HotSpot
HotSpot
Section titled “HotSpot”HotSpot is a built-in captive portal functionality in RouterOS that provides network access control through a web-based authentication system. It is commonly used by wireless internet service providers (WISPs), cafes, hotels, and other venues offering guest network access.
Overview
Section titled “Overview”The HotSpot system provides:
- Captive Portal — Automatic redirect of unauthenticated users to a login page
- User Authentication — Local user database or RADIUS integration
- Billing and Accounting — Time and data volume tracking
- Access Control — MAC filtering, IP binding, and session management
- Walled Garden — Unrestricted access to specific sites before login
- Customizable Login Pages — HTML-based login page with template variables
- HTTPS Login — Secure credential submission with certificate-based TLS
Use Cases
Section titled “Use Cases”- Guest WiFi in cafes, hotels, and airports
- Public wireless access points
- WISP customer authentication
- Corporate guest networks
- Paid internet access (time-based or volume-based)
How HotSpot Works
Section titled “How HotSpot Works”Authentication Flow
Section titled “Authentication Flow”- User connects to the wireless or wired guest network
- User opens a web browser and attempts to access any HTTP website
- HotSpot intercepts the request and redirects to the login page (HTTP or HTTPS)
- User enters credentials or clicks through for open access
- HotSpot validates credentials against the local user database or RADIUS server
- On successful authentication, the user is granted internet access
- Session time and data usage are tracked until logout or session timeout
Network Architecture
Section titled “Network Architecture”HotSpot operates on a dedicated interface or bridge, creating an isolated segment for guest users. The router acts as the default gateway, DNS resolver, and captive portal server for that segment.
Guest Device ── WiFi ── [br-guest] ── HotSpot Engine ── NAT ── WAN ── Internet │ Login Page (HTTP/HTTPS) DHCP Server DNS ServerConfiguration Paths
Section titled “Configuration Paths”| Feature | Command Path |
|---|---|
| HotSpot servers | /ip hotspot |
| HotSpot profiles | /ip hotspot profile |
| User management | /ip hotspot user |
| User profiles | /ip hotspot user profile |
| Active sessions | /ip hotspot active |
| Walled garden (HTTP) | /ip hotspot walled-garden |
| Walled garden (IP) | /ip hotspot walled-garden ip |
| IP bindings | /ip hotspot ip-binding |
| Hosts table | /ip hotspot host |
Complete Guest WiFi Portal Setup
Section titled “Complete Guest WiFi Portal Setup”This section covers a complete end-to-end setup for a guest WiFi captive portal.
Step 1: Create Bridge and Add WiFi Interface
Section titled “Step 1: Create Bridge and Add WiFi Interface”# Create a dedicated bridge for guest traffic/interface bridgeadd name=br-guest comment="Guest HotSpot bridge"
# Add wireless interface to guest bridge/interface bridge portadd bridge=br-guest interface=wlan1Step 2: Assign Gateway IP
Section titled “Step 2: Assign Gateway IP”/ip addressadd address=10.5.50.1/24 interface=br-guest comment="Guest gateway"Step 3: Configure DHCP
Section titled “Step 3: Configure DHCP”# Create address pool/ip pooladd name=pool-guest ranges=10.5.50.10-10.5.50.254
# Create DHCP server/ip dhcp-serveradd name=dhcp-guest interface=br-guest address-pool=pool-guest disabled=no
# Configure network options (gateway + DNS pointing at router)/ip dhcp-server networkadd address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1Step 4: Enable DNS for Guests
Section titled “Step 4: Enable DNS for Guests”/ip dnsset allow-remote-requests=yes servers=1.1.1.1,8.8.8.8Step 5: Run the HotSpot Setup Wizard
Section titled “Step 5: Run the HotSpot Setup Wizard”The wizard creates the HotSpot server, hotspot IP pool (if needed), and an initial local user:
/ip hotspot setupThe wizard prompts for:
| Prompt | Example Answer |
|---|---|
| HotSpot interface | br-guest |
| Local address of network | 10.5.50.1/24 |
| Masquerade network | yes |
| Address pool of network | 10.5.50.10-10.5.50.254 |
| Select certificate | none (or choose existing cert for HTTPS) |
| Select SMTP server | 0.0.0.0 |
| DNS servers | 1.1.1.1 |
| DNS name | login.example.com |
| Create local HotSpot user | admin / password |
The wizard automatically creates:
- A HotSpot server on the specified interface
- DHCP server (if not already present)
- Firewall NAT masquerade rule for the HotSpot subnet
- Walled garden entries for the login page itself
Step 6: Configure NAT for Internet Access
Section titled “Step 6: Configure NAT for Internet Access”If not created by the wizard, add a masquerade rule manually:
/ip firewall natadd chain=srcnat action=masquerade out-interface-list=WAN \ comment="Guest HotSpot internet access"Step 7: Verify the Setup
Section titled “Step 7: Verify the Setup”# Check HotSpot server is running/ip hotspot print
# Check DHCP leases/ip dhcp-server lease print where server=dhcp-guest
# Check hosts detected by HotSpot/ip hotspot host print
# Check active authenticated sessions/ip hotspot active print
# Check NAT rule hit count/ip firewall nat print stats where chain=srcnatExpected behavior: a guest device connects to the WiFi, gets a 10.5.50.x DHCP lease, any HTTP request is intercepted and redirected to the login page, and after successful login internet access works.
HTTPS Redirect and Certificate Requirements
Section titled “HTTPS Redirect and Certificate Requirements”By default, HotSpot redirects HTTP traffic to the login page. To enable HTTPS for the login page (so credentials are encrypted in transit), you must assign a certificate to the HotSpot profile.
Why HTTPS Matters
Section titled “Why HTTPS Matters”Without HTTPS, login credentials are submitted in plain text over the local network. Using HTTPS encrypts the form submission. Note that HotSpot cannot intercept HTTPS destinations transparently — browsers enforce TLS trust and will show certificate errors if the original HTTPS site’s cert doesn’t match. Only HTTP requests trigger smooth captive portal redirects; HTTPS interception requires the browser to accept a trust exception.
Create a Self-Signed Certificate
Section titled “Create a Self-Signed Certificate”For internal or low-security deployments, a self-signed certificate is sufficient (browsers will show a trust warning):
# Create CA certificate/certificateadd name=hotspot-ca common-name="HotSpot CA" key-size=2048 \ days-valid=3650 key-usage=key-cert-sign,crl-sign
# Sign CA certificate/certificate sign hotspot-ca
# Create server certificate for the login hostname/certificateadd name=hotspot-cert common-name=login.example.com key-size=2048 \ days-valid=730 subject-alt-name=IP:10.5.50.1,DNS:login.example.com
# Sign server certificate with the CA/certificate sign hotspot-cert ca=hotspot-caImport a Trusted Certificate
Section titled “Import a Trusted Certificate”For production deployments, import a certificate signed by a public CA (e.g., Let’s Encrypt):
# Upload certificate files via FTP or drag-and-drop in WinBox Files view# Then import:/certificate import file-name=hotspot.crt passphrase=""/certificate import file-name=hotspot.key passphrase=""Assign Certificate to HotSpot Profile
Section titled “Assign Certificate to HotSpot Profile”/ip hotspot profileset [find name=hsprof1] ssl-certificate=hotspot-cert login-by=httpsKey profile parameters for HTTPS:
| Parameter | Description |
|---|---|
ssl-certificate | Certificate to use for HTTPS login page |
login-by | Authentication methods: cookie, http-chap, http-pap, https, mac, trial |
User Management
Section titled “User Management”Local Users
Section titled “Local Users”Create users in the local HotSpot user database:
# Basic user with no limits/ip hotspot user add name=guest password=guest123
# User with time limit/ip hotspot user add name=user1 password=pass123 \ profile=default limit-uptime=1h
# User with data volume limit/ip hotspot user add name=user2 password=pass456 \ profile=default limit-bytes-total=500M
# View all users/ip hotspot user print
# View active sessions/ip hotspot active printUser Profiles
Section titled “User Profiles”Profiles define resource limits and billing parameters shared across multiple users:
# Time-limited profile (1 hour sessions)/ip hotspot user profileadd name="1-hour" \ session-timeout=1h \ idle-timeout=5m \ rate-limit=5M/5M \ shared-users=1 \ add-mac-cookie=yes
# Data-limited profile (500 MB)/ip hotspot user profileadd name="500MB" \ limit-bytes-total=500M \ shared-users=5
# Premium unlimited with rate limiting/ip hotspot user profileadd name="premium" \ rate-limit="20M/20M" \ shared-users=1 \ session-timeout=0 \ idle-timeout=0Key profile parameters:
| Parameter | Description |
|---|---|
session-timeout | Maximum session duration (0 = unlimited) |
idle-timeout | Disconnect after period of inactivity |
rate-limit | Per-session bandwidth limit (rx/tx, supports burst) |
shared-users | Maximum simultaneous users sharing one credential |
limit-bytes-total | Total data cap (upload + download) |
add-mac-cookie | Enable MAC cookie to avoid re-login on same device |
on-login / on-logout | Scripts to run on session start/end |
For the complete parameter reference — including burst rate format, queue integration, firewall marks, advertise, and login scripts — see the User Profiles guide.
RADIUS Integration
Section titled “RADIUS Integration”For centralized authentication and accounting across multiple HotSpot servers, integrate with a RADIUS server.
Configure the RADIUS Client
Section titled “Configure the RADIUS Client”# Add external RADIUS server/radiusadd address=192.0.2.10 \ service=hotspot \ secret=strong-radius-secret \ authentication-port=1812 \ accounting-port=1813 \ timeout=300ms
# Optional: accounting backup to secondary server/radiusadd address=192.0.2.11 \ service=hotspot \ secret=strong-radius-secret \ authentication-port=1812 \ accounting-port=1813 \ backup=yesEnable RADIUS in HotSpot Profile
Section titled “Enable RADIUS in HotSpot Profile”/ip hotspot profileset [find name=hsprof1] \ use-radius=yes \ radius-accounting=yes \ radius-interim-update=received \ radius-mac-authentication=yesRADIUS profile parameters:
| Parameter | Description |
|---|---|
use-radius | Enable RADIUS authentication for this profile |
radius-accounting | Send RADIUS accounting packets |
radius-interim-update | When to send interim accounting updates (received, time interval) |
radius-mac-authentication | Attempt MAC-based authentication before showing login page |
radius-mac-format | Format of MAC address sent to RADIUS (e.g., XX:XX:XX:XX:XX:XX) |
radius-default-domain | Domain appended to username in Access-Request |
MikroTik RADIUS Attributes (VSAs)
Section titled “MikroTik RADIUS Attributes (VSAs)”RouterOS sends the following Mikrotik Vendor-Specific Attributes to the RADIUS server:
| Attribute | Value |
|---|---|
Mikrotik-Rate-Limit | Bandwidth limit returned by RADIUS |
Mikrotik-Group | User group assignment |
Mikrotik-Recv-Limit | Incoming data limit |
Mikrotik-Xmit-Limit | Outgoing data limit |
Mikrotik-Realm | HotSpot DNS name |
User Manager Integration
Section titled “User Manager Integration”RouterOS includes a built-in RADIUS server called User Manager. To use it for HotSpot authentication:
# Enable User Manager and point HotSpot at localhost/tool user-managerset enabled=yes
# Add RADIUS entry pointing to User Manager on localhost/radiusadd address=127.0.0.1 \ service=hotspot \ secret=um-shared-secret \ authentication-port=1812 \ accounting-port=1813
# Enable RADIUS in HotSpot profile/ip hotspot profileset [find name=hsprof1] use-radius=yes radius-accounting=yesFreeRADIUS Configuration Example
Section titled “FreeRADIUS Configuration Example”For FreeRADIUS, include the MikroTik dictionary and add a user:
guest Cleartext-Password := "guest123" Mikrotik-Rate-Limit := "10M/10M", Session-Timeout := 3600, Reply-Message := "Welcome to guest WiFi"Walled Garden
Section titled “Walled Garden”The walled garden allows unauthenticated users to reach specific destinations without logging in — useful for splash page assets, payment portals, or company websites.
RouterOS provides two rule sets: the HTTP walled garden (/ip hotspot walled-garden) for matching plain HTTP by hostname and path, and the IP walled garden (/ip hotspot walled-garden ip) for L3/L4 matching that covers HTTPS and any protocol.
# HTTP: allow a domain (plain HTTP only)/ip hotspot walled-gardenadd dst-host=*.example.com action=allow comment="Company site"
# IP: allow HTTPS destination by IP/ip hotspot walled-garden ipadd dst-address=192.0.2.50 action=accept comment="Payment gateway"For full coverage of walled garden parameters, wildcard matching, OS captive portal detection, and dynamic RADIUS-based rules, see the Walled Garden guide.
IP Bindings
Section titled “IP Bindings”IP bindings control how specific MAC or IP addresses are handled by HotSpot:
# Bypass authentication for a known device (printer, IP phone)/ip hotspot ip-bindingadd mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="Office printer"
# Block a specific client permanently/ip hotspot ip-bindingadd address=10.5.50.100 type=blocked comment="Abusive device"
# Register a static IP to a specific user/ip hotspot ip-bindingadd address=10.5.50.50 mac-address=11:22:33:44:55:66 user=staff type=regular| Binding Type | Behavior |
|---|---|
bypassed | Skip HotSpot authentication entirely |
blocked | Deny all access |
regular | Standard HotSpot behavior |
Customizing Login Pages
Section titled “Customizing Login Pages”HotSpot login pages are HTML files stored in a directory on the router filesystem.
Default Login Page Files
Section titled “Default Login Page Files”After setup, HotSpot creates a set of HTML templates:
| File | Purpose |
|---|---|
login.html | Main login form |
logout.html | Logout page |
status.html | Session status page |
alogin.html | Redirect page after login |
error.html | Authentication error page |
rlogin.html | Redirect to original URL after login |
Uploading Custom Pages
Section titled “Uploading Custom Pages”Upload custom HTML files to the router using WinBox (drag-and-drop into Files view), FTP, or SCP:
# Upload via SCP
# Or use the router's FTP serverftp 192.168.1.1put login.html /hotspot/login.htmlThen point the HotSpot profile to the custom directory:
/ip hotspot profileset [find name=hsprof1] html-directory-override=/hotspotTemplate Variables
Section titled “Template Variables”HotSpot substitutes these variables in HTML templates at render time:
| Variable | Description |
|---|---|
$(link-login) | Login form action URL |
$(link-login-only) | Login URL without original destination |
$(link-orig) | Original URL the user was trying to access |
$(link-logout) | Logout URL |
$(link-status) | Status page URL |
$(username) | Authenticated username (on status/logout pages) |
$(ip) | Client IP address |
$(mac) | Client MAC address |
$(chap-id) | CHAP challenge ID (for HTTP-CHAP logins) |
$(chap-challenge) | CHAP challenge value |
$(session-time-left) | Remaining session time |
$(bytes-in) | Bytes downloaded in this session |
$(bytes-out) | Bytes uploaded in this session |
Example Login Form (HTTP-CHAP)
Section titled “Example Login Form (HTTP-CHAP)”HTTP-CHAP hashes the password client-side before sending, providing some protection even over plain HTTP:
<form name="login" action="$(link-login)" method="post"> <input type="hidden" name="dst" value="$(link-orig)"> <input type="hidden" name="popup" value="true"> <table> <tr><td>Username:</td><td><input type="text" name="username"></td></tr> <tr><td>Password:</td><td><input type="password" name="password" id="password"></td></tr> <tr><td colspan="2"><input type="submit" value="Log In"></td></tr> </table></form>Trial Access and One-Click Login
Section titled “Trial Access and One-Click Login”Trial access grants unauthenticated clients a time-limited internet session without entering credentials. This is useful for coffee shops, hotel lobbies, or any venue where a frictionless “click to connect” experience is preferred.
How Trial Works
Section titled “How Trial Works”- Client connects to the HotSpot network
- Browser is redirected to the login page
- Login page shows a “click here for free access” link (via
$(trial)variable) - Client clicks the link — HotSpot logs them in automatically as a trial user
- After the trial period expires, the client is returned to the login page and must register or pay
Configure the Trial User Profile
Section titled “Configure the Trial User Profile”Create a dedicated profile with appropriate limits for trial users:
/ip hotspot user profileadd name=trial \ rate-limit=1M/1M \ session-timeout=30m \ idle-timeout=5m \ shared-users=1 \ add-mac-cookie=noEnable Trial in the HotSpot Server Profile
Section titled “Enable Trial in the HotSpot Server Profile”/ip hotspot profileset [find name=hsprof1] \ trial-uptime-limit=30m \ trial-user-profile=trial \ login-by=http-chap,cookie,trial| Parameter | Description |
|---|---|
trial-uptime-limit | Maximum trial session duration (e.g. 30m, 1h). Set 0 to disable trial. |
trial-user-profile | Profile applied to trial sessions (controls rate limit, timeouts) |
login-by | Must include trial to make the trial link available |
Add the Trial Link to the Login Page
Section titled “Add the Trial Link to the Login Page”RouterOS renders the $(trial) variable as a one-click login URL. Wrap it in $(if trial) so it only appears when trial is available:
<form name="login" action="$(link-login)" method="post"> <input type="hidden" name="dst" value="$(link-orig)"> <input type="hidden" name="popup" value="true"> <table> <tr><td>Username:</td><td><input type="text" name="username"></td></tr> <tr><td>Password:</td><td><input type="password" name="password"></td></tr> <tr><td colspan="2"><input type="submit" value="Log In"></td></tr> </table></form>$(if trial)<p><a href="$(trial)">Click here for 30 minutes of free access — no login required</a></p>$(endif)Per-MAC Trial Tracking
Section titled “Per-MAC Trial Tracking”RouterOS tracks trial usage by client MAC address. After a MAC exhausts its trial period, the $(trial) link is hidden on subsequent visits. RouterOS creates auto-generated entries in /ip hotspot user prefixed with T- (for trial) to track used MACs.
To view or reset trial users:
# List trial user entries/ip hotspot user print where name~"^T-"
# Remove a specific trial entry to allow a retry/ip hotspot user remove [find name="T-AA:BB:CC:DD:EE:FF"]
# Remove all expired trial entries/ip hotspot user remove [find name~"^T-"]Note: Removing a trial entry allows the same MAC to get trial access again. This is a support tool — use carefully in commercial deployments.
Security Considerations
Section titled “Security Considerations”MAC Cookie
Section titled “MAC Cookie”MAC cookies remember authenticated devices to avoid repeated logins on reconnect. Enable per profile:
/ip hotspot user profileset default add-mac-cookie=yes mac-cookie-timeout=3dRate Limiting
Section titled “Rate Limiting”Apply per-user bandwidth limits to prevent abuse:
# Per-user rate limit in user profile/ip hotspot user profileadd name=limited rate-limit="2M/5M"
# Override rate limit for specific user/ip hotspot userset [find name=vip] rate-limit="20M/20M"Isolate Guest Traffic from LAN
Section titled “Isolate Guest Traffic from LAN”Prevent guest users from accessing the internal LAN:
/ip firewall filteradd chain=forward in-interface=br-guest out-interface=!ether1-WAN \ action=drop comment="Block guests from LAN"Troubleshooting
Section titled “Troubleshooting”Common Issues
Section titled “Common Issues”Users not redirected to login page
- Verify the HotSpot server is running on the correct interface:
/ip hotspot print - Confirm the client received a DHCP lease from the hotspot range
- Check that DNS resolves (client must be able to make a DNS request that triggers redirect)
- Verify no firewall rules are blocking traffic before HotSpot processes it
RADIUS authentication failing
- Test connectivity:
/tool ping address=<radius-server> - Verify the shared secret matches on both sides
- Check RADIUS logs on the server for rejected requests
- Confirm the RADIUS server is listening on the expected ports
HTTPS login certificate errors
- Ensure
ssl-certificateis set in the HotSpot profile - Verify the certificate CN or SAN matches the HotSpot DNS name (
/ip hotspot profile print) - For self-signed certs, users must manually accept the trust exception in their browser
- Import the CA certificate into browsers or use a public CA for seamless experience
Users getting logged out frequently
- Increase
idle-timeoutin user profile:/ip hotspot user profile set default idle-timeout=30m - Check for IP address changes (DHCP lease expiry shorter than session timeout)
- Review
session-timeoutin profile
MAC cookie not working after reconnect
- Ensure
add-mac-cookie=yesin the user profile - Check
mac-cookie-timeoutis long enough - Verify the client IP doesn’t change between sessions
Debug Commands
Section titled “Debug Commands”# View HotSpot server status/ip hotspot print
# View all active authenticated sessions/ip hotspot active print detail
# View HotSpot host table (all detected clients)/ip hotspot host print
# View HotSpot-related log messages/log print topic=hotspot
# View user statistics/ip hotspot user print stats
# Test RADIUS reachability/tool ping 192.0.2.10
# Check certificate details/certificate print detail where name=hotspot-certRelated Documentation
Section titled “Related Documentation”- Walled Garden — Pre-authentication access rules, HTTPS destinations, OS captive portal detection
- User Profiles — Session limits, bandwidth policies, queue integration, and login scripts
- RADIUS Integration — Centralised authentication, accounting, MAC auth, VSAs, and FreeRADIUS examples
- Wireless Interface — WiFi access point configuration
- CAPsMAN — Centralized wireless management
- RADIUS — RADIUS client configuration
- Firewall Filter — Network filtering
- Certificates — Certificate management