look at this link, http://www.free-hotspot.com/ : you can join as a free hotspot provider, list your hotspot location, and also see the list of all free hotspots listed from around the world. I think this is a good idea; everybody can find the location of a free hotspot when traveling.



If you are interested in joining http://www.free-hotspot.com/ , you can submit your information right away. What you need to prepare is a ready ADSL Internet link and to buy a Linksys WRT54GL/GS wireless access point; the people from http://www.free-hotspot.com/ will install the firmware to join their network. When it's done, your hotspot location will be listed on their website. Simple.


Note: you can only make a free hotspot without user authentication; your customers only see a splash screen.
You can choose another service like http://www.hotspotsystem.com/ ; they give you the option of a free or paid project. Like http://www.free-hotspot.com/ , they will send someone to set up the wireless access point (Linksys WRT54GL/GS), or you can set it up yourself, which is also simple. You can see the installation video at hotspotsystem.blogspot.com


Saturday, November 24, 2007

Build a Free Hotspot Internet in Cafe

Let's start with an easy hotspot Internet system. At this moment let's talk about hotspot Internet for a cafe. This post is a reference for those who own a cafe. I'm not talking about an Internet cafe (not yet); I mean a cafe like Starbucks.
OK. Most cafes give customers a free Internet connection rather than selling connection vouchers. For a cafe, Internet is a good complement for the customers, and also a very good marketing point. The cafe owner only invests in simple and cheap devices like a modem router ($40) and an access point ($60). The Internet connection uses ADSL broadband, also cheap ($75/month), unlimited access with download speed up to 384 kbps.
The scenario is to use an ADSL connection and share it with many notebooks over wireless. What you do is set up the ADSL modem with the account and other information you get from the ISP (Internet Service Provider); the important settings are username and password, encapsulation (PPPoA-LLC or PPPoE-LLC), VCI/VPI and the IP address, and don't forget to activate the firewall for security. Then set the router configuration (the router feature embedded in the modem) to share 1 public IP (from the ISP) with 253 local IP addresses. That means we can share with up to 253 computers or PDAs that support the IP protocol.
The next step is to set up one access point for the wireless hotspot service. The important settings are the IP address (in the same range as the ADSL modem), SSID and security such as WEP or WPA.
Customers who want to browse the Internet get the WEP key from the cashier, then join the SSID (for example “MyCafe Hotspot”) and enter the WEP key.
This simple hotspot Internet cafe only uses a WEP key to control access, so I suggest changing it every day, or your customers can log in again tomorrow without buying anything from you.
For other security issues like file sharing, I suggest using an access point that supports “client isolation”, which protects computers joined to the access point from seeing each other, like the AirLive WL-5470AP http://www.airlive.com/
For a total solution you can use the Linksys WRT54GL http://www.linksys.com/ ; this product is good and cheap. You get a router, firewall, 4 UTP ports and a wireless access point in one unit.