5 Messages • 112 Points

Tue, May 10, 2016 6:18 PM

Mikrotik Hotspot + Zone Director

I have an installation that consists of the following.

1 Mikrotik Gateway
3 Mikrotik Point to Multipoint Antennas
10 Mikrotik Bridges connected to the PTMP antennas
1 Zone Director
22 APs distributed through 10 buildings.

Problem: When I enable captive portal (hotspot) on the Mikrotik, guests connected to the Ruckus APs do not get redirected (get a no internet browser error). When a guest connects directly to the main inside switch or the ethernet port of a bridge antenna, they get the splash page right away.

We even tried putting a ZoneFlex AP directly behind the main inside switch, plugging into one of its spare ports, only to find the same error. The browser tries to go to the splash page but cannot. If we have an autonomous AP, the user gets the splash page right away, so it seems to be a problem with the ZoneDirector.

Does anyone have any experience with Mikrotik Hotspot + Zone Director? Any help would be appreciated.

Regards,

Derek

Responses

74 Messages • 1.6K Points

4 years ago

I've done that several times and it works perfectly!

What is probably happening is that you are running the hotspot and the AP management on the same VLAN (or no VLANs at all). That is generally a bad idea since it means the hotspot clients will be on the same network as the AP and controller management and can attempt a brute force attack.

Besides, MikroTik Hotspot does ARP proxying on the interface, so the APs are being sucked into Mikrotik's captive portal when they try to reach the controller. This results in the APs not being able to reach the controller and therefore not being able to allow clients to connect.

Solution: leave the AP management on the native VLAN (VLAN 1 on Ruckus, physical interface on MikroTik) and create a separate VLAN for your guest network, enable hotspot on the VLAN only, and set the SSID to the same VLAN.
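
The layout suggested in the reply above, sketched as a RouterOS configuration. This is an added example, not part of the thread; the interface name `ether2`, VLAN ID 20 and the subnets 10.20.0.0/24 (guests) and 192.168.88.0/24 (AP/controller management) are assumptions to adapt to the actual site.

```routeros
# Assumed: ether2 is the MikroTik port facing the inside switch. AP and
# ZoneDirector management stays untagged on ether2 (native VLAN), with
# NO hotspot bound to ether2 itself.

# Tagged guest VLAN on top of the physical interface (VLAN ID assumed)
/interface vlan
add name=vlan-guest vlan-id=20 interface=ether2

# Gateway address for the guest subnet (assumed 10.20.0.0/24)
/ip address
add address=10.20.0.1/24 interface=vlan-guest

# DHCP for guests only, served on the VLAN interface
/ip pool
add name=guest-pool ranges=10.20.0.10-10.20.0.254
/ip dhcp-server
add name=guest-dhcp interface=vlan-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# Hotspot bound to the guest VLAN only, so the APs on the untagged
# management network are never captured by the portal
/ip hotspot profile
add name=guest-prof hotspot-address=10.20.0.1
/ip hotspot
add name=guest-hs interface=vlan-guest address-pool=guest-pool profile=guest-prof disabled=no

# Keep guests away from the management subnet (assumed 192.168.88.0/24).
# Rule order matters: this must sit above any broader accept rule.
/ip firewall filter
add chain=forward in-interface=vlan-guest dst-address=192.168.88.0/24 action=drop comment="guests -> AP/ZD management"

# On the ZoneDirector, set the guest WLAN's access VLAN to the same ID (20).
# Every switch and bridge between the APs and the MikroTik must pass the
# tagged VLAN.
```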

5 Messages • 112 Points

Thanks for the quick reply, Andrea. In our trial and error, it seems enabling Option 82 on the WLAN on the ZD worked (we were able to get the login page). The only problem is that it only works when full client isolation is disabled (local is enabled), even after taking your suggestion to move the users to a VLAN not on the AP management subnet.

Any suggestions? (Just having local client isolation isn't sufficient for this installation.)

Regards and thanks for your help!

74 Messages • 1.6K Points

I think Option 82 was pure coincidence. Enabling Option 82 merely adds the AP's name or MAC (don't remember which one) to the client's DHCP request. I don't think it's related in your case. MikroTik's DHCP server simply ignores it.

... but now you mentioned Client Isolation, which could be your root cause. Simply turning on Full Client Isolation without creating a whitelist will block ALL traffic, even traffic going from the clients to the default gateway (the MikroTik)! Go to the Access Control section on the ZD and create a Client Isolation Whitelist. In it, specify the MAC and/or the IP of the gateway and apply it to the SSID via the drop-down box. This will block ALL traffic except what you specify in the whitelist.

5 Messages • 112 Points

Thanks, I don't see a Client Isolation whitelist. Do I use the L3/4/IP address Access Controller and put the IP of the MikroTik in here? Also, under Configure > WLAN > Access Control the L3/4/IP is greyed out. Should I just enter the MAC in the ACL, and if so, should I enter the Mikrotik bridge MAC or a specific port MAC? Sorry for the questions, you're a great help!

74 Messages • 1.6K Points

Close, but no, not the L3/4 Access Control, that's something else altogether.

Which ZD version are you running?  On 9.7 onwards you should be seeing this ....

5 Messages • 112 Points

Ah I see, no, we don't have that option (running 9.5.2.0 - 15). Will adding the MACs to the L2/MAC Access Control and applying that ACL to the WLAN help, or do we need to upgrade the ZD?

Thanks