Webinar topic: Mikrotik Hotspot Presenter: Achmad Mardiansyah In this webinar series, We are discussing Mikrotik Hotspot Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback Check our schedule for future events: https://www.glcnetworks.com/en/schedule/ Follow our social media for updates: Facebook, Instagram, YouTube Channel, and telegram The recording is available on Youtube https://youtu.be/CX1STkMY3zQ

1. www.glcnetworks.com
Mikrotik hotspot
GLC Webinar,
17 Jun 2021
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
1

2. www.glcnetworks.com
Agenda
● Introduction
● Review prerequisite knowledge
● Mikrotik hotspot
● Tips and trick
● Live practice
● Q & A
2

3. www.glcnetworks.com
introduction
3

4. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquity, Linux foundation
● Product: GLC radius manager
● Regular event
4

5. www.glcnetworks.com
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: bandung, Indonesia
● Linux user since 1999, mikrotik user since 2007, UBNT
2011
● Mikrotik Certified Trainer
(MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips,
asysadmin.tips
● More info:
http://au.linkedin.com/in/achmadmardiansyah
5

6. www.glcnetworks.com
Past experience
6
● 2021 (Congo DRC, Malaysia): network support,
radius/billing integration
● 2020 (Congo DRC, Malaysia): IOT integration,
network automation
● 2019, Congo (DRC): build a wireless ISP from
ground-up
● 2018, Malaysia: network revamp, develop billing
solution and integration, setup dynamic routing
● 2017, Libya (north africa): remote wireless migration
for a new Wireless ISP
● 2016, United Kingdom: workshop for wireless ISP,
migrating a bridged to routed network

7. www.glcnetworks.com
About GLC webinar?
● First webinar: january 1, 2010 (title:
tahun baru bersama solaris - new year
with solaris OS)
● As a sharing event with various topics:
linux, networking, wireless, database,
programming, etc
● Regular schedule
● Irregular schedule: as needed
● Checking schedule:
http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge,
experiences, information
7

8. www.glcnetworks.com
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
8

9. www.glcnetworks.com
Prerequisite
● This presentation some prerequisite knowledge
● We assume you already know:
○ How HTTP/browser works
○ Computer networks
○ How mikrotik firewall works, especially NAT
○ Configure mikrotik device
9

10. www.glcnetworks.com
Review prerequisite knowledge
10

11. www.glcnetworks.com
7 OSI layer & protocol
11
● OSI layer Is a conceptual model from ISO
(International Standard Organization) for project
OSI (Open System Interconnection)
● When you send a message with a courier, you
need to add more info to get your message arrived
at the destination (This process is called
encapsulation)
● What is protocol
○ Is a set of rules for communication
○ Available on each layer
● Communication consist of series encapsulation
○ SDU: service data unit (before PDU)
○ PDU: protocol data unit (after header is added)

12. www.glcnetworks.com
Layered model (TCP/IP vs ISO) and encapsulation
12
/ datagram

13. www.glcnetworks.com
Layer 4 header (which one is TCP?)
13

14. www.glcnetworks.com
Layer 3 header (which one is IPv4?)
14

15. www.glcnetworks.com
Ethernet header (which is the MTU?)
15

16. www.glcnetworks.com
802.11 header
16

17. www.glcnetworks.com
Did you notice?
● There is a big overhead on encapsulation process
● More encapsulation means less payload?
17

18. www.glcnetworks.com
HUB, switch, router, firewall
18

19. www.glcnetworks.com
Network Address Translation (NAT)
19

20. www.glcnetworks.com
At early stage of internet… (1990s)
● Most of computer’s communication is using layer 3 protocol (Internet Protocol
- IP)
● The use of CIDR (classless interdomain routing) -> no class A, B C
● There was a body that registers blocks of IP address
● Internet was booming -> IP address was running out !!!
● NAT was born
20

21. www.glcnetworks.com
RFC1631 - Network
Address Translator
● With NAT, IP address now is
divided into 2 groups:
○ Private IP address
○ Public IP address
● Private IP address will be translated
to public IP address
● Router that supports NAT will do
mapping of IP address and port
21

22. www.glcnetworks.com
Mapping between private IP to public IP
22
Source:
wikimedia.org

23. www.glcnetworks.com
Mapping public IP and port to private IP
23
Source:
wikimedia.org

24. www.glcnetworks.com
24
Source:
wikimedia.org

25. www.glcnetworks.com
However, NAT is not good….
● Its not scalable. even with the box that is so called “carrier grade NAT”
● Some applications do not work under NATed environment: Online game
(xbox, steam), voip, security, etc
● Dont use NAT on your local network -> use routing protocol instead
● NAT is not designed to be permanent solution
Ultimate Solution:
USE IPv6 !!!
25

26. www.glcnetworks.com
Mikrotik firewall
26

27. www.glcnetworks.com
On which layer does the (traditional)
Firewall works?
27
● All firewall inspect traffic between segment → layer
3
● Some firewall supports tracking → layer 4
● Some firewall support inside-segment filtering →
layer 2
● See the encapsulation process before

28. www.glcnetworks.com
What is Mikrotik firewall?
● Is a feature to
○ Control network access (filter)
○ Modify network header (NAT)
○ Marking packet for further processing (mangle)
● Developed from linux
● Consist of 2 parts: matcher & action
● Executed sequentially
● Netadmin must understand the application’s characteristics in order to build a
matcher (e.g. browsing → using TCP/UDP port 80,443)
28

29. www.glcnetworks.com
How firewall works?
● Setup matcher -> then action
● Mikrotik has lots of options for matcher
-> very flexible
● Matcher + Action = Firewall rule
● Rule is executed sequentially
29

30. www.glcnetworks.com
30
Where the packet
is processed?
A: see packet flow
Note: ipsec is removed in this
diagram

31. www.glcnetworks.com
31
31
What's the
difference between
forward and input?
FORWARD
INPUT

32. www.glcnetworks.com
Mikrotik firewall NAT
Do not get confused!! See packet flow
● Chain=Srcnat -> postrouting
● Chain=dstnat -> prerouting
Do not get confused with NAT action
● Src-nat
● dst-nat
32

33. www.glcnetworks.com
Mikrotik hotspot
33

34. www.glcnetworks.com
What is mikrotik hotspot
● Provides authentication (layer 7) for clients
before access to public networks
● Based on browser at client side
● Work reliably on IPv4
● Relies heavily on Firewall NAT
● Not available for IPv6 (not NAT on IPv6)
34

35. www.glcnetworks.com
How mikrotik hotspot works?
● Client gets IP address
● Mikrotik redirect request to captive portal
● User do authentication
● User info is recorded (MAC address / browser
cookies)
● User continue browsing
35

36. www.glcnetworks.com
Hotspot server profile
● Is used to define how the hotspot
server “behave”
36

37. www.glcnetworks.com
Hotspot server
● Is used to define the interface where the
server is listening on
● Define where the captive-portal will be
appeared
37

38. www.glcnetworks.com
Hotspot user profile
● Define user rights
● Classify customer
38

39. www.glcnetworks.com
Hotspot user
● Its a database of users
● Authentication information
● Define limit of user
39

40. www.glcnetworks.com
Hotspot IP bindings
● allows to setup static One-to-One
NAT translations
● allows to bypass specific HotSpot
clients without any authentication
● allows to block specific hosts and
subnets from HotSpot network
40

41. www.glcnetworks.com
Hotspot walled-garden
● permits authentication bypass settings for
HTTP and HTTPs resources.
● Supports * and ? properties.
○ *.glcnetworks.???
● Support regex (should start with a colon (':'))
● Can be walled-garden or walled-garden IP
41

42. www.glcnetworks.com
Hotspot issues and solution
● Most devices, do some background checking
to see if they are behind a captive portal.
● Device requesting a known webpage and
comparing the contents of that page. If
contents are different, the device assumes
there is a login page, and creates a popup
with this login page. This method is NOT
ALWAYS works
● To improve on this mechanism, RFC 7710
was created. allowing the HotSpot to inform
all DHCP clients that they are behind a
captive-portal
42

43. www.glcnetworks.com
Tips trick
43

44. www.glcnetworks.com
Tips and trick
● Upgrade to ROS version 6.48 (supports RFC7710)
● Make sure it is on IPv4 only
● Use radius for further processing dan scalable database
● Use external captive portal
● Use your programming skill to add features on hotspot
44

45. www.glcnetworks.com
LIVE practice
45

46. www.glcnetworks.com
preparation
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
46

47. www.glcnetworks.com
Q & A
47

48. www.glcnetworks.com
Interested? Just come to our training...
● Topics are arranged in systematic and logical way
● You will learn from experienced teacher
● Not only learn the materials, but also sharing experiences, best-practices, and
networking
48

49. www.glcnetworks.com
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further event on our website : https://www.glcnetworks.com/en/
● Like our facebook page: https://www.facebook.com/glcnetworks
● Slide: https://www.slideshare.net/glcnetworks/
● Recording (youtube): https://www.youtube.com/c/GLCNetworks
● Stay tune with our schedule
● Any questions?
49