RouterOS Profiles: PPP, Hotspot, and Wireless Security Configuration

RouterOS Profiles: PPP, Hotspot, and Wireless Security Configuration

Version Info

RouterOS 7.16 | Min: v6.0+ | ⏱️ 30 minutes | 🟡 Intermediate

Tested on: 7.16 7.14 6.49

Version-specific notes

• v7.x: Wireless security moved from /interface wireless security-profiles to /interface wifi security
• v6.39+: Added interface-list property to PPP profiles

TL;DR (Quick Start)

PPP Profile (for PPPoE/L2TP subscribers with 10 Mbps limit):

/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
/ppp profile add name=plan-10m local-address=10.0.0.1 remote-address=pppoe-pool \
    dns-server=8.8.8.8 rate-limit=10M/10M only-one=yes

Hotspot User Profile (for captive portal with bandwidth tiers):

/ip hotspot user profile add name=basic rate-limit=2M/2M session-timeout=1h shared-users=1
/ip hotspot user profile add name=premium rate-limit=10M/10M session-timeout=8h shared-users=3

Wireless Security Profile (v6: WPA2-PSK):

/interface wireless security-profiles add name=home-wifi mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key=YourPassword123

Wireless Security (v7: WPA2/WPA3):

/interface wifi security add name=home-wpa3 authentication-types=wpa2-psk,wpa3-psk \
    passphrase=YourPassword123

Overview

Profiles in RouterOS are reusable configuration templates that apply settings to multiple users, connections, or interfaces. Instead of configuring each connection individually, you define settings once in a profile and reference it everywhere.

Profile types covered:

• PPP Profiles (/ppp profile) - Settings for PPPoE, L2TP, PPTP, SSTP, and OpenVPN connections
• Hotspot User Profiles (/ip hotspot user profile) - Bandwidth limits and session settings for captive portal users
• Wireless Security Profiles (/interface wireless security-profiles) - WiFi authentication and encryption settings

Why use profiles:

• Centralized management - Change a profile once, all users inherit the update
• Consistent configuration - Ensure all connections use the same settings
• Tiered services - Create different service levels (basic, premium, unlimited)
• Simplified troubleshooting - Fewer unique configurations to debug

Common use cases:

• ISP with hundreds of PPPoE subscribers using different bandwidth plans
• Hotel hotspot with time-limited guest access
• Enterprise WiFi with WPA2/WPA3 security across multiple access points

Menu Reference

Profile Type	Menu Path	Purpose
PPP Profile	/ppp profile	PPPoE, L2TP, PPTP, SSTP, OpenVPN settings
Hotspot User Profile	/ip hotspot user profile	Captive portal user settings
Hotspot Server Profile	/ip hotspot profile	Captive portal server settings
Wireless Security (v6)	/interface wireless security-profiles	WiFi authentication
Wireless Security (v7)	/interface wifi security	WiFi authentication (wifiwave2)

---

PPP Profiles

PPP profiles define address assignment, bandwidth limits, and connection behavior for all PPP-based services: PPPoE, L2TP, PPTP, SSTP, and OpenVPN.

Key Properties

Address Assignment

Property	Type	Description
name	string	Profile identifier (required)
local-address	IP or pool	Router-side tunnel IP or pool reference
remote-address	IP or pool	Client-side tunnel IP or pool reference
dns-server	IP	DNS server(s) pushed to clients
wins-server	IP	WINS server for Windows clients

Bandwidth Control

Property	Type	Description
rate-limit	string	Bandwidth limit (see format below)
parent-queue	string	Parent queue for hierarchical QoS
queue-type	string	Queue type (default/pcq/sfq)
only-one	yes/no/default	Allow only one session per user

Session Control

Property	Type	Description
idle-timeout	time	Disconnect after inactivity
session-timeout	time	Maximum session duration
on-up	script	Script executed on connect
on-down	script	Script executed on disconnect

Firewall Integration

Property	Type	Description
incoming-filter	string	Firewall chain for client traffic
outgoing-filter	string	Firewall chain for traffic to client
address-list	string	Auto-add client IP to address list
interface-list	string	Auto-add interface to interface list

Rate Limit Format

The rate-limit property uses a complex format:

rx-rate[/tx-rate] [rx-burst/tx-burst] [rx-threshold/tx-threshold] [rx-time/tx-time] [priority] [rx-min/tx-min]

Example: 10M/20M 15M/30M 8M/16M 10/10 8 5M/10M

Part	Value	Meaning
Normal rate	10M/20M	10 Mbps download, 20 Mbps upload
Burst rate	15M/30M	Burst to 15/30 Mbps temporarily
Burst threshold	8M/16M	Burst when average below this
Burst time	10/10	Burst calculation window (seconds)
Priority	8	Queue priority (1=highest, 8=lowest)
Minimum rate	5M/10M	Guaranteed minimum bandwidth

Simple Rate Limits

For most use cases, you only need the basic format: download/upload. For example, 10M/10M sets a symmetrical 10 Mbps limit. Only add burst parameters if you need temporary speed boosts.

Configuration Examples

Example 1: Basic PPPoE Server Profile

Create a 10 Mbps symmetrical profile for PPPoE subscribers:

# Step 1: Create IP pool for clients
/ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254

# Step 2: Create profile with bandwidth limit
/ppp profile add name=pppoe-10m \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8,8.8.4.4 \
    rate-limit=10M/10M \
    only-one=yes

# Step 3: Create user with profile
/ppp secret add name=customer1 password=secret123 \
    profile=pppoe-10m service=pppoe

Verification:

/ppp profile print where name=pppoe-10m

Expected output:

Flags: * - default
 0   name="pppoe-10m" local-address=10.0.0.1 remote-address=pppoe-pool
     dns-server=8.8.8.8,8.8.4.4 rate-limit=10M/10M only-one=yes

Example 2: Tiered Service Plans

Create multiple profiles for different service tiers:

# Basic plan - 10 Mbps
/ppp profile add name=plan-basic \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8 \
    rate-limit=10M/10M \
    only-one=yes

# Premium plan - 50 Mbps with burst
/ppp profile add name=plan-premium \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8 \
    rate-limit=50M/50M 75M/75M 40M/40M 10/10 \
    only-one=yes

# Business plan - 100 Mbps with minimum guarantee
/ppp profile add name=plan-business \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    dns-server=8.8.8.8 \
    rate-limit=100M/100M 150M/150M 80M/80M 10/10 8 50M/50M \
    only-one=yes

Example 3: L2TP/IPsec VPN Profile

Create a secure VPN profile for remote workers:

# Create VPN address pool
/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.100

# Create VPN profile
/ppp profile add name=l2tp-vpn \
    local-address=192.168.99.1 \
    remote-address=vpn-pool \
    dns-server=192.168.99.1 \
    use-encryption=yes

# Enable L2TP server with IPsec
/interface l2tp-server server set enabled=yes \
    default-profile=l2tp-vpn \
    use-ipsec=required \
    ipsec-secret=YourSharedSecret

Example 4: Profile with Connection Logging

Log when users connect and disconnect:

/ppp profile add name=logged-profile \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    on-up=":log info \"PPP connected: user=\$user ip=\$\"remote-address\"\"" \
    on-down=":log info \"PPP disconnected: user=\$user\""

Script variable reference:

Variable	Content
$user	Username
$local-address	Router-side IP
$remote-address	Client-side IP
$caller-id	Client MAC or identifier
$interface	Interface ID (not name)

Variable Syntax

Variables with hyphens require special syntax: $"remote-address" not $remote-address. Additionally, $interface returns an internal ID like *1c, not the interface name. Use /interface get $interface name to get the actual name.

Example 5: Auto-Add to Firewall Address List

Automatically track connected client IPs:

/ppp profile add name=tracked-profile \
    local-address=10.0.0.1 \
    remote-address=pppoe-pool \
    address-list=ppp-clients \
    interface-list=ppp-interfaces

Connected clients are automatically added to the ppp-clients address list and their interfaces to the ppp-interfaces interface list. Use these in firewall rules:

# Allow all traffic from PPP clients
/ip firewall filter add chain=forward \
    src-address-list=ppp-clients action=accept

---

Hotspot User Profiles

Hotspot user profiles define bandwidth limits, session timeouts, and access controls for captive portal users.

Key Properties

Property	Type	Default	Description
name	string	-	Profile name (required)
rate-limit	string	-	Bandwidth limit (same format as PPP)
session-timeout	time	-	Maximum session duration
idle-timeout	time	-	Disconnect after inactivity
keepalive-timeout	time	2m	Client presence check interval
shared-users	integer	1	Simultaneous logins per account
address-pool	string	-	IP pool for this profile’s users
transparent-proxy	yes/no	no	Force HTTP through proxy

Configuration Examples

Example 6: Tiered Hotspot Plans

Create different service levels for a hotel or cafe:

# Free tier - 2 Mbps, 1 hour
/ip hotspot user profile add name=free \
    rate-limit=2M/2M \
    session-timeout=1h \
    shared-users=1

# Guest tier - 10 Mbps, 8 hours
/ip hotspot user profile add name=guest \
    rate-limit=10M/10M \
    session-timeout=8h \
    shared-users=2

# VIP tier - Unlimited, 24 hours
/ip hotspot user profile add name=vip \
    rate-limit="" \
    session-timeout=24h \
    shared-users=5

Create users with profiles:

/ip hotspot user add name=freeuser password=free profile=free
/ip hotspot user add name=guest001 password=g001 profile=guest
/ip hotspot user add name=vip001 password=vippass profile=vip

Example 7: Hotspot with Different Pools

Assign different IP ranges to different user tiers:

# Create separate pools
/ip pool add name=hs-free-pool ranges=10.5.1.2-10.5.1.254
/ip pool add name=hs-vip-pool ranges=10.5.2.2-10.5.2.254

# Create profiles with specific pools
/ip hotspot user profile add name=free \
    rate-limit=2M/2M \
    address-pool=hs-free-pool

/ip hotspot user profile add name=vip \
    rate-limit="" \
    address-pool=hs-vip-pool

---

Wireless Security Profiles

Wireless security profiles define authentication methods and encryption for WiFi networks.

RouterOS v6 (Legacy Wireless)

Menu: /interface wireless security-profiles

Property	Options	Description
name	string	Profile name
mode	none/static-keys-required/dynamic-keys	Security mode
authentication-types	wpa-psk,wpa2-psk,wpa-eap,wpa2-eap	Auth methods
wpa2-pre-shared-key	string	WPA2 passphrase
unicast-ciphers	aes-ccm,tkip	Encryption for unicast
group-ciphers	aes-ccm,tkip	Encryption for broadcast

Example 8: WPA2-PSK Security Profile (v6)

/interface wireless security-profiles add name=home-wifi \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    wpa2-pre-shared-key=YourSecurePassword123 \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm

# Apply to wireless interface
/interface wireless set wlan1 security-profile=home-wifi

RouterOS v7 (WiFi / Wifiwave2)

Menu: /interface wifi security

# Create WPA2/WPA3 transitional profile
/interface wifi security add name=home-wpa3 \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase=YourSecurePassword123 \
    encryption=ccmp,gcmp

# Apply to wifi interface
/interface wifi set wifi1 security=home-wpa3

WPA3 Compatibility

Use transitional mode (wpa2-psk,wpa3-psk) for compatibility with older devices that don’t support WPA3. This allows WPA3-capable devices to use the stronger protocol while maintaining access for legacy clients.

---

Common Problems and Solutions

Problem 1: Rate Limit Not Applied

Symptoms: Users get full bandwidth despite profile rate-limit setting.

Causes:

1. FastTrack enabled (bypasses queues)
2. Other queues matching traffic first

FastTrack Conflict

FastTrack is enabled by default in many configurations and completely bypasses the queue system. Profile rate limits create dynamic queues, which FastTrack will skip. Either disable FastTrack or exclude PPP traffic from it.

Solutions:

# Disable FastTrack for PPP traffic
/ip firewall filter disable [find action=fasttrack-connection]

# Or set queue position to first
/ppp profile set myprofile insert-queue-before=first

Problem 2: On-Up Script Variable Access Fails

Symptom: Script error or empty variable values.

Cause: Variables with hyphens need special syntax.

Wrong:

on-up=":log info $remote-address"

Correct:

on-up=":log info \$\"remote-address\""

Problem 3: $interface Returns ID Not Name

Symptom: Script gets *1c instead of interface name.

Solution:

on-up={
    :local ifName [/interface get $interface name]
    :log info "Interface: $ifName"
}

Problem 4: Profile Change Not Taking Effect

Cause: Profile settings apply at connection time, not retroactively.

Profile Changes

When you modify a profile, existing connections continue using the old settings. Users must reconnect to receive the updated profile configuration. Plan profile changes during maintenance windows or notify affected users.

Solution: Force reconnection:

# Disconnect specific user
/ppp active remove [find name=username]

# Or disconnect all users of a profile
/ppp active remove [find profile=myprofile]

Problem 5: Multiple Sessions Despite only-one=yes

Cause: only-one=default inherits from service default, which may allow multiple.

Solution: Explicitly set only-one=yes:

/ppp profile set myprofile only-one=yes

Problem 6: Address Pool Exhausted

Symptoms: New connections fail with “no free addresses.”

Solutions:

# Check active sessions for stale entries
/ppp active print

# Increase pool size
/ip pool set pppoe-pool ranges=10.0.0.2-10.0.1.254

# Check for stuck sessions
/ppp active print where uptime>7d

Problem 7: Hotspot shared-users Allows More Bandwidth Than Expected

Cause: Rate limit applies per session, not per account. User with shared-users=3 can get 3x bandwidth.

Solution: Use parent queue with PCQ:

# Create parent queue for aggregate limit
/queue simple add name=hotspot-aggregate \
    target=10.5.0.0/16 max-limit=100M/100M

# Set profile to use parent queue
/ip hotspot user profile set premium parent-queue=hotspot-aggregate

Problem 8: Script Permission Errors

Symptom: On-up script fails silently or can’t access certain commands.

Cause: PPP scripts run as *sys with limited permissions.

Solution: For external API calls, use a scheduler-based approach:

# Create script with full permissions
/system script add name=notify-connect policy=read,write,test,ftp source={
    /tool fetch url="http://api.example.com/notify" mode=http
}

# Call from on-up
/ppp profile set myprofile on-up="/system script run notify-connect"

Problem 9: WPA3 Devices Can’t Connect

Cause: Some older devices don’t support WPA3.

Solution: Use transitional mode:

# v7 syntax
/interface wifi security set mysec authentication-types=wpa2-psk,wpa3-psk

Problem 10: Security Profile Not Applied

Symptom: Wireless interface using wrong security settings.

Solution: Verify the reference:

# Check interface setting
/interface wireless print detail where name=wlan1

# Ensure security-profile matches exactly
/interface wireless set wlan1 security-profile=home-wifi

---

Default Profiles

RouterOS includes built-in profiles:

Profile	Settings	Use Case
default	No encryption, change-tcp-mss=yes	Basic unencrypted tunnels
default-encryption	use-encryption=yes	Encrypted PPTP/L2TP

Verification Commands

# List all PPP profiles
/ppp profile print

# Show profile details
/ppp profile print detail where name=myprofile

# View active PPP sessions with profiles
/ppp active print

# Check dynamic queues from profiles
/queue simple print where dynamic=yes

# List hotspot user profiles
/ip hotspot user profile print

# View active hotspot users
/ip hotspot active print

# Check wireless security profiles (v6)
/interface wireless security-profiles print

# Check wifi security (v7)
/interface wifi security print

Related Topics

• IP Pool - Address pools referenced by profiles
• PPPoE Server and Client - PPPoE configuration using PPP profiles
• L2TP VPN Server - L2TP VPN using PPP profiles
• Hotspot Captive Portal Setup - Hotspot configuration with user profiles
• Bandwidth Limiting with Simple Queues - Manual queue configuration
• WiFi Basic Setup - Wireless interface configuration
• RADIUS - External authentication that can override profiles

Version Notes

Feature	Version	Notes
PPP interface-list property	6.39+	Reduces need for on-up scripts
WiFi security (wifiwave2)	7.x	New /interface wifi security menu
WPA3 support	7.x	Requires wifiwave2 package
Enhanced bridge options	7.x	Better L2 VPN support

Reference

Official Documentation

• MikroTik PPP AAA Documentation - PPP profiles and authentication
• MikroTik Hotspot User Profile - Hotspot user profile configuration
• MikroTik Wireless Security - Security profile settings
• MikroTik WiFi (v7) - WiFi configuration for RouterOS 7

Quick Reference Commands

# PPP Profiles
/ppp profile print                      # List all profiles
/ppp profile print detail               # Show full profile details
/ppp profile add name=X ...             # Create new profile
/ppp profile set X property=value       # Modify profile

# Hotspot User Profiles
/ip hotspot user profile print          # List profiles
/ip hotspot user profile add name=X ... # Create profile

# Wireless Security (v6)
/interface wireless security-profiles print  # List profiles
/interface wireless security-profiles add name=X ...

# Wireless Security (v7)
/interface wifi security print          # List security configs
/interface wifi security add name=X ... # Create security config

# Monitoring
/ppp active print                       # Active PPP sessions
/ip hotspot active print                # Active hotspot users
/queue simple print where dynamic=yes   # Dynamic queues from profiles

Summary

Profiles centralize configuration for consistent, manageable deployments:

1. PPP Profiles - Define addresses, bandwidth, and scripts for tunnel services
2. Hotspot Profiles - Control session limits and bandwidth for captive portals
3. Security Profiles - Configure WiFi authentication and encryption

Key points:

• Profile changes require reconnection to take effect
• Use only-one=yes explicitly to prevent multiple sessions
• Variables with hyphens need special syntax in scripts
• Rate limits create dynamic queues (check FastTrack conflicts)
• v7 uses different menu paths for WiFi security