HotSpot Captive Portal
TL;DR (Quick Start)

For the impatient: use the setup wizard.

    # Interactive wizard creates everything
    /ip hotspot setup

The wizard prompts for interface, IP address, pool, DNS, and creates a user.

Or manual quick setup:

    # 1. Configure gateway IP
    /ip address add address=192.168.88.1/24 interface=ether2

    # 2. Create address pool
    /ip pool add name=hs-pool ranges=192.168.88.10-192.168.88.100

    # 3. Configure DHCP
    /ip dhcp-server add name=hs-dhcp interface=ether2 address-pool=hs-pool
    /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

    # 4. Create HotSpot
    /ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool

    # 5. Create user
    /ip hotspot user add name=guest password=guest123

Verify:

    /ip hotspot active print

Overview

What this does: HotSpot is a captive portal that forces users to authenticate before accessing the network. It intercepts HTTP traffic and redirects unauthenticated users to a login page.
When to use this:
- Guest WiFi networks
- Public hotspots (hotels, cafes, airports)
- User tracking and accounting
- Bandwidth management per user
Components:
- HotSpot server on interface
- DHCP server for IP distribution
- User database (local or RADIUS)
- Login page (customizable HTML)
Prerequisites:
- Dedicated interface for HotSpot (not a bridge port)
- DHCP server configured
- NAT for internet access
Device Mode
HotSpot can be blocked by device-mode. Check /system/device-mode before configuring.
Configuration Steps
Step 1: Configure Interface

    /ip address add address=192.168.88.1/24 interface=ether2 comment="HotSpot Gateway"

Step 2: Create Address Pool

    /ip pool add name=hs-pool ranges=192.168.88.10-192.168.88.100

Step 3: Configure DHCP Server

    /ip dhcp-server add name=hs-dhcp interface=ether2 address-pool=hs-pool disabled=no
    /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

Step 4: Create HotSpot Server

    /ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool profile=default disabled=no

Step 5: Create User Accounts

    /ip hotspot user add name=guest password=guest123 profile=default

User Profiles
Control bandwidth and session limits:

    /ip hotspot user profile add name=basic \
        rate-limit=2M/2M \
        session-timeout=2h \
        idle-timeout=15m \
        shared-users=1

    /ip hotspot user add name=basicuser password=pass123 profile=basic

Walled Garden
Allow access to specific sites before login:

    # Allow by hostname
    /ip hotspot walled-garden add dst-host=*.google.com action=allow

    # Allow by IP
    /ip hotspot walled-garden ip add dst-address=8.8.8.8/32 action=accept

Captive portal detection domains

Modern devices check specific URLs to detect captive portals. Add these for reliable login page display:

    /ip hotspot walled-garden
    add dst-host=connectivitycheck.gstatic.com comment="Android"
    add dst-host=www.gstatic.com comment="Android"
    add dst-host=captive.apple.com comment="iOS/macOS"
    add dst-host=www.apple.com comment="iOS/macOS"
    add dst-host=detectportal.firefox.com comment="Firefox"
    add dst-host=www.msftconnecttest.com comment="Windows"
    add dst-host=www.msftncsi.com comment="Windows"

IP-Binding
Bypass or block specific clients without authentication:

    # Bypass client by MAC (no login required)
    /ip hotspot ip-binding add mac-address=AA:BB:CC:DD:EE:FF type=bypassed

    # Block client by MAC
    /ip hotspot ip-binding add mac-address=11:22:33:44:55:66 type=blocked

    # Bypass client by IP
    /ip hotspot ip-binding add address=192.168.88.50 type=bypassed

| Type | Effect |
|---|---|
| bypassed | Client skips login, full access |
| blocked | Client cannot connect |
| regular | One-to-One NAT translation |
Server Profile Settings

    /ip hotspot profile set default \
        login-by=cookie,http-chap,http-pap \
        html-directory-override=hotspot \
        use-radius=no

Authentication methods

| Method | Description |
|---|---|
| http-pap | Plain text password (less secure) |
| http-chap | MD5 hashed password (more secure) |
| cookie | Remember login via browser cookie |
| mac | Authenticate by MAC address |
| mac-cookie | MAC + cookie combination |
| trial | Time-limited trial access |
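An added example (not from the MikroTik documentation): a small Python audit over HotSpot commands written in the forms shown on this page. It flags `http-pap` in `login-by`, `bypassed` IP-bindings, wildcard walled-garden hosts, and detection domains missing from the walled garden. The `parse` and `audit` functions and the sample configuration are constructed for illustration.

```python
import shlex
# Detection hosts from the page's walled-garden list.
DETECTION_HOSTS = set("""connectivitycheck.gstatic.com www.gstatic.com
captive.apple.com www.apple.com detectportal.firefox.com
www.msftconnecttest.com www.msftncsi.com""".split())

def parse(config):
    """Yield (menu, params) per add/set command, in the forms used on this page."""
    menu = ""
    for raw in config.replace("\\\n", " ").splitlines():  # join '\' continuations
        tokens = [] if raw.lstrip().startswith("#") else shlex.split(raw)
        idx = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
        if idx is None:
            if tokens and tokens[0].startswith("/"):
                menu = " ".join(tokens)  # bare menu line sets the context
            continue
        params = dict(t.split("=", 1) for t in tokens[idx + 1:] if "=" in t)
        yield " ".join(tokens[:idx]) or menu, params

def audit(config):
    """Return findings for weaker or login-free settings described on this page."""
    findings, walled = [], set()
    for menu, p in parse(config):
        if menu == "/ip hotspot profile" and "http-pap" in p.get("login-by", "").split(","):
            findings.append("profile: login-by includes http-pap (plain text password)")
        elif menu == "/ip hotspot ip-binding" and p.get("type") == "bypassed":
            who = p.get("mac-address") or p.get("address", "?")
            findings.append(f"ip-binding: {who} is bypassed (skips login)")
        elif menu == "/ip hotspot walled-garden" and "dst-host" in p:
            walled.add(p["dst-host"])
            if p["dst-host"].startswith("*"):  # opens every matching host pre-login
                findings.append(f"walled-garden: wildcard host {p['dst-host']}")
    missing = sorted(DETECTION_HOSTS - walled)
    if missing:
        findings.append("walled-garden: missing detection hosts " + ", ".join(missing))
    return findings

# Constructed sample in the command forms used on this page.
SAMPLE = r"""
/ip hotspot profile set default \
    login-by=cookie,http-chap,http-pap use-radius=no
/ip hotspot walled-garden add dst-host=*.google.com action=allow
/ip hotspot walled-garden
add dst-host=captive.apple.com comment="iOS/macOS"
/ip hotspot ip-binding add mac-address=AA:BB:CC:DD:EE:FF type=bypassed
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```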
Login page customization
Login pages are stored in the router’s Files menu under the /hotspot/ directory:

    # Set custom HTML directory
    /ip hotspot profile set default html-directory-override=my-hotspot

Key files to customize:

- login.html - Main login page
- logout.html - Logout confirmation
- status.html - Session status page
- error.html - Error messages
- alogin.html - Post-login redirect

Access via FTP to edit. Use variables like $(username), $(mac), $(link-login) for dynamic content.
RADIUS Integration
For external authentication:

    /radius add address=10.0.0.10 secret=radiussecret service=hotspot

    /ip hotspot profile set default use-radius=yes

Verification

    # HotSpot server status
    /ip hotspot print

    # Active sessions
    /ip hotspot active print

    # All connected hosts
    /ip hotspot host print

    # User database
    /ip hotspot user print

Troubleshooting

| Symptom | Cause | Solution |
|---|---|---|
| Login page not appearing | DNS not redirected, HTTPS sites | Verify HotSpot enabled, add walled-garden detection domains |
| Users can’t authenticate | User not in database, RADIUS down | Check /ip hotspot user print, verify RADIUS |
| Frequent disconnections | Aggressive timeout settings | Increase idle-timeout and session-timeout |
| HotSpot on bridge fails | Must be routed interface | Use dedicated interface or VLAN |
| Some sites don’t work | MTU/MSS issues | Add MSS clamping rule |
| IPv6 bypasses HotSpot | HotSpot is IPv4 only | Block unauthenticated IPv6 with firewall |
| iOS shows login, Android doesn’t | Different detection methods | Add Android detection domains to walled garden |
| HotSpot blocked | Device-mode restriction | Check /system/device-mode settings |
| Login popup auto-closes | Android captive portal behavior | Adjust redirect URL in login template |
Common Mistakes
- Don’t put HotSpot on a bridge member port - use the bridge interface directly or a VLAN
- Don’t forget to configure DNS server for clients
- Don’t set idle-timeout too short - users will disconnect frequently
- Don’t forget walled-garden entries for captive portal detection domains
Related Topics
- DHCP Server - Required for HotSpot
- RADIUS - External authentication
- User Manager - MikroTik’s RADIUS server