Configure RouterOS and Setup Test Lab


Sections: Prepare | Configure Hotspot | Other Authentication Method (PPPoE) | Test Lab
Introduction
  • Congratulations! Automated authentication is a powerful way to streamline operations for rapid growth and easy management. This guide walks you through setting up your Mikrotiks to talk to the Visp.net RADIUS servers. It’s actually quite easy.
  • To get started with Hotspot Authentication add or import the subscribers that you want to automatically authenticate into UBO and be sure their packages are activated and paid up.
  • You can also easily test your configuration with an active, paid up test account added to UBO.
  • Winbox can connect to your MikroTik via layer 2 (MAC address). For that to work, the machine running Winbox must be able to see the router’s layer-2 traffic (same broadcast domain).

Download Winbox

Initial Setup
  • If you’re using a new Mikrotik router, we recommend resetting the device to remove the preinstalled configuration as it contains settings you will probably not need.
  • To have your MikroTik assign an IP from an upstream DHCP server, go to IP > DHCP Client > add > select wan-facing interface (e.g. eth1)
  • To setup your MikroTik’s static IP, go to IP > addresses > add a static ip address to wan-facing interface (e.g. eth1)
  • To add a default route if you have a static IP on eth1 rather than dhcp, go to IP > Routes > add
  • You may want to upgrade your RouterOS to the latest version from mikrotik.com (Optional)
Making a Backup
We suggest that you make a backup of your current configuration. Go to Files > Backup, then click to back up your current configs to a file. Optionally drag-and-drop the new backup file to your desktop to save it locally.
Hotspot
To setup your Hotspot, go to (1) IP > (2) Hotspot > (3) Servers > (4) Hotspot Setup

  • Interface: choose the (LAN) interface that faces your subscribers (Eg. Eth6).

  • Local Address of Network – accept default or modify (if you use public IPs, see Variation 1 below)

  • Address pool of Network – accept default or modify (if you use public IPs, see Variation 1 below)

  • Select Certificate – select ‘none’

  • IP Address of SMTP Server – accept default (usually 0.0.0.0)

  • DNS Servers – set 2 available dns servers (if unknown, enter: 8.8.8.8 and 8.8.4.4)

  • DNS Name – leave it blank

  • Local Hotspot User – Change this username and password to something unique and secure

  • Hotspot Server – Double-click on the new hotspot server that is created (usually named ‘hotspot1’) and perform the following steps:
    a. On the Address Pool option, select ‘none’ from the drop down (reason: addresses are assigned by DHCP, so this setting is redundant and can cause issues).
    b. Set the login-timeout to five minutes (00:50:00). This is the period after which, if the device has not authenticated with the server, its entry is deleted from the host table; the cycle repeats until the device authenticates.
    c. Click the Reset HTML button on the right and confirm by clicking Yes.

Server Profiles
Go to IP > Hotspot > Server Profiles tab. Edit the server profile created in the last step (by default named hsprof1) by double clicking on it:
1. Click RADIUS
2. Select ‘Use Radius’
3. Ensure ‘Accounting’ is checked
4. NAS Port Type = 19 Wireless.
5. Click the Login tab.
6. Check MAC, HTTP CHAP, HTTP PAP, uncheck Cookie
7. Enter ‘visp’ (no quotes) as MAC Auth Password

User Profiles
Go to IP > Hotspot > User Profiles
1. Double-click the default user profile

2. If the ‘Keepalive Timeout’ option has a value in it, click the up-arrow to the right of it to disable the Keep alive timeout.

3. BE SURE THAT THE ADD MAC COOKIE OPTION IS UNCHECKED

4. Choose the Scripts tab and paste the following line into the On Logout section: /ip hotspot host remove [find where address="$address" and !authorized and !bypassed]

IP Bindings (Optional)
Go to IP > Hotspot > IP Bindings.
IP Binding lets you set up static one-to-one NAT translations, bypass specific HotSpot clients without any authentication, and block particular hosts and subnets from the HotSpot network.
To authenticate Subscribers only within the Hotspot network
1. MAC Address should be default
2. Add the Hotspot network address on the address box
3. Set server = all
4. Set type = regular
To bypass specific subnet (Management IPs)
1. MAC Address should be default
2. Add the network address on the address box
3. Set server = all
4. Set type = bypassed
To block unwanted hosts/subnets from HotSpot network (Eliminating Unwanted Traffic)
1. Add the MAC address of device (optional)
2. Enter the quad-zero address with a /0 prefix (0.0.0.0/0) in the Address line
3. Set server = all
4. Set type = blocked
5. Note: Make sure the blocked rule is the last entry in the list. Placed at the top, it blocks all traffic, including authenticated subscribers.
Walled Garden IP List
Go to IP > Hotspot > Walled Garden IP List tab. This section configures the Mikrotik to allow the subscriber to signup, pay their bills, and login to the service.
1. Add (+ symbol)
2. Action > accept
3. Set Dst. Host: ocsp.godaddy.com
4. Add another the same way with Dst Host: secure7.userservices.net
5. Add another the same way with Dst Host: wlogin.userservices.net
Queues
Go to Queues (left menu)
1. Select the Queue Types tab, and then double-click the default-small queue to open it.

2. Change the default-small queue Kind value to ‘red’ and leave the default settings. The “best” queue type is sometimes subjective, but the general rule is that RED is better because its design and algorithm work well with a smaller set of aggregate flows. SFQ, on the other hand, works extremely well when you have lots of “flows” that all aggregate into a single queue. For that reason we also recommend sfq as the default-small queue type if you are seeing issues with red; it all depends on your setup.

Files
Go to Files (left menu).
1. Download this login.html file to your desktop. (right-click on login.html and choose ‘save as’ or ‘save link as’)
2. Edit the login.html file with notepad or an html editor. Replace the value “yourisp.com” with your primary domain name as setup with visp.net. Save your edits. “yourisp.com” must match our database exactly for captive portal to work!
3. Drag the login.html file from your desktop into the hotspot folder on the file listing. Refer to the video below for instructions:

DNS Settings
Go to IP > DNS > Settings.

  • Enter two available DNS servers such as Google’s public DNS at 8.8.8.8 and 8.8.4.4.
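The Winbox steps in the Hotspot, Server Profiles, User Profiles, IP Bindings, Walled Garden, Queues and DNS sections above, expressed as RouterOS CLI. This is an added example, not VISP’s or MikroTik’s own text. It assumes the wizard (/ip hotspot setup) has already created server ‘hotspot1’ and server profile ‘hsprof1’ on subscriber interface ether6 with the 10.5.50.0/24 network; the management range 192.0.2.0/24 is a placeholder for your own.

```routeros
# Added example: CLI equivalent of the Winbox hotspot steps. Assumptions:
# server "hotspot1", server profile "hsprof1", subscriber network 10.5.50.0/24,
# management range 192.0.2.0/24 (placeholder). Run /ip hotspot setup first.

# 1. Hotspot server: no address pool (DHCP assigns addresses), the five-minute
#    login timeout described in the text, then reset the stock HTML so the
#    VISP login.html can be uploaded to the hotspot directory afterwards.
/ip hotspot set [find name="hotspot1"] address-pool=none login-timeout=5m
/ip hotspot reset-html [find name="hotspot1"]

# 2. Server profile: RADIUS auth + accounting, NAS-Port-Type 19 (wireless-802.11),
#    MAC / HTTP CHAP / HTTP PAP login with cookies off, MAC auth password "visp".
/ip hotspot profile set [find name="hsprof1"] use-radius=yes radius-accounting=yes \
    nas-port-type=wireless-802.11 login-by=mac,http-chap,http-pap \
    mac-auth-password=visp

# 3. Default user profile: no keepalive timeout, no MAC cookie, and the on-logout
#    script from the page. "$address" is escaped so the hotspot, not the terminal
#    you are typing into, expands it at logout time.
/ip hotspot user profile set [find name="default"] keepalive-timeout=none \
    add-mac-cookie=no \
    on-logout="/ip hotspot host remove [find where address=\"\$address\" and !authorized and !bypassed]"

# 4. IP bindings: regular for the subscriber network, bypassed for management,
#    and a final catch-all block. Order matters: the blocked entry must be last.
/ip hotspot ip-binding add address=10.5.50.0/24 server=all type=regular comment="subscribers"
/ip hotspot ip-binding add address=192.0.2.0/24 server=all type=bypassed comment="management (placeholder)"
/ip hotspot ip-binding add address=0.0.0.0/0 server=all type=blocked comment="everything else"

# 5. Walled garden: hosts a subscriber may reach before logging in
#    (certificate status, signup/billing, portal).
/ip hotspot walled-garden ip add action=accept dst-host=ocsp.godaddy.com server=all
/ip hotspot walled-garden ip add action=accept dst-host=secure7.userservices.net server=all
/ip hotspot walled-garden ip add action=accept dst-host=wlogin.userservices.net server=all

# 6. Queue type and resolver.
/queue type set [find name="default-small"] kind=red
/ip dns set servers=8.8.8.8,8.8.4.4

# Checks: confirm the profile took effect and watch hosts move from
# unauthorized to authorized as a test client logs in.
/ip hotspot profile print detail where name="hsprof1"
/ip hotspot host print
```

The blocked 0.0.0.0/0 binding is added last on purpose; if you later insert bindings, use the Winbox drag order or the move command so it stays at the bottom.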

Instructions for RADIUS Setup
Primary RADIUS
This section configures your Primary Radius client on the Mikrotik to communicate with the VISP radius servers. Click Radius (left) and click (+) symbol to add a radius server.
  1. Under General tab, select Hotspot for Service (you may select PPP, for PPPoE service)
  2. Address: 52.89.100.186
  3. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net, or from UBO click the Support Site icon, third from the right in the UBO button bar.
  4. Auth port: 1645
  5. Acct port: 1646
  6. Timeout: 5000ms
  7. Realm: yourdomain.ext (e.g. ubodemo.com)


Secondary RADIUS
  • The following are the steps to add your Secondary Radius server:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. Select Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.33.139.28
  5. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net, or from UBO click the Support Site icon, third from the right in the UBO button bar.
  6. Auth port: 1645
  7. Acct port: 1646
  8. Modify the timeout value to 5000ms
  9. Realm should display your account domain
  10. Click OK to save settings.

The Mikrotik will sometimes display the hotspot in red, implying that it is not running, after it is added to the bridge. This is easily cured by going to the IP / Hotspot / Servers tab, right-clicking the server and choosing Disable, then right-clicking again and choosing Enable.
Backup RADIUS
  • Here are the steps for adding your Backup Radius server. Select an available backup IP, based on the category below:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. Select Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.11.200.62 (AWS Radius. Or select one below)
    • Google Cloud RADIUS
      • 104.197.99.33 – 15MB/10MB
      • 23.236.57.151 – 10MB/5MB
      • 104.197.22.129 – 5MB/3MB
      • 104.197.14.68 – Unlimited
  5. Secret: (to be provided via Secure Note. For those who are upgrading to the new RADIUS setup, please coordinate with the Sys Admins for your new secret key)
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. You may leave the realm blank
  10. Click OK to save settings.
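The primary, secondary and backup RADIUS client entries above as RouterOS CLI, plus the disable/enable bounce for a hotspot shown in red. This is an added example, not VISP’s own text; the secrets are placeholders (take the real values from support.visp.net or the Secure Note), the realm ubodemo.com is the page’s example domain, and for a PPPoE server you use service=ppp instead of service=hotspot.

```routeros
# Added example: RADIUS clients for the VISP servers listed on the page.
# Secrets are placeholders. timeout=5s is the 5000 ms on the page.
/radius add service=hotspot address=52.89.100.186 secret="REPLACE_WITH_VISP_SECRET" \
    authentication-port=1645 accounting-port=1646 timeout=5s realm=ubodemo.com \
    comment="primary"
/radius add service=hotspot address=52.33.139.28 secret="REPLACE_WITH_VISP_SECRET" \
    authentication-port=1645 accounting-port=1646 timeout=5s realm=ubodemo.com \
    comment="secondary"
# Backup entry: realm left blank as the page allows; ports as assigned by visp.net.
/radius add service=hotspot address=52.11.200.62 secret="REPLACE_WITH_BACKUP_SECRET" \
    authentication-port=1645 accounting-port=1646 timeout=5s \
    comment="backup (AWS)"

# Hotspot server shown in red after being added to a bridge: bounce it.
/ip hotspot disable [find name="hotspot1"]
/ip hotspot enable [find name="hotspot1"]

# Checks: review the entries (secrets are not printed) and watch request,
# accept, reject and timeout counters while a test subscriber logs in.
/radius print detail
/radius monitor [find comment="primary"] once
```

A steadily rising timeout counter on the primary with zero accepts usually means the secret or the source address the RADIUS server expects does not match; accounting-port and authentication-port must match the ports VISP assigned.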


Optional Configuration
Customize Login Page (Optional)
The login.html page stored in your Mikrotik router redirects subscribers to your wireless_login_template. This page is created for you by default and stored on Visp’s servers locally. You may want to add your logo and/or additional info to this page. For adding your logo, simply email your logo to support@visp.net and our team will add this for you. To customize it further, download the following template to your desktop: wireless_login_template.html (right-click on file and choose ‘save as’) The file can be edited in any html editor or notepad.

Be sure to replace ‘yourdomain.com’ in the links above with the ISP domain you have registered with visp.net. When finished editing, email the file to support@visp.net.

Here is an example of what the finished product can look like: http://wlogin.userservices.net/_templates/ultimateispdemo.com.php
Tower Location ID (Optional)
  • To support specific packages unique to certain locations, you can use UBO’s Location ID feature.
  • First add the location ID to the login.html file on your mikrotik: <input type="hidden" name="location_id" value="">
  • From UBO, click File > Settings (or ISP Configuration in version 6.x) > Billing > Packages > then select or create a new wireless package(s) as desired.
  • Select the wireless Package > Options (the gear icon): Check Signup Server and select Wireless.

  1. Login to support.visp.net. Navigate to your ISP portal configuration. Click Edit Details for Wireless Packages.
    • Create your short term hotspot packages and include the location ID, or modify your monthly packages with the location ID
    • Add the location ID from step one and descriptions as desired.


Other Settings
  • Setup NTP for Automatic Time Synchronization. This will keep your logs and timestamps accurate on the Mikrotik.
    • Go to System > NTP Client
    • Click Enabled, Mode = unicast, Primary NTP Server = 192.43.244.18
    • Go to System, Clock, and select the proper timezone

  • Create User Accounts. This is a good idea for security. The default login is ‘admin’ with no password; without this step anybody who can reach the router can log in and take it over.
    1. Go to System > Users
    2. Add a new user with full privileges. Set a secure password
    3. Add any additional users for employees who need access to the router
    4. Disable standard admin account.

  • Firewall Unnecessary Ports. This protects standard targeted ports from potential denial of service and hack attempts. Add a new rule with the following settings. All other settings are default.
  1. Go to IP > Firewall > Filter Rules tab > add (+ symbol)
  2. Chain: input
  3. Protocol: 6(tcp)
  4. Dst Port: 21
  5. Action tab > Action: drop
  6. Click OK to save
  7. Repeat steps for ports 22, 23, 80
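The three Other Settings items above (NTP, user accounts, firewalling the management ports) as RouterOS CLI. This is an added example, not VISP’s own text. The user name netops, the password and the management subnet 192.0.2.0/24 are placeholders; the accept rule for that subnet goes beyond the page, which only lists the drop rules, and is there so the drops do not lock you out. The NTP line uses the RouterOS v6 client syntax that matches the Winbox fields described.

```routeros
# Added example: NTP, admin accounts and input-chain drops. Placeholders:
# "netops", the password, the time zone and the 192.0.2.0/24 management range.

# NTP client (v6 syntax matching the Winbox fields; v7 uses "servers=")
/system ntp client set enabled=yes mode=unicast primary-ntp=192.43.244.18
/system clock set time-zone-name=America/Los_Angeles

# Named full-rights user first, then disable the password-less default admin.
# Log in as the new user and confirm it works BEFORE disabling admin.
/user add name=netops group=full password="REPLACE_WITH_STRONG_PASSWORD"
/user disable admin

# Input chain: keep management reachable from your own range, then drop the
# exposed ports the page lists (21, 22, 23, 80). RouterOS accepts a port
# list, so one rule covers all four. Rules are evaluated top to bottom, so
# the accept is added before the drop.
/ip firewall filter add chain=input src-address=192.0.2.0/24 action=accept \
    comment="management access (placeholder range)"
/ip firewall filter add chain=input protocol=tcp dst-port=21,22,23,80 action=drop \
    comment="drop ftp/ssh/telnet/http from everywhere else"

# Checks: which services are actually listening, and rule hit counters.
/ip service print
/ip firewall filter print stats
```

If /ip service print shows ftp or telnet enabled, consider disabling them there as well; a dropped port that is also not listening is two layers of protection rather than one.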

  • Variations
    • Distribute public IPs via DHCP rather than NAT’d IPs. When creating the hotspot, and asked for “Local Address of Network”, select the IP address and prefix of your public network. For example, if you have a class C of public IPs that begin with 222.222.222.0, the local address of network would likely be 222.222.222.1/24. This should match the public IP assigned to the ethernet or wireless interface. Ensure “Masquerade Network” is un-checked.
      • For the address pool of network, specify an IP range consistent with your block of available IPs. This is usually automatically determined and pre-filled by the Mikrotik.
    • Subscriber equipment is configured with static IPs (DHCP disabled on CPE/SM equipment). Follow the same directions above as if you distribute public IPs. Static IPs will not request address space. If no equipment will ever need DHCP support, you can also disable the DHCP server.
    • Distribute static public IPs via radius (DHCP enabled on CPE/SM equipment). Follow the primary directions including assigning a private IP pool. Radius will then instruct the Mikrotik at authentication time to route the public IP to the subscriber.
    • More than one interface to enable authentication on. Repeat the steps above for Authentication setup, and when prompted for an interface during the hotspot setup wizard, choose the new interface from the list. When enabling multiple interfaces, you can either have all your interfaces bridged to one IP range, or you will need different IP ranges for each interface.
    • Host the login page directly on the Mikrotik router. Caution! Doing this can cause subscribers to sometimes see the login screen even when they are successfully authenticated by MAC. This is a bug in Mikrotik that as of now has not been repaired. This method also prohibits the login page from displaying a specific reason why the subscriber cannot connect, such as when their bill is overdue.
      • To host the login page on the Mikrotik, follow all the standard instructions above, only skip the section dealing with the login.html file. Instead, download the login.html file from the Files menu on the Mikrotik, modify it to your preference, and re-upload that file to the Mikrotik hotspot directory.
These instructions assume that you have a new Mikrotik with little to no existing configuration. These instructions specify certain IP ranges which are commonly used; however, you can replace the IP ranges referenced below with your own custom ranges if you wish. Likewise, if you have a pre-existing PPPoE setup, you can skip all steps that you have already completed.

Note: If you are already using a Hotspot Authentication method, you will no longer need to set this up on your Mikrotik.
Save a Backup
We suggest you make a backup of your current configuration

  • Go to Files > Backup, then click to backup your current configs to file.  Optionally drag-and-drop the new backup file to your desktop to save it locally.

Note that PPPoE does not allow for the optimal captive portal experience.

Configure IP / Addresses
  • Add ip address 10.5.50.1/24 on the customer facing interface.  This range will be used as the gateway IP for active subscribers.
  • Add ip address 10.254.254.1/24 on the customer facing interface.  This range will be used for routing suspended subscribers.
Configure IP Pools
  • Setup a pool containing IP addresses you wish to assign to subscribers.  Name the pool “pppoe-pool” and set the addresses to 10.5.50.2-10.5.50.254 (this will support up to 253 subscribers – expand the pool if you are servicing more subscribers from this PPPoE server).
  • Setup a second pool.  Name the pool “suspended”, with an address range of 10.254.254.2-10.254.254.254.
Configure PPP
  • Click the PPPoE Servers tab and add a new server with the following settings
    • Name: ppp-visp
    • Interface: select your subscriber facing interface
    • Default Profile: default-encryption
    • Authentication: check PAP & CHAP, un-check mschap1 & mschap2
  • Click the Secrets tab
  • Click the “PPP Authentication & Accounting” button, check Use Radius & Accounting, choose OK.
  • Click the Profiles tab and edit the default-encryption profile
    • Local address: 10.5.50.1
    • Remote Address: pppoe-pool
    • DNS Server: 8.8.8.8 & 8.8.4.4 (or use your own)
Configure IP / Firewall
  • On the Address Lists tab, create a new address list with the following settings:
    • Name: suspended
    • Address:  10.254.254.2-10.254.254.254
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Protocol: 17 (udp)
    • General / Dst Port: 53
    • Advanced / Src Address List: suspended
    • Action / Action: accept
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Dst Address: 52.32.157.119
    • General / Protocol: 6 (tcp)
    • General / Dst Port: 80,443
    • Advanced / Src Address List: suspended
    • Action / Action: accept
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • Advanced / Src Address List: suspended
    • Action / Action: drop
Configure IP / Firewall / NAT
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: srcnat
    • General / Src Address: 10.5.50.0/24
    • Action / Action: masquerade
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: srcnat
    • General / Src Address: 10.254.254.0/24
    • Action / Action: masquerade
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: dstnat
    • General / Protocol: 6(tcp)
    • General / Dst Port: 80
    • Advanced / Src Address List: suspended
    • Action / Action: redirect
    • Action / To Ports: 8080
Configure IP / Web Proxy
  • On the General tab, specify the following settings:
    • Check the enabled checkbox
    • Port: 8080
  • Click the “Access” button
  • Add a Web Proxy Access rule with the following settings:
    • Dst Address: 52.32.157.119
    • Action: allow
  • Add another access rule:
    • Action: deny
    • Redirect To: wlogin.userservices.net/redir.php?isp=yourispdomain.com
      (replace yourispdomain.com with your ISP’s domain as registered with VISP.NET)
Configure Queues
  • Select the Queue Types tab, and then double-click the default-small queue to open it.
  • Change the default-small queue Kind value to ‘sfq’ and leave the default settings.
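The PPPoE build-out above (addresses, pools, PPP server and profile, suspended-subscriber firewall and NAT rules, web proxy, queue type) as one RouterOS CLI sequence. This is an added example, not VISP’s own text. It assumes the subscriber-facing interface is ether6 (placeholder) and that yourispdomain.com is replaced with your registered domain; the RADIUS client entries themselves are configured as in the RADIUS section, with service=ppp.

```routeros
# Added example: PPPoE configuration from the steps above. Assumption: the
# subscriber-facing interface is ether6; yourispdomain.com is a placeholder.

# IP / Addresses
/ip address add address=10.5.50.1/24 interface=ether6 comment="active subscriber gateway"
/ip address add address=10.254.254.1/24 interface=ether6 comment="suspended subscribers"

# IP / Pools (pppoe-pool supports 253 subscribers as described)
/ip pool add name=pppoe-pool ranges=10.5.50.2-10.5.50.254
/ip pool add name=suspended ranges=10.254.254.2-10.254.254.254

# PPP: profile, PPPoE server (PAP and CHAP only), RADIUS auth + accounting
/ppp profile set [find name="default-encryption"] local-address=10.5.50.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8,8.8.4.4
/interface pppoe-server server add name=ppp-visp interface=ether6 \
    default-profile=default-encryption authentication=pap,chap disabled=no
/ppp aaa set use-radius=yes accounting=yes

# IP / Firewall: suspended subscribers may resolve names and reach the
# VISP portal host; everything else they send through the router is dropped.
/ip firewall address-list add list=suspended address=10.254.254.2-10.254.254.254
/ip firewall filter add chain=forward protocol=udp dst-port=53 \
    src-address-list=suspended action=accept comment="suspended: DNS"
/ip firewall filter add chain=forward protocol=tcp dst-address=52.32.157.119 \
    dst-port=80,443 src-address-list=suspended action=accept comment="suspended: portal"
/ip firewall filter add chain=forward src-address-list=suspended action=drop \
    comment="suspended: drop the rest"

# IP / Firewall / NAT: masquerade both ranges; push suspended HTTP to the proxy
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 action=masquerade
/ip firewall nat add chain=srcnat src-address=10.254.254.0/24 action=masquerade
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
    src-address-list=suspended action=redirect to-ports=8080

# IP / Web Proxy: allow the portal host, redirect everything else to the
# suspended-account page (only plain HTTP can be redirected this way)
/ip proxy set enabled=yes port=8080
/ip proxy access add dst-address=52.32.157.119 action=allow
/ip proxy access add action=deny \
    redirect-to="wlogin.userservices.net/redir.php?isp=yourispdomain.com"

# Queues
/queue type set [find name="default-small"] kind=sfq

# Checks: sessions and the address RADIUS handed each one; a suspended
# account should land in 10.254.254.0/24 and hit the drop rule's counter.
/ppp active print
/ip firewall filter print stats where comment~"suspended"
```

Because the filter rules are appended in order, the two accepts land above the drop; if you add them in Winbox in a different order, drag the drop rule below the accepts.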

Instructions for RADIUS Setup
Primary RADIUS
This section configures your Primary Radius client on the Mikrotik to communicate with the VISP radius servers. Click Radius (left) and click (+) symbol to add a radius server.
  1. Under General tab, select Hotspot for Service (you may select PPP, for PPPoE service)
  2. Address: (ip assigned by visp.net)
  3. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net, or from UBO click the Support Site icon, third from the right in the UBO button bar.
  4. Acct port: 1646 or port assigned by visp.net
  5. Timeout: 5000ms
  6. Realm: yourdomain.ext (e.g. ubodemo.com)


Secondary RADIUS
  • The following are the steps to add your Secondary Radius server:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. Select Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.33.139.28
  5. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net, or from UBO click the Support Site icon, third from the right in the UBO button bar.
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. Realm should display your account domain
  10. Click OK to save settings.

The Mikrotik will sometimes display the hotspot in red, implying that it is not running, after it is added to the bridge. This is easily cured by going to the IP / Hotspot / Servers tab, right-clicking the server and choosing Disable, then right-clicking again and choosing Enable.
Backup RADIUS
  • Here are the steps for adding your Backup Radius server. Select an available backup IP, based on the category below:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. Select Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.11.200.62 (AWS Radius. Or select one below)
    • Google Cloud RADIUS
      • 104.197.99.33 – 15MB/10MB
      • 23.236.57.151 – 10MB/5MB
      • 104.197.22.129 – 5MB/3MB
      • 104.197.14.68 – Unlimited
  5. Secret: (to be provided via Secure Note. For those who are upgrading to the new RADIUS setup, please coordinate with the Sys Admins for your new secret key)
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. You may leave the realm blank
  10. Click OK to save settings.


Important
  • We highly recommend starting a test bench first. Once the network has been configured and is running as you expect, you may gradually move into production, starting on the site with the least number of subscribers. Don’t have subscribers yet? You can start a test bench or setup the head-end routers on your live network.
  • In order for the System Administrators to assist you better, please provide a brief diagram or documentation about your network or your expected network setup. Send to sysadmin@visp.net.


You will need the following for your test bench

  • Head-end Router (Mikrotik, Peplink, Cisco)
  • Access Point (AP)
  • Customer Premises Equipment (CPE)
  • Desktop, laptop or mobile device
  • Home Router (Optional)

Note: The VISP RADIUS communicates with most head-end routers; however, Mikrotik also allows you to use the Captive Portal functionality.

Splash Page
These are the possible reasons a subscriber would be unable to get the captive portal page, after you’ve installed and setup the CPE and then connected it to the AP or Tower:
  • The subscriber is trying to open an HTTPs version of a website. Ask the subscriber to open a Non-HTTPs website like CNN.com or Speedtest.net
  • wlogin.userservices.net is not added to the Walled Garden IP list
  • Subscriber’s IP address is blocked in the IP binding rule. On this same page, go to Configure Hotspot > IP Bindings (Optional)
Authentication Test
  • Let’s start by activating a service for your demo account in the UBO software. Proceed to the Packages tab.


  • Click on the Add button, and then select a service or package for your account.


  • Add a username and password to the service. Click on the Activate button when you’re done.


  • If you’re using PPPoE, then the next step may not apply to you. Connect a device (laptop or phone) to your network and try connecting to the internet. If you see a Captive Portal page open requiring you to input a username and password, you have successfully connected to the RADIUS. You may now log in using the username and password you added in the Wireless service.


Speed Testing
To determine that you are getting at least 80% of the speed that you have configured in the Wireless service of your (demo) account, you may take the average from any of the following speed test apps available below:

Reauthentication
  • The first time your subscribers authenticate through the network, their MAC address is automatically captured by the RADIUS and displayed in the software.


    • The same MAC address is used by the RADIUS to re-authenticate the device between 12AM and 3AM Pacific Time.
    • Changes to the account of the subscriber (upgrade, downgrade, suspensions, etc.) automatically happen during the reauthentication time.
    • You may manually re-authenticate a subscriber by removing their MAC address in the software, and then booting them off from the Mikrotik router.
    • To change an already authenticated device (replacing CPEs, etc.), all you need to do is remove the MAC address from the software and then boot them off from the Mikrotik.


Assigning Static IPs
  • To assign a static IP, first you must activate the Subnet Mask field from the Packages node in the ISP Settings page.


  • Next, add the Subnet mask in the Wireless node in the Packages tab (e.g. 255.255.255.0).


  • Lastly, assign a public IP address under the Devices subnode in the packages tab. Save the changes when done.
