Mikrotik Hotspot + Zone Director

I have an installation that consists of the following.

1 Mikrotik Gateway
3 Mikrotik Point to Multipoint Antennas
10 Mikrotik Bridges connected to the PTMP antennas
1 Zone Director
22 APs distributed through 10 buildings.

Problem:  When I enable captive portal (hotspot) on the Mikrotik - Guests connected to the Ruckus AP's do not get redirected (get a no internet browser error).  When a guest connects directly to the main inside switch or the ethernet port of a bridge antenna right away they get the splash page.

We even tried putting a ZoneFlex AP directly behind the main inside switch, plugging into one of its spare ports, only to find the same error.  The browser tries to go to the splash page but can not.  If we have an autonomous AP, the user gets the splash page right away so it seems to be a problem with the ZoneDirector.

Does anyone have any experience with Mikrotik Hotspot + Zone Director, any help would be appreciated.

Regards,

Derek
HighSpeed Systems


Posted 1 year ago

Andrea Coppini

I've done that several times and works perfectly!

What is probably happening is that you are running the hotspot and the AP management on the same VLAN (or no VLANs at all). That is generally a bad idea since it means the hotspot clients will be on the same network as the AP and controller management and can attempt a brute force attack.

Besides, MikroTik Hotspot does ARP proxying on the interface, so the APs are being sucked into Mikrotik's captive portal when they try to reach the controller. This results in the APs not being able to reach the controller and therefore not being able to allow clients to connect.

Solution: leave the AP management on the native VLAN (VLAN 1 on ruckus, physical interface on MikroTik) and create a separate VLAN for your guest network, enable hotspot on the VLAN only, and set the SSID to the same VLAN.
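The MikroTik side of the layout described above, as an added example in RouterOS CLI (not taken from the thread or from either vendor's documentation); the trunk port name ether2, VLAN ID 20 and the 10.20.0.0/24 guest subnet are assumed placeholders.

```routeros
# Added example, not from the thread. Assumed values: ether2 is the trunk
# toward the inside switch / ZoneDirector, VLAN 20 is the guest VLAN and
# 10.20.0.0/24 is the guest subnet. Substitute your own.

# 1. Guest VLAN sub-interface on the trunk port. ether2 itself is left
#    untouched, so AP and ZoneDirector management stays untagged on the
#    physical interface and outside the hotspot.
/interface vlan
add name=vlan20-guest vlan-id=20 interface=ether2

# 2. Addressing and DHCP only on the guest VLAN.
/ip address
add address=10.20.0.1/24 interface=vlan20-guest
/ip pool
add name=guest-pool ranges=10.20.0.10-10.20.0.254
/ip dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# 3. Hotspot bound to the VLAN interface only. Binding it to ether2 is the
#    misconfiguration the question describes: the APs' traffic toward the
#    controller is then intercepted by the portal.
/ip hotspot profile
add name=guest-prof hotspot-address=10.20.0.1
/ip hotspot
add name=guest-hs interface=vlan20-guest address-pool=guest-pool \
    profile=guest-prof disabled=no

# 4. Check: the hotspot list must show only the VLAN interface, never
#    ether2, and the host table must contain guest addresses only, no APs.
/ip hotspot print
/ip hotspot host print
```

For this to work end to end, the switch ports toward the APs, the PTMP links and the bridge antennas must carry VLAN 20 tagged alongside the untagged management VLAN, and the guest WLAN on the ZoneDirector is assigned VLAN 20.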
HighSpeed Systems

Ah I see, no we don't have that option (running 9.5.2.0 - 15).  Will adding the MACs to the L2/MAC Access Control and applying that ACL to the WLAN help, or do we need to upgrade the ZD?

Thanks
Andrea Coppini

Then you will have to use Local Client Isolation which will block traffic between two devices on the same APs, but won't block traffic between two devices on different APs... not ideal, but at least it's something.

I remember we used to have a 'Full' Client Isolation option on the pre-9.7 ZDs, but to be honest I don't remember how it worked exactly... check the User Guide.

L2/MAC ACL is to block/allow specific WiFi devices to connect to the SSID, not what you want.
HighSpeed Systems

Thanks, that's great information!  We'll upgrade a ZD/test this in the lab and will post back if we have any more issues.

Thanks for all your help!

Derek
Mitchell Axtell

Full client isolation in pre-9.7 blocked on L3 (IPs, not MACs).  Enabling it without a whitelist allowed certain traffic through, but wasn't enough for a captive portal.  Ruckus support couldn't tell me which ports were allowed.

9.7's full client isolation works a lot better, and forces you to define a whitelist.


Also, a note about local: it's per RADIO, not per AP.  I'm not sure if it has been fixed recently, but in 9.7 and earlier it will only isolate you from the clients on the radio itself.  If you are connected to the 2.4, you can see all clients on the 5, and vice versa.


For this reason alone we have been moving to full client isolation.
