Hot Spot settings on the RouterOS Platform

Source: Internet
Author: User
Tags routeros

My RouterOS machine has two NICs: ether1, which connects to ADSL and runs the PPPoE client, and ether2.
First, install and configure RouterOS correctly according to the pinned instructions on the forum so that clients can access the Internet normally.
Then open a terminal on RouterOS.

Change the www service port to 8081:
/ip service set www port=8081

Change the hotspot service port to 80 to prepare for the user logon page:
/ip service set hotspot port=80

Set up the hotspot profile to mark authenticated users with the flow name "hs-auth":
/ip hotspot profile set default mark-flow="hs-auth" login-method=enabled-address

Add a user:
/ip hotspot user add name=user1 password=1

Redirect all unauthorized TCP requests to the hotspot service:
/ip firewall dst-nat add in-interface="ether2" flow="!hs-auth" protocol=tcp action=redirect \
    to-dst-port=80 comment="redirect unauthorized clients to hotspot service"


Allow DNS requests and ICMP ping; reject all other unauthenticated requests:
/ip firewall add name=hotspot-temp comment="limit unauthorized hotspot clients"

/ip firewall rule forward add in-interface=ether2 action=jump \
    jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"

/ip firewall rule input add in-interface=ether2 dst-port=80 protocol=tcp \
    action=accept comment="accept requests for hotspot servlet"

/ip firewall rule input add in-interface=ether2 dst-port=67 protocol=udp \
    action=accept comment="accept requests for local DHCP server"

/ip firewall rule input add in-interface=ether2 action=jump \
    jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients"

/ip firewall rule hotspot-temp add flow="hs-auth" action=return \
    comment="return if connection is authorized"

/ip firewall rule hotspot-temp add protocol=icmp action=return \
    comment="allow ping requests"

/ip firewall rule hotspot-temp add protocol=udp dst-port=53 action=return \
    comment="allow dns requests"

/ip firewall rule hotspot-temp add action=reject \
    comment="reject access for unauthorized clients"

Create a hotspot chain for authorized hotspot clients:
/ip firewall add name=hotspot comment="account authorized hotspot clients"

Pass all through-going traffic to the hotspot chain:
/ip firewall rule forward add action=jump jump-target=hotspot \
    comment="account traffic for authorized hotspot clients"


The client is automatically redirected to the logon page when entering any website address. Enter the account and password to continue browsing.
To use FTP, POP3, and so on, you must first log on through the web page. Of course, you must log on to winbox first.
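
To check what the rule set above lets through before and after logon, here is a small Python model of the dst-nat redirect and the four filter chains. It is an added example, not part of the original article or of RouterOS. It assumes first-match evaluation, that "return" resumes the calling chain, and that the built-in chains default to accept; the names Packet, evaluate and verdict are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dport: int = 0
    flow: str = ""  # "hs-auth" once the hotspot has authenticated the client

# (match, action, jump target) per rule, in the order the commands add them.
CHAINS = {
    "forward": [({"in_if": "ether2"}, "jump", "hotspot-temp"),
                ({}, "jump", "hotspot")],
    "input": [({"in_if": "ether2", "proto": "tcp", "dport": 80}, "accept", None),
              ({"in_if": "ether2", "proto": "udp", "dport": 67}, "accept", None),
              ({"in_if": "ether2"}, "jump", "hotspot-temp")],
    "hotspot-temp": [({"flow": "hs-auth"}, "return", None),
                     ({"proto": "icmp"}, "return", None),
                     ({"proto": "udp", "dport": 53}, "return", None),
                     ({}, "reject", None)],
    "hotspot": [],  # accounting chain: no rules, so it falls back to the caller
}

def evaluate(chain, pkt):
    """First-match walk; None means the chain handed control back to its caller."""
    for match, action, target in CHAINS[chain]:
        if any(getattr(pkt, k) != v for k, v in match.items()):
            continue
        if action == "return":
            return None
        if action != "jump":
            return action
        result = evaluate(target, pkt)
        if result is not None:
            return result
    return None

def verdict(pkt, chain="forward"):
    """Return (chain, action) after applying the dst-nat redirect rule."""
    # Unauthenticated TCP arriving on ether2 is redirected to local port 80.
    if pkt.in_if == "ether2" and pkt.proto == "tcp" and pkt.flow != "hs-auth":
        pkt, chain = replace(pkt, dport=80), "input"
    # Assumption: the built-in chains end in a default policy of accept.
    return chain, evaluate(chain, pkt) or "accept"

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for p in (Packet("ether2", "tcp", 443), Packet("ether2", "udp", 123),
              Packet("ether2", "udp", 53), Packet("ether2", "tcp", 443, "hs-auth")):
        print(p, "->", verdict(p))
```

Under these assumptions the model shows that ICMP and UDP port 53 are forwarded without logon, and that traffic from an authenticated client to the router itself, including the relocated www port 8081, returns from hotspot-temp and falls through to the input chain's default.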
