MikroTik Hotspot with a Captive Portal: Setting Up WiFi Marketing on RouterOS

Why MikroTik in Hospitality

MikroTik RouterOS devices appear in hospitality networks primarily in two contexts: as the router/gateway behind another brand's access points, or as the complete networking solution (MikroTik router + MikroTik or third-party APs). MikroTik's popularity is driven by price-to-capability ratio — a CRS or RB series device provides enterprise-grade routing features at a fraction of Cisco or Juniper prices.

The MikroTik Hotspot feature (distinct from a WiFi access point) provides a built-in captive portal framework on RouterOS that can be redirected to an external portal server. Understanding how MikroTik Hotspot works is essential for configuring any external captive portal integration.

The MikroTik Hotspot Architecture

MikroTik Hotspot is a layer-3 feature on the RouterOS router. It intercepts HTTP requests from unauthenticated clients on a designated network interface and redirects them to the Hotspot login page. The login page can be:

1. Hosted locally on the MikroTik device (the default hotspot/login.html template)
2. Redirected to an external server by modifying the login page template to perform an HTTP redirect to your external portal URL

VoqadoWiFi integration uses method 2: a minimal login.html template that immediately redirects to the VoqadoWiFi portal URL with the required parameters.

Walled Garden Setup

The Walled Garden in MikroTik Hotspot is the list of domains and IPs that unauthenticated clients can access before logging in. This must include all resources loaded by the VoqadoWiFi portal.

In Winbox (MikroTik's GUI): IP > Hotspot > Walled Garden

Add entries for: - dst-host=portal.voqadowifi.com (your VoqadoWiFi portal domain) - dst-host=*.voqadowifi.com (for CDN assets) - dst-host=accounts.google.com (if using Google social login) - dst-host=appleid.apple.com (if using Apple social login) - dst-host=connect.mailchimp.com (if Mailchimp opt-in API is called client-side)

For HTTPS walled garden entries, use the Walled Garden IP tab to whitelist IP ranges if domain-based rules are not matching HTTPS traffic correctly (common in older RouterOS versions).

The Login Page Redirect

The default MikroTik login page is located at /flash/hotspot/login.html on the device. Create a modified version that redirects immediately to VoqadoWiFi:

<html><head>
<meta http-equiv="refresh" content="0;url=https://portal.voqadowifi.com/login?
  mac=$(mac)&
  ip=$(ip)&
  hostname=$(hostname)&
  redirect=$(link-orig-esc)">
</head><body>Redirecting...</body></html>

MikroTik populates the $(mac), $(ip), and $(link-orig-esc) variables automatically from the Hotspot session data.

RADIUS Authentication vs UAM

After the guest completes the VoqadoWiFi portal form, the platform must tell MikroTik to grant network access to the guest's MAC address. Two methods are supported:

RADIUS: VoqadoWiFi sends an Access-Accept packet to MikroTik's built-in RADIUS server. MikroTik immediately authorises the client. This requires configuring MikroTik Hotspot to use RADIUS authentication and configuring VoqadoWiFi with the RADIUS shared secret and port (default: 1812).

UAM (Universal Access Method): A HTTP-based callback mechanism. After form completion, VoqadoWiFi calls MikroTik's UAM login URL with the guest MAC address and a shared key. Simpler to configure than RADIUS, with equivalent functionality for most deployments.

For new integrations, UAM is recommended — it is easier to debug and does not require firewall rules for RADIUS port access.

Common Issues and Fixes

Portal loads but shows a certificate warning: HTTPS captive portal interception requires a valid certificate or a HTTP fallback. Configure MikroTik Hotspot to use HTTP-only redirect for the initial capture, then redirect to your HTTPS portal URL.

Guest gets internet access before completing the form: Check your Walled Garden — if the VoqadoWiFi domain is whitelisted too broadly, clients may be passing the walled garden check without authenticating.

MikroTik API connection fails from VoqadoWiFi: VoqadoWiFi's servers must be able to reach your MikroTik's API port (default 8728 for non-SSL, 8729 for SSL). Configure port forwarding from your internet-facing IP to the MikroTik management IP.