User Profiles
HotSpot user profiles define the policy applied to a group of users: session duration, bandwidth limits, quota, MAC cookie behaviour, queue integration, and login/logout hooks. Each user references a profile; users without an explicit profile assignment use the default profile.
Profile vs. Per-User Settings
Most limits can be set at the profile level (shared across many users) or overridden at the individual user level:
| Setting | Profile Path | Per-User Override |
|---|---|---|
| Session timeout | session-timeout | — |
| Idle timeout | idle-timeout | — |
| Rate limit | rate-limit | rate-limit on user |
| Data quota | limit-bytes-* | limit-bytes-*, limit-uptime on user |
| Shared users | shared-users | — |
| MAC cookie | add-mac-cookie | — |
When both a profile and a per-user value are set, the per-user value takes precedence.
Creating and Assigning Profiles
```
# Create a profile
/ip hotspot user profile
add name=standard \
    session-timeout=8h \
    idle-timeout=30m \
    rate-limit=5M/10M \
    shared-users=1 \
    add-mac-cookie=yes

# Assign a user to the profile
/ip hotspot user
add name=alice password=secret123 profile=standard
```
Session Control Parameters
| Parameter | Description | Default |
|---|---|---|
| session-timeout | Maximum session duration. Session ends after this time and user must re-authenticate. 0 = unlimited. | 0 |
| idle-timeout | Disconnect after this period of inactivity (no data flowing). 0 = never disconnect for inactivity. | 0 |
| keepalive-timeout | How long to keep an idle session open while the keepalive mechanism is running. | 2m |
```
# 8-hour daily session with 20-minute idle cutoff
/ip hotspot user profile
add name=daily \
    session-timeout=8h \
    idle-timeout=20m \
    keepalive-timeout=2m
```
Bandwidth Limiting
The rate-limit parameter controls per-session upload and download speed using RouterOS’s queue rate-limit syntax.
Rate Limit Format
```
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] rx-burst-threshold[/tx-burst-threshold] rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]
```
- rx = download (from client’s perspective: bytes arriving at the client)
- tx = upload (bytes leaving the client)
- Rates are specified as numbers with a suffix: k (kilobits), M (megabits), G (gigabits)
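The format above as a parser, an added example in Python that is not part of the original page or of RouterOS: it checks a rate-limit string against the grammar exactly as written here before the value is pushed to a router. The decimal k/M/G multipliers, the 1..8 priority range, the rule that a missing tx half repeats rx, and the two sanity checks are assumptions of this example.

```python
import re

# Decimal multipliers for the k/M/G suffixes (assumed: rates are in bits per second).
UNITS = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _rate(tok):
    m = re.fullmatch(r"(\d+)([kMG]?)", tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def _seconds(tok):
    m = re.fullmatch(r"(\d+)s?", tok)
    if not m:
        raise ValueError(f"bad burst time {tok!r}")
    return int(m.group(1))


def _pair(tok, conv):
    # "rx[/tx]": when the tx half is omitted, the rx value is used for both (assumption).
    rx, sep, tx = tok.partition("/")
    return conv(rx), conv(tx if sep else rx)


def parse_rate_limit(value):
    """Return the fields of a rate-limit string as (rx, tx) tuples."""
    toks = value.split()
    if len(toks) not in (1, 4, 5, 6):
        raise ValueError("expected rate alone, or rate plus burst rate, threshold and time")
    out = {"rate": _pair(toks[0], _rate)}
    if len(toks) >= 4:
        out["burst_rate"] = _pair(toks[1], _rate)
        out["burst_threshold"] = _pair(toks[2], _rate)
        out["burst_time"] = _pair(toks[3], _seconds)
        # Sanity check added for this example: a burst below the sustained rate is a typo.
        if any(b < r for b, r in zip(out["burst_rate"], out["rate"])):
            raise ValueError("burst rate is lower than the sustained rate")
    if len(toks) >= 5:
        out["priority"] = int(toks[4])
        if not 1 <= out["priority"] <= 8:
            raise ValueError("priority must be 1..8")
    if len(toks) == 6:
        out["rate_min"] = _pair(toks[5], _rate)
        # Sanity check added for this example: the guaranteed rate cannot exceed the limit.
        if any(lo > r for lo, r in zip(out["rate_min"], out["rate"])):
            raise ValueError("minimum rate exceeds the sustained rate")
    return out
```

Running it over every rate-limit value in an export before deployment catches a dropped burst field or a swapped suffix, which would otherwise leave a profile with a limit nobody intended.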
Examples
```
# 5 Mbps download, 2 Mbps upload
rate-limit=5M/2M

# 10 Mbps symmetric
rate-limit=10M/10M

# Burst: up to 20M/10M while the 10-second average stays below the 1M/512k threshold, then sustain at 5M/2M
rate-limit="5M/2M 20M/10M 1M/512k 10s"

# With minimum guaranteed rate (RouterOS 7 PCQ)
rate-limit="5M/2M 10M/5M 1M/512k 10s 8 1M/512k"
```
Per-User Override
```
# Override rate limit for a specific user (ignores profile value)
/ip hotspot user
set [find name=vip] rate-limit=50M/20M
```
Data Quotas
Quotas track cumulative data transfer and disconnect the user when the limit is reached.
| Parameter | Description |
|---|---|
| limit-bytes-in | Maximum bytes the user may download |
| limit-bytes-out | Maximum bytes the user may upload |
| limit-bytes-total | Combined download + upload limit |
| limit-uptime | Maximum cumulative session time (across all sessions) |
```
# 1 GB total data quota
/ip hotspot user profile
add name=quota-1gb limit-bytes-total=1073741824

# Using unit suffixes (RouterOS 7)
/ip hotspot user profile
add name=quota-500mb limit-bytes-total=500M

# Per-user override with a tighter time limit
/ip hotspot user
add name=guest1 profile=standard limit-uptime=2h limit-bytes-total=200M
```
Shared Users
shared-users controls how many devices can authenticate simultaneously using the same credentials.
```
# One device at a time (enforce single-session)
/ip hotspot user profile
add name=single shared-users=1

# Up to 5 devices (e.g., family plan)
/ip hotspot user profile
add name=family shared-users=5

# Unlimited concurrent sessions
/ip hotspot user profile
add name=open shared-users=unlimited
```
When shared-users=1 and a second device attempts to log in with the same credentials, the first session is disconnected.
MAC Cookie
MAC cookies allow a device to reconnect to HotSpot without entering credentials again, identified by its MAC address.
| Parameter | Description | Default |
|---|---|---|
| add-mac-cookie | Enable MAC cookie for sessions in this profile | yes |
| mac-cookie-timeout | How long the cookie is valid after the session ends | 3d |
```
/ip hotspot user profile
add name=standard \
    add-mac-cookie=yes \
    mac-cookie-timeout=7d
```
When a client reconnects within the cookie validity window, HotSpot authenticates it automatically without showing the login page.
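An added example, not part of the original page or of MikroTik's tooling: a Python audit that computes each profile's effective MAC-cookie lifetime from a configuration export, applying the defaults from the table above so that profiles which never mention the cookie are still counted. The sample export is constructed (abridged from profiles shown on this page), and the maximum window passed to `over_policy` is a hypothetical site policy value.

```python
import re

# Defaults from the MAC Cookie table on this page.
DEFAULTS = {"add-mac-cookie": "yes", "mac-cookie-timeout": "3d"}
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample export; profile values are abridged from examples on this page.
SAMPLE_EXPORT = r"""
/ip hotspot user profile
add name=guest-free session-timeout=2h shared-users=1 \
    add-mac-cookie=yes mac-cookie-timeout=1d
add name=voucher-1gb limit-bytes-total=1073741824 add-mac-cookie=no
add name=premium shared-users=3 add-mac-cookie=yes mac-cookie-timeout=30d
add name=daily session-timeout=8h idle-timeout=20m
/ip hotspot user
add name=guest1 profile=daily limit-uptime=2h
"""


def seconds(value):
    """Convert a duration such as 30m, 7d or 1d12h to seconds."""
    parts = re.findall(r"(\d+)([wdhms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def mac_cookie_windows(export):
    """Map each profile name to its effective MAC-cookie lifetime in seconds (0 = disabled)."""
    windows, menu = {}, ""
    # Join "\" line continuations first so every add command is one line.
    for line in re.sub(r"\\[ \t]*\n\s*", " ", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # remember which menu the following add lines belong to
        elif menu == "/ip hotspot user profile" and line.startswith("add "):
            cfg = {**DEFAULTS, **dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))}
            enabled = cfg["add-mac-cookie"] == "yes"
            windows[cfg["name"]] = seconds(cfg["mac-cookie-timeout"]) if enabled else 0
    return windows


def over_policy(export, max_window):
    """Names of profiles whose cookie outlives max_window (a site policy value you choose)."""
    limit = seconds(max_window)
    return [name for name, w in mac_cookie_windows(export).items() if w > limit]


if __name__ == "__main__":
    print(mac_cookie_windows(SAMPLE_EXPORT))
    print(over_policy(SAMPLE_EXPORT, "2d"))
```

With a two-day policy the `daily` profile is reported alongside `premium`: it sets neither cookie parameter, so it inherits the enabled 3d default.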
Status Page Behaviour
open-status-page controls whether and when the session status page is shown to the user after login.
| Value | Behaviour |
|---|---|
| always | Always open status page after login |
| never | Never open status page |
| http-login | Open status page only if login was over HTTP (not HTTPS) |
```
/ip hotspot user profile
add name=standard open-status-page=http-login
```
Trial Access
Trial mode grants unauthenticated users limited free access before requiring login.
| Parameter | Description |
|---|---|
| trial-uptime | How long trial access lasts (e.g., 10m) |
| trial-user-limit | Max simultaneous trial users (per server) |
| trial-uptime-limit | Alternative per-user trial uptime cap |
```
# 10-minute trial, up to 20 simultaneous trial users
/ip hotspot user profile
add name=default \
    trial-uptime=10m \
    trial-user-limit=20
```
Trial users are tracked by MAC address. After the trial expires, they are redirected to the login page.
Address Pool
Assign a separate IP pool to users in a profile:
```
/ip pool
add name=pool-premium ranges=10.5.50.200-10.5.50.230

/ip hotspot user profile
add name=premium address-pool=pool-premium
```
This is useful for assigning different subnets to different user tiers (e.g., to apply different firewall policies by subnet).
Queue Integration
HotSpot creates a per-session simple queue for rate limiting. You can integrate sessions into a PCQ or HTB parent queue for fair sharing across all hotspot users.
| Parameter | Description |
|---|---|
| parent-queue | Name of the parent queue to attach the per-session queue to |
| queue-type | Queue type to use for the session queue (e.g., pcq-download-default) |
```
# Create a parent queue that caps total guest bandwidth
/queue simple
add name=hs-total max-limit=100M/50M target=br-guest

# Assign sessions to the parent queue
/ip hotspot user profile
add name=standard \
    rate-limit=5M/2M \
    parent-queue=hs-total
```
Firewall Mark Integration
HotSpot can apply packet marks to authenticated sessions, enabling policy routing, QoS, or traffic accounting in the firewall and mangle chains.
| Parameter | Description |
|---|---|
| incoming-packet-mark | Mark applied to packets arriving from the client |
| outgoing-packet-mark | Mark applied to packets leaving toward the client |
```
/ip hotspot user profile
add name=premium \
    incoming-packet-mark=hs-premium-in \
    outgoing-packet-mark=hs-premium-out

# Use marks in mangle/QoS rules
/ip firewall mangle
add chain=forward packet-mark=hs-premium-in action=set-priority new-priority=1 \
    comment="Prioritize premium upload traffic"
```
Firewall Chain Integration
Route authenticated session traffic through custom firewall chains for per-profile filtering:
| Parameter | Description |
|---|---|
| incoming-filter | Firewall filter chain name applied to incoming (client upload) traffic |
| outgoing-filter | Firewall filter chain name applied to outgoing (client download) traffic |
```
# Create a custom chain
/ip firewall filter
add chain=hs-guest-in action=drop protocol=tcp dst-port=25 \
    comment="Block SMTP from guests"

# Apply chain to profile
/ip hotspot user profile
add name=guest incoming-filter=hs-guest-in
```
Transparent Proxy
Enable transparent HTTP proxy for sessions in this profile:
```
/ip hotspot user profile
add name=standard transparent-proxy=yes
```
When enabled, HTTP traffic from authenticated users is redirected to the router’s web proxy. Requires /ip proxy to be enabled and configured.
Login and Logout Scripts
Run RouterOS scripts automatically when a user logs in or out:
| Parameter | Description |
|---|---|
| on-login | Script name or inline script to execute on session start |
| on-logout | Script name or inline script to execute on session end |
Scripts receive the following environment variables:
| Variable | Description |
|---|---|
| username | HotSpot username |
| mac | Client MAC address |
| ip | Client IP address |
| server | HotSpot server name |
| session-id | Unique session identifier |
| timeout | Session timeout value |
| limit-uptime | User’s uptime limit |
```
# Log login events to a file
/system script
add name=hs-on-login source={
    /log info message=("HotSpot login: " . $username . " from " . $ip)
}

# Apply the script to a profile
/ip hotspot user profile
add name=standard on-login=hs-on-login
```
Advertise (Ad Injection)
The advertise feature periodically opens a new browser window on authenticated clients to display an advertisement or notification page.
| Parameter | Description | Default |
|---|---|---|
| advertise | Enable advertisement injection | no |
| advertise-url | URL to open for the advertisement | — |
| advertise-interval | How often to show the advertisement | — |
| advertise-timeout | How long the ad window stays open | — |
```
/ip hotspot user profile
add name=free-tier \
    advertise=yes \
    advertise-url=http://ads.example.com/hotspot-ad \
    advertise-interval=30m \
    advertise-timeout=30s
```
Complete Profile Examples
Free Guest (Time-Limited)
```
/ip hotspot user profile
add name=guest-free \
    session-timeout=2h \
    idle-timeout=15m \
    rate-limit=2M/5M \
    shared-users=1 \
    add-mac-cookie=yes \
    mac-cookie-timeout=1d \
    open-status-page=http-login \
    trial-uptime=10m \
    trial-user-limit=50
```
Paid Voucher (Data Quota)
```
/ip hotspot user profile
add name=voucher-1gb \
    rate-limit=10M/10M \
    limit-bytes-total=1073741824 \
    shared-users=1 \
    add-mac-cookie=no \
    session-timeout=24h
```
Premium (Unlimited, High Speed)
```
/ip hotspot user profile
add name=premium \
    rate-limit=50M/20M \
    shared-users=3 \
    add-mac-cookie=yes \
    mac-cookie-timeout=30d \
    session-timeout=0 \
    idle-timeout=0 \
    open-status-page=never
```
Staff (Bypass via IP Binding)
For staff devices that should bypass authentication entirely, use an IP binding rather than a user profile:
```
/ip hotspot ip-binding
add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="Staff laptop"
```
Managing Users
```
# View all users and their profiles
/ip hotspot user print

# View user statistics (bytes, uptime)
/ip hotspot user print stats

# Reset counters for a user
/ip hotspot user reset-counters [find name=alice]

# Disconnect an active session
/ip hotspot active remove [find user=alice]

# View active sessions
/ip hotspot active print detail
```
Related Documentation
- HotSpot Overview — Complete HotSpot setup guide
- Walled Garden — Pre-authentication access rules
- RADIUS Integration — Centralized user management