Skip to content
MikroTik RouterOS Docs

HotSpot

HotSpot

Section titled “HotSpot”

HotSpot is a built-in captive portal functionality in RouterOS that provides network access control through a web-based authentication system. It is commonly used by wireless internet service providers (WISPs), cafes, hotels, and other venues offering guest network access.

Overview

Section titled “Overview”

The HotSpot system provides:

  • Captive Portal — Automatic redirect of unauthenticated users to a login page
  • User Authentication — Local user database or RADIUS integration
  • Billing and Accounting — Time and data volume tracking
  • Access Control — MAC filtering, IP binding, and session management
  • Walled Garden — Unrestricted access to specific sites before login
  • Customizable Login Pages — HTML-based login page with template variables
  • HTTPS Login — Secure credential submission with certificate-based TLS

Use Cases

Section titled “Use Cases”
  • Guest WiFi in cafes, hotels, and airports
  • Public wireless access points
  • WISP customer authentication
  • Corporate guest networks
  • Paid internet access (time-based or volume-based)

How HotSpot Works

Section titled “How HotSpot Works”

Authentication Flow

Section titled “Authentication Flow”
  1. User connects to the wireless or wired guest network
  2. User opens a web browser and attempts to access any HTTP website
  3. HotSpot intercepts the request and redirects to the login page (HTTP or HTTPS)
  4. User enters credentials or clicks through for open access
  5. HotSpot validates credentials against the local user database or RADIUS server
  6. On successful authentication, the user is granted internet access
  7. Session time and data usage are tracked until logout or session timeout

Network Architecture

Section titled “Network Architecture”

HotSpot operates on a dedicated interface or bridge, creating an isolated segment for guest users. The router acts as the default gateway, DNS resolver, and captive portal server for that segment.

Guest Device ── WiFi ── [br-guest] ── HotSpot Engine ── NAT ── WAN ── Internet
                                             
                                        Login Page (HTTP/HTTPS)
                                        DHCP Server
                                        DNS Server

Configuration Paths

Section titled “Configuration Paths”
FeatureCommand Path
HotSpot servers/ip hotspot
HotSpot profiles/ip hotspot profile
User management/ip hotspot user
User profiles/ip hotspot user profile
Active sessions/ip hotspot active
Walled garden (HTTP)/ip hotspot walled-garden
Walled garden (IP)/ip hotspot walled-garden ip
IP bindings/ip hotspot ip-binding
Hosts table/ip hotspot host

Complete Guest WiFi Portal Setup

Section titled “Complete Guest WiFi Portal Setup”

This section covers a complete end-to-end setup for a guest WiFi captive portal.

Step 1: Create Bridge and Add WiFi Interface

Section titled “Step 1: Create Bridge and Add WiFi Interface”
# Create a dedicated bridge for guest traffic
/interface bridge
add name=br-guest comment="Guest HotSpot bridge"


# Add wireless interface to guest bridge
/interface bridge port
add bridge=br-guest interface=wlan1

Step 2: Assign Gateway IP

Section titled “Step 2: Assign Gateway IP”
/ip address
add address=10.5.50.1/24 interface=br-guest comment="Guest gateway"

Step 3: Configure DHCP

Section titled “Step 3: Configure DHCP”
# Create address pool
/ip pool
add name=pool-guest ranges=10.5.50.10-10.5.50.254


# Create DHCP server
/ip dhcp-server
add name=dhcp-guest interface=br-guest address-pool=pool-guest disabled=no


# Configure network options (gateway + DNS pointing at router)
/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

Step 4: Enable DNS for Guests

Section titled “Step 4: Enable DNS for Guests”
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

Step 5: Run the HotSpot Setup Wizard

Section titled “Step 5: Run the HotSpot Setup Wizard”

The wizard creates the HotSpot server, hotspot IP pool (if needed), and an initial local user:

/ip hotspot setup

The wizard prompts for:

PromptExample Answer
HotSpot interfacebr-guest
Local address of network10.5.50.1/24
Masquerade networkyes
Address pool of network10.5.50.10-10.5.50.254
Select certificatenone (or choose existing cert for HTTPS)
Select SMTP server0.0.0.0
DNS servers1.1.1.1
DNS namelogin.example.com
Create local HotSpot useradmin / password

The wizard automatically creates:

  • A HotSpot server on the specified interface
  • DHCP server (if not already present)
  • Firewall NAT masquerade rule for the HotSpot subnet
  • Walled garden entries for the login page itself

Step 6: Configure NAT for Internet Access

Section titled “Step 6: Configure NAT for Internet Access”

If not created by the wizard, add a masquerade rule manually:

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="Guest HotSpot internet access"

Step 7: Verify the Setup

Section titled “Step 7: Verify the Setup”
# Check HotSpot server is running
/ip hotspot print


# Check DHCP leases
/ip dhcp-server lease print where server=dhcp-guest


# Check hosts detected by HotSpot
/ip hotspot host print


# Check active authenticated sessions
/ip hotspot active print


# Check NAT rule hit count
/ip firewall nat print stats where chain=srcnat

Expected behavior: a guest device connects to the WiFi, gets a 10.5.50.x DHCP lease, any HTTP request is intercepted and redirected to the login page, and after successful login internet access works.

HTTPS Redirect and Certificate Requirements

Section titled “HTTPS Redirect and Certificate Requirements”

By default, HotSpot redirects HTTP traffic to the login page. To enable HTTPS for the login page (so credentials are encrypted in transit), you must assign a certificate to the HotSpot profile.

Why HTTPS Matters

Section titled “Why HTTPS Matters”

Without HTTPS, login credentials are submitted in plain text over the local network. Using HTTPS encrypts the form submission. Note that HotSpot cannot intercept HTTPS destinations transparently — browsers enforce TLS trust and will show certificate errors if the original HTTPS site’s cert doesn’t match. Only HTTP requests trigger smooth captive portal redirects; HTTPS interception requires the browser to accept a trust exception.

Create a Self-Signed Certificate

Section titled “Create a Self-Signed Certificate”

For internal or low-security deployments, a self-signed certificate is sufficient (browsers will show a trust warning):

# Create CA certificate
/certificate
add name=hotspot-ca common-name="HotSpot CA" key-size=2048 \
    days-valid=3650 key-usage=key-cert-sign,crl-sign


# Sign CA certificate
/certificate sign hotspot-ca


# Create server certificate for the login hostname
/certificate
add name=hotspot-cert common-name=login.example.com key-size=2048 \
    days-valid=730 subject-alt-name=IP:10.5.50.1,DNS:login.example.com


# Sign server certificate with the CA
/certificate sign hotspot-cert ca=hotspot-ca

Import a Trusted Certificate

Section titled “Import a Trusted Certificate”

For production deployments, import a certificate signed by a public CA (e.g., Let’s Encrypt):

# Upload certificate files via FTP or drag-and-drop in WinBox Files view
# Then import:
/certificate import file-name=hotspot.crt passphrase=""
/certificate import file-name=hotspot.key passphrase=""

Assign Certificate to HotSpot Profile

Section titled “Assign Certificate to HotSpot Profile”
/ip hotspot profile
set [find name=hsprof1] ssl-certificate=hotspot-cert login-by=https

Key profile parameters for HTTPS:

ParameterDescription
ssl-certificateCertificate to use for HTTPS login page
login-byAuthentication methods: cookie, http-chap, http-pap, https, mac, trial
https-redirectRedirect HTTP clients to HTTPS login page automatically

User Management

Section titled “User Management”

Local Users

Section titled “Local Users”

Create users in the local HotSpot user database:

# Basic user with no limits
/ip hotspot user add name=guest password=guest123


# User with time limit
/ip hotspot user add name=user1 password=pass123 \
    profile=default limit-uptime=1h


# User with data volume limit
/ip hotspot user add name=user2 password=pass456 \
    profile=default limit-bytes-total=500M


# View all users
/ip hotspot user print


# View active sessions
/ip hotspot active print

User Profiles

Section titled “User Profiles”

Profiles define resource limits and billing parameters shared across multiple users:

# Time-limited profile (1 hour sessions)
/ip hotspot user profile
add name="1-hour" \
    session-timeout=1h \
    idle-timeout=5m \
    rate-limit=5M/5M \
    shared-users=1 \
    add-mac-cookie=yes


# Data-limited profile (500 MB)
/ip hotspot user profile
add name="500MB" \
    limit-bytes-total=500M \
    shared-users=5


# Premium unlimited with rate limiting
/ip hotspot user profile
add name="premium" \
    rate-limit="20M/20M" \
    shared-users=1 \
    session-timeout=0 \
    idle-timeout=0

Key profile parameters:

ParameterDescription
session-timeoutMaximum session duration (0 = unlimited)
idle-timeoutDisconnect after period of inactivity
rate-limitPer-session bandwidth limit (rx/tx, supports burst)
shared-usersMaximum simultaneous users sharing one credential
limit-bytes-totalTotal data cap (upload + download)
add-mac-cookieEnable MAC cookie to avoid re-login on same device
on-login / on-logoutScripts to run on session start/end

For the complete parameter reference — including burst rate format, queue integration, firewall marks, advertise, and login scripts — see the User Profiles guide.

RADIUS Integration

Section titled “RADIUS Integration”

For centralized authentication and accounting across multiple HotSpot servers, integrate with a RADIUS server.

Configure the RADIUS Client

Section titled “Configure the RADIUS Client”
# Add external RADIUS server
/radius
add address=192.0.2.10 \
    service=hotspot \
    secret=strong-radius-secret \
    authentication-port=1812 \
    accounting-port=1813 \
    timeout=300ms


# Optional: accounting backup to secondary server
/radius
add address=192.0.2.11 \
    service=hotspot \
    secret=strong-radius-secret \
    authentication-port=1812 \
    accounting-port=1813 \
    backup=yes

Enable RADIUS in HotSpot Profile

Section titled “Enable RADIUS in HotSpot Profile”
/ip hotspot profile
set [find name=hsprof1] \
    use-radius=yes \
    radius-accounting=yes \
    radius-interim-update=received \
    radius-mac-authentication=yes

RADIUS profile parameters:

ParameterDescription
use-radiusEnable RADIUS authentication for this profile
radius-accountingSend RADIUS accounting packets
radius-interim-updateWhen to send interim accounting updates (received, time interval)
radius-mac-authenticationAttempt MAC-based authentication before showing login page
radius-mac-formatFormat of MAC address sent to RADIUS (e.g., XX:XX:XX:XX:XX:XX)
radius-default-domainDomain appended to username in Access-Request

MikroTik RADIUS Attributes (VSAs)

Section titled “MikroTik RADIUS Attributes (VSAs)”

RouterOS sends the following Mikrotik Vendor-Specific Attributes to the RADIUS server:

AttributeValue
Mikrotik-Rate-LimitBandwidth limit returned by RADIUS
Mikrotik-GroupUser group assignment
Mikrotik-Recv-LimitIncoming data limit
Mikrotik-Xmit-LimitOutgoing data limit
Mikrotik-RealmHotSpot DNS name

User Manager Integration

Section titled “User Manager Integration”

RouterOS includes a built-in RADIUS server called User Manager. To use it for HotSpot authentication:

# Enable User Manager and point HotSpot at localhost
/tool user-manager
set enabled=yes


# Add RADIUS entry pointing to User Manager on localhost
/radius
add address=127.0.0.1 \
    service=hotspot \
    secret=um-shared-secret \
    authentication-port=1812 \
    accounting-port=1813


# Enable RADIUS in HotSpot profile
/ip hotspot profile
set [find name=hsprof1] use-radius=yes radius-accounting=yes

FreeRADIUS Configuration Example

Section titled “FreeRADIUS Configuration Example”

For FreeRADIUS, include the MikroTik dictionary and add a user:

/etc/freeradius/3.0/mods-config/files/authorize
guest Cleartext-Password := "guest123"
    Mikrotik-Rate-Limit := "10M/10M",
    Session-Timeout := 3600,
    Reply-Message := "Welcome to guest WiFi"

Walled Garden

Section titled “Walled Garden”

The walled garden allows unauthenticated users to reach specific destinations without logging in — useful for splash page assets, payment portals, or company websites.

RouterOS provides two rule sets: the HTTP walled garden (/ip hotspot walled-garden) for matching plain HTTP by hostname and path, and the IP walled garden (/ip hotspot walled-garden ip) for L3/L4 matching that covers HTTPS and any protocol.

# HTTP: allow a domain (plain HTTP only)
/ip hotspot walled-garden
add dst-host=*.example.com action=allow comment="Company site"


# IP: allow HTTPS destination by IP
/ip hotspot walled-garden ip
add dst-address=192.0.2.50 action=accept comment="Payment gateway"

For full coverage of walled garden parameters, wildcard matching, OS captive portal detection, and dynamic RADIUS-based rules, see the Walled Garden guide.

IP Bindings

Section titled “IP Bindings”

IP bindings control how specific MAC or IP addresses are handled by HotSpot:

# Bypass authentication for a known device (printer, IP phone)
/ip hotspot ip-binding
add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="Office printer"


# Block a specific client permanently
/ip hotspot ip-binding
add address=10.5.50.100 type=blocked comment="Abusive device"


# Register a static IP to a specific user
/ip hotspot ip-binding
add address=10.5.50.50 mac-address=11:22:33:44:55:66 user=staff type=regular
Binding TypeBehavior
bypassedSkip HotSpot authentication entirely
blockedDeny all access
regularStandard HotSpot behavior

Customizing Login Pages

Section titled “Customizing Login Pages”

HotSpot login pages are HTML files stored in a directory on the router filesystem.

Default Login Page Files

Section titled “Default Login Page Files”

After setup, HotSpot creates a set of HTML templates:

FilePurpose
login.htmlMain login form
logout.htmlLogout page
status.htmlSession status page
alogin.htmlRedirect page after login
error.htmlAuthentication error page
rlogin.htmlRedirect to original URL after login

Uploading Custom Pages

Section titled “Uploading Custom Pages”

Upload custom HTML files to the router using WinBox (drag-and-drop into Files view), FTP, or SCP:

Terminal window
# Upload via SCP
scp login.html [email protected]:/hotspot/


# Or use the router's FTP server
ftp 192.168.1.1
put login.html /hotspot/login.html

Then point the HotSpot profile to the custom directory:

/ip hotspot profile
set [find name=hsprof1] html-override-directory=/hotspot

Template Variables

Section titled “Template Variables”

HotSpot substitutes these variables in HTML templates at render time:

VariableDescription
$(link-login)Login form action URL
$(link-login-only)Login URL without original destination
$(link-orig)Original URL the user was trying to access
$(link-logout)Logout URL
$(link-status)Status page URL
$(username)Authenticated username (on status/logout pages)
$(ip)Client IP address
$(mac)Client MAC address
$(chap-id)CHAP challenge ID (for HTTP-CHAP logins)
$(chap-challenge)CHAP challenge value
$(session-time-left)Remaining session time
$(bytes-in)Bytes downloaded in this session
$(bytes-out)Bytes uploaded in this session

Example Login Form (HTTP-CHAP)

Section titled “Example Login Form (HTTP-CHAP)”

HTTP-CHAP hashes the password client-side before sending, providing some protection even over plain HTTP:

<form name="login" action="$(link-login)" method="post">
  <input type="hidden" name="dst" value="$(link-orig)">
  <input type="hidden" name="popup" value="true">
  <table>
    <tr><td>Username:</td><td><input type="text" name="username"></td></tr>
    <tr><td>Password:</td><td><input type="password" name="password" id="password"></td></tr>
    <tr><td colspan="2"><input type="submit" value="Log In"></td></tr>
  </table>
</form>

Security Considerations

Section titled “Security Considerations”
Section titled “MAC Cookie”

MAC cookies remember authenticated devices to avoid repeated logins on reconnect. Enable per profile:

/ip hotspot user profile
set default add-mac-cookie=yes mac-cookie-timeout=3d

Trial Mode

Section titled “Trial Mode”

Allow limited free access before requiring authentication:

/ip hotspot user profile
set default trial-uptime=10m trial-user-limit=1

Rate Limiting

Section titled “Rate Limiting”

Apply per-user bandwidth limits to prevent abuse:

# Per-user rate limit in user profile
/ip hotspot user profile
add name=limited rate-limit="2M/5M"


# Override rate limit for specific user
/ip hotspot user
set [find name=vip] rate-limit="20M/20M"

Isolate Guest Traffic from LAN

Section titled “Isolate Guest Traffic from LAN”

Prevent guest users from accessing the internal LAN:

/ip firewall filter
add chain=forward in-interface=br-guest out-interface=!ether1-WAN \
    action=drop comment="Block guests from LAN"

Troubleshooting

Section titled “Troubleshooting”

Common Issues

Section titled “Common Issues”

Users not redirected to login page

  • Verify the HotSpot server is running on the correct interface: /ip hotspot print
  • Confirm the client received a DHCP lease from the hotspot range
  • Check that DNS resolves (client must be able to make a DNS request that triggers redirect)
  • Verify no firewall rules are blocking traffic before HotSpot processes it

RADIUS authentication failing

  • Test connectivity: /tool ping address=<radius-server>
  • Verify the shared secret matches on both sides
  • Check RADIUS logs on the server for rejected requests
  • Confirm the RADIUS server is listening on the expected ports

HTTPS login certificate errors

  • Ensure ssl-certificate is set in the HotSpot profile
  • Verify the certificate CN or SAN matches the HotSpot DNS name (/ip hotspot profile print)
  • For self-signed certs, users must manually accept the trust exception in their browser
  • Import the CA certificate into browsers or use a public CA for seamless experience

Users getting logged out frequently

  • Increase idle-timeout in user profile: /ip hotspot user profile set default idle-timeout=30m
  • Check for IP address changes (DHCP lease expiry shorter than session timeout)
  • Review session-timeout in profile

MAC cookie not working after reconnect

  • Ensure add-mac-cookie=yes in the user profile
  • Check mac-cookie-timeout is long enough
  • Verify the client IP doesn’t change between sessions

Debug Commands

Section titled “Debug Commands”
# View HotSpot server status
/ip hotspot print


# View all active authenticated sessions
/ip hotspot active print detail


# View HotSpot host table (all detected clients)
/ip hotspot host print


# View HotSpot-related log messages
/log print topic=hotspot


# View user statistics
/ip hotspot user print stats


# Test RADIUS reachability
/tool ping 192.0.2.10


# Check certificate details
/certificate print detail where name=hotspot-cert
Section titled “Related Documentation”
  • Walled Garden — Pre-authentication access rules, HTTPS destinations, OS captive portal detection
  • User Profiles — Session limits, bandwidth policies, queue integration, and login scripts
  • RADIUS Integration — Centralised authentication, accounting, MAC auth, VSAs, and FreeRADIUS examples
  • Wireless Interface — WiFi access point configuration
  • CAPsMAN — Centralized wireless management
  • RADIUS — RADIUS client configuration
  • Firewall Filter — Network filtering
  • Certificates — Certificate management