Setting up a commercial internet access point isn't just about installing a router; it's about building a full-fledged business model that requires a technical and legal approach. Owners of hotels, hostels, cafes, shopping centers, and even private parking lots are increasingly considering monetizing their traffic, turning internet access into an additional source of revenue. Paid Wi-Fi This not only helps recoup the cost of the communication channel, but also creates a comfortable environment for clients willing to pay for stability and speed.
From a technical point of view, the implementation of such a system is based on an authorization mechanism known as Captive PortalThis is the page that automatically opens on the user's device when attempting to connect to the network, requiring a code, payment, or registration. This gateway is the heart of the entire system, separating public access from commercial access. Unlike a home router, flexible settings and the ability to integrate with payment systems are critical here.
However, before moving on to complex configurations, it's important to clearly understand the project's scope. Will it be a single point in a small cafe or a distributed network across several buildings? The answer to this question will determine the choice of hardware platform. For small projects, budget-friendly MikroTik-based solutions are sufficient, while larger hotspots will require professional controllers and RADIUS servers.
Selection of hardware and software platform
The foundation of any network is equipment that must withstand high loads and ensure stable operation 24/7. There are many solutions on the market, but for an organization paid access Specialized equipment lines have proven themselves to be the most effective. Standard consumer routers are unsuitable here due to their lack of support for complex authorization and billing scenarios.
The company traditionally considered the leader in this segment is MikroTikTheir operating system RouterOS has powerful built-in functionality Hotspot, which allows you to configure pricing, speed limits, and traffic redirection without purchasing additional software. For larger networks, solutions from Ubiquiti UniFi or TP-Link Omada, which require a separate authorization server, but provide a convenient graphical management interface.
When choosing hardware, it's important to consider the number of simultaneous connections. Cheap models can crash with only 10-15 active users, which is unacceptable for businesses.
- 📡 MikroTik — ideal for flexible configuration and operation without third-party servers, but requires deep knowledge of the CLI.
- 🌐 Ubiquiti UniFi — excellent scalability and a beautiful interface, but requires a dedicated server (Cloud Key or PC) to operate the portal.
- ☁️ Cloud solutions - services like Keenetic Subscription-based or specialized SaaS platforms that simplify management but require a monthly fee.
Don't forget about access points either. While the router manages traffic, the access points (APs) provide coverage. For commercial purposes, it's best to choose models that support the standard. Wi-Fi 6 (802.11ax), which work more effectively in conditions of heavy traffic and a large number of clients.
Network architecture and Hotspot configuration
Network organization begins with a well-designed topology. A standard design includes a wide-area network (WAN), a router with gateway functionality, a switch, and access points. Isolation of client traffic is key. Users should not be able to see the equipment's administrative interfaces or each other.
To achieve this, VLAN (Virtual LAN) is used. A separate VLAN is allocated for the guest network, which is routed through the authentication gateway. Hotspot On MikroTik, for example, it is done through the menu IP -> Hotspot, which launches the configuration wizard. It will automatically create the necessary address pools, server profiles, and firewall rules.
It's important to configure your DNS correctly. Before authorization starts, all requests must be redirected to the gateway IP address so that the login page opens on any website the user attempts to access. This is called "DNS hijacking."
⚠️ Attention: When setting up firewall rules, make sure you don't block access to payment gateways before authorization. A mechanism often used is Walled Garden, which allows access to certain domains without payment.
If you use a bundle FreeRADIUS And MikroTik, the logic changes: the router becomes a client sending requests to the authorization server. This is a more complex but also more scalable architecture, allowing for centralized management of thousands of users.
Billing and tariffication systems
The heart of commercial Wi-Fi is billing. It determines how much time or data a user receives after payment. The simplest option is a voucher system built into the router. The administrator generates codes with a specific limit (for example, "1 hour" or "500 MB") and sells them to customers.
A more advanced level is integration with payment systems. In this case, the user selects a plan on the portal page, pays by card or QR code, and the system automatically grants access. This is achieved using intermediary scripts or ready-made billing platforms.
The main types of pricing to consider are:
- ⏱ Temporary — payment for a fixed period of time (30 minutes, 1 hour, 24 hours).
- 📉 Traffic — payment for the volume of transferred data (relevant for satellite or expensive 4G Internet).
- 🚀 High-speed — different tariffs for different speeds (the basic tariff is slow, VIP is fast).
When setting up profiles in IP -> Hotspot -> User Profiles you can set limits Rate Limit (incoming/outgoing speed) and Total Limit (total traffic volume). This allows for flexible channel load management.
What is a Walled Garden?
A Walled Garden is a list of IP addresses or domain names that a user is allowed to access WITHOUT authorization or payment. This typically includes payment system websites, partner pages, or news resources so that the user can select a payment method even if they don't yet have access.
Portal design and user experience
Login page (Captive Portal) is the face of your service. If it takes a long time to load, looks suspicious, or isn't mobile-friendly, customers will leave. MikroTik's default homepage looks outdated, so it's recommended to customize it.
The page's HTML code can be edited to include modern CSS and your establishment's logo. It's important that the password entry or plan selection form is visible and clear. Mobile responsiveness is essential, as 90% of connections are made from smartphones.
Technical requirements for the portal:
- 📱 Adaptability — correct display on screens of any size.
- ⚡ Ease - a minimum amount of graphics for fast loading even on a weak signal.
- 🔒 HTTPS — Using a secure protocol for the login page inspires more trust in users.
Many modern systems allow you to embed contact collection forms (email, phone) into your portal in exchange for free access. This is an excellent marketing tool, but it requires setting up an SMTP server to send confirmation codes.
Legal aspects and security
Providing public internet access places significant responsibility on the network owner. In the Russian Federation, according to legislation (RF Government Decree No. 758 and FSB/Roskomnadzor requirements), public Wi-Fi providers are required to identify users. This means that simply handing out the password "12345" is not an option—authentication via phone number (SMS) or through the Unified Identification and Authentication System (Gosuslugi) is required.
Furthermore, you are required to maintain connection logs and provide them to law enforcement upon request. Failure to comply may result in large fines and resource blocking.
From a cybersecurity perspective, an open network is a risk. Attackers may attempt to attack other users or use your network for illegal activities.
| Protective measure | Description | Difficulty of implementation |
|---|---|---|
| Client Isolation | Prevents data exchange between devices on the same Wi-Fi network | Low |
| Port filtering | Blocking suspicious ports (SMTP, P2P) | Average |
| Logging | Recording MAC addresses, time, and IP addresses of connections | Average |
| Network Separation (VLAN) | Separating the guest network from the internal business network | High |
⚠️ Attention: Telecommunications legislation is changing. Be sure to check user identification and data storage requirements against current regulatory standards at the time of project launch.
☑️ Safety checklist
Launching and testing the system
The final stage is debugging. Don't launch the system into production without thorough testing. Test the entire scenario from start to finish: network search, portal opening, plan selection, payment (or code entry), access, plan expiration, and disconnection.
Pay special attention to connection stability when roaming. If a client moves through a large area, their device should switch to the closest access point without interrupting the session. To achieve this, the access points must be configured with the same SSID and non-overlapping channels.
Also, check your router's CPU load. With a large number of clients, the CPU can reach 100%, resulting in a drop in speed. Resource monitoring is a must.
Frequently Asked Questions (FAQ)
Do you need a special permit to sell Wi-Fi?
A provider license is generally not required to provide access within your own establishment (cafe, hotel), unless you provide communications services as a separate business outside your local area. However, you must comply with user identification requirements. For a definitive answer, it's best to consult a lawyer in your jurisdiction.
Is it possible to set up paid Wi-Fi on a regular TP-Link or Asus router?
Standard consumer routers do not have built-in functionality for billing and creating payment portals. This requires installing alternative firmware (for example, OpenWrt or DD-WRT) and configure additional packages, or use an external connection to a RADIUS server. It's simpler and more reliable to use specialized equipment.
How to accept payments automatically?
To automate this, you need to integrate your authorization gateway (MikroTik, UniFi, etc.) with a payment aggregator (Yukassa, Robokassa, etc.). This is most often done via an API: after a successful payment, the payment system sends a request to the router or billing server, which activates access for a specific MAC address or login.
What should I do if the client can't open the login page?
This is a common issue with HTTPS. If a client attempts to access a secure site (https://), the browser will block the redirect to your portal. Solution: The client should try accessing any http site (e.g. neverssl.com) or use Apple CNA / Android Hotspot 2.0 technology, which force the portal to open.