MikroTik: Setting Up the Walled Garden for PPPoE users

The Walled Garden is one of the important parts of the Azotel SIMPLer platform. It provides the end customer with the tools to maintain their own services. Unauthenticated customers are redirected to the End User Portal, where they can verify their account details, pay off outstanding invoices and/or buy additional services.

Please follow the steps outlined below to set up the Walled Garden on MikroTik.

Prerequisites:
  • working MikroTik router
  • PPPoE server set up on the MikroTik router
  • PPPoE server using a SIMPLer-enabled RADIUS server to AAA users
Steps:

  • Define IP Pools
    • From winbox go to IP->Pools
    • Add IP Pools for the IP subnets you already use for authenticated customers ('authenticated' IP Pool in the example)
    • Add one additional IP Pool for customers that fail authentication. They will be assigned an IP address from this IP Pool.



  • Set up the firewall
    • From winbox go to IP->Firewall
    • Go to Address Lists Tab
    • Add a 'restricted' Address List reflecting the 'restricted' IP Pool. This lets the firewall rules refer to the list by name instead of defining the IP space in each rule.

    • Switch to NAT Tab
    • Following the images below, add a 'redirect to URL' rule for all 'restricted' IP addresses. This rule redirects all traffic to the transparent proxy running on the MikroTik, where the actual URL redirection is made.








    • Switch to Filter Rules Tab
    • Following the images below, add a rule accepting traffic to the SIMPLer server (replace the 84.203.220.3 IP address with the respective SIMPLer server address) for all 'restricted' IP addresses.






    • Following the images below, add a rule accepting traffic to the DNS server (replace the 192.168.11.2 IP address with the respective SIMPLer server address) for all 'restricted' IP addresses.




    • Following the images below, add a rule denying all other traffic for all 'restricted' IP addresses.




  • Set up the proxy server
    • From winbox go to IP->Web Proxy
    • Go to Access Tab
    • Refer to the screenshot below to add a rule passing through traffic to the respective SIMPLer server IP address (84.203.220.3 in this case)

    • Refer to the screenshot below to add a rule passing through traffic to the respective SIMPLer hostname (wib.azotel.com in this case)


    • Refer to the screenshot below to add a rule redirecting traffic to the respective splash page, which informs the customer that their account has been blocked (in this case: https://wib.azotel.com/redirect/testss/)

    • Click on the 'Web Proxy Settings' button to bring up the proxy server configuration page and make sure it is enabled on port 8080

  • Set up the PPPoE server to work with SIMPLer
    • From winbox go to IP->PPP
    • Click on PPPoE tab and double click on the PPPoE service line
    • Make sure to leave only the chap option enabled under Authentication, otherwise some issues with authentication may occur for unauthenticated users

    • In the 'PPP->Profiles' section, click on the default profile, switch to the 'Limits' tab and set the session timeout to something close to 24h. Note that the screenshot below presents 1 minute.

  • Notify Azotel that the process is finished and provide the list of IP addresses and their respective 'System->Identity' values. Please CC both support@azotel.com and maciej@azotel.com on this email. Azotel will need to update the RADIUS server to send back an ACK packet with a Framed-Pool attribute set to 'restricted'. Sample email format:
IP              Identity
84.203.220.3    testPPPoE
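
The winbox steps above, written as RouterOS terminal commands so the rule order can be reviewed in one place. This is an added example, not Azotel's own configuration: the 10.255.0.0/24 restricted range, the 'forward' chain, TCP port 80 as the redirected traffic and the 23h59m timeout are assumptions; the server addresses and the splash URL are the ones used on this page.

```routeros
# Added example. Assumed values: 10.255.0.0/24, chain=forward, dst-port=80,
# session-timeout=23h59m. Replace them and the page's sample addresses
# (84.203.220.3, 192.168.11.2) with your own.

# 1. Pool handed out when RADIUS returns Framed-Pool=restricted
/ip pool add name=restricted ranges=10.255.0.2-10.255.0.254

# 2. Address list mirroring the pool, so rules match on the list name
/ip firewall address-list add list=restricted address=10.255.0.0/24

# 3. Send web traffic from restricted users to the local web proxy
/ip firewall nat add chain=dstnat src-address-list=restricted protocol=tcp \
    dst-port=80 action=redirect to-ports=8080 comment="walled garden: to proxy"

# 4. Filter rules are evaluated top to bottom and the first match wins,
#    so both accept rules must sit above the drop rule.
/ip firewall filter add chain=forward src-address-list=restricted \
    dst-address=84.203.220.3 action=accept comment="walled garden: SIMPLer"
/ip firewall filter add chain=forward src-address-list=restricted \
    dst-address=192.168.11.2 action=accept comment="walled garden: DNS"
/ip firewall filter add chain=forward src-address-list=restricted \
    action=drop comment="walled garden: drop the rest"

# 5. Web proxy: pass the portal by IP and by hostname, redirect everything else.
#    Access rules are also first-match, so the redirect rule goes last.
/ip proxy set enabled=yes port=8080
/ip proxy access add dst-address=84.203.220.3 action=allow
/ip proxy access add dst-host=wib.azotel.com action=allow
/ip proxy access add action=deny \
    redirect-to="https://wib.azotel.com/redirect/testss/"

# 6. PPPoE: CHAP only on every PPPoE service; timeout on the default profile
/interface pppoe-server server set [find] authentication=chap
/ppp profile set default session-timeout=23h59m

# Check: confirm the order of the rules and watch the counters while a
# test account that fails authentication tries to browse.
/ip firewall filter print stats where src-address-list=restricted
/ip proxy access print
```

If the router already has filter rules, `add` appends to the end of the chain; check with `print` that no earlier rule accepts traffic from the 'restricted' list before the drop rule is reached.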



Azotel | River House | Blackpool Park | Cork | Ireland
US +1-312-239-0680 | IE +353-21-234-8100 | UK +44-207-193-4170 | SA +27-11-083-6900