Webinar topic: Mikrotik Hotspot
Presenter: Achmad Mardiansyah
In this webinar series, we are discussing the Mikrotik Hotspot
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube channel, and Telegram
The recording is available on Youtube
https://youtu.be/CX1STkMY3zQ
4. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: training, IT consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events
Trainer introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2021 (Congo DRC, Malaysia): network support, radius/billing integration
● 2020 (Congo DRC, Malaysia): IoT integration, network automation
● 2019, Congo (DRC): build a wireless ISP from the ground up
● 2018, Malaysia: network revamp, develop a billing solution and its integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
About the GLC webinar
● First webinar: January 1, 2010 (title: "tahun baru bersama solaris" - new year with the Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, databases, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Check the schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing knowledge, experiences, and information
Prerequisites
● This presentation assumes some prerequisite knowledge
● We assume you already know:
○ How HTTP and a browser work
○ Computer networks
○ How the Mikrotik firewall works, especially NAT
○ How to configure a Mikrotik device
The 7 OSI layers & protocols
● The OSI model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information (an envelope, an address) to get your message to its destination. In networking this process is called encapsulation: each layer wraps the data handed down from the layer above with its own header.
● What is a protocol?
○ A set of rules for communication
○ Defined for each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (the payload received from the layer above, before this layer's header is added)
○ PDU: protocol data unit (the SDU plus this layer's header; it becomes the SDU of the layer below)
In the early days of the internet (1990s)
● Most computer communication used the layer 3 protocol (Internet Protocol, IPv4)
● CIDR (classless inter-domain routing) replaced classful addressing -> no more class A, B, C
● A registry (IANA and, later, the regional internet registries) allocated blocks of IP addresses
● The internet was booming -> IPv4 addresses were running out!
● NAT was born
RFC 1631 - The IP Network Address Translator (NAT)
● With NAT, IP addresses are divided into 2 groups:
○ Private IP addresses (the ranges later reserved by RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
○ Public IP addresses
● Private IP addresses are translated to public IP addresses on the way out, and back again on the way in
● A router that supports NAT keeps a mapping of IP address and port for every translated connection (the NAT table, built from connection tracking)
However, NAT is not good...
● It is not scalable, even with the boxes sold as "carrier-grade NAT" (CGNAT): every translated connection needs state in the router, and many subscribers end up sharing a few public addresses
● Some applications do not work behind NAT: online games (Xbox, Steam), VoIP, security protocols that authenticate the IP header (IPsec AH), and anything that embeds addresses in its payload or needs inbound connections
● Don't use NAT inside your local network -> use a routing protocol instead
● NAT was never designed to be a permanent solution
Ultimate solution:
USE IPv6!!!
On which layer does a (traditional) firewall work?
● Every firewall inspects traffic between segments by IP address → layer 3
● Some firewalls track connections and match on TCP/UDP ports → layer 4 (a stateful firewall)
● Some firewalls filter inside a segment, on a bridge, by MAC address → layer 2 (on Mikrotik: /interface bridge filter)
● See the encapsulation process above
What is the Mikrotik firewall?
● A feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets and connections for further processing (mangle)
● Built on the Linux kernel's netfilter (the same engine behind iptables)
● A rule consists of 2 parts: matcher & action
● Rules are executed sequentially, top to bottom; the first matching rule with a terminating action (accept, drop, reject, ...) decides the packet's fate
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. web browsing → TCP ports 80 and 443, plus UDP 443 for HTTP/3 over QUIC)
How does the firewall work?
● Set up a matcher -> then an action
● Mikrotik has lots of matcher options (addresses, ports, interfaces, connection state, address lists, layer 7, ...) -> very flexible
● Matcher + action = firewall rule
● Rules are executed sequentially, so order matters: put the most specific rules and the ones hit most often (e.g. established/related) first
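The matcher + action idea and the effect of rule order, as an added example written for this page (not configuration from the slides), in RouterOS v6 CLI syntax. The interface names ether1-wan and bridge-lan, the address-list name mgmt and the 192.0.2.0/24 admin network are assumptions.

```routeros
# Added example, not from the slides. Interface names, the "mgmt" list and its
# network are assumptions; adjust to your router.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="admin networks allowed to reach the router"

/ip firewall filter
# Rules are read top to bottom; the first accept/drop that matches ends the chain.
# 1. Fast path for traffic that is already allowed. connection-state comes from
#    connection tracking (layer 4 state), which is what makes this a stateful firewall.
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input connection-state=invalid action=drop comment="packets that belong to no known connection"
# 2. Management only from the mgmt list.
#    matcher = in-interface + protocol + dst-port + src-address-list, action = accept
add chain=input in-interface=ether1-wan protocol=tcp dst-port=22,8291 src-address-list=mgmt \
    action=accept comment="ssh/winbox from mgmt only"
# 3. Everything else arriving on the WAN for the router itself is dropped.
#    Placed above rule 2 this would lock you out: order matters.
add chain=input in-interface=ether1-wan action=drop comment="default deny on WAN"

# Traffic forwarded through the router (LAN <-> WAN)
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-lan out-interface=ether1-wan action=accept comment="LAN may go out"
# Inbound from the WAN is only allowed when a dst-nat rule explicitly created the mapping.
add chain=forward in-interface=ether1-wan connection-nat-state=!dstnat action=drop \
    comment="WAN may only reach hosts that were dst-nat'ed on purpose"

# Check the order and the hit counters after some traffic has passed
/ip firewall filter print stats
```

The `print stats` output is the quickest way to see sequential evaluation in practice: a rule placed below a broader one that already matched the traffic shows zero packets.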
Mikrotik firewall NAT
Do not get confused!! Look at the packet flow diagram:
● chain=srcnat is evaluated at postrouting (after the routing decision, on the way out, so the outgoing interface is known)
● chain=dstnat is evaluated at prerouting (before the routing decision, on the way in, so the translated destination is what gets routed)
Do not confuse the chains with the NAT actions:
● src-nat (and masquerade, which is src-nat to whatever address the outgoing interface currently has)
● dst-nat (and redirect, which is dst-nat to the router itself; this is what the hotspot uses to catch the login request)
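The two NAT chains and the four NAT actions side by side, as an added example for this page (not configuration from the slides), in RouterOS v6 CLI syntax. The public address 203.0.113.10, the internal web server 10.5.50.20, the hotspot subnet 10.5.50.0/24 and the interface names are assumptions.

```routeros
# Added example, not from the slides. Addresses and interface names are assumptions.
/ip firewall nat
# chain=srcnat runs at POSTROUTING: the routing decision is done, out-interface is known.
# src-nat = translate to a fixed public address. Specific rule first, because the
# masquerade rule below would otherwise match this subnet as well.
add chain=srcnat src-address=10.5.50.0/24 out-interface=ether1-wan action=src-nat \
    to-addresses=203.0.113.10 comment="hotspot subnet always leaves as 203.0.113.10"
# masquerade = src-nat to the address the out-interface has right now (dynamic WAN IPs)
add chain=srcnat out-interface=ether1-wan action=masquerade comment="everything else hides behind the WAN address"

# chain=dstnat runs at PREROUTING: the packet is rewritten before it is routed.
# dst-nat = port-forward to an internal host. This exposes the host, so the forward
# chain should only accept connection-nat-state=dstnat traffic from the WAN.
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=8443 action=dst-nat \
    to-addresses=10.5.50.20 to-ports=443 comment="8443 on the WAN -> internal web server"
# redirect = dst-nat to the router itself. Shown by hand here; a hotspot server adds
# equivalent dynamic rules for DNS and HTTP of unauthenticated clients.
add chain=dstnat in-interface=bridge-hotspot protocol=udp dst-port=53 action=redirect \
    to-ports=53 comment="clients must use the router's DNS"

# The address+port mapping the slides describe is the connection tracking table:
# reply-dst-address / reply-src-address show the translated side of each connection.
/ip firewall connection print detail
```

Because srcnat is evaluated after routing, a rule there can match on out-interface but changing the destination there would be too late; that is why dst-nat and redirect live in the dstnat chain.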
What is the Mikrotik hotspot?
● Provides authentication of clients at the application layer (layer 7, a web login) before they get access to public networks
● Based on the browser on the client side (a captive portal)
● Works reliably on IPv4
● Relies heavily on firewall NAT (dynamic redirect rules send unauthenticated HTTP to the login page)
● Not available for IPv6 (the NAT-based redirection the hotspot depends on has no IPv6 counterpart)
How does the Mikrotik hotspot work?
● The client gets an IP address (DHCP)
● Mikrotik redirects the client's first HTTP request to the captive portal (a dynamic dst-nat redirect rule; DNS from unauthenticated clients is typically intercepted as well)
● The user authenticates on the login page
● The client is recorded as an authenticated host (by MAC address and IP, and optionally a browser cookie so it can log in again without the form)
● The user continues browsing
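The five steps above as one complete configuration, written as an added example for this page (not configuration from the slides), in RouterOS v6 CLI syntax. The bridge name, the 10.5.50.0/24 subnet, the DNS name login.example.net, the certificate name login-cert and the guest account are assumptions.

```routeros
# Added example, not from the slides. Interface, subnet, dns-name, certificate and
# user names are assumptions.
/interface bridge add name=bridge-hotspot
/ip address add address=10.5.50.1/24 interface=bridge-hotspot
/ip pool add name=hs-pool ranges=10.5.50.10-10.5.50.254

# Step 1: the client gets an IP address
/ip dhcp-server add name=hs-dhcp interface=bridge-hotspot address-pool=hs-pool lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
/ip dns set allow-remote-requests=yes

# Steps 2-4: the hotspot server. Creating it makes RouterOS add dynamic (D) rules in
# /ip firewall nat and /ip firewall filter that redirect HTTP from unauthenticated
# hosts to the login page and drop everything else from them.
# login-by=https with a real certificate keeps the password off the wire; http-chap only
# hashes it with a challenge and still serves the page over plain HTTP. cookie lets a
# client re-authenticate without the form for http-cookie-lifetime.
/ip hotspot profile add name=hs-prof hotspot-address=10.5.50.1 dns-name=login.example.net \
    login-by=https,cookie ssl-certificate=login-cert http-cookie-lifetime=1d use-radius=no
/ip hotspot add name=hs1 interface=bridge-hotspot address-pool=hs-pool profile=hs-prof \
    addresses-per-mac=2 disabled=no
/ip hotspot user profile add name=guest-prof shared-users=1 rate-limit=2M/10M idle-timeout=10m
/ip hotspot user add name=guest password=ChangeMe-123 profile=guest-prof

# Step 5 is the client's; what you verify on the router:
# the generated redirect/drop rules, who is logged in, and every MAC seen on the segment
/ip firewall nat print where dynamic
/ip firewall filter print where dynamic
/ip hotspot active print
/ip hotspot host print
```

The `host` table is the "user info is recorded" step: it lists every client the hotspot has seen with its MAC and IP and whether it is authorized, bypassed or still unauthenticated.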
Hotspot IP bindings
● allow setting up static one-to-one NAT translations for a host (type=regular with address and to-address)
● allow bypassing specific hotspot clients without any authentication (type=bypassed; the client is matched by MAC address and/or IP, so a host that spoofs that MAC gets the same bypass)
● allow blocking specific hosts and subnets from the hotspot network (type=blocked)
Hotspot walled garden
● permits authentication-bypass settings for HTTP and HTTPS resources (matched on dst-host, dst-port, path, method)
● Supports the * and ? wildcards in dst-host
○ *.glcnetworks.???
● Supports regex (the pattern must start with a colon ':')
● Two tables: walled-garden (matches on HTTP request attributes) and walled-garden ip (matches on IP address, protocol and port, for any kind of traffic)
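The three IP-binding types from the previous slide and the two walled-garden tables from this one, as one added example for this page (not configuration from the slides), in RouterOS v6 CLI syntax. The MAC addresses, host names, paths and IP addresses are assumptions.

```routeros
# Added example, not from the slides. MACs, hosts, paths and addresses are assumptions.
/ip hotspot ip-binding
# bypassed: a device that cannot show a login page. Matched on MAC here, so anyone who
# spoofs that MAC is bypassed too; adding address= ties it to the expected IP as well.
add mac-address=00:11:22:33:44:55 address=10.5.50.250 type=bypassed comment="lobby printer, no login"
# blocked: this range may not use the hotspot at all
add address=10.5.50.0/26 type=blocked comment="reserved range, never allowed"
# regular: static one-to-one NAT; this client always leaves as 10.5.60.7
add address=10.5.50.200 to-address=10.5.60.7 type=regular comment="fixed address for the CCTV NVR"

/ip hotspot walled-garden
# wildcards * and ?: the company site is readable before login
add dst-host=*.glcnetworks.??? action=allow comment="company site reachable before login"
# regex: the pattern starts with ':' ; a backslash in a RouterOS string is written as \\
add dst-host=":^(www\\.)?example\\.net$" action=allow
# path-based: only the terms page, not the whole host
add dst-host=portal.example.net path=/terms* action=allow
# an explicit deny placed first wins over broader allows below it (rules are checked in order)
add dst-host=*.example.net path=/admin* action=deny place-before=0

/ip hotspot walled-garden ip
# HTTPS and non-HTTP traffic: the hotspot cannot read the request, so match on IP and port
add dst-address=203.0.113.50 protocol=tcp dst-port=443 action=accept comment="payment gateway over TLS"
add dst-address=203.0.113.53 protocol=udp dst-port=123 action=accept comment="NTP"

# Confirm what an unauthenticated client can reach before you open the network
/ip hotspot walled-garden print
/ip hotspot walled-garden ip print
/ip hotspot ip-binding print
```

Keep the walled garden as small as possible: every host or address added here is reachable by anyone on the segment without credentials, and a permissive wildcard such as `*` in dst-host turns the portal into a formality.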
Hotspot issues and solutions
● Most devices do some background checking to see if they are behind a captive portal.
● The device requests a known web page and compares the contents with what it expects. If the contents differ, the device assumes there is a login page and opens a popup with it. This method does NOT ALWAYS work (the probe may be cached, answered from a walled-garden host, or not sent at all).
● To improve on this mechanism, RFC 7710 was created, allowing the hotspot to tell all DHCP clients, through a DHCP option carrying the portal URL, that they are behind a captive portal. (RFC 7710 has since been obsoleted by RFC 8910, which moved the option from code 160 to code 114; current clients look for 114.)
Tips and tricks
● Upgrade to RouterOS version 6.48 or later (supports the RFC 7710 captive-portal advertisement)
● Make sure the hotspot segment is IPv4 only (disable IPv6 on the hotspot interface, otherwise a client with IPv6 connectivity bypasses the portal entirely, since the hotspot does not enforce on IPv6)
● Use RADIUS for further processing and a scalable user database
● Use an external captive portal
● Use your programming skills to add features to the hotspot
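Advertising the portal URL to DHCP clients yourself, as an added example for this page (not configuration from the slides), in RouterOS v6 CLI syntax. It uses the long-standing DHCP option feature rather than whatever the hotspot of a given RouterOS version adds automatically, so it also works in front of an external captive portal. The URL login.example.net and the 10.5.50.0/24 network are assumptions.

```routeros
# Added example, not from the slides. Portal URL and network are assumptions.
/ip dhcp-server option
# A string option value is written as a single-quoted string inside the double quotes.
# RFC 8910 (which obsoletes RFC 7710) uses option code 114 ...
add name=captive-portal-114 code=114 value="'https://login.example.net/'"
# ... the original RFC 7710 used code 160; send both while older clients are around.
add name=captive-portal-160 code=160 value="'https://login.example.net/'"
# Attach both options to the hotspot network
/ip dhcp-server network set [find address="10.5.50.0/24"] dhcp-option=captive-portal-114,captive-portal-160

# Clients that honor the option open the URL immediately instead of probing, so the
# login host must be reachable before authentication: the hotspot allows its own
# dns-name, and an external portal needs a walled-garden entry for its address.
/ip hotspot walled-garden ip add dst-address=203.0.113.80 protocol=tcp dst-port=443 action=accept \
    comment="external portal reachable before login (address assumed)"

# Verify the option is handed out (look for 114/160 in a client's lease, or sniff a DHCP ACK)
/ip dhcp-server network print detail
/tool sniffer quick interface=bridge-hotspot port=67
```

Only advertise an https URL whose certificate the clients will trust; a client that receives the option but gets a certificate warning on the portal gives the user a worse experience than no option at all.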
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices, and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com/en/
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule
● Any questions?