Implementation and use of Spanning Tree Protocol in Mikrotik RouterOS


    Sub-menu: /interface bridge
    Standards: IEEE802.1D


    Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).
    Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP and RSTP allow bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put into standby, so that should the main connection fail, another connection can take its place. The algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. (R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports of the other bridges. The root bridge is the bridge with the lowest bridge ID.

    Bridge Interface Setup

    Sub-menu: /interface bridge


    To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest MAC address will be chosen automatically).

    Properties

    Property Description
    admin-mac (MAC address; Default: ) Static MAC address of the bridge (takes effect if auto-mac=no)
    ageing-time (time; Default: 00:05:00) How long host information will be kept in the bridge database
    arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Protocol setting
    auto-mac (yes | no; Default: yes) Automatically select the smallest MAC address of bridge ports as a bridge MAC address
    forward-delay (time; Default: 00:00:15) Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally
    l2mtu (integer; read-only) Layer 2 Maximum Transmission Unit
    max-message-age (time; Default: 00:00:20) How long to remember Hello messages received from other bridges
    mtu (integer; Default: 1500) Maximum Transmission Unit
    name (text; Default: bridgeN) Name of the bridge interface
    priority (integer: 0..65535; Default: 32768) Bridge interface priority. The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if at least two ports form a loop
    protocol-mode (none | rstp | stp; Default: none) Select Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) to ensure a loop-free topology for any bridged LAN. RSTP provides faster spanning tree convergence after a topology change.
    transmit-hold-count (integer: 1..10; Default: 6) The Transmit Hold Count used by the Port Transmit state machine to limit transmission rate

    (Rapid) Spanning Tree Protocol

    (R)STP eliminates the possibility of the same MAC address being seen on multiple bridge ports by disabling the secondary ports to that MAC address.
    • First, the root bridge is elected based on the smallest bridge ID
    • Then a breadth-first search algorithm is run, taking the root bridge as its starting point
      • If the algorithm reaches a MAC address for the first time, it leaves the link active
      • If the algorithm reaches a MAC address for the second time, it disables the link
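The election and tree construction just described, as an added example (this is not MikroTik's code): a small Python simulation in which bridge IDs are priority.MAC as shown by /interface bridge monitor, the lowest ID becomes root, and every other bridge keeps only its lowest-cost link towards the root while the remaining links are put into standby. Bridge names, MAC addresses and costs are constructed sample values, and a single cost per link stands in for the per-port path-cost.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768      # /interface bridge priority default (0x8000)

    @property
    def bridge_id(self):
        # Lower wins: priority is compared first, then the MAC address
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def root_bridge_id(self):
        # Same form as root-bridge-id in /interface bridge monitor output
        return f"0x{self.priority:04X}.{self.mac}"


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int = 10             # /interface bridge port path-cost default


def elect_root(bridges):
    """Step 1: the bridge with the smallest bridge ID becomes the root."""
    return min(bridges, key=lambda b: b.bridge_id)


def spanning_tree(bridges, links):
    """Step 2: walk outwards from the root. Each non-root bridge keeps the
    link that gives the lowest root path cost (ties broken by the upstream
    bridge ID, as STP does) as its root port; every other link is put into
    standby. Returns (root name, {bridge: (root-path-cost, root-port link)},
    blocked links)."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    adj = {}
    for link in links:
        adj.setdefault(link.a, []).append((link.b, link))
        adj.setdefault(link.b, []).append((link.a, link))
    # best[name] = (root path cost, upstream bridge ID, link used)
    best = {root.name: (0, root.bridge_id, None)}
    done = set()
    heap = [(0, root.bridge_id, root.name)]
    while heap:
        cost, _, name = heapq.heappop(heap)
        if name in done:
            continue
        done.add(name)
        for nbr, link in adj.get(name, []):
            cand = (cost + link.cost, by_name[name].bridge_id, link)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    active = {entry[2] for entry in best.values() if entry[2] is not None}
    blocked = [link for link in links if link not in active]
    table = {n: (c, link) for n, (c, _, link) in best.items()}
    return root.name, table, blocked


# Constructed sample topology: a triangle of three bridges. sw-c has been
# given a lower priority than the default, so it wins the root election
# even though its MAC address is the highest of the three; this is also
# what any newly attached bridge with a lower priority would do.
SAMPLE_BRIDGES = [
    Bridge("sw-a", "00:0C:42:00:00:01"),
    Bridge("sw-b", "00:0C:42:00:00:02"),
    Bridge("sw-c", "00:0C:42:00:00:03", priority=4096),
]
SAMPLE_LINKS = [Link("sw-a", "sw-b"), Link("sw-b", "sw-c"), Link("sw-a", "sw-c")]

if __name__ == "__main__":
    root, table, blocked = spanning_tree(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    for name, (cost, link) in table.items():
        print(f"{name}: root-path-cost={cost} root-port={link}")
    print("blocked links:", blocked)
```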

    Example

    To add and enable a bridge interface that will forward all the protocols:
    [admin@MikroTik] /interface bridge> add 
    [admin@MikroTik] /interface bridge> print 
    Flags: X - disabled, R - running 
     0  R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled 
          mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 
          auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
          forward-delay=15s transmit-hold-count=6 ageing-time=5m 
    [admin@MikroTik] /interface bridge>
    

    Bridge Settings

    Sub-menu: /interface bridge settings


    Property Description
    use-ip-firewall (yes | no; Default: no) Makes bridged traffic be processed through the IP firewall
    use-ip-firewall-for-pppoe (yes | no; Default: no) Makes bridged unencrypted PPPoE traffic be processed through the IP firewall (requires use-ip-firewall=yes to work)
    use-ip-firewall-for-vlan (yes | no; Default: no) Makes bridged VLAN traffic be processed through the IP firewall (requires use-ip-firewall=yes to work)

    Port Settings

    Sub-menu: /interface bridge port


    Port submenu is used to enslave interfaces in a particular bridge interface.
    Property Description
    bridge (name; Default: none) The bridge interface the respective interface is grouped in
    edge (auto | no | no-discover | yes | yes-discover; Default: auto) Set port as edge port or non-edge port, or enable automatic detection
    external-fdb (auto | no | yes; Default: auto) Whether to use the wireless registration table to speed up bridge host learning
    horizon (none | integer 0..429496729; Default: none) Use split horizon bridging to prevent bridging loops
    interface (name; Default: none) Name of the interface
    path-cost (integer: 0..65535; Default: 10) Path cost to the interface, used by STP to determine the "best" path
    point-to-point (auto | no | yes; Default: auto) This feature can be turned on for point-to-point interfaces to increase STP/RSTP performance
    priority (integer: 0..255; Default: 128) The priority of the interface in comparison with the others going to the same subnet

    Example

    To group ether1 and ether2 in the already created bridge1 bridge
    [admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether1
    [admin@MikroTik] /interface bridge port> add bridge=bridge1 interface=ether2
    [admin@MikroTik] /interface bridge port> print 
    Flags: X - disabled, I - inactive, D - dynamic 
     #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON   
     0    ether1                 bridge1             0x80     10         none      
     1    ether2                 bridge1             0x80     10         none      
    [admin@MikroTik] /interface bridge port> 
    

    Bridge Monitoring

    Sub-menu: /interface bridge monitor


    Used to monitor the current status of a bridge.
    Property Description
    current-mac-address (MAC address) Current MAC address of the bridge
    designated-port-count (integer) Number of designated bridge ports
    port-count (integer) Number of the bridge ports
    root-bridge (yes | no) Shows whether bridge is the root bridge of the spanning tree
    root-bridge-id (text) The root bridge ID, which is in form of bridge-priority.bridge-MAC-address
    root-path-cost (integer) The total cost of the path to the root-bridge
    root-port (name) Port to which the root bridge is connected to
    state (enabled | disabled) State of the bridge

    Example

    To monitor a bridge:
    [admin@MikroTik] /interface bridge> monitor bridge1 
                      state: enabled
        current-mac-address: 00:0C:42:52:2E:CE
                root-bridge: yes
             root-bridge-id: 0x8000.00:00:00:00:00:00
             root-path-cost: 0
                  root-port: none
                 port-count: 2
      designated-port-count: 0
    
    [admin@MikroTik] /interface bridge>
    

    Bridge Port Monitoring

    Sub-menu: /interface bridge port monitor


    Statistics of an interface that belongs to a bridge.
    Property Description
    edge-port (yes | no) Whether port is an edge-port of the spanning tree
    edge-port-discovery (yes | no) Whether the port automatically detects edge ports
    external-fdb (yes | no) Shows whether the wireless registration table is used instead of the forwarding database
    forwarding (yes | no) Port state
    learning (yes | no) Port state
    point-to-point-port (yes | no) Indicates whether this port is connected only to one network device (WDS, wireless in bridge mode)
    port-number (integer 1..4095) Port identifier
    role (designated | root port | alternate | backup | disabled) (R)STP algorithm assigned role of the port:
    • Disabled port - for looped ports
    • Root port – a path to the root bridge
    • Alternative port – backup root port (only in RSTP)
    • Designated port – forwarding port
    • Backup port – backup designated port (only in RSTP)
    sending-rstp (yes | no) Whether the port is sending BPDU messages
    status (in-bridge | inactive) Port status

    Example

    To monitor a bridge port:
    [admin@MikroTik] /interface bridge port> monitor 0     
                   status: in-bridge
              port-number: 1
                     role: designated-port
                edge-port: no
      edge-port-discovery: yes
      point-to-point-port: no
             external-fdb: no
             sending-rstp: no
                 learning: yes
               forwarding: yes
    
    [admin@MikroTik] /interface bridge port>
    

    Bridge Host Monitoring

    Sub-menu: /interface bridge host


    Property Description
    age (read-only: time) The time since the last packet was received from the host
    bridge (read-only: name) The bridge the entry belongs to
    external-fdb (read-only: flag) Whether the host was learned using wireless registration table
    local (read-only: flag) Whether the host entry is of the bridge itself (that way all local interfaces are shown)
    mac-address (read-only: MAC address) Host's MAC address
    on-interface (read-only: name) Which of the bridged interfaces the host is connected to

    Example

    To get the active host table:
    [admin@MikroTik] /interface bridge host> print 
    Flags: L - local, E - external-fdb 
      BRIDGE           MAC-ADDRESS       ON-INTERFACE          AGE                 
      bridge1          00:00:00:00:00:01 ether2                3s                  
      bridge1          00:01:29:FF:1D:CC ether2                0s                  
    L bridge1          00:0C:42:52:2E:CF ether2                0s                  
      bridge1          00:0C:42:52:2E:D0 ether2                3s                  
      bridge1          00:0C:42:5C:A5:AE ether2                0s                  
    [admin@MikroTik] /interface bridge host>
    

    Bridge Firewall

    Sub-menu: /interface bridge filter, /interface bridge nat


    The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge.
    The packet flow diagram shows how packets are processed through the router. It is possible to force bridge traffic to go through /ip firewall filter rules (see: Bridge Settings)
    There are two bridge firewall tables:
    • filter - bridge firewall with three predefined chains:
      • input - filters packets whose destination is the bridge (including those packets that will be routed, as they are anyway destined to the bridge MAC address)
      • output - filters packets which come from the bridge (including those packets that have been routed normally)
      • forward - filters packets which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
    • nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:
      • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface
      • dstnat - used for redirecting some packets to other destinations
    You can put packet marks in the bridge firewall (filter and NAT), which are the same as the packet marks in the IP firewall put by mangle. So packet marks put by the bridge firewall can be used in the IP firewall, and vice versa.
    General bridge firewall properties are described in this section. Some parameters that differ between nat and filter rules are described in further sections.

    Properties

    Property Description
    802.3-sap (integer) DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are 2 one byte fields, which identify the network protocol entities which use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte
    802.3-type (integer) Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B
    arp-dst-address (IP address; default: ) ARP destination address
    arp-dst-mac-address (MAC address; default: ) ARP destination MAC address
    arp-gratuitous (yes | no; default: ) Matches ARP gratuitous packets
    arp-hardware-type (integer; default: 1) ARP hardware type. This is normally Ethernet (Type 1)
    arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse) ARP opcode (packet type)
    • arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
    • drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated
    • drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host
    • drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
    • inarp-reply - Inverse ARP reply, carrying the IP address that belongs to a known hardware address
    • inarp-request - Inverse ARP request to find out the IP address behind a known hardware address
    • reply - standard ARP reply with a MAC address
    • reply-reverse - reverse ARP (RARP) reply with an IP address assigned
    • request - standard ARP request to a known IP address to find out unknown MAC address
    • request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)
    arp-src-address (IP address; default: ) ARP source address
    arp-src-mac-address (MAC address; default: ) ARP source MAC address
    chain (text) Bridge firewall chain, which the filter is functioning in (either a built-in one, or a user defined)
    dst-address (IP address; default: ) Destination IP address (only if MAC protocol is set to IPv4)
    dst-mac-address (MAC address; default: ) Destination MAC address
    dst-port (integer 0..65535) Destination port number or range (only for TCP or UDP protocols)
    in-bridge (name) Bridge interface through which the packet is coming in
    in-interface (name) Physical interface (i.e., bridge port) through which the packet is coming in
    ingress-priority (integer 0..63) Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit.
    ip-protocol (ddp | ggp | icmp | igmp | ipsec-ah | ospf | rdp | tcp | vrrp | egp | gre | icmpv6 | ipencap | ipsec-esp | pim | rspf | udp | xns-idp | encap | hmp | idpr-cmtp | ipip | iso-tp4 | pup | st | vmtp | xtp) IP protocol (only if MAC protocol is set to IPv4)
    • ipsec-ah - IPsec AH protocol
    • ipsec-esp - IPsec ESP protocol
    • ddp - datagram delivery protocol
    • egp - exterior gateway protocol
    • ggp - gateway-gateway protocol
    • gre - general routing encapsulation
    • hmp - host monitoring protocol
    • idpr-cmtp - idpr control message transport
    • icmp - internet control message protocol
    • icmpv6 - internet control message protocol for IPv6
    • igmp - internet group management protocol
    • ipencap - ip encapsulated in ip
    • encap - ip encapsulation
    • ipip - ip encapsulation
    • iso-tp4 - iso transport protocol class 4
    • ospf - open shortest path first
    • pim - protocol independent multicast
    • pup - parc universal packet protocol
    • rspf - radio shortest path first
    • rdp - reliable datagram protocol
    • st - st datagram mode
    • tcp - transmission control protocol
    • udp - user datagram protocol
    • vmtp - versatile message transport
    • vrrp - virtual router redundancy protocol
    • xns-idp - xerox ns idp
    • xtp – xpress transfer protocol
    jump-target (name) If action=jump specified, then specifies the user-defined firewall chain to process the packet
    limit (integer/time,integer) Restricts the packet match rate to a given limit. Useful to reduce the amount of log messages
    • count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
    • time - specifies the time interval over which the packet rate is measured
    • burst - number of packets to match in a burst
    log-prefix (text) Defines the prefix to be printed before the logging information
    mac-protocol (arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan) Ethernet payload type (MAC-level protocol)
    out-bridge (name) Outgoing bridge interface
    out-interface (name) Interface via which the packet is leaving the bridge
    packet-mark (name) Match packets with certain packet mark
    packet-type (broadcast | host | multicast | other-host) MAC frame type:
    • broadcast - broadcast MAC packet
    • host - packet is destined to the bridge itself
    • multicast - multicast MAC packet
    • other-host - packet is destined to some other unicast address, not to the bridge itself
    src-address (IP address; default: ) Source IP address (only if MAC protocol is set to IPv4)
    src-mac-address (MAC address; default: ) Source MAC address
    src-port (integer 0..65535) Source port number or range (only for TCP or UDP protocols)
    stp-flags (topology-change | topology-change-ack) The BPDU (Bridge Protocol Data Unit) flags. Bridges exchange configuration messages (BPDUs) periodically to prevent loops
    • topology-change - the topology change flag is set when a bridge detects a port state change, to force all other bridges to drop their host tables and recalculate the network topology
    • topology-change-ack - the topology change acknowledgement flag is sent in replies to the notification packets
    stp-forward-delay (time 0..65535) Forward delay timer
    stp-hello-time (time 0..65535) STP hello packets time
    stp-max-age (time 0..65535) Maximal STP message age
    stp-msg-age (time 0..65535) STP message age
    stp-port (integer 0..65535) STP port identifier
    stp-root-address (MAC address) Root bridge MAC address
    stp-root-cost (integer 0..65535) Root bridge cost
    stp-root-priority (integer 0..65535) Root bridge priority
    stp-sender-address (MAC address) STP message sender MAC address
    stp-sender-priority (integer 0..65535) STP sender priority
    stp-type (config | tcn) The BPDU type:
    • config - configuration BPDU
    • tcn - topology change notification
    vlan-encap (arp | ip | ipv6 | ipx | length | pppoe | pppoe-discovery | rarp | vlan ) the MAC protocol type encapsulated in the VLAN frame
    vlan-id (integer 0..4095) VLAN identifier field
    vlan-priority (integer 0..7) The user priority field

    Notes

    • STP matchers are only valid if the destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (Bridge Group address), and STP must be enabled on the bridge.
    • ARP matchers are only valid if mac-protocol is arp or rarp
    • VLAN matchers are only valid for vlan ethernet protocol
    • IP-related matchers are only valid if mac-protocol is set as ipv4
    • 802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3 standards (note: it is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.
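To make the stp-* matchers and the notes above concrete, an added Python example (not part of the MikroTik documentation): it builds a configuration (or TCN) BPDU frame from constructed values, applies the checks the notes describe (Bridge Group destination address, an IEEE 802.2/802.3 frame with DSAP/SSAP 0x42), extracts the fields the stp-* matchers operate on, and then runs a defender's check for a BPDU advertising a better root than the one the network expects. The frame builder, the MAC addresses and the expected root are assumptions of this example; RSTP BPDUs (type 0x02) carry the same leading fields and are reported as config here.

```python
import struct

STP_GROUP_MAC = "01:80:c2:00:00:00"   # Bridge Group address named in the notes
LLC_SAP_BRIDGE = 0x42                 # DSAP/SSAP value carried by STP BPDUs
STP_FLAG_BITS = ((0x01, "topology-change"), (0x80, "topology-change-ack"))


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_bpdu_frame(src_mac, root_prio=32768, root_mac="00:00:00:00:00:00",
                     root_cost=0, sender_prio=32768, sender_mac=None,
                     port_id=0x8001, flags=0, msg_age=0, max_age=20,
                     hello=2, fwd_delay=15, tcn=False):
    """Constructed test input: an 802.3 frame (length field, not a type field)
    with an LLC header and a config or TCN BPDU. Timers are in 1/256 s units."""
    sender_mac = sender_mac or src_mac
    if tcn:
        bpdu = struct.pack("!HBB", 0, 0, 0x80)      # protocol id, version, type
    else:
        bpdu = struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, 0x00, flags,
                           root_prio, mac_bytes(root_mac), root_cost,
                           sender_prio, mac_bytes(sender_mac), port_id,
                           msg_age * 256, max_age * 256, hello * 256,
                           fwd_delay * 256)
    llc = bytes([LLC_SAP_BRIDGE, LLC_SAP_BRIDGE, 0x03])
    return (mac_bytes(STP_GROUP_MAC) + mac_bytes(src_mac)
            + struct.pack("!H", len(llc) + len(bpdu)) + llc + bpdu)


def parse_bpdu(frame):
    """Return the fields the bridge filter stp-* matchers look at (keys named
    after the matchers, MACs in lower case), or None when the STP matchers
    would not apply: wrong destination MAC, not an 802.2/802.3 frame, or an
    LLC SAP other than 0x42."""
    if len(frame) < 21:
        return None
    dst, src = frame[0:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if mac_str(dst) != STP_GROUP_MAC or length > 1500:
        return None                  # Ethernet II type values are > 1500
    if frame[14] != LLC_SAP_BRIDGE or frame[15] != LLC_SAP_BRIDGE:
        return None
    body = frame[17:14 + length]
    proto, _version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    out = {"src-mac-address": mac_str(src),
           "stp-type": "tcn" if btype == 0x80 else "config"}
    if btype == 0x80 or len(body) < 35:
        return out
    (flags, root_prio, root_mac, root_cost, sender_prio, sender_mac, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack("!BH6sIH6sHHHHH", body[4:35])
    out.update({
        "stp-flags": [n for bit, n in STP_FLAG_BITS if flags & bit],
        "stp-root-priority": root_prio, "stp-root-address": mac_str(root_mac),
        "stp-root-cost": root_cost, "stp-port": port_id,
        "stp-sender-priority": sender_prio,
        "stp-sender-address": mac_str(sender_mac),
        "stp-msg-age": msg_age / 256, "stp-max-age": max_age / 256,
        "stp-hello-time": hello / 256, "stp-forward-delay": fwd / 256,
    })
    return out


def announces_better_root(bpdu, expected_prio, expected_mac):
    """Defender's check: True when a config BPDU advertises a root bridge ID
    lower than the root we expect, which is what a newly attached bridge with
    a lower priority sends before it takes over the root role."""
    if bpdu is None or bpdu["stp-type"] != "config":
        return False
    seen = (bpdu["stp-root-priority"],
            int(bpdu["stp-root-address"].replace(":", ""), 16))
    expected = (expected_prio, int(expected_mac.replace(":", ""), 16))
    return seen < expected


# Constructed sample frames. The expected root reuses the MAC of the bridge
# from the monitor output above; the second frame claims a better root.
EXPECTED_ROOT = (32768, "00:0c:42:52:2e:ce")
NORMAL_FRAME = build_bpdu_frame("00:0c:42:52:2e:ce",
                                root_mac="00:0c:42:52:2e:ce", flags=0x01)
ROGUE_FRAME = build_bpdu_frame("00:0c:42:aa:bb:01", root_prio=4096,
                               root_mac="00:0c:42:aa:bb:01", sender_prio=4096)
```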

    Bridge Packet Filter

    Sub-menu: /interface bridge filter


    This section describes bridge packet filter specific filtering options, which were omitted in the general firewall description.

    Properties

    Property Description
    action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority)
    • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
    • drop - silently drop the packet (without sending the ICMP reject message)
    • jump - jump to the chain specified by the value of the jump-target argument
    • log - log the packet
    • mark-packet - mark the packet to use the mark later
    • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
    • return - return to the previous chain, from where the jump took place
    • set-priority

    Bridge NAT

    Sub-menu: /interface bridge nat


    This section describes bridge NAT options, which were omitted in the general firewall description.

    Properties

    Property Description
    action (accept | drop | jump | mark-packet | redirect | set-priority | arp-reply | dst-nat | log | passthrough | return | src-nat)
    • accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
    • arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain)
    • drop - silently drop the packet (without sending the ICMP reject message)
    • dst-nat - change destination MAC address of a packet (only valid in dstnat chain)
    • jump - jump to the chain specified by the value of the jump-target argument
    • log - log the packet
    • mark-packet - mark the packet to use the mark later
    • passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets
    • redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
    • return - return to the previous chain, from where the jump took place
    • set-priority
    • src-nat - change source MAC address of a packet (only valid in srcnat chain)
    to-arp-reply-mac-address (MAC address) Source MAC address to put in Ethernet frame and ARP payload, when action=arp-reply is selected
    to-dst-mac-address (MAC address) Destination MAC address to put in Ethernet frames, when action=dst-nat is selected
    to-src-mac-address (MAC address) Source MAC address to put in Ethernet frames, when action=src-nat is selected

    Reverse Proxy on Windows Server

    If you are looking for a way to secure your HTTP server behind a reverse proxy, then use the following:
    • FreeProxy Internet Suite


    Block and Mitigate DDOS attacks on Windows

    I recommend using Anti-DDOS Guardian, which is capable of blocking basic DDOS attacks on systems hosting some sort of HTTP server.

    Anti-DDOS Guardian could be the only software which works well on 64-bit OS from MS Win Server 2003 to Win Server 2008.

    There is another way to do the same by using the WIPFW firewall, a Win32 version of the BSD IPFW firewall. WIPFW will allow you to create firewall policies on advanced TCP flags, which can mitigate DDOS attacks.

    If you are on a 32-bit system running Win Server 2003, go straight for "Sygate Personal Firewall PRO". Sygate can even detect port scans and block them.


    Setting up Mikrotik Hotspot for Internet Billing

    Mikrotik RouterOS provides a very powerful Hotspot Feature. This can be used with the Mikrotik built in Radius server (Userman) or with a remote Radius/Freeradius Server.

    You will need:

    Mikrotik RouterBOARD:


    • Level 4 or better licence (Lower licences will allow only a single Hotspot client)
    • RouterOS 6.x (5.x will also work, but this tutorial is based on v6.7)
    The network will be configured as below. You may need to adjust the IP addresses to suit your needs.
    [Diagram: Mikrotik Hotspot Network]
    Notes:
    The RouterBOARD CPU and RAM will directly affect the performance of your Hotspot, so consider beforehand how many clients you wish to connect.
    A RouterBOARD 750 can comfortably run about 25-50 users.
    In my example I will use a RouterBOARD 532 with one 2.4 GHz WLAN card.


    Step 1: Configure internet access on the router


    Add Router IP Address:
    /ip address add address=10.0.0.2/24 interface=ether1
    Change the IP to match your network configuration

    1. Click on the IP Menu
    2. Click on the Addresses Menu
    3. Click "+"
    4. Enter the IP Address you wish to assign to the router, this will be the outward facing IP, so make sure to select the ethernet interface that will give the router internet access.
    5. Click on "Apply"


    Configure Upstream DNS Server:
    /ip dns set servers=8.8.8.8 allow-remote-requests=yes
    This example uses Google's DNS service. You can easily make use of OpenDNS to implement simple filtering, or use your own DNS servers if needed.

    1. Click on the IP Menu
    2. Click on the DNS Menu
    3. Enter your desired DNS server - here I am using Google's DNS
    4. Click on "Apply"


    Configure Default Route:
    /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

    1. Click on IP
    2. Click on Routes
    3. Click on "+"
    4. Enter 0.0.0.0/0 as the Dst. Address
    5. Enter 10.0.0.1 as the Gateway

    Test:
    Check if you can ping a public IP address such as 8.8.8.8

    1. Click on Tools
    2. Click on Ping
    3. Enter a publicly available address 
    4. Click Start 

    Step 2: Install User Manager and Hotspot

    If you plan to use a stand-alone RADIUS server, you may skip this step.
    Download the firmware package from Mikrotik
    Extract the zip file on your local drive
    1. Make sure that the version of the file matches the version and architecture of your device
    2. Open the Files window on winbox
    3. Drag the "user-manager-X.X-xxxxxx.npk" to the files window.
    4. Do the same for "hotspot-X.X-xxxxxx.npk".
    5. Reboot the router (/system reboot)

    Step 3: Configure interfaces

    First, we need to configure two Bridge interfaces. The first one will be a loopback interface. I have found in the past that if you use the normal loopback address (127.0.0.1), or one of the other static addresses, for the Radius (Usermanager) server, you may experience some difficulties.

    3.1.1 - Create Loopback Bridge
    /interface bridge add name=Loopback
    1. Click on the "Bridge" menu
    2. Click on "+"
    3. Enter "Loopback" for the bridge name
    4. Click "Apply"
    3.1.2 - Add Loopback Bridge IP Address
    I use any unused private ip range for this, it is used simply as an interface to run the RADIUS server on.
    /ip address add address=10.10.0.1/32 interface=Loopback

    1. Click on the IP Menu
    2. Click on the Addresses menu
    3. Click the "+" button
    4. Enter "10.10.0.1/32" as the IP Address
    5. Select the "Loopback" Interface
    6. Click "OK"


    3.2.1 - Create Hotspot Bridge
    If you are planning to run the hotspot on a single interface you may skip this step.
    /interface bridge add name=Hotspot
    1. Click on the "Bridge" menu
    2. Click on "+"
    3. Enter "Hotspot" for the bridge name
    4. Click "Apply"
    3.2.2 - Add Hotspot Bridge IP Address
    I make use of the private 192.168.0.1/24 range for the hotspot network, but you can use whatever is suitable in your setup.
    /ip address add address=192.168.0.1/24 interface=Hotspot




    1. Click on the IP Menu
    2. Click on the Addresses menu
    3. Click the "+" button
    4. Enter "192.168.0.1/24" as the IP Address
    5. Select the "Hotspot" Interface
    6. Click "OK"
    3.2.3 - Add Hotspot Ports to Bridge
    If you would like multiple interfaces to have access to the hotspot, you can repeat this process, only changing the interface each time.
    If you are running on a RouterBOARD 750 or similar, you will need to add the ports that your APs are connected to, to the bridge.
    /interface bridge port add bridge=Hotspot interface=wlan1
    1. Click on the "Bridge" menu
    2. Click on the "Ports" Tab
    3. Click on the "+"
    4. Select the interface you want to add to the hotspot, in my case it is "wlan1"
    5. Select the "Hotspot" bridge
    6. Click "OK"
    3.3 - Configure the Access Point
    If you are using a RouterBOARD 750 or similar, you will not be using this section.
    You may choose to implement security on your access point, but since this is a captive portal, you should not need to use any security. This tutorial will not include any security settings.
    /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g disabled=no mode=ap-bridge ssid=Hotspot
    1. Click on the "Wireless" Menu
    2. Double click on the Wireless Interface that you will be using
    3. Set the mode to "ap-bridge"
    4. Set the band to 2Ghz-B/G (or otherwise if needs be)
    5. Change the SSID to "Hotspot", or whatever suits you.
    6. Click "OK"

    4 - Configure the Hotspot

    /ip hotspot profile
    add dns-name=hotspot.example.com hotspot-address=192.168.0.1 name=hsprof1 smtp-server=192.168.123.4
    /ip hotspot
    add address-pool=hs-pool-7 disabled=no interface=Hotspot name=hotspot1 profile=hsprof1
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip hotspot user
    add name=dexter password=dexter
    1. Click on the "IP" menu. If this option is not available refer to step 2
    2. Click on the "Hotspot" item
    3. Click on "Hotspot Setup". This will start the Hotspot Setup Wizard
    4.1 - The Hotspot Wizard
    1. Select the Hotspot bridge as the Hotspot Interface
    2. Click "Next"
    3. Click "Next" - the address range should be filled in automatically as per our network configuration.
    4. Click "Next" - the address pool should be pre-populated with the right settings
    5. This tutorial will not cover the use of certificates, so you may select "none" and click "Next"
    6. Enter the IP address of your SMTP server. Many providers do not allow use of their SMTP servers outside their own network, so this option allows you to circumvent the SMTP server configured on the client's device in favor of your own. (You may even specify the SMTP server of your own provider in some cases)
    7. Click "Next"
    These are the upstream DNS servers used by the hotspot.
    8. Enter one or more upstream DNS servers; you can use OpenDNS to provide you with a basic filtering service. Here I use Google's public DNS.
    9. Click "Next"
    10. Enter a host name for the local Hotspot. I am using hotspot.example.com, but this could be anything you want.
    11. Click "Next"
    12. Enter a name for your administrative Hotspot user.
    13. Enter a password for your administrative user.
    14. Click "Next"
    15. Click "OK" to complete your hotspot setup.


    Congratulations, you have now set up basic functionality for a Mikrotik Wireless Hotspot; you can create users under "IP->Hotspot->Users". But alas, you still need to configure the Usermanager for a fully featured hotspot.

    Step 5 - Configuring UserManager

    5.1 Setting up the Hotspot to use RADIUS
    1. Click on the "IP" menu
    2. Click on "Hotspot"
    3. Select the "Server Profiles" tab
    4. Double click on "hsprof1"
    5. Select the "RADIUS" tab
    6. Tick the "Use RADIUS" tickbox
    7. Click "OK"

    1. Click on "RADIUS"
    2. Click on "+"
    3. Tick the "hotspot" tickbox
    4. Add the loopback bridge IP to the address field, in this tutorial 10.10.0.1
    5. Choose a secure password (this is the RADIUS shared secret; User Manager must be given the same value)
    6. Click "OK"

    1. Using your browser of choice, connect to http://router-ip/userman
    2. Click "Log In" - The default username is admin with no password
    1. Once you have logged in, click on the "Routers" menu
    2. Click "Add" then "New"
    3. Enter "Local Router" as the name
    4. Enter the Loopback Bridge IP address
    5. Enter the password you chose earlier.
    6. Click "OK" 

    Your Mikrotik Hotspot should now be able to communicate with the Usermanager Radius Server. You can now proceed to set up profiles and users on the user manager interface.
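    The hotspot and User Manager trust each other only through that shared secret: the NAS hides the user's password with it and checks the server's reply with it. The following added example (not part of this tutorial or of RouterOS) builds both sides of a PAP Access-Request/Access-Accept exchange as specified in RFC 2865, using a constructed secret and the "dexter" account from the configuration above, so you can see why a mismatched secret yields a failed password check on the server and a rejected reply on the router.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this demo: the same value is entered in RouterOS under
# /radius ("Secret") and in User Manager's "Routers" entry (placeholder only).
SECRET = b"hypothetical-shared-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; keys are chained from the *hidden* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # Type, Length, Value


def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int):
    """NAS (hotspot) side: Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    req_auth = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a different secret fails here."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

    On the router, /radius monitor 0 shows request, accept, reject and timeout counters, a quick way to confirm the hotspot and User Manager are actually exchanging packets rather than silently timing out.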

    Install a new Login template on your hotspot:

    Download my favourite Sample Template from Here:


    1. Connect to your Mikrotik router using winbox
    2. Open the "files" window
    3. Drag the "hotspot" folder from the zip file onto the root of your router's file system


    Broadband Internet Billing Solutions for ISPs. Also applies to "Bandwidth Management Solutions for ISPs, i.e. Internet Service Providers".

    1. Inventum: 

    Headquartered in India, Inventum provides Unify SMP, a cloud-based system with user licences subscribed on an as-needed basis.


    The system works in conjunction with the Provider Edge Server, which controls the bandwidth and provides AAA by communicating with the central cloud server.


    The Inventum UNIFY™ Cloud service is a hosted version of the UNIFY Service Management Platform ISP Edition. The solution is ideal for Wi-Fi hotspot venues, ISP & WISP networks looking to target 100 to 10,000 users.
    The cloud service is a zero investment, no compromise, quick-start solution that enables network owners to go live in 24 to 48 hours.

    Two Editions

    Public Cloud

    • Hosted by Inventum in their data center
    • Start with as little as 100 users/subscribers
    • Shared access to a common UNIFY installation with guaranteed privacy of data
    • Full featured AAA that works with Inventum's Service Controller & other approved access controllers (NAS)
    • Prepay & Postpaid Billing with usage metering.
    • Branded captive portal with self-service website for subscribers
    • Integrated shared credit card gateway for collecting payments.
    • Mobile SMS messaging engine for password delivery & other customer care purposes.
    • Use Inventum Service Routers & Controllers or choose from the wide variety of supported routers.

    Private Cloud

    • Hosted on customer servers, managed by Inventum
    • Commitment of 10,000+ users/subscribers and 2 year contract
    • Exclusive UNIFY installation on servers at customer's premises – no sharing
    • Full featured AAA that works with Inventum's Service Controllers & other approved access controllers (NAS)
    • Fully customize billing & charging requirements.
    • Branded captive portal with self-service website for subscribers
    • Interface with your own banking & payment gateways
    • Interface with mobile SMS provides for PIN delivery & mobile originated customer workflows
    • Support for advanced mobile data offload integrations, for example EAP-SIM based authentication of Wi-Fi devices in hotspots.

    Key Features

    • Subscriber Management: Maintain your entire subscriber database in the cloud. Create accounts, organize into groups & hierarchies. The subscriber database is integrated with billing, charging & a self care portal which are also part of the UNIFY Cloud.
    • AAA: Hosted authentication, authorization & accounting system that uses standard RADIUS & complies with all major IETF RFCs. Use Inventum's controllers or other authorized Network Access Server (NAS) to control & meter user sessions. Supports prepay & postpaid billing. Pre-integrated with other modules of the UNIFY. Completely browser managed.
    Unify SMP

    OLD Control Panel
    • PrePay Charging: Charge your customers using real-time, prepay service plans. All plans can support rate-limits, daily/monthly quotas, fair-usage policy controls & more. Automatic disconnection on balance expiry. In-session bandwidth downgrade. Peak & off-peak, day-of-week policies can also be set up on the UNIFY Cloud.
    • Voucher System: PIN & one-time-password (OTP) generation & management. Generate voucher series & print or distribute electronically. Track inventory of vouchers including cancellation, usage & unused balances.
    • Manage Resellers: Appoint resellers & link to your cloud account. Each reseller will have their own administrative portal where the parent operator may selectively enable functions including service plans to be sold by reseller. Track every action of the reseller including subscribers & their services.
    • Self-Care Portal: Each customer can log in to the cloud service (e.g. my.yourisp.com) & manage their subscriptions, recharge services, check usage, inspect charges & raise support tickets.

    2. 24Online: 


    24online is a product of Elitecore Technologies which is a part of Sterlite Technologies Limited, a leading global provider of solutions for the high-speed data transmission and power transmission networks.

    Authentication, Authorization & Accounting (AAA):

    The 24online comprehensive solution is available with an inbuilt standard RADIUS server which supports PPPoE, RADIUS, and SOAP protocols. 24online AAA is designed and developed to support WiMAX, Wi-Fi, Dialup/Broadband and IMS with a centralized subscriber database and policy management. 24online AAA provides authorization based on IP and MAC addresses and comprehensive accounting based on time, duration, and usage.

    Billing Management 

    The 24online billing control solution offers prepaid and postpaid billing functions with a single-invoice facility for multiple services. 24online offers flat, flexible billing packages with peak and off-peak billing supported by pulse-based rating. Internet service providers can offer promotions and discounts as well as launch date-, time- and usage-based packages with carry-forward facilities. It also allows invoices to include service components and to configure them for taxes as well as ancillary charges.

    Bandwidth and QoS Management

    24online supports committed bandwidth allocation (CIR) and burstable bandwidth allocation (CBR) offering high quality service to high-valued enterprise customers. Variable bandwidth allocation based on hours/days and data usage supports customized services.

    Subscriber Management

    The 24online subscriber management system lets service providers manage an unlimited number of users in a dynamic network with user addition/update/deletion functions, user migration facilities and a user authentication process. 24online's subscriber management system is a highly flexible solution which is pre-integrated with external databases such as LDAP and Active Directory to fetch user details and avoid re-creating users.

    Access Gateway

    24online's comprehensive access gateway acts as the gateway between the RADIUS server and the end user. The access gateway acts as the front end for all user requests and communicates with the RADIUS server to handle authentication and authorization requests. It also offers an in-built DHCP service along with NAT (Network Address Translation) features that map dynamic IP addresses to static public IPs. With the help of the access gateway's basic firewall, you can restrict access to certain IP addresses or domain names, or block certain traffic by blocking several kinds of "Denial of Service attacks". It also prevents any unauthenticated traffic from accessing the Internet, as all incoming connections from the Internet are restricted using captive portal capabilities.

    Captive Portal Capabilities

    Captive Portal enables service providers to create different types of login templates in the system. With the help of 24online captive portal features, service providers can create pool-wise, zone-wise, SSID-wise and location-wise captive portals for their subscriber base. It makes the user login process more attractive with the various features provided and offers an advertising platform for increasing market reach.

    Role based Multiple Level Administrations

    24online provides differential levels of controls through multiple administrator and user level controls. It enables role-based administration and creation of an administration for each zone.

    https://drive.google.com/file/d/0B55kPL-Md6gYYWpwY3Z0NGlSRUE/view?usp=sharing



    3. IPAcct:

    IPAcct is an easy-to-maintain AAA solution with a very simple web UI. Pricing of this system is based on the number of IP addresses served by the AAA server.

    IPAcct Admin Login Panel
    IPAcct provides all the functionality 24Online Provides, so I'm skipping copy/pasting the same details again. 
    IPAcct Customer Information Portal
    IPAcct seems to have an online demo system available. You can find that here:

    4. Synnefo: 

    SYNNEFO Internet Management Software is the ideal tool to manage all aspects of Internet Management, a tool for Internet operators and managers.



    Synnefo is a two-year-old company dedicated to developing software for ISP solutions. The Synnefo IMS is PHP-based software which uses Mikrotik's RADIUS server as its backend and does QoS using Mikrotik queuing.


    1. Synnefo is capable of running PPPoE and of acting as a Hotspot captive portal using Mikrotik's HotSpot functionality.
    2. The billing information, however, is stored in a central server running in the Synnefo cloud and works in conjunction with the Provider Edge Mikrotik router.



    Other Honorable Mentions:

    1. Log2Space
    2. Zima Radius

    Reset a UBNT device back to factory defaults. This also applies to "Reset Ubnt password even when the Reset Button is disabled in Software".

    If you already tried resetting your device to factory default values with the reset button and you can't access the unit, we recommend that you perform a TFTP recovery.

    Note: The firmware file to use depends on which firmware is compatible with your product.

    Steps


    Requirements:
    • A narrow tool to press down reset button (like the pin of a headset or paper clip).
    • TFTP client running on PC
    • Latest AirOS firmware file (you can download it from http://www.ubnt.com/download)

    Note: this guide refers to a PC running Windows, but is easily applicable to any other OS.
    IMPORTANT!
    • Do not switch off, do not reboot and do not disconnect the device from the power supply during the firmware upgrade process, as these actions will damage the device!

    Recovery procedure 

    Windows Users

    1. Make sure that the radio responds to pings (run ping 192.168.1.20 from a DOS window); if it does not, go back to the first step.



    2. First, power off the device.
    3. Configure your computer: Windows PC's Ethernet must be configured manually with the following settings (under Network Connections):
      IP Address: 192.168.1.254, Subnet Mask : 255.255.255.0
    4. Connect your radio to the PC.
    5. Begin by pressing the reset button. Keep holding, then power the unit on. Wait 8 seconds then release the button (if you want to reset the unit to factory defaults, wait about 15 seconds or until the signal LEDs light up to indicate that the device is ready for recovery.)
    6. Upload the firmware image file (.bin) to 192.168.1.20 using TFTP client software in binary mode. Use the Windows integrated command-line TFTP client or download a third-party utility to upload the AirOS firmware. Below are two examples:
      1. Windows Alternative 1: From Windows PC, you can use TFTP command line from a DOS window (START>>>CMD):



        Change into the directory that holds the firmware (e.g., assuming you have stored the image files in the c:\firmware directory, type the command: cd c:\firmware) and enter the following (for help type TFTP -h), e.g.:

        tftp -i 192.168.1.20 put XS2.ar2316.v3.4-rc.4351.090504.2146.bin
      2. Windows Alternative 2: Download and execute tftp2 and configure it as in the image to upgrade.


    7. Signal LEDs will keep blinking one by one in 4 different colors during firmware upgrade. Wait for about 7-10 minutes (devices and firmware depending) - do not power off the device during the procedure!

    Linux Users

    Generic Linux distributions have an integrated command line TFTP client. From a PC running Linux, you can upload via TFTP by typing into Terminal the following commands:
    root@ubuntu:tftp 192.168.1.20
    tftp> bin
    tftp> trace
    tftp> put XS2.ar2316.v3.4-rc.4351.090504.2146.bin
    Sent 1965199 bytes in 35.2 seconds
    tftp> exit