cancel
Showing results for 
Search instead for 
Did you mean: 

Mikrotik Hotspot + Zone Director

highspeed_syste
New Contributor II
I have an installation that consists of the following.

1 Mikrotik Gateway
3 Mikrotik Point to Multipoint Antennas
10 Mikrotik Bridges connected to the PTMP antennas
1 Zone Director
22 AP's distribuited through 10 buildings.

Problem:  When I enable captive portal (hotspot) on the Mikrotik - Guests connected to the Ruckus AP's do not get redirected (get a no internet browser error).  When a guest connects directly to the main inside switch or the ethernet port of a bridge antenna right away they get the splash page.

We even tried putting a ZoneFlex AP directly behind the main inside switch, plugging into one of it's spare ports, only to find the same error.  The browser tries to go to the splash page but can not.  If we have an autonomous AP, the user gets the splash page right away so it seems to be a problem with the ZoneDirector.

Does anyone have any experience with Mikrotik Hotspot + Zone Director, any help would be appreciated.

Regards,

Derek
10 REPLIES 10

Close, but no, not the L3/4 Access Control, that's something else altogether.

Which ZD version are you running?  On 9.7 onwards you should be seeing this ....

Image_ images_messages_5f91c466135b77e247a5f92f_518a8a3fc466ec52e88ed01f20f9a54a_RackMultipart20160510155117jbw-7c6bdfdb-31cc-4a2b-b074-6b453c024604-1133816731.png1462910428

Ah I see, no we don't have that option (running 9.5.2.0 - 15)  Will adding the MAC's to the L2/MAC Access Control and applying that ACL to the WLAN help or do we need to upgrade the ZD.

Thanks

Then you will have to use Local Client Isolation which will block traffic between two devices on the same APs, but won't block traffic between two devices on different APs... not ideal, but at least it's something.

I remember we used to have a 'Full' Client Isolation option on the pre-9.7 ZDs, but to be honest I don't remember how it worked exactly... check the User Guide.

L2/MAC ACL is to block/allow specific WiFi devices to connect to the SSID, not what you want.

Thanks, that's great information!  We'll upgrade a ZD/test this in the lab and will post back if we have any more issues.

Thanks for all your help!

Derek

Full client isolation in pre-9.7 blocked on L3 (IPs, not MACs).  Enabling it without a whitelist allowed certain traffic through, but wasn't enough for a captive portal.  Ruckus support couldn't tell me which ports were allowed.

9.7's full client isolation works a lot better, and forces you to define a whitelist.


Also, a note about local- it's per RADIO, not per AP.  I'm not sure if it has been fixed recently, but in 9.7 and earlier it will only isolate you from the clients on the radio itself.  If you are connected to the 2.4, you can see all clients on the 5, and vice-versa.


For this reason alone we have been moving to full client isolation.