HotSpot - crop notes

In this article I will try to describe how to prepare network equipment for organizing a public HotSpota and what equipment has proven itself in doing so. I’ll tell you what is preferable in certain cases and how to organize the last mile.


Several years ago, the task was to organize HotSpot in public places of a small city: square, park, squares, train stations. As an Internet provider, I already had experience working with all kinds of equipment, including wireless. It remained to think through the details. Do not consider advertising when mentioning different companies, I am just sharing a way to solve the problem.

In general, the following picture was seen:
- In the center stands MikroTik with a L5 license allowing 500 online HotSpota users. For starters, you can also make the device simpler; a 4th level license will limit 200 users;
- From MikroTika to each place we stretch a separate vlan;
- For each vlan with its own interface on MikroTike, a separate HotSpota service is created with its authorization page, settings and restrictions;
- The same vlan must come to several devices in the same switching point for the client to switch between access points (roaming);
- Due to the openness and insecurity of HotSpota, configure isolation between clients;
- Management and monitoring of all equipment is carried out in a separate vlane;
- In view of the different conditions of use, it is necessary to use different equipment, if possible complete performance.

Used equipment and functionality

Immediately make a reservation: there will not be detailed instructions and manuals for setting up. I will write only recommendations from personal experience and settings, which are little covered in the standard instructions and which I personally consider important to provide quality service.

Listing all the pros and cons, we settled on using MikroTika as the core of HotSpota, moreover, in the form of RouterBOARDa. A rack-mount model with a license of the 5th level was selected. I can’t say that MikroTik OS is a refined system, it happens that they break functionality from firmware to firmware, but if it works, it works. The main thing is to look into the list of corrections and not be updated immediately upon the release of a new version of the software. The configuration of the HotSpota service is standard and described in detail in the official wiki, with the exception that more than one service will work for us simultaneously. I can only say that it is highly advisable to specify a burst when setting up speed slicing for comfortable use of the service. Also, in the firewall setting, it is necessary to prohibit the passage of traffic between vlanes on which there will be HotSpot.

The AP version number of times - NanoStation M2 from Ubiquiti - has established itself as a worthy solution with a good coverage area. NSM2’s built-in antenna gain is 11dBi, transmitter output power is 630mW (28dBm), and antenna coverage is 60 degrees. Of course, there is no need to set the transmitter at full power. Given that we will work with low-power devices in the form of phones and tablets and we need them to catch a stable signal at a distance from which we can hear them as clearly as they do us, then we fix the power at -19dBm. As practice has shown, this is more than enough. Otherwise, the situation will be that the client will see a confident signal from the AP, but stable operation will not work. NanoStation loco M2 was not doing its best the built-in antenna creates an almost circular radiation pattern, while collecting all kinds of interference from all sides. In addition to a good radio path, the equipment meets our initial requirements. There is full support for vlans, if desired, using additional scripts, you can configure VirtualAP. If creating a virtual point is a personal matter, then I consider the use of vlans with a separate control vlan to be mandatory.

In the advanced settings, turn off automatic distance adjustment (ACK) and set the parameter to 0.5 miles (0.8 km). Here you can configure the filtering of unwanted multicast traffic and be sure to activate client isolation. Personally, I consider this option the most mandatory in any HotSpote. If desired or necessary, you can prevent clients with a bad signal from connecting with the Sensitivity Threshold parameter. The setting does not allow connecting if the input from the client is lower than the specified one, but after connecting and signal deterioration it does not reset the client, unlike the similar implementation in MikroTike. The inclusion of Ping Watchdoga will be important - this functionality has repeatedly saved from long trips. For centralized monitoring of the number of connected clients and loading interfaces, the SNMP agent functionality is used.

Option number two is the RouterBOARD SXT G-2HnD from MikroTik. Although the companies are competing and someone prefers only one of them, I will say that each option is good in its own way and has the right to life. The built-in MIMO 2x2 antenna provides 10dBi in the 60-degree sector with a power of 1600mW (32dBm), while the antenna has minimal side and rear radiation lobes, which allows placing several devices at a relatively short distance with minimal impact on each other. In conditions of dense urban development, this specificity of the antenna allows you to more accurately cover a given area with the exception of unnecessary interference and coverage of unnecessary territories. This device also copes with a heavy load and shows itself well at any time of the year. Built-in functionality allows you to watch the voltage at the input of the device, which is relevant at a sufficient distance from the place of availability of 220V. To configure isolation between clients in the wlan interface settings, deactivate the option - Default Forward. If we need to weed out clients with a weak signal, deactivate the Default Authenticate option in the same place, which will enable or disable client connections according to the Access List. After this, it is necessary to create a rule based on which a decision will be made:

/ interface wireless access-list
add forwarding = no signal-range = -86..120

Here we again prohibit forwarding between clients and specify the signal at which the client is allowed to connect to the AP. Be careful, the client will be disconnected immediately when the signal deteriorates or it will see the network on the air, but will not be able to connect to it.

If there is a need for the location of the AP away from the building, a fiber optic cable is a good solution. To supply power, either a copper-fiber optic cable is used, or a separate cable is laid with a supply of 48V. Everything is mounted on a BS in a sealed box, where several DC-DC converters are located to turn on the media converter and the AR itself.


I wanted to share this publication with some important, in my opinion, moments when setting up a public HotSpota. Recommendations will also be important to those who are faced with this equipment. In few places you can find the included functionality for isolating clients, but now it is supported by almost all home routers and access points, not to mention devices with a class higher.

I will be glad to see comments and suggestions in the comments, I will also gladly answer all questions on the HotSpot topic, equipment and implementation that are not covered in this publication.

Also popular now: