Winflare
Mikrotik Hotspot and guest Wlan

How to create a Hotspot for Wlan and guest Wlan with Mikrotik using VLAN

We had a recent customer requirement for a guest Wlan with Hotspot functionality so I thought why not share the configuration with the community. In my test lab I am using Mikrotik RB1200 as the base router and Hotspot provider and Mikrotik RBcAP2n as Wlan AP but you can use any combination as long as the needed functionality is provided.

I am going to assume you have some base knowledge about Mikrotik devices and networking so I will not go into extra detail about those parts.

First of all lets connect everything. I use ether1 as my WAN port. ether2 to 10 are LAN Ports (RB1200 has only 10 ethernet ports).
Connect your Internet router to your ether1 and your computer to ether 10. Connect your Mikrotik Wireless AP to one of the other ports in my case its the RBcAP2n also called the “Ufo”.

Now connect to your base router and delete the configuration under System – > Reset Configuration (If you have a configuration you might need please make a backup first). Once the configuration has been reset connect to your router again by using the MAC Address and delete the initial configuration and reconnect.

You should have a blank router now.

All options are available trough the GUI but we are going to use the Terminal.

Mikrotik base router configuration

1) Open up Terminal and set the device identity:

/system identity set name=Baserouter

2) Now lets create a bridge:

/interface bridge
add mtu=1500 name=TestNetwork protocol-mode=none

I call mine “TestNetwork” but you can name it whatever you want.

3) I like to comment my interfaces so lets comment ether1 and ether2

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="LAN 2-10"

4) The next step is to create a vlan interface add an ID, and attach the interface to our bridge

/interface vlan
add interface=TestNetwork name=VLAN999 use-service-tag=yes vlan-id=999

The name of the vlan interface in my test is “VLAN999” with the ID “999”

5) You have the option to either switch or bridge the ports together. Bridging the ports uses software to link the ports together it allows you better control over the interfaces, for example setting up firewall between them. The main downside is that it consumes CPU resources. Switching uses the switch chip so the CPU is not additionally consumed. This is especially recommended on budget Mikrotik devices.

5.a) To bridge, add ports 2 -10 into a bridge (you can freely choose how many and which ports to add based on your device and preferences):

/interface bridge port
add bridge=eMINetwork interface=ether2
add bridge=eMINetwork interface=ether3
add bridge=eMINetwork interface=ether4
add bridge=eMINetwork interface=ether5
add bridge=eMINetwork interface=ether6
add bridge=eMINetwork interface=ether7
add bridge=eMINetwork interface=ether8
add bridge=eMINetwork interface=ether9
add bridge=eMINetwork interface=ether9

5.b) To switch the ports together :

/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether6 master-port=ether2
set ether7 master-port=ether2
set ether8 master-port=ether2
set ether9 master-port=ether2
set ether10 master-port=ether2

and don’t forget to add at least one LAN port to the VLAN bridge so there is a connection between VLAN and LAN. In my case I will add the ether2 interface.

/interface bridge port
add bridge=TestNetwork interface=ether2

6) Now lets create a DHCP Client on our WAN port (assuming we have a DHCP Server on the Internet router) which is in my case ether1

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether1

7) Assign static IP Addresses to our Bridge and VLAN Interface. I am going to use the networks 10.10.10.0/24 for LAN and 172.27.71.0/24 for guests.

/ip address
add address=10.10.10.5/24 interface=TestNetwork network=10.10.10.0
add address=172.27.71.5/24 interface=VLAN999 network=172.27.71.0

8) Now lets create a hotspot profile with the static IP of the vlan interface and a dns-name (I use login.hotspot.com but you can choose whatever you like).

/ip hotspot profile
add dns-name=login.hotspot.com hotspot-address=172.27.71.5 name=hsprof1

9) Create two DHCP Pools for LAN and Guests with 79 usable addresses (again choose whatever range you need, I like to leave the first 20 addresses for printers, servers, other network devices and so on).

/ip pool
add name=lan ranges=10.10.10.21-10.10.10.100
add name=guests ranges=172.27.71.21-172.27.71.100

10) Create two DHCP Servers for our IP Pools. I have chosen a 1 Day lease for LAN users and 1 hour lease for guests.

/ip dhcp-server
add address-pool=lan disabled=no interface=TestNetwork lease-time=1d \
name=dhcp1
add address-pool=guests disabled=no interface=VLAN999 lease-time=1h name=\
dhcp2

11) Finally create the Hotspot Server and bind it to the vlan interface

/ip hotspot
add address-pool=guests disabled=no interface=VLAN999 name=guesthotspot \
profile=hsprof1

12) Now lets create a guest user profile with unlimited concurrent connections, idle timeout of 30 minutes, keep alive-timeout of 2 hours and rate limit of about 10 Mbit down, 2.5 Mbit up.

/ip hotspot user profile
add address-pool=guests idle-timeout=30m keepalive-timeout=2h name=guestprofile \
rate-limit=2500K/10000K shared-users=unlimited transparent-proxy=yes

13) Create first guest user with the password “internet” and attach to guest profile


/ip hotspot user
add name=guest password=internet profile=guestprofile

14) Create a DNS Rule: (OpenDNS and Google)

/ip dns
set allow-remote-requests=yes servers=208.67.222.222,8.8.8.8

15) Create DHCP Server Network

/ip dhcp-server network
add address=172.27.71.0/24 comment="guest network" gateway=172.27.71.5
add address=10.10.10.0/24 comment="lan" dns-server=192.168.71.5,8.8.8.8 gateway=\
10.10.10.5

16) Create firewall masquerade rule for LAN and guest network to establish internet connection from wan

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=172.27.71.0/24

We have now finished the base configuration on the main router. Further configurations possibilities are almost limitless and allow for example the configuration of Queues, limit Bandwidth and so on but I wont go into those details to keep the article on topic.

Mikrotik WLAN AP Configuration

1) Connect to your Mikrotik Access Point and blank the configuration like on the main router

2) Now lets create 2 Bridges, one for the normal LAN and one for our guests

/interface bridge
add name=Bridge_LAN
add name=Bridge_Guests

3) Create the vlan interface and assign it to the LAN Bridge

/interface vlan
add interface=Bridge_LAN loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=Guest_VLAN use-service-tag=yes \
vlan-id=999

4) Create Wireless security profiles for LAN users and Guests.

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=LANwifi \
supplicant-identity="" wpa-pre-shared-key=eMatrixreloaded \
wpa2-pre-shared-key=internetkey
add eap-methods="" management-protection=allowed name=guests \
supplicant-identity=""

5) Create LAN and Guest Wlan interfaces with according SSIDs and attached to their security profiles. You can tweak the band and other settings later on.

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
radio-name=MikrotikAP security-profile=LANwifi ssid=MyWifi \
wireless-protocol=802.11
add disabled=no keepalive-frames=disabled \
master-interface=wlan1 mode=ap-bridge multicast-buffering=disabled name=\
wlan2 security-profile=guests ssid=Guest-Wifi wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled

6) To continue add “ether1” and “wlan1” to bridge “Bridge_LAN” and “Guest_VLAN” and “wlan2” to bridge “Bridge_Guests”.

/interface bridge port
add bridge=Bridge_LAN interface=ether1
add bridge=Bridge_LAN interface=wlan1
add bridge=Bridge_Guests interface=Guest_VLAN
add bridge=Bridge_Guests interface=wlan2

7) Assign IP Address to the LAN Bridge

/ip address
add address=10.10.10.6/24 interface=Bridge_LAN network=10.10.10.0

8) Create a DHCP Client on the vlan bridge to test if you are getting the an gusts IP

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=Bridge_Guests

9) Finally add a route for the gusts network trough the guests bridge

/ip route
add distance=1 dst-address=172.27.71.0/24 gateway=Bridge_Guests

That would be the basic configuration to create a Hotspot for guests and transfer it via vlan to your APs. Connect to you guest WLAN and check if you are redirected to your login page. If not try opening a sample website, the redirection should kick in now.

Please bear in mind that the above configuration is far from production usability. You have to configure at least a password for your Mikrotik admin user, create basic firewall rule to block unwanted traffic and so on. Explaining all of that in this article is unfortunately not doable.

Hope the configuration was helpful, let me know what you think in the comments below.

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most discussed

Get your e-mail updates

Sign up and get your news fix directly to your inbox. Nothing more nothing else and definitely no spam.
Name
Email address
We won't share your e-mail or send spam