JUANFI RGB V3.3
🔑 The MikroTik Hotspot: A Deep Dive into Captive Portal Architecture and Network Monetization
The MikroTik Hotspot feature, which provides a managed access portal, is one of the most powerful and widely used functionalities of the RouterOS platform. It is far more than a simple login screen; it is a Wireless Access Gateway (WAG) that controls every aspect of a user's connection, making it the backbone of commercial, public, and secure guest networks worldwide.
I. Captive Portal Architecture in RouterOS
The MikroTik Hotspot functions by intercepting all HTTP/HTTPS traffic from unauthenticated clients and redirecting them to the login page (the "portal"). This process relies on a core set of components:
1. The Hotspot Gateway (Walled Garden)
When a user first connects, the router's IP Firewall automatically places the client's MAC and IP address into a specific state. Before successful authentication, the client is only permitted access to a limited set of resources, known as the Walled Garden.
Allowed Access: This zone typically includes the Hotspot server itself, the DNS server, and potentially an external website for payments or a third-party login page (e.g., a social media login provider).
2 Access Denial: All other internet traffic is dropped until authentication is complete, ensuring the portal is unavoidable.
2. The Hotspot Server Profile
This is the central configuration unit. It defines the network interface that the Hotspot operates on and establishes critical parameters for user sessions:
| Parameter | Function | Implication |
| Hotspot Address | The IP address of the router's Hotspot interface. | Defines the default gateway for the captive network. |
| DNS Name | The public name users are redirected to (e.g., login.example.com). | Ensures a smooth login experience, preventing browser security warnings. |
| HTML Directory | Specifies the local folder on the router's file system (/file) containing the portal's HTML, CSS, and Javascript files. | Allows for extensive branding and customization. |
II. Advanced Authentication and Management
For enterprise and commercial deployments, the MikroTik Hotspot’s power lies in its ability to integrate with external systems via the Remote Authentication Dial-In User Service (RADIUS) protocol.
External RADIUS Integration (User Manager)
While MikroTik can manage users locally, scalability and centralized billing require an external RADIUS server (MikroTik's own User Manager is a common choice, but third-party solutions are also frequently used).
Authentication: The client submits credentials to the portal.
4 The Hotspot server sends an Access-Request to the external RADIUS server.5 Authorization: The RADIUS server verifies the credentials and sends back an Access-Accept packet, which includes Vendor-Specific Attributes (VSAs) like
Mikrotik-Rate-Limit.6 Dynamic Policy Enforcement: The router instantly enforces the received parameters—such as the user's maximum download/upload speed (rate-limit), session duration, and session timeout—creating a powerful system for tiered access control.
Authentication Methods
MikroTik supports several authentication methods, which can be selected in the Hotspot Profile:
HTTP PAP / CHAP: Basic, unencrypted/encrypted password login via the portal.
MAC Cookie: Remembers the client's MAC address after a successful login, allowing them to reconnect for a defined period without re-authenticating. This enhances user experience.
Trial Mode: Grants a time-limited free session (e.g., 15 minutes) to first-time users, often used for marketing purposes.
III. Monetization and Business Use Cases
The captive portal is the primary tool for monetizing public Wi-Fi services, most notably in the Piso Wi-Fi Vendo business model common in the Philippines.
Voucher Systems: Operators use the RADIUS/User Manager system to pre-generate hundreds of unique, disposable login codes (vouchers) tied to specific service plans (e.g., ₱5 for 30 minutes, ₱10 for 1 hour).
7 This simplifies cash-based transactions.Tiered Service Plans: By creating different User Profiles with unique bandwidth limits (e.g., 2 Mbps vs. 5 Mbps) and data quotas, operators can offer premium paid access alongside basic free access.
8 Data Capture and Marketing: For venues like hotels or cafes, the portal can be customized for Social Media Login (e.g., Facebook, Google).
9 This allows the business to capture valuable user demographics and email addresses for marketing campaigns, transforming a simple amenity into a customer intelligence platform.
In essence, the "portal" in a MikroTik router represents a centralized, highly flexible policy enforcement point that provides the necessary control for security, resource allocation, and revenue generation in modern public network environments.