routeros-hotspot
Install: claude install-skill tikoci/routeros-skills
# RouterOS Hotspot
## How Hotspot Chains Work
Hotspot traffic intercept runs **before** the regular firewall input/forward chains. This is the single most important fact to internalize:
- `/ip/hotspot` binds to a bridge or interface — all traffic on that interface enters the hotspot chain first
- Firewall rules blocking TCP 80/443 from the hotspot interface do **NOT** block the captive portal login page — hotspot handles it before the firewall sees it
- RouterOS automatically injects dynamic firewall rules (`hs-unauth`, `hs-auth` chains) — do not manually create, remove, or interfere with these hotspot-managed rules
**Common mistake:** Adding a DROP rule for port 443 from bridge-hotspot to "fix a security gap" — this breaks the HTTPS login page silently.
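An added example (not part of the original skill): a small Python audit over a saved `/export` that lists static filter rules matching the common mistake above, so they can be reviewed. The export text, interface names and the `audit`/`ports` helpers are constructed for illustration, and only rules that name the hotspot interface in `in-interface` are checked.

```python
import re
import shlex

# Constructed sample in the style of RouterOS `/export` output (not from a real router).
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=443 \
    in-interface=bridge-hotspot comment="fix security gap"
add chain=forward action=drop protocol=tcp dst-port=22-90 in-interface=bridge-hotspot
add chain=input action=drop protocol=tcp dst-port=8291 in-interface=bridge-hotspot
add chain=input action=drop protocol=tcp dst-port=80,443 in-interface=ether1
/ip hotspot
add name=hs1 interface=bridge-hotspot profile=my-profile
"""

PORTAL_PORTS = {80, 443}               # HTTP/HTTPS login page ports named on this page
BLOCKING = {"drop", "reject", "tarpit"}

def ports(spec):
    """Expand a dst-port value such as '80,443' or '22-90' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi.isdigit() or not hi):
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(export_text):
    """Return static filter rules that block TCP 80/443 arriving on a hotspot interface."""
    text = re.sub(r"\\\n\s*", "", export_text)   # join backslash-continued lines
    menu, rules, hotspot_ifaces = [], [], set()
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line.replace("/", " ").split()  # "/ip hotspot" or "/ip/hotspot"
        elif line.startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if menu == ["ip", "hotspot"] and "interface" in kv:
                hotspot_ifaces.add(kv["interface"])
            elif menu == ["ip", "firewall", "filter"]:
                rules.append(kv)
    # Filter after the whole export is read: the hotspot menu may come after the rules.
    return [r for r in rules
            if r.get("action") in BLOCKING and r.get("protocol") == "tcp"
            and r.get("in-interface") in hotspot_ifaces
            and ports(r.get("dst-port", "")) & PORTAL_PORTS]

if __name__ == "__main__":
    for rule in audit(SAMPLE_EXPORT):
        print("review:", rule)
```

Rules that match through an interface list or that omit `in-interface` are outside this check and still need a manual look.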
## Hotspot Profile
```routeros
/ip/hotspot/profile/add \
name=my-profile \
hotspot-address=10.20.0.1 \
login-by=https,mac,http-pap \
mac-auth-mode=mac-as-username-and-password \
dns-name=login.example.com \
ssl-certificate=login.example.com.crt_0 \
nas-port-type=ethernet \
use-radius=yes \
radius-accounting=yes \
html-directory-override=hotspot-files
```
Key properties:
- `ssl-certificate=` — reference the name after import (RouterOS appends `_0` to imported certificate names)
- `nas-port-type=` — use `ethernet` for wired hotspots and `wireless-ieee-802-11-g` for wireless hotspots
- `html-directory-override=` — must match the exact folder name on the router's filesystem
- `login-by=https` — serves t