Sunday, July 22, 2007

Mikrotik Hotspot Advantages/Limitations

I have been looking at various Hotspot router software offerings for several months. I wanted a more flexible system than NoCatAuth, one that could incorporate three NIC ports and that did not depend exclusively on remote authentication. The Mikrotik system was one of my first attractions, but after weeks of frustrated effort in March, I found that the Mikrotik HOTSPOT software would not work with the external stand-alone wireless Access Points I wanted to be able to use. In late May, I got an email from Mikrotik saying that the system would now work on hardware other than the expensive routers. I have tested the new version 2.7.4 software, and it seems to have everything I have been looking for, at a reasonable price.

Mikrotik is a software company in Latvia that has been developing its version of a Linux router since about 1995. In 2002, they first offered a WiFi Hotspot capability which operated with specific internal (to the Linux computer) wireless cards and a few APs. By mid-2003, this range had expanded to allow working with a wide range of vendors' standard Wireless Access Points. This now includes the Dlink 900AP+ and similar inexpensive APs as well as the old standbys such as Cisco. Some specific features and advantages of the Mikrotik Router with HotSpot in (the latest) version 2.7.4 are:

1) It is supported software with a constant stream of feature enhancements and fixes for problems experienced by users. Bug fixes are frequent, and severe problems seem to be fixed pretty fast. The Mikrotik system has a very complete (500+ page) reference manual, as the system has functions that allow it to do about everything an ISP could dream of doing and more than most casual users will ever need. But if you need some routing feature, it is likely already available.

2) The bad news is that Mikrotik Tech Support is not the best, even after you buy a license so that they will assist. :( The Mikrotik technicians know a lot about their system, but most answers to emailed questions seem to be references to the manual, and if you send three questions, they will likely only answer part of them. Some answers I did receive had errors that are just killers for a beginning router programmer/user.

There are lots of command examples in the manual but almost zero overall application examples. The exception is a HotSpot example, but even with this, only someone already familiar with router IP table setup can get through the complete design without outside help. I did get some excellent help from Eje Gustaffason at who offers Mikrotik consulting for $100 per hour. Not cheap, but a lot cheaper than spending weeks on a simple problem that you cannot work out. Eje is fast and efficient, and best of all he gives workable answers with explanations a beginner can understand and use. The detailed three-port application example plus the two-port example that I have worked up are the only ones I know of. Let me know if there are improvements/clarifications needed.

3) The system software itself is inexpensive. A fully working basic software system with PPPoE, limited to 4 simultaneous Hotspot users and 4 total NAT entries, is FREE to download and use from for evaluation and unlimited use, but without any support whatsoever (which is quite reasonable). Other options include a solid-state 64 MB IDE FLASH "disk drive" with the fully licensed Mikrotik Router + Hotspot software loaded on it, with a one-year free update service, for US$125 from http://www.fament.com/catalog/product_info.php?products_id=39. This Flash drive system requires no floppy/CDROM/hard drive in a router system. The licensed software alone is about $75 from fament.com if you want to make a WiFi Hotspot authenticator/controller in a computer you already have and you wish to use your conventional disk drive (100 MB or more). The system for local Hotspot use will run fine on a Pentium 75 MHz machine with 64 MB of RAM.

4) The Mikrotik system is quite complex and will take most people a good while to learn in detail. HOWEVER, with the cookbook application guide that I have worked up HERE, a three-port Hotspot router can be assembled and made operational in one evening by someone who just knows how to do medium-complexity software installs on a PC.

5) The system allows the HotSpot owner/operator (OO) to edit the locally stored HTML files used for login, FAQs, Help pages, etc. The OO can freely add or change links between these pages and the main login page using FrontPage, Dreamweaver, or even Netscape Composer, except for the login.html page, which has tables.

6) It is possible to allow internet access to specific websites (with fixed IP addresses) without login when desired.

7) Hotspot user authentication can be done from a local list (default) or from a local or remote RADIUS authentication server. The system can be programmed to use local authentication when it is available and to query a RADIUS server when the desired entry is not in the local list. The RADIUS server is expected to periodically update the local list. If the RADIUS server or link should fail, local authentication will continue uninterrupted. In my opinion, a feature like this is an essential ingredient for our growing Atlanta Free Net system.
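As an added example (not text from the article or from Mikrotik's manual), here is how items 6 and 7 above would be expressed in the RouterOS command line. The syntax is that of current RouterOS (v6/v7), not the 2.7.4 release the article describes, and the hotspot profile name `hsprof1`, the RADIUS server address 192.0.2.5, the shared secret, and the website address 203.0.113.10 are placeholders. On current RouterOS a name present in the local user list is authenticated locally; only names absent from that list are forwarded to RADIUS, so local accounts keep working if the RADIUS server or its link goes down.

```routeros
# Added example; assumes current RouterOS CLI syntax and placeholder names.

# Item 6: a fixed-IP website reachable without login (the "walled garden").
/ip hotspot walled-garden ip
add action=accept dst-address=203.0.113.10 comment="reachable before login"

# Item 7: a local account that never needs RADIUS. With an empty password,
# anyone typing "guest" gets the profile "default".
/ip hotspot user
add name=guest password="" profile=default comment="local account"

# RADIUS server consulted only for names missing from the local list.
# The secret is a placeholder; use a long random value in practice.
/radius
add service=hotspot address=192.0.2.5 secret=CHANGE-ME timeout=300ms

# Turn RADIUS on for the hotspot profile; local users still take precedence.
/ip hotspot profile
set [find name=hsprof1] use-radius=yes radius-accounting=yes
```

A quick check of the fallback behaviour is to stop the RADIUS server, log in as `guest`, and confirm under `/ip hotspot active print` that the session came up; a RADIUS-only account should then fail with a timeout in `/log print` while the local one keeps working.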

6) The Mikrotik "UNIVERSAL CLIENT" optionally permits "any" roaming user with "any" normal IP address and gateway setup in his networking to access the Hotspot without changing his networking setup. I really like this feature. :) Note: the Universal Client feature is mutually exclusive with use of the DWL-900AP+ as a REPEATER of Mikrotik data packets. The "address mangling" done to accommodate the Universal Client confuses the DWL-900 repeaters.

7) It is easy to give any number of user "groups" different privileges on the Hotspot. For instance, group "guests" could be given 32 kbps internet service speed upon login. Registered guests could be (for instance) given 144 kbps. Members could be given 1 Mbps and owners could be given "full" speed. It is possible to configure queues so that even if the higher-speed users are using "all available" bandwidth, low-priority users still get most of their allocated bandwidth. "Burst" modes can also be configured so that users get a "burst" of traffic for some seconds and are then throttled to some lower speed. This can give even low-speed users the feel of higher speed, yet throttle their download speed on games or file downloads.

8) The Mikrotik system can be configured with multiple NICs with varying capabilities. In my "cookbook" system design, I have the router configured to accept one "public" LAN (could be PPPoE) input for the internet connection. A second NIC is the connection for the Hotspot Access Point. A third NIC port is provided to connect the local home LAN to the internet. Web-proxy and NAT filters are used to ensure that users on the Hotspot cannot access computers on the home LAN and vice versa. This eliminates the need in most cases for a separate router, as the Mikrotik system can provide full NAT and firewall services for both the Hotspot and the local LAN at the same time.

9) Inbound service via the Mikrotik OS Router can direct traffic to mail servers and/or other computers or servers on the home local LAN.
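An added example of the three-port layout in items 8 and 9 (my own illustration, not the article's cookbook and not Mikrotik's text), written for the current RouterOS (v6/v7) CLI rather than 2.7.4. Interface names `ether1` (internet), `ether2` (Hotspot AP), `ether3` (home LAN), the private address ranges, and the mail server address 192.168.1.10 are all assumptions. The isolation here is done with plain forward-chain filter rules, which is the simplest way to keep the two inside segments apart; the article's design also uses the web proxy.

```routeros
# Added example; interface names and addresses are placeholders.

/ip address
add address=192.168.10.1/24 interface=ether2 comment="Hotspot AP segment"
add address=192.168.1.1/24  interface=ether3 comment="home LAN"

# Item 8: neither inside segment may reach the other. Drop rules in the
# forward chain; everything else (both segments -> internet) is still allowed.
/ip firewall filter
add chain=forward in-interface=ether2 out-interface=ether3 action=drop \
    comment="Hotspot users may not reach the home LAN"
add chain=forward in-interface=ether3 out-interface=ether2 action=drop \
    comment="home LAN may not reach Hotspot clients"
# Keep the router itself off-limits from the Hotspot side except for the
# services the captive portal needs (DNS and the login page).
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept
add chain=input in-interface=ether2 protocol=tcp dst-port=80,443 action=accept
add chain=input in-interface=ether2 action=drop \
    comment="no other router services from the Hotspot"

# Both segments share the one public address on ether1.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Item 9: inbound SMTP on the public port is forwarded to the home mail server.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=25
```

To confirm the isolation, ping a home-LAN host from a Hotspot client and watch the packet counter on the first drop rule climb (`/ip firewall filter print stats`); a forwarded service is checked the same way on the dstnat rule.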

10) The Hotspot provided can accommodate multiple simultaneous logins with the same username and password. In my own setup, I instruct "roaming guests" to sign in as “guest” with a blank password. This gives internet connectivity and mail service at low speed. If a user registers with me, I will give him connectivity speeds as negotiated. For now, everyone is at DSL speed but I can change that at will.

11) The one thing I know of that the Mikrotik does not now offer that is provided in the NoCatAuth box is SELF REGISTRATION. With the Mikrotik box, registration and user enabling past the "guest" stage requires an email to the hotspot supervisor and manual input of a user ID and password. This input takes about half a minute via a Windows-based GUI.

12) The bandwidth throttling system allows the operator to throttle bandwidth for individual user groups and for entire NIC ports. Thus, you can prevent your hotspot users from using all of your bandwidth even if a number of users simultaneously download large files.
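The following added example (mine, not the article's or Mikrotik's) puts items 7, 10 and 12 together in the current RouterOS (v6/v7) CLI, not the 2.7.4 syntax the article used. The group names, the speeds (taken from item 7), the burst values, the shared-login count, and the AP interface name `ether2` are assumptions. The `rate-limit` field of a hotspot user profile carries, in order, the steady rate, the burst rate, the burst threshold, the burst time, a priority, and a guaranteed minimum; the minimum is what keeps a low-priority group's allocation from being starved when higher-speed groups are busy.

```routeros
# Added example; group names, rates and interface names are placeholders.

# Item 7: one profile per group. Format of rate-limit:
#   rx/tx  burst-rx/burst-tx  threshold-rx/tx  burst-time-rx/tx  priority  min-rx/tx
/ip hotspot user profile
add name=guests     rate-limit="32k/32k" shared-users=20 \
    comment="item 10: many people log in as guest at once"
add name=registered rate-limit="144k/144k 256k/256k 128k/128k 10/10 7 96k/96k" \
    comment="10 s burst to 256k, then 144k; 96k guaranteed"
add name=members    rate-limit="1M/1M 2M/2M 1500k/1500k 10/10 5 512k/512k" \
    comment="burst to 2M for 10 s, then 1M; 512k guaranteed"
add name=owners     comment="no rate-limit: full speed"

# Item 10: the shared guest login, plus one member account as a sample.
/ip hotspot user
add name=guest password="" profile=guests
add name=example-member password=CHANGE-ME profile=members

# Item 12: a hard ceiling on the whole AP port, so the Hotspot as a whole
# can never take more than 2 Mbps from the uplink regardless of user count.
/queue simple
add name=hotspot-port-cap target=ether2 max-limit=2M/2M \
    comment="total for all Hotspot users"
```

Promoting a user from one group to another is then a single change of the `profile` field on that user entry, which is the half-minute operation item 11 describes; the new limits apply at the user's next login.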

13) Perhaps most useful for the owner/operator of Hotspots, programming changes can be made by most any user who has a reasonable amount of computer skill in the area being changed. By this, I mean "anybody" can change a user name, password, or user group, or set up a new user group with different capabilities and bandwidth allocations. But while changing the bandwidth offered to a user group is straightforward, the OO must understand the basic area of bandwidth allocation on a network. Other changes similarly require that the user understand what he is doing. Routing changes demand that the user understand at least the basics of Linux iptables operation and setup.

14) The Mikrotik is undoubtedly an extremely complex system overall, but straightforward if you just need to put up a three-port system in accord with my new Hotspot Application Note. The draft document is available at the link below. I am continuing to add features, and it will be fleshed out further in the weeks to come. The basic hotspot and authentication all work fine, and I am in the process of refining the firewall features. I will also be adding PPPoE as an option so the router can connect directly to a DSL or cable modem. You can manually input the commands in just a couple of hours. See http://www.gpsinformation.org/hotspot/mikrotik_hotspot_article.html

2 comments:

  1. Hi, I'm Tobias Audi from Argentina. I'm "new" to Mikrotik, and for quite a long time I've been struggling with this hotspot thing. I find no help, despite the fact that I look very hard to find a guide for people like me with very little knowledge on the topic. In your blog you mention "with the cook book application guide that I have worked up HERE": where is it? Because it's going to be extremely helpful for me. I have the time to work around a solution but can't find a guide for beginners. Thanks in advance, and congratulations for your great info that helps me to be sure this is the correct solution for me.

  2. The link you provided is unavailable. Do you know a new location?
