Skip to main content

Overview

FyberPay supports hotspot-based internet access alongside PPPoE. Hotspots use a captive portal (login page) where subscribers authenticate before gaining internet access. This is ideal for public Wi-Fi locations, apartment complexes, and pay-as-you-go internet cafes. Hotspot authentication flows through the same RADIUS infrastructure as PPPoE, so billing, dunning, and provisioning all work identically.

MikroTik Hotspot Server Setup

1

Create a hotspot interface

On your MikroTik router, go to IP > Hotspot > Hotspot Setup and run the wizard on your subscriber-facing interface (bridge or WLAN).Alternatively, FyberPay can configure the hotspot server remotely. Navigate to Network > [Router] > Setup PPPoE and select the Hotspot option instead.
2

Point RADIUS to FyberPay

Configure the MikroTik hotspot server to authenticate against FreeRADIUS:
/radius
add address=<freeradius-ip> secret=<shared-secret> service=hotspot
Ensure the RADIUS shared secret matches the one configured in your FreeRADIUS clients.conf.
3

Enable RADIUS authentication on the hotspot

Under IP > Hotspot > Server Profiles, edit your hotspot profile:
  • Set Use RADIUS to yes
  • Set RADIUS Accounting to yes
  • Set RADIUS Interim Update to a suitable interval (e.g., 5 minutes)
4

Configure the IP pool

Create an IP pool for hotspot clients:
/ip pool
add name=hotspot-pool ranges=10.10.0.2-10.10.0.254
Assign this pool to the hotspot server profile.
FyberPay uses the same RADIUS database for both PPPoE and hotspot authentication. Subscribers with access method set to “hotspot” are provisioned identically in radcheck and radusergroup, but they authenticate through the captive portal instead of a PPPoE client.

Login Page Customization

MikroTik hotspot servers serve a captive portal login page to unauthenticated clients. You can customize this page to match your brand and integrate FyberPay payment flows.

Default Login Flow

  1. Subscriber connects to the Wi-Fi network
  2. On opening a browser, they are redirected to the hotspot login page
  3. They enter their username (phone number) and password (voucher code or account password)
  4. MikroTik authenticates via RADIUS
  5. On success, the subscriber gains internet access with the bandwidth limits from their plan

Custom Login Page

Upload a custom login.html to your MikroTik router at Files > hotspot/login.html. Key elements to include:
  • Your ISP branding (logo, colors)
  • A login form with username and password fields
  • A link to purchase a voucher or create an account via the FyberPay portal
  • The FyberPay payment page URL for direct M-Pesa purchases
Include a “Buy with M-Pesa” button on your login page that links to https://yourorg.fyberpay.com/portal/buy. This allows walk-in customers to purchase a package and receive credentials instantly.

Login Page Variables

MikroTik injects variables into the login page that you can use for dynamic content:
VariableDescription
$(identity)Router name
$(login-by)Authentication method
$(error)Error message on failed login
$(error-orig)Original error message
$(ip)Client IP address
$(mac)Client MAC address

Voucher and Package Management

Creating Hotspot Packages

Hotspot packages are created as regular plans in FyberPay. Navigate to Billing > Plans and create a plan with these considerations:
For hourly or daily access:
  • Set Billing Cycle to the access duration (e.g., 1 day = 1 billing cycle day)
  • Set Speed to the desired bandwidth
  • Set Price to the package cost
Examples:
PackageSpeedDurationPrice
1 Hour5 Mbps1 dayKES 20
Daily10 Mbps1 dayKES 50
Weekly10 Mbps7 daysKES 200
Monthly20 Mbps30 daysKES 1,000

Generating Vouchers

Vouchers are pre-generated credentials that subscribers use to log in to the hotspot. Each voucher is a one-time-use code tied to a specific package.
1

Navigate to voucher management

Go to Billing > Vouchers in the admin dashboard.
2

Select a package

Choose the hotspot plan that vouchers should be generated for.
3

Set batch size

Enter the number of vouchers to generate (e.g., 100).
4

Generate and print

Click Generate. FyberPay creates unique voucher codes and provisions RADIUS credentials for each one. Download the batch as a printable PDF (voucher cards) or CSV.
Each voucher code is a unique PPPoE/hotspot username with a pre-set password. When a customer enters the voucher code on the login page, RADIUS authenticates them and applies the package’s bandwidth limits.

Voucher Distribution

Common distribution methods for ISPs:
  • Printed voucher cards: Download the PDF and cut into individual cards for physical resale
  • SMS delivery: Sell via M-Pesa and have FyberPay SMS the voucher code to the buyer’s phone
  • Self-service portal: Customers purchase packages directly from yourorg.fyberpay.com/portal/buy and receive credentials instantly

Bandwidth Limits Per Package

Each hotspot package enforces bandwidth through the same RADIUS mechanism as PPPoE. When you create a plan in FyberPay:
  1. FyberPay writes the Mikrotik-Rate-Limit attribute to radgroupreply
  2. When the hotspot user authenticates, MikroTik receives the rate-limit from RADIUS
  3. A dynamic simple queue is created on the router for that session

Example Package Configuration

PackageDownloadUploadBurstPrice
Basic Wi-Fi5 Mbps2 MbpsNoneKES 50/day
Standard Wi-Fi10 Mbps5 Mbps15/8 Mbps for 10sKES 100/day
Premium Wi-Fi25 Mbps10 Mbps40/15 Mbps for 10sKES 200/day
Burst settings give users a temporary speed boost when they first start downloading, improving perceived performance for web browsing.

Session Timeouts

Configure session limits to control how long a hotspot user stays connected:

MikroTik Session Limits

On your MikroTik hotspot server profile, configure:
SettingDescriptionRecommended Value
Session TimeoutMaximum session duration before forced re-authenticationMatch billing cycle (e.g., 24h for daily packages)
Idle TimeoutDisconnect after inactivity period15-30 minutes
Keepalive TimeoutInterval for checking if client is still connected30 seconds

RADIUS Session Control

FyberPay can also send session timeout attributes via RADIUS:
  • Session-Timeout: Maximum seconds before disconnect
  • Idle-Timeout: Seconds of idle before disconnect
These are set per plan in the radgroupreply table alongside the rate-limit attribute.
For time-based packages, set the Session-Timeout RADIUS attribute to match the package duration. A 1-hour package would have Session-Timeout = 3600.

Walled Garden Configuration

The walled garden allows unauthenticated hotspot users to access specific websites without logging in. This is essential for:
  • The FyberPay payment portal (so users can buy packages before authenticating)
  • M-Pesa payment endpoints (so STK Push works before the user has internet)
  • Your ISP’s marketing or info page

Configuring Walled Garden on MikroTik

1

Open hotspot walled garden settings

On your MikroTik router, go to IP > Hotspot > Walled Garden.
2

Add allowed destinations

Add entries for each domain or IP that should be accessible without authentication:
/ip hotspot walled-garden ip
add dst-host=yourorg.fyberpay.com action=accept
add dst-host=*.safaricom.co.ke action=accept
add dst-host=api.safaricom.co.ke action=accept
3

Add DNS access

Ensure DNS resolution works for unauthenticated clients:
/ip hotspot walled-garden ip
add dst-port=53 protocol=udp action=accept
add dst-port=53 protocol=tcp action=accept
4

Test access

Connect a device to the hotspot without authenticating. Verify that you can reach the FyberPay portal and complete an M-Pesa payment. All other sites should redirect to the login page.
If the walled garden is not configured correctly, subscribers in the dunning walled-garden state or new customers trying to purchase packages will not be able to reach the payment portal. Always test this after router configuration changes.

Required Walled Garden Entries

At minimum, your walled garden should allow access to:
DestinationReason
yourorg.fyberpay.comSubscriber portal and payment page
api.fyberpay.comAPI for STK Push and payment processing
*.safaricom.co.keM-Pesa API endpoints
DNS (port 53 UDP/TCP)Domain name resolution

Hotspot with FyberPay Billing

The full hotspot billing flow ties together the captive portal, RADIUS, and M-Pesa:
  1. Customer connects to the Wi-Fi network
  2. Captive portal redirects to the login page
  3. Customer buys a package via M-Pesa on the walled-garden payment portal
  4. FyberPay receives payment, creates a subscription, and provisions RADIUS credentials
  5. Credentials are sent to the customer via SMS
  6. Customer logs in on the captive portal
  7. RADIUS authenticates and returns bandwidth limits to MikroTik
  8. Customer gets internet at the package speed for the package duration
FyberPay charges a 2% commission on hotspot transactions. This is calculated on the payment amount and deducted from your settlement. Commission details are visible at Billing > Platform Fees.

Next Steps

Network Provisioning

Deep dive into RADIUS, PPPoE profiles, and bandwidth shaping.

Dunning Automation

Automate payment collection for overdue hotspot and PPPoE subscribers.