Top

Articles in this section

MikroTik Manual Gateway Setup Guide

Follow

ElevenOS supports two mode of operation with MikroTik gateways:

  • Managed mode with MikroTik Manager
  • Manual setup

In managed mode, ElevenOS’s MikroTik Manager service is used to manage the MikroTik gateway’s configuration. See ElevenOS-MikroTik Manager for an introduction to the service and Basic Configuration to MikroTik Manager to get started.

Managed mode is the preferred mode of operation, but may not be suitable in some scenarios (e.g. where the gateway is already managed by other tools). In these instances, the gateway may be manually configured to add the required gateway configuration settings to enable it to support the ElevenOS guest hotspot service.

This document details the manual setup process of MikroTik gateway. Once completed, the gateway will support the ElevenOS guest portal service. The setup process requires several configuration updates, including:

  • Addition of hotspot files
  • Installation of certificate files
  • Creation of hotspot services
  • Addition of walled garden entries
  • HTTPS service enablement
  • Firewall rule modification

In addition to the configuration applied to the MikroTik gateway, device records must also be added within ElevenOS to Service Areas that the gateway serves. The device record setup process is also provided in this document.

 

 

Requirements

 

Create a Device Record

A device record is required for each Service Area configured for a site within ElevenOS. A site with multiple Service Areas will require a MikroTik device record per Service Area. The process to add a MikroTik device record is shown below:

  1. In ElevenOS, go to the Service Area level Org of the Site
  2. Click Setup > Devices
  3. Click Create and select MikroTik Gateway

 

Basic Details

new-mikrotik-gateway.png

  1. Gateway ID: auto generated to match service area ORG ID
  2. Gateway Address: add the NAS IP address
  3. Local Post URL: https://zqqwqihz.gatewayauth.com (this is the same for all service areas)
  4. RADIUS CoA Port: 3799 or a custom port if required
  5. Click Create

 

Configure the MikroTik Gateway

The following steps must be completed on the MikroTik gateway to enable ElevenOS guest portal service support. It is recommended that this configuration is completed using the MikroTik administration tool Winbox.

Alternatively, the gateway may be configured using the web UI of the MikroTik gateway. The configuration pages will differ slightly from those shown in this guide, but are broadly similar.

The screenshots provided in this guide use Winbox v4, as it may be used across multiple operating systems. If using Winbox v3, you will notice differences in the appearance of the pages shown and the location of some options and controls.

 

Set Gateway Identity

The system identity of the MikroTik gateway must be set to the MAC address of the gateway’s first physical interface (usually ether1).

  1. In Winbox, click Interfaces and then double-click the first physical interface
  2. Copy the MAC address interfaces-mac-address.png
  3. Click System > Identity
  4. Add the copied MAC address into the Identity field system-identity.png
  5. Click OK

 

Configure AAA Services

ElevenOS RADIUS server details must be configured, together with incoming CoA details.

 

RADIUS Server

Add three RADIUS server entries.

Server Entry 1 (RADIUS authentication and accounting):

  1. In Winbox, click RADIUS
  2. Click New
    radius-new.png
  3. Use the nslookup (or similar) command on your local laptop to resolve the 11OS RADIUS server IP address rad.11os.com
  4. Add RADIUS server details:
    1. Enabled: checked
    2. Service: hotspot
    3. Address: resolved IP address for rad.11os.com
    4. Secret: ElevenRules
    5. Authentication Port: 1812
    6. Accounting Port: 1813
    7. Timeout: 10000
  5. Click OK

Server Entry 2 (CoA):

  1. Click New
  2. Add RADIUS server details:
    1. Enabled: checked
    2. Address: 52.39.117.1
    3. Protocol: UDP
    4. Secret: ElevenRules
  3. Click OK
    server-entry-2.png

Server Entry 3 (CoA):

  1. Click New
  2. Add RADIUS server details:
    1. Enabled: checked
    2. Address: 52.41.52.0
    3. Protocol: UDP
    4. Secret: ElevenRules
  3. Click OK
    server-entry-3.png

Final RADIUS entries summary:

final-radius-server-entries-summary.png

 

CoA Service

  1. In Winbox, click RADIUS > Incoming
  2. Click the Accept checkbox
  3. Port: 3799
    radius-accept.png
  4. Click OK

 

Add Firewall Rules

  1. In Winbox, click IP > Firewall > New
  2. Click Enabled
  3. Chain: Input
  4. Protocol: 17 (udp)
  5. Dst. Port: 3799
  6. In. Interface: ether1 (or the interface that is being used for the gateway WAN connection)add-firewall-rules.png
  7. Click OK
  8. Drag the new rule to the second position in the rules table after it is created

 

Upload Hotspot Files

A custom set of hotspot files are required on the MikroTik gateway to redirect guests to ElevenOS guest portals. They are attached to this help article as a file named hotspot.zip. Only one instance of these files is required on the gateway, and they may be used by all hotspots created on the gateway.

When the zip file is downloaded and unzipped, it creates a single folder called hotspot. Upload the hotspot folder (and its contents) to the MikroTik flash directory (or the root if not available). This can be achieved using a file transfer utility such as FTP, or by using the Upload link in the Files page of Winbox. Note that the folder and file structure must be maintained when uploading the hotspot folder.files-upload.png

 

Install Certificates

Install the two certificate files attached to this help article on the MikroTik Gateway.

  1. Download the two certificate files, found attached the bottom of this help article
    1. server.key
    2. mikrotik.crt
  2. In Winbox, go to Files > Upload and move the certificates to the root directory
  3. Click System > Certificates
  4. For each certificate file, click Import
  5. No passphrase is required, click Import install-certificates.png

 

Create Hotspot Profile(s)

A hotspot profile is required for each Service Area.

  1. In Winbox, click IP > Hotspot > Hotspot Server Profile
  2. Click New
  3. Add the following details:
    1. Name: ElevenOS Org ID for the Service Area
    2. DNS Name: zqqwqihz.gatewayauth.com
    3. HTML directory: flash/hotspot
    4. Login By: HTTPS
    5. SSL Certificate: Select the certificate with the zqqwqihz.gatewayauth.com common name in the certificate listing in System > Certificates
    6. Use RADIUS: checked
    7. MAC format: XX:XX:XX:XX:XX
    8. Accounting: checked hotspot-profile.pnghotspot-profiles-second-image.png
  4. Click OK

 

Create Hotspot Servers

A hotspot server is required for each hotspot server profile.

  1. In Winbox, click IP > Hotspot > Hotspot Servers
    1. Name: Add the Org ID of the Service Area for this hotspot
    2. Profile: Select the profile matching the Service Area for this server create-hotspot-server.png
  2. Click OK

 

Configure Default User Profile for the Hotspot

To enable concurrent users, you must configure the Default User Profile in the MikroTik:

  1. In Winbox, click IP > Hotspot > User Profiles > default
  2. Remove the Shared Users value
  3. Click Apply

 

Add Walled Garden Entries

Multiple walled garden entries are required to allow access to Eleven resources prior to guest authentication.

First, add the entries for the Walled Garden:

  1. In Winbox, click IP > Hotspot > Walled Garden
  2. Click New and add the following:
    *.11os.com (dest port 443)
*.guestinternet.com (dest port 443)
*.gatewayauth.com (dest port 443)
*.boingomedia.com (dest port 443)
spreedly.map.fastly.net (dest port 443)

walled-garden.png

Next, add the entries for the Walled Garden IP List:

  1. In Winbox, click IP > Hotspot > Walled Garden IP List
  2. Click New and add the following:
    secure.11os.com (tcp/dest port 443)
secure.guestinternet.com (tcp/dest port 443)

walled-garden-ip-list.png

Enable www-ssl Service

The www-ssl service must be enabled and must use the previously installed certificate.

  1. In Winbox, click IP > Services
  2. Select the www-ssl service and click Enable
  3. Double-click the www-ssl entry and set the certificate in the Certificate dropdown. Choose the certificate that uses the zqqwqihz.gatewayauth.com common name field (verify this in System > Certificates)enable-ssl.png

 

Disable Fasttrack Connection Firewall Entry

A gateway restored to factory default will have a fasttrack connection rule in its firewall. This rule must be disabled if it is present.

  1. In Winbox, click IP > Firewall > Filter Rules
  2. Select and disable the fasttrack connection rule if it is presentdisable-fasttrack.png

 

Configure Guest Logout

Configure a logout method for guests. This allows guests to log out of the wireless network by entering logout.net in the address bar of a browser on a connected device. 

  1. In Winbox, click IP > DNS > Configuration > Static
  2. Verify that the static entry for zqqwqihz.gatewayauth.com is present
  3. Click New and add the following: 
    1. Enabled: checked
    2. Comment: logout.net CNAME
    3. Name: logout.net
    4. Regexp: <empty>
    5. Type: CNAME
    6. TTL: 0
    7. CNAME: zqqwqihz.gatewayauth.com
  4. Click OK

Repeat this process on any additional gateways that are in High Availability mode.

 

Support

We offer best-endeavors support for the addition of guest portal configuration where gateways have an existing configuration which may interfere with the operation of the guest portal solution. If issues occur that require detailed analysis of an existing configuration, we may ask for the gateway to be reverted to a factory default configuration before we can provide assistance.

Please click Submit a request to contact our support team.

 

Related articles