Creating a Hotspot Gateway with RouterOS

Date: Nov 2, 2009. By Eric Geier. Article is provided courtesy of Cisco Press.
You already turned your PC into an enterprise router and LAN server. In this tutorial, Eric Geier, author of Wi-Fi Hotspots: Setting Up Public Wireless Internet Access, continues by showing how to set up the integrated hotspot gateway. You learn how to get a captive portal working and customized.

In earlier tutorials, you discovered RouterOS, an open source operating system that can make your generic PC into an advanced, enterprise-type, router and LAN server.

In the article "Turn an Old PC into a LAN Server with RouterOS: Part 1," you put together the computer, installed the Linux-based software, and did some initial configuration.

In "Turn an Old PC into a LAN Server with RouterOS: Part 2," you set up the DHCP server to handle the IP addresses, enabled NAT to share the Internet, and configured the wireless interface for Wi-Fi access.

Now you will experiment with the hotspot features. If you want to offer wireless Internet to the public, this tutorial will get you started.

Configuring the Hotspot Server

First, make sure that you configured the Internet connection on its interface and created an IP on another interface for the LAN/hotspot. (We discussed this in Part 1 of this tutorial series.)

Now you can configure a hotspot server on the LAN/hotspot interface with the WinBox utility. Follow these steps:

  1. Click IP > Hotspot.
  2. Click the Hotspot Setup button to open the wizard.
  3. Select the interface that the switch or AP for the hotspot network will be connected to and then click Next.
  4. Verify the IP of the server, which should be the address you created for the LAN/hotspot interface, and click Next.
  5. Verify the IP range that's automatically chosen for the hotspot users and click Next.
  6. Ignore the server certificate setting, at least for now, and click Next.

     It's best to secure your hotspot login pages with SSL encryption when users are logging in with unique accounts; otherwise, the account credentials could be easily sniffed by eavesdroppers on the network. When accepting payments, encryption is a must! You'll see how to get this all set up a bit later.

  7. Unless you are running your own SMTP email server or are using a service, ignore the setting and click Next.

     To prevent people from sending junk or illegal email from your Internet connection, you should block the port used for outgoing email (25), which I'll discuss later. However, so users aren't forced to use only web-based mail applications, you can list your own SMTP server that better controls usage, preventing them from sending tons of email.

  8. Verify that the DNS server address from your Internet connection is entered and click Next.
  9. If you prefer that your users see a DNS (domain) name instead of the gateway's IP when logging in, you can create one here and click Next.

     You can essentially just make up a domain name, such as hotspot.yourcompanyname.com. If nothing is entered, your IP address will automatically be used.

  10. Finally, create a hotspot user so you can log in; then click Next.

After completing the Hotspot Setup Wizard, you should get a disconnect prompt from WinBox. That means the hotspot captive portal is working. To receive network and Internet access, you must log in with the account you created via the Web browser.
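The same result can be produced from the RouterOS terminal, which is useful for scripting a build or for checking what the wizard actually created. The following is an added example written for this page and is not the article's own configuration or a MikroTik-supplied script; the interface name (ether2), addresses, DNS name, user account and mail-server address are constructed assumptions, and the syntax follows the RouterOS v6 command tree, which may differ slightly from the release the article was written against.

```routeros
# Added example: CLI equivalent of the Hotspot Setup wizard steps above.
# Assumptions (constructed): LAN/hotspot interface ether2 at 192.168.88.1/24,
# upstream DNS 203.0.113.53, own mail server 203.0.113.25.

# Step 5: address pool that hotspot clients are leased from
/ip pool add name=hs-pool-1 ranges=192.168.88.2-192.168.88.254

# DHCP server on the hotspot interface handing out that pool; clients use
# the router itself as their DNS forwarder
/ip dhcp-server add name=dhcp-hotspot interface=ether2 address-pool=hs-pool-1 lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Step 8: upstream DNS. allow-remote-requests lets clients resolve through the
# router, so make sure the WAN interface is firewalled for UDP/TCP 53 or the
# box becomes an open resolver.
/ip dns set servers=203.0.113.53 allow-remote-requests=yes

# Steps 4, 6, 7 and 9: server profile. http-chap hashes the password in the
# browser instead of sending it in the clear; https is added once a CA-signed
# certificate has been imported. smtp-server redirects client port-25 traffic
# to the mail server you control.
/ip hotspot profile add name=hsprof1 hotspot-address=192.168.88.1 dns-name=hotspot.example.com login-by=http-chap,cookie html-directory=hotspot smtp-server=203.0.113.25

# Step 3: the hotspot server bound to the chosen interface
/ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool-1 profile=hsprof1 disabled=no

# Step 10: the first login account (use a strong password in practice)
/ip hotspot user add name=firstuser password=ChangeMe-123 profile=default

# Step 7 follow-up: only the mail server you control may receive outbound
# SMTP from hotspot clients; everything else on port 25 is dropped so the
# connection cannot be used as a spam relay.
/ip firewall filter add chain=forward in-interface=ether2 protocol=tcp dst-port=25 dst-address=203.0.113.25 action=accept comment="hotspot: own SMTP server only"
/ip firewall filter add chain=forward in-interface=ether2 protocol=tcp dst-port=25 action=drop comment="hotspot: drop other outbound SMTP"

# Verify what was created
/ip hotspot print
/ip hotspot profile print
/ip firewall filter print where dst-port=25
```

Run `/ip hotspot print` and `/ip hotspot profile print` after the wizard as well; comparing the output with the commands above shows exactly which objects the wizard created and which settings (login methods, SMTP redirect) it left at defaults.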

Enabling SSL Encryption

If you want to encrypt the hotspot pages because you're requiring payments or accounts on your hotspot, it's best to purchase a certificate signed by a certificate authority (CA) rather than create your own self-signed certificates for free. This is because users will see a warning/error in their Web browser unless your hotspot server is using a certificate issued by a CA recognized by their browser.

To get started, you must create a certificate signing request (CSR) with RouterOS from the command line, either at the server PC or in a new terminal window in WinBox.

Run the following command:

/certificate create-certificate-request

You'll be prompted to enter a name for the file that the CSR and private key will be written to; the default filenames should be fine.

You'll also create a passphrase for the private key. Next, use the default RSA key bits value. Then you'll be asked the general CSR questions.

Now you need to download the CSR and private key files with an FTP client, such as FileZilla, by connecting to the RouterOS IP with your administration account credentials.

You can use the CSR to order your certificate from a CA such as GoDaddy, RapidSSL, or Thawte.

Once you have the signed certificate, upload it via FTP. Then run the following command:

/certificate import file-name=thecertificatesfilename

Then you have to type the passphrase you created for the private key when making the CSR.

In WinBox, click IP > Services, double-click the www-ssl entry, select the certificate, and click OK.

Back on the IP Service List, click the www-ssl entry and click the checkmark button to enable it.

Now to enable SSL for your hotspot, edit your hotspot server profile to allow HTTPS logins and select your certificate.
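The import, service and profile steps above can also be done from the terminal, which makes it easier to confirm that the certificate actually carries its private key before clients depend on it. The following is an added example, not the article's own commands; the file names, the imported certificate name (RouterOS derives it from the file name, so check `/certificate print` for the real one), the subnet and the profile name hsprof1 are constructed assumptions, and the syntax follows the RouterOS v6 command tree.

```routeros
# Added example: CLI version of the certificate import and HTTPS steps.
# Assumptions (constructed): signed certificate uploaded as
# hotspot.example.com.crt, hotspot subnet 192.168.88.0/24, profile hsprof1.

# 1. Import the CA-signed certificate. The private key was generated on the
#    router with create-certificate-request, so it is already present; you are
#    prompted for the passphrase chosen at that time. If the key had been made
#    elsewhere, import its file the same way.
/certificate import file-name=hotspot.example.com.crt

# 2. Check the result. The entry should carry flag K (private key present);
#    without it the www-ssl service cannot serve the certificate at all.
/certificate print detail

# 3. Attach the certificate to the www-ssl service and enable it. Limiting the
#    service to the hotspot subnet keeps the router's HTTPS management page
#    off the Internet-facing interface.
/ip service set www-ssl certificate=hotspot.example.com.crt_0 address=192.168.88.0/24 disabled=no

# 4. Allow HTTPS logins on the hotspot profile with the same certificate.
#    Keeping http-chap as a fallback avoids locking out clients that cannot
#    load the TLS page; drop it once you have confirmed HTTPS works.
/ip hotspot profile set hsprof1 login-by=https,http-chap ssl-certificate=hotspot.example.com.crt_0

# 5. Confirm both bindings
/ip service print where name=www-ssl
/ip hotspot profile print where name=hsprof1
```

Test from a client by browsing to https://hotspot.example.com (the dns-name from the profile) before any user logs in: a browser warning at that point means the certificate name does not match the profile's DNS name or the chain is not trusted, exactly the situation the section above advises avoiding by buying a CA-signed certificate.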

Change Login and Hotspot Pages

You probably want to change the login or other hotspot pages, such as adding your company name or welcome message, or even plopping in logos and images. Some HTML knowledge or understanding helps.

To download and upload the HTML files from RouterOS, you can use an FTP client, such as FileZilla, and connect to the RouterOS IP with your administration account credentials.

If you prefer that users are redirected to a specific site or page after logging on, edit the login.html file to replace $(link-orig) with the full URL. $(link-orig) is the default value of the hidden dst (destination) field inside the login form.

If you link to locations on the Internet, including images, you must add their domain to the Walled Garden list in order for users to access them before logging on. This is available on a tab of the Hotspot window in WinBox.
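Walled Garden entries can be added from the terminal as well, which is handy for reviewing exactly what is reachable before login. The following is an added example and not part of the article; the host names, the NTP server address and the server name hotspot1 are constructed assumptions, and the syntax follows the RouterOS v6 command tree.

```routeros
# Added example: Walled Garden entries for resources a customized login page
# links to. Assumptions (constructed): logo/CSS on static.example.com,
# payment pages under *.pay.example.net, NTP at 203.0.113.123, server hotspot1.

# Web resources (HTTP/HTTPS) are matched by host name
/ip hotspot walled-garden add server=hotspot1 dst-host=static.example.com action=allow comment="login page logo and stylesheet"

# A wildcard covers the provider's subdomains; keep it as narrow as possible
/ip hotspot walled-garden add server=hotspot1 dst-host=*.pay.example.net action=allow comment="payment pages before login"

# Anything that is not a web request (here UDP 123 for time sync) needs an
# IP walled-garden entry, since the host-name list only sees HTTP traffic
/ip hotspot walled-garden ip add server=hotspot1 dst-address=203.0.113.123 protocol=udp dst-port=123 action=accept comment="NTP before login"

# Review both lists: every entry is reachable by anyone who associates with
# the AP without logging in, so avoid a bare "*" and remove what the page no
# longer references
/ip hotspot walled-garden print
/ip hotspot walled-garden ip print
```

A quick check that the list is complete is to open the login page from a client that has not logged in and watch for missing images or a blank stylesheet; each broken element points at a host that still needs an entry.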

Getting More Help

In addition to configuring the basic settings, you experimented with a few features.

For more help, refer to the Wiki or documentation. If you want to enable Web filtering for your private or public access, consider using OpenDNS.