How to create a WiFi login page for guest access

Establishing guest access on a wireless network isn't just a matter of convenience, but a necessary security measure to isolate unauthorized devices from your main infrastructure. When cafe patrons, office clients, or visiting friends connect to the internet, they shouldn't have access to your local files, printers, or router settings. This is precisely why an authorization mechanism, often called Captive Portal or HotSpot.

Creating a custom login page not only secures your network but also displays important information, rules of conduct, or promotional messages before granting access. The setup process can range from simply enabling the feature in consumer routers to complex configuration of authorization servers on professional equipment. In this article, we'll cover the basic operating principles, preparation steps, and specific implementation steps.

Before embarking on technical implementation, it's essential to clearly understand the architecture of the future network. Are you planning a simple access point with passwords for each guest, or a full-fledged portal requiring SMS codes or vouchers? The chosen strategy will determine the choice of hardware and software. MikroTik, Ubiquiti And Keenetic offer different tools to solve this problem, and their capabilities vary significantly.

How Captive Portal and HotSpot Work

Captive Portal technology works by intercepting HTTP requests from clients attempting to access external resources. When the user's device connects to an access point, the router redirects any request to a special local page. Until successful authorization, all other traffic is blocked by firewall rules. This creates a "jail" effect for the browser, hence the technology's name.

The key element here is HTTP-redirect, which forces the browser to open a login window instead of the requested page. Modern operating systems, such as Windows 10/11 or Android, automatically detect this behavior and open the authorization window in a separate pop-up window. This improves the user experience, as it eliminates the need to manually navigate to the address.

⚠️ Note: The HTTPS protocol significantly complicates traffic interception. Modern browsers may block redirects or display security warnings if the authorization page certificate is not trusted. For commercial use, SSL certificates are strongly recommended.

There are two main approaches to implementation: local authorization on the router itself and external (External Portal). In the first case, the page is stored in the device's memory, which limits design and functionality. In the second, the router simply redirects the request to a separate web server, where complex logic and integration with databases and billing systems can be implemented.

📊 Which use case is closer to yours?
Simple guest WiFi for friends
Paid access in cafes/hotels
Corporate access for employees
Public network in the park

Preparing equipment and network architecture

To implement a high-quality login page, a standard home router may not be enough. You'll need a device that supports HotSpot or Guest Portal features with customization options. Devices based on RouterOS, as well as business series from TP-Link Omada And Ubiquiti UniFi.

The most important step is proper network zoning. Guest traffic must be isolated from the main traffic. This is achieved by creating a separate VLAN (Virtual Local Area Network). This logical separation allows you to apply different security rules and speed limits to different groups of users, even if they are connected to the same physical access point.

☑️ Network preparation checklist

Completed: 0 / 5

When planning your architecture, consider the router's processor load. Encrypting traffic and processing HTTP requests for hundreds of users can overload a weaker device. If you're planning a network for a shopping mall or a large office, consider a remote controller or cloud management, where more powerful servers handle the heavy-duty computing.

Setting up HotSpot on MikroTik RouterOS

Routers MikroTik are considered the de facto standard for building hotspots due to the flexibility of the system RouterOSThe setup process begins with creating an address pool and configuring a DHCP server for the guest network. Then, in the menu IP -> HotSpot the setup wizard starts (HotSpot Setup), which will automatically create the necessary firewall rules and pools.

To create your own login page, you'll need access to the router's file system via FTP or SFTP. The page files are stored in the directory /hotspotThe main file is login.html, which contains HTML markup and special variables processed by the router. You can edit this file to add logos, CSS styles, and scripts.


Example command for downloading page files

/login name=admin password=your_password

/upload /hotspot/login.html

It is important to correctly configure the login form variables. The key elements are the fields username And password, as well as hidden fields that convey session status. Error in variable syntax (for example, $(link-login-only)) will result in the "Login" button not transmitting data to the authorization server, and the user will remain on the login page.

Secrets of MikroTik Variables

Use $(identity) to display the router name, $(mac) for the client MAC address, and $(error) to display authorization error messages directly on the page.

Implementing a Guest Portal on Keenetic

Devices Keenetic offer a more user-friendly interface for configuring a guest network that doesn't require extensive command-line knowledge. In the web configurator, go to the My Networks and WiFi and create a new network with the "Guest" profile. Here you can immediately activate the "Forced Authorization" (Captive Portal) option.

The system allows you to choose the authorization type: vouchers, SMS, or social media. You can use the built-in editor or upload your own HTML file to create your own page. Keenetic supports uploading archives with resources (images, styles), simplifying access point branding. The interface automatically adapts to mobile devices.

Parameter MikroTik HotSpot Keenetic Guest Portal Ubiquiti UniFi
Difficulty of setup High Low Average
HTML/CSS Flexibility Full (manual editing) Limited (templates + HTML) High (via controller)
SSL support Requires manual installation Automatic (Let's Encrypt) Automatically
Billing Built-in or RADIUS Through external services Via Hotspot 2.0 / services

Don't forget to limit the speed for guest users. In the guest network profile settings, set download and upload limits to prevent one active user from hogging the entire bandwidth. It's also a good idea to set a session timeout, forcibly disconnecting the connection after a certain period of time.

Customization of design and HTML code of the page

Standard login pages often look unpresentable and create distrust in users. To create a professional one, you need to edit the HTML code. The basis of any page is a form (<form>), which sends a POST request to the router's address. Attribute action This form must strictly comply with the HotSpot protocol requirements.

Use CSS for styling. It's best to embed styles directly into the file. login.html or connect them locally, since external links may not work until authorization (unless they are added in Walled Garden). Responsive design is critical: over 80% of users will access the web from a smartphone.

The page code must contain data entry fields. If voucher authentication is used, typically only one field (password/code) is required, where the code itself serves as the login. If registration is required, more fields may be required. Don't forget to add the meta tag. viewport for correct display on mobile screens.

⚠️ Note: When editing HTML code, carefully check the syntax. Missing closing tag </div> or <form> This may cause the page to not load at all or the login button to be inactive. Always test your changes on a test device.

Security and legal aspects of deployment

By providing internet access, you assume responsibility for the actions of users. Many countries, including Russia, have laws requiring connection logs and user identification. Using open networks without authorization can lead to legal consequences if an offense is committed using your IP address.

Technical security is also paramount. Ensure the router's administrative panel is closed to the guest VLAN. Guest network users should not be able to scan ports on your equipment or attempt to brute-force the administrator password. Use strong passwords for the access point itself and the management interface.

Regularly update your equipment's firmware. Vulnerabilities in WiFi protocols or the router's web server could allow an attacker to bypass the login page or inject malicious script (XSS attack) into the login page displayed to all clients.

Frequently Asked Questions (FAQ)

Is it possible to create a login page without buying a new router?

Yes, if your current router supports the installation of alternative firmware, such as OpenWrt or DD-WRTA full-fledged HotSpot can be deployed on them. However, for stable operation of a commercial network, it's better to use specialized equipment.

What is a Walled Garden and why is it needed?

Walled Garden (Walled Garden) is a list of domains and IP addresses available to users before authorization. It's essential to include authorization servers (if external), payment sites, and popular resources (Google, Yandex) so users can find information or top up their balance.

Why doesn't the login page pop up automatically on iPhone?

iOS uses a mechanism Captive Network Assistant, which checks the availability of the Apple address. If the router doesn't process this request correctly, or if the user has accessed a site that uses strictly HTTPS without the ability to redirect, the window may not open. Advise the user to navigate to any http site (for example, neverssl.com) to force the page to be called.

Do I need a static IP address from my ISP for the login page?

For basic local authorization, a static IP is not required. However, if you plan to use an external authorization portal, integration with SMS gateways, or remote access point management from the cloud, having a public IP address or a configured one is essential. DDNS will greatly simplify the task.