Mikrotik RouterOS
1. Getting started with WinBox
Launch the WinBox app. After clicking the “...” button, wait a while for the list of MAC addresses to load. Select the required address (use the MAC address, not the IP, if you are on a different network). Don’t type any password.
Confirm the action by pressing the Connect button.
2. Downloading the latest RouterOS
This option appears only in default configuration.
Confirm the Remove Configuration option. From the address http://www.mikrotik.com/download/ download the latest firmware:
RouterOS > mipsbe > v6.6 > Upgrade package (options may vary if you configure another Routerboard)
2.1. Upgrading your MikroTik
Upload the firmware file (.npk) to the routerboard
(drag and drop it onto an open area of the WinBox window, or copy it and then paste it into the Files folder):
Restart routerboard: System > Reboot. After rebooting connect with Winbox again.
3. Cleaning up
You can skip this step.
Remove unnecessary packages to free memory and improve performance:
System > Packages - delete packages which have a note that they are uninstalled:
Important packages that should stay:
- advanced-tools
- dhcp
- hotspot
- security
- system
- wireless
Other packages are at your discretion.
Follow a simple rule: remove what you don’t need.
4. Setting SNTP client
After the next reboot (System > Reboot), configure the SNTP client (time):
System > SNTP Client
Enabled: Checked
Mode: Unicast
Primary NTP Server: 0.north-america.pool.ntp.org
Secondary NTP Server: 1.north-america.pool.ntp.org
Please set servers that are as close to your location as possible. You can find NTP list here: http://www.pool.ntp.org/en/
Set the correct time zone in System > Clock > Time Zone Name:
America/Montreal (or according to your location).
The time is synchronized automatically once the LAN configuration has been completed correctly.
5. Setting up DHCP client
Run DHCP client on ether1 interface: IP > DHCP Client > +
New DHCP Client: DHCP Client tab
Interface: ether1
OK
Result example:
6. Adding the bridge
Add the bridge to all ports except ether1 and SFP1:
Bridge > Bridge tab > +
New Interface: General tab
Name: bridge-HS
OK
7. Adding the bridge ports
Bridge > Ports tab > +
New Bridge Port: General tab
Interface: ether2 through ether10 and wlan1, added one at a time
Bridge: bridge-HS (for every port)
8. Setting the WiFi part
This is optional setup for MikroTik AP providing the internet access. In case MikroTik serves as a router for other APs skip this step.
Configure the WiFi part (Wireless). First activate the interface:
Wireless > Interfaces tab > select wlan1 > ✔
Configure in the Advanced Mode to see all available options (e.g. Country).
We have to set ap-bridge, e.g.:
Select wlan1
Interface <wlan1>: Wireless tab
Mode: ap bridge
SSID: Name of your WiFi
Country: Configure it according to local laws and conditions (configuring engineer must know these conditions! - in the United States use the options as shown).
Enable antennas
Interface <wlan1>: HT tab
Chains: checked all
Wireless authentication (login at the WiFi level) must be turned off. Check this:
Wireless Security Profiles Tab, Select Default
Security profile <default> General tab
Name: default
Mode: none
9. Definition of the SOCIFI hotspot
Run the definition of hotspot:
IP > Hotspot > Servers Tab, Hotspot Setup
Instead of the addresses listed in this figure, we recommend a different address than the address of the interface (bridge-HS), e.g. 192.168.88.1/24; see the notes at the end of the manual.
The number of IP addresses should correspond to your license (L4 = 200 addresses). See the notes at the end of the manual.
If you are a customer with the White Label solution, please change the domain from hotspot.socifi.com to your custom domain (for example mycustomdomain.com) at step 7.
Hotspot Setup:
- HotSpot Interface: bridge-HS
- Local Address of Network: 192.168.88.1/24
- Address Pool of Network: 192.168.88.20 - 192.168.88.219
- Select Certificate: none
- IP Address of SMTP Server: 0.0.0.0
- DNS Servers: 192.168.88.1 / 8.8.8.8 / 8.8.4.4
  The first DNS server address must be the interface address!
- DNS Name: hotspot.socifi.com (required)
  This domain could be adjusted to fit your needs, for example hotspot.mydomain.com.
- Name of Local HotSpot User: user
10. Change Hotspot settings
Remove Shared User (default = 1):
IP > Hotspot > User Profiles > default, General tab
Shared Users: clear
OK
Addresses per MAC = 1 (default = 2):
IP > Hotspot > Servers > hotspot1
Addresses per MAC: 1
Change the Name from the default value of hotspot1 to "MK_<serial number of Mikrotik>", for example "MK_3F0602DFA144". Where to find the serial number is described in section 15.
OK
Change the authentication method:
IP > Hotspot > Server Profiles, select hsprof1
Hotspot Server Profile <hsprof1> Login Tab
HTTP PAP: checked
Use RADIUS: Checked
Default Domain:
Location ID:
Location Name:
Mac Format: XX:XX:XX:XX:XX:XX
Accounting: Checked
Interim-Update: 00:01:00
Nas Port Type: 19 (wireless-802.11)
Now define a list of allowed servers in IP > Hotspot > Walled Garden:
Create the WalledGarden script: System > Scripts > +
Name: WalledGarden
Copy and paste the following script:
/ip hotspot walled-garden
add dst-host=*.socifi.com
add dst-host=*.facebook.com
add dst-host=*.akamaihd.net
add dst-host=*.akamai.net
add dst-host=*.edgecastcdn.net
add dst-host=*.edgekey.net
add dst-host=*.akamaiedge.net
add dst-host=*.twitter.com
add dst-host=twitter.com
add dst-host=*.twimg.com
add dst-host=*.fastly.net
add dst-host=*.li-cdn.net
add dst-host=*.cloudfront.net
add dst-host=facebook.com
add dst-host=*.fbcdn.net
add dst-host=*.instagram.com
add dst-host=instagram.com
add dst-host=*.cdninstagram.com
add dst-host=*.linkedin.com
add dst-host=linkedin.com
add dst-host=*.licdn.com
If you are a customer with the White Label solution, please add your custom domain (for example mycustomdomain.com) to the Walled Garden list:
add dst-host=*.mycustomdomain.com
Note: facebook.com and twitter.com appear twice, once with and once without the asterisk.
The result is a list of servers:
The list of Walled Garden servers changes from time to time, so you may be asked to change its contents. The current list is always in this documentation. Before you run the script again (even with new content), you must first delete the old Walled Garden server list, otherwise its entries would be permanently duplicated.
11. Creating a definition for hotspot login
Script definition for the content of hotspot/login.html
We generate the hotspot/login.html file the same way: System > Scripts > +
Name: ReplaceLogin
Copy and paste the script below, click Apply and then run it with Run Script (the change has taken effect when the date and time of the file hotspot/login.html under Files have changed).
If you are a customer with the White Label solution, please change http://connect.socifi.com to your custom domain (for example http://connect.mycustomdomain.com).
Some RouterOS devices have their default storage on flash memory. In this case it is necessary to modify the “/file” part of this script according to the actual storage name, e.g. "/file set flash/hotspot/login.html contents=", supposing that the path "flash/hotspot/login.html" exists. Check this in the list of files in the "Files" module.
:local mac [system routerboard get serial-number];
:if ( [system routerboard get routerboard] = yes ) do {:set mac [system routerboard get serial-number]} else { :set mac [interface ethernet get ether1 mac-address]};
/file set "hotspot/login.html" contents="<html> <head> <meta http-equiv=\"refresh\" content=\"0; url=http://connect.socifi.com/?rad=yes&serial=$mac&client_mac=\$(mac)&client_ip=\$(ip)&userurl=\$(link-orig)&login_url=\$(link-login-only)\" /> <meta http-equiv=\"pragma\" content=\"no-cache\"> <meta http-equiv=\"expires\" content=\"-1\"> </head> </html>"
12. Changing the default password
Change the default password (blank by default) to a strong and complex one:
System > Password
(at least 8 characters, uppercase and lowercase letters and digits)
13. Configuring the RADIUS server
Add primary radius server (RADIUS Server 1):
Radius > +, General tab
Service:
hotspot: checked
Called ID:
Domain:
Address: rad-1-euw-1.socifi.com (for example)
We recommend using this set of RADIUS servers:
Secret: socifi
Authentication port: 1812
Accounting port: 1813
Timeout: 300 ms
Accounting Backup: unchecked
Src. Address:
Add secondary radius server (RADIUS Server 2):
Radius > +, General tab
Service:
hotspot: checked
Called ID:
Domain:
Address: (for example)
We recommend using this set of RADIUS servers:
Secret: socifi
Authentication port: 1812
Accounting port: 1813
Timeout: 300 ms
Accounting Backup: unchecked
Src. Address:
14. Security: last, but not least
Finally, we recommend modifying the firewall so that no one (except you :) can get into the management of the MikroTik: IP > Firewall > +
New Firewall Rule > General tab
chain: input
In. Interface: select bridge-HS
New Firewall Rule > Action tab
Action: drop
The new rule must be on the last line:
We recommend checking the NAT/Masquerade rules in the IP > Firewall > NAT section. This rule is created automatically when the Hotspot Setup wizard is used, but some Mikrotik firmware versions don't create such a rule.
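A way to verify two points of this manual from a saved configuration, given as an added example that is not part of the original SOCIFI documentation: the script reads RouterOS `/export` text and reports duplicated Walled Garden entries (the problem described at the end of section 10) and whether the bridge-HS drop rule from this section is enabled, unnarrowed and last in the input chain. The function names `section` and `audit` and the sample export are constructed for illustration.

```python
import shlex
from collections import Counter

# Constructed sample `/export` text: one duplicated entry, a rule added after the drop.
SAMPLE_EXPORT = """\
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.socifi.com
add dst-host=facebook.com
add dst-host=*.socifi.com
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=bridge-HS
add action=accept chain=input comment="added later" in-interface=bridge-HS \\
    protocol=tcp
add action=accept chain=forward
"""

def section(export_text, path):
    """Parse the enabled `add ...` lines under one menu path into dicts."""
    rows, inside = [], False
    joined = export_text.replace("\\\n", " ")        # undo export line wrapping
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):                     # a new menu path begins
            inside = line == path
        elif inside and line.startswith("add "):
            rows.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return [r for r in rows if r.get("disabled") != "yes"]

def audit(export_text, iface="bridge-HS"):
    """Return a list of findings; an empty list means both checks passed."""
    wg = section(export_text, "/ip hotspot walled-garden")
    hosts = Counter(r["dst-host"] for r in wg if "dst-host" in r)
    findings = [f"walled-garden duplicate: {h}" for h, n in sorted(hosts.items()) if n > 1]
    rules = [r for r in section(export_text, "/ip firewall filter")
             if r.get("chain") == "input"]
    drops = [i for i, r in enumerate(rules)
             if r.get("action") == "drop" and r.get("in-interface") == iface]
    if not drops:
        return findings + [f"no enabled input-chain drop rule for {iface}"]
    narrowed = set(rules[drops[-1]]) - {"action", "chain", "in-interface", "comment"}
    if narrowed:                                     # extra matchers weaken the rule
        findings.append("drop rule narrowed by: " + ", ".join(sorted(narrowed)))
    if drops[-1] != len(rules) - 1:
        findings.append(f"{len(rules) - 1 - drops[-1]} input rule(s) follow the drop rule")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "OK")
```

Dynamic rules that the hotspot adds at runtime do not appear in an export, so the check covers only the static rules you configured.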
15. Connecting your MikroTik to SOCIFI Dashboard
When adding a Mikrotik you'll need to use its serial number (not the MAC address). It can be found here:
Step 1: Login to SOCIFI Dashboard
Step 2: Click on the "Hotspots" tab on the left sidebar
Step 3: Click on the “Add a new hotspot” button located on the top right corner on the screen (pictured below)
Note: A pop-up window will appear (below)
Step 4: Select the Wi-Fi hardware manufacturer from the drop down menu
Step 5: Enter the serial number or MAC address (depending on the specific equipment manual) of your equipment. You can add multiple hotspots at once.
Step 6: Set your Network location (this step is essential for correct ad targeting)
Step 7: In the pop-up window type your location or just move the marker on the map and click on the save button to confirm the selection. This address is used for ad GEO targeting.
Step 8: Click Save
Note: Newly added hotspots are marked as (Hotspot pending). After the first user connects to the hotspot via SOCIFI, the status will automatically change and appear as (Active) within an hour. Get your first connections to test if it works properly.