routeros之hotspot設置
參照routeros的手冊，針對我的情況作了部分修改。已經在2.7.14和2.8.11上測試通過。

我的routeros是2塊網卡，ether1連接adsl,做pppoe client，ether2連接局域網。
首先按照論壇上置頂的說明正確安裝并配置routeros,實現客戶機能夠正常上網。
然后terminal routeros

改變www服務端口為8081：
/ip service set www port=8081

改變hotspot服務端口為80,為用戶登錄頁面做準備：
/ip service set hotspot port=80


Setup hotspot profile to mark authenticated users with flow name "hs-auth":
/ip hotspot profile set default mark-flow="hs-auth" login-method=enabled-address

增加一個用戶：
/ip hotspot user add name=user1 password=1


重定向所有未授權用戶的tcp請求到hotspot服務
/ip firewall dst-nat add in-interface="ether2" flow="!hs-auth" protocol=tcp action=redirect
to-dst-port=80 comment="redirect unauthorized clients to hotspot service"


允許dns請求、icmp ping ；拒絕其他未經認證的所有請求：
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"

/ip firewall rule forward add in-interface=ether2 action=jump
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"

/ip firewall rule input add in-interface=ether2 dst-port=80 protocol=tcp
action=accept comment="accept requests for hotspot servlet"

/ip firewall rule input add in-interface=ether2 dst-port=67 protocol=udp
action=accept comment="accept requests for local DHCP server"

/ip firewall rule input add in-interface=ether2 action=jump
jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"

/ip firewall rule hotspot-temp add flow="hs-auth" action=return
comment="return if connection is authorized"

/ip firewall rule hotspot-temp add protocol=icmp action=return
comment="allow ping requests"

/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return
comment="allow dns requests"

/ip firewall rule hotspot-temp add action=reject
comment="reject access for unauthorized clients"

創建hotspot通道給認證后的hotspot用戶
Create hotspot chain for authorized hotspot clients:
/ip firewall add name=hotspot comment="account authorized hotspot clients"

Pass all through going traffic to hotspot chain:
/ip firewall rule forward add action=jump jump-target=hotspot
comment="account traffic for authorized hotspot clients"


客戶機輸入任何網址，都自動跳轉到登陸頁面，輸入賬號密碼，繼續瀏覽。
如果使用ftp、pop3等，也必須先通過網頁登錄，才可以使用，當然使用winbox的時候也必須先登錄。