How ISPbills Hotspot Works
Three components work together. MikroTik is the traffic gatekeeper — it intercepts unauthenticated connections and redirects them to the ISPbills portal. ISPbills is the orchestration layer — it handles OTP verification, payment processing, creates RADIUS users, and activates internet via the MikroTik RouterOS API. FreeRADIUS (managed by ISPbills) enforces bandwidth limits and session expiry on every authenticated device.
[Customer Device]
│ Connects to WiFi SSID (open / passwordless)
▼
[MikroTik Hotspot Server]
├── DHCP: assigns IP from pool
├── Captive portal: HTTP redirect to ISPbills portal
├── RADIUS client (port 1812/1813) ─────────────────┐
└── CoA listener (port 3799) ◄───────────────────────┤
│
[ISPbills Server]
├── Laravel app
├── FreeRADIUS
├── SMS gateway (OTP)
└── Payment gateways
(bKash · Nagad · Shurjopay
SSLCommerz · Stripe · more)
Prerequisites
- A running ISPbills instance (the server IP and RADIUS shared secret are available in the ISPbills dashboard).
- A MikroTik router with RouterOS — hAP, RB4011, CCR, or any model that supports Hotspot Server.
- API access enabled on the MikroTik router (IP → Services → api: enabled, port 8728).
- At least one SMS gateway configured in ISPbills (Settings → SMS Gateway) so OTP messages can be delivered.
- At least one payment gateway configured in ISPbills (Settings → Payment Gateways) so customers can self-pay.
Step 1 — Register the Router in ISPbills
Before MikroTik can talk to ISPbills's FreeRADIUS, the router must be registered as a NAS (Network Access Server) in ISPbills. Navigate to Routers & Packages → Routers → Add Router and fill in:
| Field | Value |
|---|---|
| Router Name | Anything descriptive — e.g. "Zone-A Hotspot" |
| Router IP (nasname) | The WAN/management IP of the MikroTik |
| Type | Hotspot |
| RADIUS Secret | Create a strong shared secret — you will use it in Step 3 |
| API Username | The MikroTik API user (admin or a dedicated api-user) |
| API Password | The API user's password |
| API Port | 8728 (default MikroTik API port) |
After saving, ISPbills displays the RADIUS Server IP and shared secret you need for Step 3. The API credentials are used by ISPbills to push Walled Garden rules and to trigger instant internet login after payment via the RouterOS API command /ip/hotspot/active/login.
Step 2 — Create Hotspot Packages in ISPbills
Navigate to Routers & Packages → Packages → Add Package. Set Customer Type = Hotspot. ISPbills only shows hotspot-type packages on the captive portal — PPPoE packages are never mixed in.
Common hotspot package examples:
| Validity | Speed | Data |
|---|---|---|
| 1 hour | 5 Mbps / 5 Mbps | — |
| 24 hours | 10 Mbps / 5 Mbps | 2 GB |
| 7 days | 20 Mbps / 10 Mbps | 10 GB |
| 30 days | 20 Mbps / 10 Mbps | Unlimited |
ISPbills also auto-assigns a Trial Package when a new customer verifies their OTP — giving them a few minutes of free internet while they choose a plan. Create a package named Trial with a short validity (e.g. 5 minutes) and zero price to enable this.
Step 3 — Configure MikroTik RADIUS Client
Add ISPbills as the RADIUS server and enable the CoA/Disconnect-Message listener on port 3799. ISPbills uses this port to push real-time attribute changes when a customer purchases a new package or is suspended.
# Add ISPbills as RADIUS server for hotspot
/radius
add service=hotspot \
address=YOUR_ISPBILLS_SERVER_IP \
secret=YOUR_RADIUS_SHARED_SECRET \
authentication-port=1812 \
accounting-port=1813 \
timeout=3000
# Enable CoA / Disconnect-Message listener
/radius incoming
set accept=yes port=3799
# Verify connectivity
/ping YOUR_ISPBILLS_SERVER_IP count=4
The RADIUS shared secret must match exactly what you entered in ISPbills when registering the router. A mismatch causes silent authentication failures — all customers will be stuck at the captive portal.
Step 4 — MikroTik Hotspot Server & Profile
ISPbills identifies each customer by their device's MAC address. The hotspot profile must be set to mac-as-username-and-password so MikroTik sends the MAC as both the RADIUS username and password — ISPbills stores this as the customer's RADIUS username in the radcheck table.
# Create bridge for hotspot interface(s)
/interface bridge
add name=bridge-hotspot
/interface bridge port
add bridge=bridge-hotspot interface=wlan1 # WiFi AP
add bridge=bridge-hotspot interface=ether2 # Wired AP or switch uplink
/ip address
add address=192.168.88.1/24 interface=bridge-hotspot
# DHCP for hotspot clients
/ip pool
add name=pool-hotspot ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add name=dhcp-hotspot address-pool=pool-hotspot \
interface=bridge-hotspot lease-time=1h disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=8.8.8.8,1.1.1.1
# Hotspot profile — MAC-as-username required for ISPbills
/ip hotspot profile
add name=ispbills-hotspot \
use-radius=yes \
radius-accounting=yes \
radius-interim-update=2m \
mac-auth-mode=mac-as-username-and-password \
login-by=mac-cookie,http-chap \
http-cookie-lifetime=1d \
hotspot-address=192.168.88.1
# Hotspot server
/ip hotspot
add name=hotspot1 \
interface=bridge-hotspot \
address-pool=pool-hotspot \
profile=ispbills-hotspot \
idle-timeout=10m
radius-interim-update=2m — MikroTik sends accounting updates to ISPbills every 2 minutes. ISPbills uses these to track live data consumption and runs the auto-suspension check against each customer's package limit.
Step 5 — Walled Garden: One-Click Push from ISPbills
The Walled Garden allows unauthenticated customers to reach the payment gateway before they have paid — otherwise they can never complete the checkout flow. ISPbills automates the entire setup: it connects to your MikroTik via the RouterOS API and pushes all the required firewall rules in one operation.
In ISPbills, go to Routers & Packages → Routers → Actions → Walled Garden → Push to Router. ISPbills will create:
- Layer7 protocol patterns — regexp matching for each configured payment gateway's domain
- Firewall filter rules — add matched destination IPs to the payment_gateways address list
- Walled-garden IP rule — accept any traffic destined for the payment_gateways address list
ISPbills generates Layer7 patterns for every payment gateway you have enabled:
# Layer7 protocol patterns (pushed per enabled gateway)
/ip firewall layer7-protocol
add name=bkash_checkout regexp="^.+(bka.sh).*$"
add name=bkash_tokenized regexp="^.+(bkash.com).*$"
add name=nagad regexp="^.+(mynagad.com).*$"
add name=shurjopay regexp="^.+(shurjopayment.com).*$"
add name=sslcommerz regexp="^.+(sslcommerz.com).*$"
add name=razorpay regexp="^.+(razorpay.com).*$"
add name=stripe regexp="^.+(stripe.com).*$"
# Firewall filter: add matched dst to address-list
/ip firewall filter
add chain=forward action=add-dst-to-address-list \
address-list=payment_gateways address-list-timeout=none-static \
layer7-protocol=bkash_tokenized comment=hotspot_walled_garden
# (one rule per gateway — ISPbills creates them all automatically)
# Walled-garden IP: allow access to address-list
/ip hotspot walled-garden ip
add action=accept dst-address-list=payment_gateways comment=hotspot_walled_garden
Important: You only need to click Push to Router once per router. If you add a new payment gateway in ISPbills later, run Push to Router again — ISPbills will clear the old rules and recreate them including the new gateway.
Step 6 — The Complete Self-Service Customer Flow
Here is exactly what happens inside ISPbills from the moment a customer connects to your SSID to the moment they are online — and what happens when they run out.
1. Device connects to WiFi
Customer connects to your open SSID. MikroTik DHCP assigns an IP. The router intercepts the first HTTP request and redirects to the ISPbills captive portal, passing the customer's IP address, MAC address, and the MikroTik system identity.
2. ISPbills identifies the device
The ISPbills hotspot endpoint validates the router identity to determine which ISP operator the request belongs to. It then checks the RADIUS database for a matching mobile number and MAC address — four outcomes are possible: new customer, returning active customer, suspended customer, or device MAC changed.
3. New customer — 4-digit OTP via SMS
If neither the mobile number nor the MAC address is found, ISPbills creates a temporary customer record and sends a 4-digit OTP to the mobile number via the configured SMS gateway. The OTP is valid for 5 minutes (cached in Redis). WhatsApp is intentionally disabled for hotspot OTP — SMS only.
4. OTP verified — trial package + instant internet
Once the customer enters the correct OTP, ISPbills creates a full RADIUS customer with the Trial package. RADIUS attributes are written to the database (radcheck: Cleartext-Password + Expiration; radreply: Mikrotik-Rate-Limit + Mikrotik-Total-Limit). ISPbills then calls the MikroTik RouterOS API command /ip/hotspot/active/login with the customer's IP and MAC — the customer goes online immediately without needing to re-authenticate. A welcome SMS is sent.
5. Customer selects a package and pays
The customer portal shows available hotspot packages. The customer chooses a plan and pays via bKash (Checkout or Tokenized), Nagad, Shurjopay, SSLCommerz, Razorpay, Stripe, or other configured gateways. All payment callbacks are handled server-side by ISPbills.
6. Payment confirmed — RADIUS updated + instant login
The ISPbills payment processor marks the customer active, updates the RADIUS expiry and data limit for the chosen package, then immediately calls /ip/hotspot/active/login via the MikroTik API. The customer's session is upgraded in real time — no reconnection needed. A payment confirmation SMS is sent.
7. Returning customer — auto-login
On a future visit, MikroTik sends a MAC-auth RADIUS request for the customer's device. If the customer has an active package, ISPbills returns Access-Accept and calls /ip/hotspot/active/login automatically — the customer is online without entering anything.
8. Suspended — SMS notification + portal redirect
If the customer's account is suspended when they try to connect, ISPbills sends a "purchase package" SMS notification (once per suspension cycle) and redirects them to the customer portal to buy a new plan.
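An added example (not ISPbills code) of the OTP check in steps 3 and 4, using the guide's 4-digit code and 5-minute lifetime. A dict stands in for Redis, and the class name, status strings and the cap of 5 attempts per code are assumptions; the cap is included because a 4-digit code has only 10,000 possible values.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60  # from the guide: OTP valid for 5 minutes
OTP_DIGITS = 4            # from the guide: 4-digit OTP
MAX_ATTEMPTS = 5          # assumption: attempt cap per issued code


class OtpStore:
    """Dict-backed stand-in for the Redis cache, keyed by mobile number."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}  # mobile -> [otp, expires_at, attempts_left]

    def issue(self, mobile):
        # CSPRNG draw, zero-padded so codes such as "0042" keep four digits.
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._entries[mobile] = [otp, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp  # goes to the SMS gateway only, never back to the browser

    def verify(self, mobile, candidate):
        entry = self._entries.get(mobile)
        if entry is None:
            return "no_otp"
        otp, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._entries[mobile]
            return "expired"
        # Constant-time comparison of the stored and submitted codes.
        if hmac.compare_digest(otp.encode(), str(candidate).encode()):
            del self._entries[mobile]  # single use
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._entries[mobile]  # burn the code; a new one must be requested
            return "locked"
        return "wrong"
```
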
Step 7 — RADIUS Attributes ISPbills Writes
ISPbills writes to two FreeRADIUS tables per hotspot customer. These are the exact attributes ISPbills uses — no others.
radcheck (authentication rules)
| Attribute | Value | Purpose |
|---|---|---|
| Cleartext-Password | Device MAC address | RADIUS password — matches mac-as-username-and-password mode |
| Expiration | e.g. 07 Jun 2026 23:59:59 | Hard session expiry — FreeRADIUS rejects login after this time |
radreply (session policy)
| Attribute | Example Value | Purpose |
|---|---|---|
| Mikrotik-Rate-Limit | "10M/5M" | Download/upload bandwidth cap — enforced by RouterOS natively |
| Mikrotik-Total-Limit | 2147483648 | Total bytes (up + down) before session is blocked — 2 GB example |
For unlimited data packages, Mikrotik-Total-Limit is set to 0 (no limit). Session enforcement is then purely time-based via the Expiration attribute.
# Verify a hotspot session and its applied RADIUS attributes live
/ip hotspot active print detail
# Shows: user (MAC address), ip, mac-address, uptime, bytes-in, bytes-out, rate-limit
# Check RADIUS was accepted (look for "Access-Accept" from ISPbills)
/log print where topics~"radius"
# Manually test RADIUS authentication for a MAC
/radius test mac-address=AA:BB:CC:DD:EE:FF server=YOUR_ISPBILLS_SERVER_IP
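The radcheck and radreply rows from the tables above, built for one customer, as an added example (not ISPbills code). It also covers a case the tables do not: RADIUS integer attributes are 32 bits wide, so a limit of 4 GiB or more cannot fit in Mikrotik-Total-Limit alone, and MikroTik's dictionary carries the upper bits in Mikrotik-Total-Limit-Gigawords; whether ISPbills writes that attribute is not stated here. The function name, the MAC normalisation and the `:=` operators are assumptions.

```python
import re
from datetime import datetime

GIGAWORD = 2 ** 32  # RADIUS integer attributes carry 32 bits
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")
SAMPLE_EXPIRY = datetime(2026, 6, 7, 23, 59, 59)  # constructed sample value


def hotspot_radius_rows(mac, rate_limit, total_limit_bytes, expires_at):
    """Return (radcheck, radreply) rows as (username, attribute, op, value)."""
    # Assumed normalisation: upper case, colon separated.
    username = mac.strip().upper().replace("-", ":")
    if not MAC_RE.match(username):
        raise ValueError(f"not a MAC address: {mac!r}")
    if total_limit_bytes < 0:
        raise ValueError("data limit cannot be negative")

    radcheck = [
        # mac-as-username-and-password: the MAC is also the password.
        (username, "Cleartext-Password", ":=", username),
        (username, "Expiration", ":=", expires_at.strftime("%d %b %Y %H:%M:%S")),
    ]

    # Split the byte limit into the low 32 bits and the count of 4 GiB blocks.
    gigawords, low = divmod(total_limit_bytes, GIGAWORD)
    radreply = [
        (username, "Mikrotik-Rate-Limit", ":=", rate_limit),
        # A value of 0 with no gigawords row means "no data limit".
        (username, "Mikrotik-Total-Limit", ":=", str(low)),
    ]
    if gigawords:
        radreply.append(
            (username, "Mikrotik-Total-Limit-Gigawords", ":=", str(gigawords)))
    return radcheck, radreply
```
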
Step 8 — MAC-Based Re-Authentication
ISPbills uses the device MAC address as the RADIUS username. When a registered customer returns on the same device, MikroTik sends a MAC-auth RADIUS request. ISPbills checks whether the customer has an active package:
- Active package → ISPbills returns Access-Accept with fresh RADIUS attributes. ISPbills also calls /ip/hotspot/active/login via the RouterOS API for an immediate session start.
- No active package → RADIUS returns Access-Reject. MikroTik redirects the customer to the portal to purchase.
- New device, same mobile → ISPbills detects the MAC change and triggers a MAC replacement flow so the customer can link their new device to their existing account.
Multi-AP deployments: For MAC re-authentication to work seamlessly across multiple access points, all hotspot routers in the same zone must broadcast the same SSID. ISPbills identifies customers by MAC — if the SSID changes between APs, the device reconnects as a different network and MAC re-auth fails.
Step 9 — Auto-Suspension: How ISPbills Cuts Off Expired Accounts
ISPbills runs a scheduled Artisan command that checks all hotspot customers against their package limits. Two conditions trigger suspension:
Data limit exceeded
ISPbills sums the RADIUS accounting bytes (upload + download) for the customer's username from the radacct table and compares against total_octet_limit. If exceeded: status → suspended, suspend_reason → volume_limit_exceeds.
Related RADIUS attribute: Mikrotik-Total-Limit
Time limit exceeded
ISPbills compares package_expired_at against the current time in the operator's timezone. If the package is past its expiry: status → suspended, suspend_reason → time_limit_exceeds.
Related RADIUS attribute: Expiration
Suspended customers are not disconnected mid-session immediately — RouterOS enforces the limits natively via the RADIUS attributes. On the customer's next login attempt (or after the Expiration attribute is hit), ISPbills returns Access-Reject and redirects them to purchase a new package. ISPbills also sends a “your balance is low” SMS.
ISPbills logs every suspension event to hotspot_logs and auto_suspension_logs with the reason and timestamp — viewable in the dashboard under Logs → Hotspot.
# MikroTik enforces Expiration natively — no extra config needed.
# Verify the RADIUS Expiration attribute is set on a user:
/ip hotspot active print detail where user="aa:bb:cc:dd:ee:ff"
# Shows session-time-left countdown (derived from Expiration)
# Mikrotik-Total-Limit enforcement — check remaining quota:
/ip hotspot active print detail
# Columns: bytes-in, bytes-out — compare against the limit
# After auto-suspension, next RADIUS auth returns Access-Reject:
/log print where topics~"hotspot" and message~"logged out"
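The two suspension checks described in this step, run over constructed rows in an in-memory SQLite database (an added example, not ISPbills' Artisan command). The radacct column names follow the stock FreeRADIUS schema; the customers table layout, the UTC+6 timezone and treating total_octet_limit = 0 as unlimited are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3
OPERATOR_TZ = timezone(timedelta(hours=6))  # assumed operator timezone
SAMPLE_NOW = datetime(2026, 6, 2, 0, 0, tzinfo=OPERATOR_TZ)  # constructed "now"


def build_sample_db():
    """In-memory database holding constructed rows only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (username TEXT, acctinputoctets INTEGER,
                              acctoutputoctets INTEGER);
        CREATE TABLE customers (username TEXT PRIMARY KEY, status TEXT,
                                suspend_reason TEXT, total_octet_limit INTEGER,
                                package_expired_at TEXT);
    """)
    db.executemany("INSERT INTO customers VALUES (?, 'active', NULL, ?, ?)", [
        ("aa:bb:cc:dd:ee:01", 2 * GIB, "2026-06-07T23:59:59+06:00"),  # over quota
        ("aa:bb:cc:dd:ee:02", 0, "2026-06-01T12:00:00+06:00"),        # expired
        ("aa:bb:cc:dd:ee:03", 2 * GIB, "2026-06-07T23:59:59+06:00"),  # in limits
    ])
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ("aa:bb:cc:dd:ee:01", 200_000_000, 1_000_000_000),  # first session
        ("aa:bb:cc:dd:ee:01", 100_000_000, 900_000_000),    # second session
        ("aa:bb:cc:dd:ee:02", 50_000_000, 700_000_000),
        ("aa:bb:cc:dd:ee:03", 10_000_000, 300_000_000),
    ])
    return db


def run_auto_suspension(db, now):
    """Apply both checks to active customers; return {username: suspend_reason}."""
    rows = db.execute("""
        SELECT c.username, c.total_octet_limit, c.package_expired_at,
               COALESCE(SUM(a.acctinputoctets + a.acctoutputoctets), 0)
        FROM customers c LEFT JOIN radacct a ON a.username = c.username
        WHERE c.status = 'active' GROUP BY c.username
    """).fetchall()
    suspended = {}
    for username, limit, expires_at, used in rows:
        if limit > 0 and used > limit:  # upload + download across all sessions
            reason = "volume_limit_exceeds"
        elif datetime.fromisoformat(expires_at) <= now:
            reason = "time_limit_exceeds"
        else:
            continue
        db.execute("UPDATE customers SET status = 'suspended', suspend_reason = ? "
                   "WHERE username = ?", (reason, username))
        suspended[username] = reason
    return suspended
```
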
Step 10 — Operator Recharge & Package Change from the Dashboard
While customers can self-pay online, ISPbills operators can also recharge or change a hotspot customer's package manually from the dashboard — useful for cash walk-in payments or customer support.
Navigate to Customers, find the customer, then use the Actions → Hotspot Recharge or Actions → Change Package menu. ISPbills will:
- Show available hotspot packages (filtered by connection_type = Hotspot) with a runtime invoice preview.
- Record the payment as Cash in the customer_payments table.
- Call CustomersPaymentProcessController to activate the new package.
- Update RADIUS attributes (Expiration, Mikrotik-Total-Limit, Mikrotik-Rate-Limit).
- Call the MikroTik RouterOS API to log the customer in immediately if they are not already online.
- Log the recharge to hotspot_logs and pgsql_activity_log for audit trail.
After each recharge — whether self-service online or operator-assisted — ISPbills generates a PDF voucher/receipt that can be downloaded from Accounts → Customer Payments. The voucher includes the customer name, package, validity, amount paid, and payment date.
Troubleshooting Quick Reference
Customer stuck on captive portal after OTP / after payment
Check that the MikroTik API credentials in ISPbills are correct (Settings → Routers). ISPbills uses /ip/hotspot/active/login via RouterOS API to activate sessions — if the API connection fails, the customer authenticates via RADIUS but the active login call does not fire.
/ip service print
# Confirm api: enabled on port 8728
/log print where topics~"hotspot"
Payment page is blank or shows a spinner
Walled Garden rules are missing or incomplete. Run Push to Router again from ISPbills → Routers → Actions → Walled Garden. Re-run after enabling a new payment gateway.
/ip hotspot walled-garden ip print
/ip firewall layer7-protocol print
RADIUS authentication failing (Access-Reject for all users)
Verify the RADIUS shared secret matches exactly in both ISPbills (router settings) and MikroTik. A mismatch is silent — RADIUS rejects without logging a mismatch error on the MikroTik side.
/radius print
/log print where topics~"radius"
Customer not suspended after data limit is reached
Confirm radius-interim-update is set (e.g. 2m) in the hotspot profile. Without accounting updates, ISPbills cannot track consumption. Also verify the auto-suspension scheduler is running on the ISPbills server.
/ip hotspot profile print
/radius print
MAC re-authentication not working across multiple APs
All access points in the same hotspot zone must broadcast the exact same SSID. ISPbills identifies customers by MAC address — a different SSID is treated as a different network by the device and MAC re-auth fails.
/interface wireless print
# Confirm ssid is identical on all APs
OTP SMS not delivered
Check the SMS gateway configuration in ISPbills Settings → SMS Gateway. Verify the gateway has sufficient balance. ISPbills logs SMS failures under Logs → SMS History.
# Check ISPbills SMS logs in dashboard
# Logs → SMS History
What ISPbills Automates End-to-End
OTP via SMS
4-digit OTP delivered in seconds. Cached 5 minutes. Ties every hotspot session to a verified mobile number.
Multi-gateway payments
bKash Tokenized, Nagad, Shurjopay, SSLCommerz, Razorpay, Stripe, M-Pesa and more. All callback handling is server-side.
Instant activation
ISPbills calls /ip/hotspot/active/login via RouterOS API the moment payment is confirmed. No manual reconnect.
One-click Walled Garden
ISPbills auto-pushes Layer7 + firewall rules for every enabled payment gateway to the MikroTik via API.
RADIUS enforcement
Mikrotik-Rate-Limit, Mikrotik-Total-Limit, and Expiration written per customer per package. RouterOS enforces natively.
Scheduled auto-suspension
ISPbills checks every hotspot customer against their package limits and suspends on data or time breach — zero human touch.