RouterOS Profiles: PPP, Hotspot, and Wireless Security Configuration
TL;DR (Quick Start)
PPP Profile (for PPPoE/L2TP subscribers with 10 Mbps limit):
    /ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
    /ppp profile add name=plan-10m local-address=10.0.0.1 remote-address=pppoe-pool \
        dns-server=8.8.8.8 rate-limit=10M/10M only-one=yes
Hotspot User Profile (for captive portal with bandwidth tiers):
    /ip hotspot user profile add name=basic rate-limit=2M/2M session-timeout=1h shared-users=1
    /ip hotspot user profile add name=premium rate-limit=10M/10M session-timeout=8h shared-users=3
Wireless Security Profile (v6: WPA2-PSK):
    /interface wireless security-profiles add name=home-wifi mode=dynamic-keys \
        authentication-types=wpa2-psk wpa2-pre-shared-key=YourPassword123
Wireless Security (v7: WPA2/WPA3):
    /interface wifi security add name=home-wpa3 authentication-types=wpa2-psk,wpa3-psk \
        passphrase=YourPassword123
Overview
Profiles in RouterOS are reusable configuration templates that apply settings to multiple users, connections, or interfaces. Instead of configuring each connection individually, you define settings once in a profile and reference it everywhere.
Profile types covered:
- PPP Profiles (/ppp profile) - Settings for PPPoE, L2TP, PPTP, SSTP, and OpenVPN connections
- Hotspot User Profiles (/ip hotspot user profile) - Bandwidth limits and session settings for captive portal users
- Wireless Security Profiles (/interface wireless security-profiles) - WiFi authentication and encryption settings
Why use profiles:
- Centralized management - Change a profile once, all users inherit the update
- Consistent configuration - Ensure all connections use the same settings
- Tiered services - Create different service levels (basic, premium, unlimited)
- Simplified troubleshooting - Fewer unique configurations to debug
Common use cases:
- ISP with hundreds of PPPoE subscribers using different bandwidth plans
- Hotel hotspot with time-limited guest access
- Enterprise WiFi with WPA2/WPA3 security across multiple access points
Menu Reference
| Profile Type | Menu Path | Purpose |
|---|---|---|
| PPP Profile | /ppp profile | PPPoE, L2TP, PPTP, SSTP, OpenVPN settings |
| Hotspot User Profile | /ip hotspot user profile | Captive portal user settings |
| Hotspot Server Profile | /ip hotspot profile | Captive portal server settings |
| Wireless Security (v6) | /interface wireless security-profiles | WiFi authentication |
| Wireless Security (v7) | /interface wifi security | WiFi authentication (wifiwave2) |
PPP Profiles
PPP profiles define address assignment, bandwidth limits, and connection behavior for all PPP-based services: PPPoE, L2TP, PPTP, SSTP, and OpenVPN.
Key Properties
Address Assignment
| Property | Type | Description |
|---|---|---|
| name | string | Profile identifier (required) |
| local-address | IP or pool | Router-side tunnel IP or pool reference |
| remote-address | IP or pool | Client-side tunnel IP or pool reference |
| dns-server | IP | DNS server(s) pushed to clients |
| wins-server | IP | WINS server for Windows clients |
Bandwidth Control
| Property | Type | Description |
|---|---|---|
| rate-limit | string | Bandwidth limit (see format below) |
| parent-queue | string | Parent queue for hierarchical QoS |
| queue-type | string | Queue type (default/pcq/sfq) |
| only-one | yes/no/default | Allow only one session per user |
Session Control
| Property | Type | Description |
|---|---|---|
| idle-timeout | time | Disconnect after inactivity |
| session-timeout | time | Maximum session duration |
| on-up | script | Script executed on connect |
| on-down | script | Script executed on disconnect |
Firewall Integration
| Property | Type | Description |
|---|---|---|
| incoming-filter | string | Firewall chain for client traffic |
| outgoing-filter | string | Firewall chain for traffic to client |
| address-list | string | Auto-add client IP to address list |
| interface-list | string | Auto-add interface to interface list |
Rate Limit Format
The rate-limit property uses a complex format:
    rx-rate[/tx-rate] [rx-burst/tx-burst] [rx-threshold/tx-threshold] [rx-time/tx-time] [priority] [rx-min/tx-min]
Example: 10M/20M 15M/30M 8M/16M 10/10 8 5M/10M
| Part | Value | Meaning |
|---|---|---|
| Normal rate | 10M/20M | 10 Mbps download, 20 Mbps upload |
| Burst rate | 15M/30M | Burst to 15/30 Mbps temporarily |
| Burst threshold | 8M/16M | Burst when average below this |
| Burst time | 10/10 | Burst calculation window (seconds) |
| Priority | 8 | Queue priority (1=highest, 8=lowest) |
| Minimum rate | 5M/10M | Guaranteed minimum bandwidth |
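The positional format above, parsed field by field so a value can be checked before it is pushed to a profile. This is an added Python example, not code from RouterOS or from the original page; the decimal k/M/G multipliers and the reuse of a single value for both directions in every pair are assumptions.

```python
import re

# Multipliers for the k/M/G suffixes (assumed decimal: k = 1000).
UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}


def to_bps(text):
    """Convert '10M', '512k' or a bare number to bits per second."""
    m = re.fullmatch(r"(\d+)([kMG]?)", text)
    if m is None:
        raise ValueError("bad rate value: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def pair(text, convert):
    """Parse 'rx/tx'; a single value is used for both directions (assumed)."""
    parts = text.split("/")
    if len(parts) > 2:
        raise ValueError("too many '/' in %r" % text)
    rx = convert(parts[0])
    tx = convert(parts[1]) if len(parts) == 2 else rx
    return {"rx": rx, "tx": tx}


def parse_rate_limit(value):
    """Parse a rate-limit string into a dict keyed by field name.

    An empty string (used on this page for the unlimited tier) gives {}.
    """
    tokens = value.split()
    if not tokens:
        return {}
    if len(tokens) > 6:
        raise ValueError("expected at most 6 fields, got %d" % len(tokens))
    result = {"rate": pair(tokens[0], to_bps)}
    for name, tok in zip(["burst", "threshold"], tokens[1:3]):
        result[name] = pair(tok, to_bps)
    if len(tokens) > 3:
        result["time"] = pair(tokens[3], int)  # seconds
    if len(tokens) > 4:
        prio = int(tokens[4])
        if not 1 <= prio <= 8:  # 1 = highest, 8 = lowest
            raise ValueError("priority must be 1..8, got %d" % prio)
        result["priority"] = prio
    if len(tokens) > 5:
        result["min"] = pair(tokens[5], to_bps)
    return result


if __name__ == "__main__":
    print(parse_rate_limit("10M/20M 15M/30M 8M/16M 10/10 8 5M/10M"))
```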
Configuration Examples
Example 1: Basic PPPoE Server Profile
Create a 10 Mbps symmetrical profile for PPPoE subscribers:
    # Step 1: Create IP pool for clients
    /ip pool add name=pppoe-pool ranges=10.0.0.2-10.0.0.254
    # Step 2: Create profile with bandwidth limit
    /ppp profile add name=pppoe-10m \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        dns-server=8.8.8.8,8.8.4.4 \
        rate-limit=10M/10M \
        only-one=yes
    # Step 3: Create user with profile
    /ppp secret add name=customer1 password=secret123 \
        profile=pppoe-10m service=pppoe
Verification:
    /ppp profile print where name=pppoe-10m
Expected output:
    Flags: * - default
     0 name="pppoe-10m" local-address=10.0.0.1 remote-address=pppoe-pool dns-server=8.8.8.8,8.8.4.4 rate-limit=10M/10M only-one=yes
Example 2: Tiered Service Plans
Create multiple profiles for different service tiers:
    # Basic plan - 10 Mbps
    /ppp profile add name=plan-basic \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        dns-server=8.8.8.8 \
        rate-limit=10M/10M \
        only-one=yes
    # Premium plan - 50 Mbps with burst
    /ppp profile add name=plan-premium \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        dns-server=8.8.8.8 \
        rate-limit=50M/50M 75M/75M 40M/40M 10/10 \
        only-one=yes
    # Business plan - 100 Mbps with minimum guarantee
    /ppp profile add name=plan-business \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        dns-server=8.8.8.8 \
        rate-limit=100M/100M 150M/150M 80M/80M 10/10 8 50M/50M \
        only-one=yes
Example 3: L2TP/IPsec VPN Profile
Create a secure VPN profile for remote workers:
    # Create VPN address pool
    /ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.100
    # Create VPN profile
    /ppp profile add name=l2tp-vpn \
        local-address=192.168.99.1 \
        remote-address=vpn-pool \
        dns-server=192.168.99.1 \
        use-encryption=yes
    # Enable L2TP server with IPsec
    /interface l2tp-server server set enabled=yes \
        default-profile=l2tp-vpn \
        use-ipsec=required \
        ipsec-secret=YourSharedSecret
Example 4: Profile with Connection Logging
Log when users connect and disconnect:
    /ppp profile add name=logged-profile \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        on-up=":log info \"PPP connected: user=\$user ip=\$\"remote-address\"\"" \
        on-down=":log info \"PPP disconnected: user=\$user\""
Script variable reference:
| Variable | Content |
|---|---|
| $user | Username |
| $local-address | Router-side IP |
| $remote-address | Client-side IP |
| $caller-id | Client MAC or identifier |
| $interface | Interface ID (not name) |
Variable Syntax
Variables with hyphens require special syntax: $"remote-address" not $remote-address. Additionally, $interface returns an internal ID like *1c, not the interface name. Use /interface get $interface name to get the actual name.
Example 5: Auto-Add to Firewall Address List
Automatically track connected client IPs:
    /ppp profile add name=tracked-profile \
        local-address=10.0.0.1 \
        remote-address=pppoe-pool \
        address-list=ppp-clients \
        interface-list=ppp-interfaces
Connected clients are automatically added to the ppp-clients address list and their interfaces to the ppp-interfaces interface list. Use these in firewall rules:
    # Allow all traffic from PPP clients
    /ip firewall filter add chain=forward \
        src-address-list=ppp-clients action=accept
Hotspot User Profiles
Hotspot user profiles define bandwidth limits, session timeouts, and access controls for captive portal users.
Key Properties
| Property | Type | Default | Description |
|---|---|---|---|
| name | string | - | Profile name (required) |
| rate-limit | string | - | Bandwidth limit (same format as PPP) |
| session-timeout | time | - | Maximum session duration |
| idle-timeout | time | - | Disconnect after inactivity |
| keepalive-timeout | time | 2m | Client presence check interval |
| shared-users | integer | 1 | Simultaneous logins per account |
| address-pool | string | - | IP pool for this profile’s users |
| transparent-proxy | yes/no | no | Force HTTP through proxy |
Configuration Examples
Example 6: Tiered Hotspot Plans
Create different service levels for a hotel or cafe:
    # Free tier - 2 Mbps, 1 hour
    /ip hotspot user profile add name=free \
        rate-limit=2M/2M \
        session-timeout=1h \
        shared-users=1
    # Guest tier - 10 Mbps, 8 hours
    /ip hotspot user profile add name=guest \
        rate-limit=10M/10M \
        session-timeout=8h \
        shared-users=2
    # VIP tier - Unlimited, 24 hours
    /ip hotspot user profile add name=vip \
        rate-limit="" \
        session-timeout=24h \
        shared-users=5
Create users with profiles:
    /ip hotspot user add name=freeuser password=free profile=free
    /ip hotspot user add name=guest001 password=g001 profile=guest
    /ip hotspot user add name=vip001 password=vippass profile=vip
Example 7: Hotspot with Different Pools
Assign different IP ranges to different user tiers:
    # Create separate pools
    /ip pool add name=hs-free-pool ranges=10.5.1.2-10.5.1.254
    /ip pool add name=hs-vip-pool ranges=10.5.2.2-10.5.2.254
    # Create profiles with specific pools
    /ip hotspot user profile add name=free \
        rate-limit=2M/2M \
        address-pool=hs-free-pool
    /ip hotspot user profile add name=vip \
        rate-limit="" \
        address-pool=hs-vip-pool
Wireless Security Profiles
Wireless security profiles define authentication methods and encryption for WiFi networks.
RouterOS v6 (Legacy Wireless)
Menu: /interface wireless security-profiles
| Property | Options | Description |
|---|---|---|
| name | string | Profile name |
| mode | none/static-keys-required/dynamic-keys | Security mode |
| authentication-types | wpa-psk,wpa2-psk,wpa-eap,wpa2-eap | Auth methods |
| wpa2-pre-shared-key | string | WPA2 passphrase |
| unicast-ciphers | aes-ccm,tkip | Encryption for unicast |
| group-ciphers | aes-ccm,tkip | Encryption for broadcast |
Example 8: WPA2-PSK Security Profile (v6)
    /interface wireless security-profiles add name=home-wifi \
        mode=dynamic-keys \
        authentication-types=wpa2-psk \
        wpa2-pre-shared-key=YourSecurePassword123 \
        unicast-ciphers=aes-ccm \
        group-ciphers=aes-ccm
    # Apply to wireless interface
    /interface wireless set wlan1 security-profile=home-wifi
RouterOS v7 (WiFi / Wifiwave2)
Menu: /interface wifi security
    # Create WPA2/WPA3 transitional profile
    /interface wifi security add name=home-wpa3 \
        authentication-types=wpa2-psk,wpa3-psk \
        passphrase=YourSecurePassword123 \
        encryption=ccmp,gcmp
    # Apply to wifi interface
    /interface wifi set wifi1 security=home-wpa3
Common Problems and Solutions
Problem 1: Rate Limit Not Applied
Symptoms: Users get full bandwidth despite profile rate-limit setting.
Causes:
- FastTrack enabled (bypasses queues)
- Other queues matching traffic first
FastTrack Conflict
FastTrack is enabled by default in many configurations and completely bypasses the queue system. Profile rate limits create dynamic queues, which FastTrack will skip. Either disable FastTrack or exclude PPP traffic from it.
Solutions:
    # Disable the FastTrack rules so PPP traffic reaches the queues
    /ip firewall filter disable [find action=fasttrack-connection]
    # Or set queue position to first
    /ppp profile set myprofile insert-queue-before=first
Problem 2: On-Up Script Variable Access Fails
Symptom: Script error or empty variable values.
Cause: Variables with hyphens need special syntax.
Wrong:
    on-up=":log info $remote-address"
Correct:
    on-up=":log info \$\"remote-address\""
Problem 3: $interface Returns ID Not Name
Symptom: Script gets *1c instead of interface name.
Solution:
    on-up={
        :local ifName [/interface get $interface name]
        :log info "Interface: $ifName"
    }
Problem 4: Profile Change Not Taking Effect
Cause: Profile settings apply at connection time, not retroactively.
Solution: Force reconnection:
    # Disconnect specific user
    /ppp active remove [find name=username]
    # Or disconnect all users of a profile
    /ppp active remove [find profile=myprofile]
Problem 5: Multiple Sessions Despite only-one=yes
Cause: only-one=default inherits from service default, which may allow multiple.
Solution: Explicitly set only-one=yes:
    /ppp profile set myprofile only-one=yes
Problem 6: Address Pool Exhausted
Symptoms: New connections fail with “no free addresses.”
Solutions:
    # Check active sessions for stale entries
    /ppp active print
    # Increase pool size
    /ip pool set pppoe-pool ranges=10.0.0.2-10.0.1.254
    # Check for stuck sessions
    /ppp active print where uptime>7d
Problem 7: Hotspot shared-users Allows More Bandwidth Than Expected
Cause: Rate limit applies per session, not per account. A user with shared-users=3 can get 3x bandwidth.
Solution: Use parent queue with PCQ:
    # Create parent queue for aggregate limit
    /queue simple add name=hotspot-aggregate \
        target=10.5.0.0/16 max-limit=100M/100M
    # Set profile to use parent queue
    /ip hotspot user profile set premium parent-queue=hotspot-aggregate
Problem 8: Script Permission Errors
Symptom: On-up script fails silently or can’t access certain commands.
Cause: PPP scripts run as *sys with limited permissions.
Solution: For external API calls, use a scheduler-based approach:
    # Create script with an explicit policy list
    /system script add name=notify-connect policy=read,write,test,ftp source={
        /tool fetch url="http://api.example.com/notify" mode=http
    }
    # Call from on-up
    /ppp profile set myprofile on-up="/system script run notify-connect"
Problem 9: WPA3 Devices Can’t Connect
Cause: Some older devices don’t support WPA3.
Solution: Use transitional mode:
    # v7 syntax
    /interface wifi security set mysec authentication-types=wpa2-psk,wpa3-psk
Problem 10: Security Profile Not Applied
Symptom: Wireless interface using wrong security settings.
Solution: Verify the reference:
    # Check interface setting
    /interface wireless print detail where name=wlan1
    # Ensure security-profile matches exactly
    /interface wireless set wlan1 security-profile=home-wifi
Default Profiles
RouterOS includes built-in profiles:
| Profile | Settings | Use Case |
|---|---|---|
| default | No encryption, change-tcp-mss=yes | Basic unencrypted tunnels |
| default-encryption | use-encryption=yes | Encrypted PPTP/L2TP |
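A small linter for exported configuration lines that flags settings this page singles out: the legacy WPA/TKIP and non-WPA options from the v6 table, PPP profiles created without an explicit only-one=yes (Problem 5), and an L2TP server whose use-ipsec is not required (Example 3). This is an added Python example, not part of the original page or a MikroTik tool; the function names and the sample export are constructed, and unset wireless properties are not judged because their defaults are not listed on this page.

```python
import shlex

# Options from the page's v6 property table that predate WPA2 with AES-CCM.
WEAK_MODES = {"none", "static-keys-required"}
WEAK_AUTH = {"wpa-psk", "wpa-eap"}
WEAK_CIPHERS = {"tkip"}


def parse_command(line):
    """Split '/menu path add|set key=value ...' into (command, properties)."""
    tokens = shlex.split(line)
    verb = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
    if verb is None:
        return None, {}
    props = dict(t.split("=", 1) for t in tokens[verb + 1:] if "=" in t)
    return " ".join(tokens[:verb + 1]), props


def audit(export_text):
    """Return (object, finding) pairs for the checks described above."""
    findings = []
    # Re-join lines split with a trailing backslash, as in the examples.
    for raw in export_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue  # comments and blank lines
        cmd, p = parse_command(line)
        name = p.get("name", "?")
        if cmd == "/interface wireless security-profiles add":
            if p.get("mode") in WEAK_MODES:
                findings.append((name, "mode=%s does not use WPA" % p["mode"]))
            auth = set(p.get("authentication-types", "").split(","))
            for a in sorted(auth & WEAK_AUTH):
                findings.append((name, "legacy auth type " + a))
            for key in ("unicast-ciphers", "group-ciphers"):
                if WEAK_CIPHERS & set(p.get(key, "").split(",")):
                    findings.append((name, key + " allows tkip"))
        elif cmd == "/ppp profile add":
            if p.get("only-one") != "yes":
                findings.append((name, "only-one is not explicitly yes"))
        elif cmd == "/interface l2tp-server server set":
            if p.get("use-ipsec") != "required":
                findings.append(("l2tp-server", "use-ipsec is not required"))
    return findings


# Constructed sample export, not taken from a real device.
SAMPLE = r"""
/interface wireless security-profiles add name=legacy mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm \
    group-ciphers=tkip wpa2-pre-shared-key=EXAMPLE-ONLY
/interface wireless security-profiles add name=home-wifi mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm
/ppp profile add name=plan-basic rate-limit=10M/10M only-one=default
/ppp profile add name=plan-premium rate-limit="50M/50M 75M/75M" only-one=yes
/interface l2tp-server server set enabled=yes use-ipsec=yes
"""
```

Calling audit(SAMPLE) returns the findings as a list of tuples; the home-wifi and plan-premium entries produce none.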
Verification Commands
    # List all PPP profiles
    /ppp profile print
    # Show profile details
    /ppp profile print detail where name=myprofile
    # View active PPP sessions with profiles
    /ppp active print
    # Check dynamic queues from profiles
    /queue simple print where dynamic=yes
    # List hotspot user profiles
    /ip hotspot user profile print
    # View active hotspot users
    /ip hotspot active print
    # Check wireless security profiles (v6)
    /interface wireless security-profiles print
    # Check wifi security (v7)
    /interface wifi security print
Related Topics
- IP Pool - Address pools referenced by profiles
- PPPoE Server and Client - PPPoE configuration using PPP profiles
- L2TP VPN Server - L2TP VPN using PPP profiles
- Hotspot Captive Portal Setup - Hotspot configuration with user profiles
- Bandwidth Limiting with Simple Queues - Manual queue configuration
- WiFi Basic Setup - Wireless interface configuration
- RADIUS - External authentication that can override profiles
Version Notes
| Feature | Version | Notes |
|---|---|---|
| PPP interface-list property | 6.39+ | Reduces need for on-up scripts |
| WiFi security (wifiwave2) | 7.x | New /interface wifi security menu |
| WPA3 support | 7.x | Requires wifiwave2 package |
| Enhanced bridge options | 7.x | Better L2 VPN support |
Reference
Official Documentation
- MikroTik PPP AAA Documentation - PPP profiles and authentication
- MikroTik Hotspot User Profile - Hotspot user profile configuration
- MikroTik Wireless Security - Security profile settings
- MikroTik WiFi (v7) - WiFi configuration for RouterOS 7
Quick Reference Commands
    # PPP Profiles
    /ppp profile print                            # List all profiles
    /ppp profile print detail                     # Show full profile details
    /ppp profile add name=X ...                   # Create new profile
    /ppp profile set X property=value             # Modify profile
    # Hotspot User Profiles
    /ip hotspot user profile print                # List profiles
    /ip hotspot user profile add name=X ...       # Create profile
    # Wireless Security (v6)
    /interface wireless security-profiles print   # List profiles
    /interface wireless security-profiles add name=X ...
    # Wireless Security (v7)
    /interface wifi security print                # List security configs
    /interface wifi security add name=X ...       # Create security config
    # Monitoring
    /ppp active print                             # Active PPP sessions
    /ip hotspot active print                      # Active hotspot users
    /queue simple print where dynamic=yes         # Dynamic queues from profiles
Summary
Profiles centralize configuration for consistent, manageable deployments:
- PPP Profiles - Define addresses, bandwidth, and scripts for tunnel services
- Hotspot Profiles - Control session limits and bandwidth for captive portals
- Security Profiles - Configure WiFi authentication and encryption
Key points:
- Profile changes require reconnection to take effect
- Use only-one=yes explicitly to prevent multiple sessions
- Variables with hyphens need special syntax in scripts
- Rate limits create dynamic queues (check FastTrack conflicts)
- v7 uses different menu paths for WiFi security