Mikrotik "hotspot" for delinquency?


We have set up Sonar with some firewall rules for our delinquent customers (per the Sonar cast instructions). This works Ok but I am wondering if using the Mikrotik hotspot feature might be a better way to control delinquent users. We can build walled gardens with both IPs and domains using hotspot. I think that hotspot will allow us to send users to it based on source address list, like we are doing with the firewall.

Anyone have any experience doing this or thoughts on using hotspot for this?


We used Hotspot previous to using Sonar. Had too many unexplained issues that Mikrotik could not explain either.
And it was even more flaky on x86 hardware, if your using 3rd party routers.
I like the address list approach. But redirects of a customer attempting to reach an https site does not work.
we simply whitelist our customer portal and main web site among a few other locations, so users can log in and bring account up to date.
We also use PPPoE to authenticate the CPE to the network via Radius, which communicates with Sonar nicely.
we do this to keep straight which CPE is on which account as each Radius user/pw is unique.


RADIUS is the way to go but we are not there - yet. I’m trying to find a slightly more elegant solution for non-authorized MAC addresses on the network and hotspot does a better job than firewall rules. Pretty much every unknown MAC is a customer who bought a new router but I need to give them a message to contact our support line - but not shut down Internet access or re-direct all port 80 traffic.

Perhaps I figure out how to write a Mikrotik script that emails support when a DHCP IP is assigned (which to us means a MAC we don’t have in SONAR).


Not sure what equipment your using but we Auth and DHCP to the ubiquiti CPE as we know that MAC and its in Sonar inventory and on the customer account. we run those in router mode without NAT and with DHCP relay and have Sonar write DHCP reservations to MT using the CPE MAC. You set up the DHCP server to “use source mac” and Sonar supports that.
works well because we can easily issue customers a public or private address just by changing the IP assignment to the customer in Sonar. And its basically static on our side and customers dont have to login and set a static on their router.


Hmmm, interesting. We are using ePMP gear but I think we can set up DHCP relay as well. Care to share a screen shot or two on your setup in the MT and UBNT radio so I can wrap my head around it? You can email me direct at: chad (at) auwireless (dot) net

Do you use a separate management IP / VLAN for your UBNT radios as well?


well, Cambium SM’s don’t have a router mode without NAT so not sure how DHCP relay will help.
In our Cambium, we just run in bridge mode and set AP for client isolation and any switch ports the cluster is plugged into also has port isolation and DHCP snooping enabled. This keeps garbage layer 2 traffic (like a customer connecting his router wrong and introducing a DHCP server, or gratuitous ARPs, etc from polluting everything).
Then we have Sonar just put the DHCP reservation in the MT. But we do have to know the customer MAC. Back to your original problem.
You can put the SM in NAT mode and let it use DHCP or PPPoE on the WAN side, and Sonar can put in a reserved lease as you know the MAC of the SM.
We just dont like to do NAT on the CPE because that generally causes a double NAT (one on CPE and one on customer router).


With PMP450, you can use option 82 in bridge mode to DHCP to customer equipment using the SM MAC. I’m not sure if ePMP supports option 82, but if it does, that would work. You’d need to use the DHCP batcher on our Github account.


MT has a means of executing a script right in the DHCP server settings.
Check this out



Love that script! Running it now on our routers.

ePMP added option 82 in a recent firmware and it looks like I can do non-NAT routing on the SM:

On the SM:

On the AP:

I may have to run some tests on this and see if I can make it do what you are doing with the UBNT SMs since that is a better long term non-RADIUS solution.