how can I "unlock" the internet (in PHP)?

MBAGA · Wed Oct 08, 2014 12:44 pm

hi in a captive portal with sites allowed in walled garden, after login, how can I "unlock" the internet (in PHP)?

Deantwo · Wed Oct 08, 2014 2:23 pm

I am guessing this is related to your other thread.
Other reader, read this: http://forum.mikrotik.com/viewtopic.php?f=9&t=89867

MBAGA · Wed Oct 08, 2014 3:00 pm

yes. Sorry perhaps I should have to do only one thread?

Deantwo · Wed Oct 08, 2014 3:35 pm

yes. Sorry perhaps I should have to do only one thread?

Just trying to help whoever else may read this forum.

As for your question. I have no idea what your asking.
More information is needed.

Also, if this has nothing to do with Mikrotik scripting, I would suggest you ask in the Beginner Basics forum section.
But most of your questions seem to have very little to do with Mikrotik, so I don't know.

Wed Oct 08, 2014 4:00 pm

It's not exactly related to the other question.

And to answer this question of yours... What you're trying to do is not possible "directly" via PHP (or any other language). You can't login a hotspot user (or any kind of user) remotely, and to log in is the thing one does to unlock the internet.

The only way to log in is if the client device ITSELF sends an HTTP request to the router, with the username and password as part of the request.

You can have a form on your web server that will look and feel different, and you can also configure the router so that it redirects to that page before and after login, but DURING login - once the user presses that login button on your web page - your form must send the request back to the router, where it's up to the router to verify the credentials, and either decline login or let the user in.

MBAGA · Wed Oct 08, 2014 4:33 pm

after logging in via social networks, users are redirected to a PHP page that gets the data from the profile ... Then?

Wed Oct 08, 2014 4:40 pm

after logging in via social networks, users are redirected to a PHP page that gets the data from the profile ... Then?

Well... If your application knows that the facebook login was a success, and is somehow notified about it...

You could use the API to create a temporary hotspot username and password (also set the account to remove itself on log out), and then redirect the user to the router with the generated username and password in the URL.

That way, the "real" credentials are the ones randomly generated by your app, but since they're generated as a response to the facebook login, and the user is never presented a separate login form, it looks to the user as if their facebook login "unlocked the internet".

MBAGA · Wed Oct 08, 2014 4:44 pm

You could use the API to create a temporary hotspot username and password (also set the account to remove itself on log out), and then redirect the user to the router with the generated username and password in the URL.

yes! but how?

Wed Oct 08, 2014 5:05 pm

Well, once PHP can connect to the router (i.e. once we solve your other problem):

$addRequest = new RouterOS\Request('/ip hotspot user add');
$addRequest
    //->setArgument('profile', 'facebook') //Maybe?

    //The line below might be needed so that the router and facebook login expire together.
    //Otherwise, the router login will persist even after the facebook login has expired.
    //->setArgument('limit-uptime', ($facebookExpiresIn - time()) . 's')

    ->setArgument('name', 'FACEBOOK_' . $facebookUserID) //The prefix is in case you have non-facebook users on the router.
    ->setArgument('password', $facebookAccessToken);

$client($addRequest);

$routerQuery = http_build_query(
    array(
        //'dst' => $_SEVER['HTTP_REFERER'], //Optional.
        'username' => 'FACEBOOK_' . $facebookUserID,
        'password' => $facebookAccessToken
    )
);
header('Location: http://192.168.5.1/login?' .  $routerQuery);

But prior to having that code, also add to your users profile's on-logout script:

ros code

/ip hotspot user remove $user

If you have non-facebook users on the same router, you'll want to create a separate profile for facebook users, and only add the above to that profile.

MBAGA · Wed Oct 08, 2014 8:40 pm

header('Location: http://192.168.5.1/login?' .  $routerQuery);

I don't understand which page is that and what should I do there

Wed Oct 08, 2014 9:07 pm

Dude!

At this point, you're asking me to make the entire login system for you... At least try to get the pieces you'll be working with.

The entire code above should be part of the web page that receives the login information from facebook, after the point you've actually received the session information. How do you do that, you should check with facebook's API.

The IP in the header() call should be your router's LAN IP address, as seen by the guest computer, since what you're doing with header('Location:...') is instructing the browser to make a new HTTP request, and THAT request must be to the local hotspot router.

MBAGA · Wed Oct 08, 2014 9:31 pm

NoNo wait I had already done this part. What I was wondering is:
once I create the hotspot user after login, he is still stuck in the walled garden, how can I "unlock" him?
Sorry for the bad English

Wed Oct 08, 2014 9:37 pm

how can I "unlock" him?

That's what the header() call does - it makes the client device send a separate HTTP request to the router. The router will "unlock" the client device if the username and password are correct... Which they are certain to be in this case, since you just generated them earlier in the same file.

Once a user has logged in with the hotspot, they have internet access.

I've used the local IP of your MikroTik router, as we've seen it in the other topic, so you should NOT need change anything on that line.

MBAGA · Wed Oct 08, 2014 9:50 pm

The router will "unlock" the client device

ok so since the router can't interpret php I imagine that there is some javascript that "unlocks" the client device... how?

Wed Oct 08, 2014 9:58 pm

The router will "unlock" the client device
ok so since the router can't interpret php I imagine that there is some javascript that "unlocks" the client device... how?

There's no programming code of any sort. You can't login/unlock a user remotely in any fashion. Not with PHP, not with JavaScript, not with anything else.

That's what I've been trying to tell you since the start of this topic.

The entire procedure above is a workaround for the absence of any PHP/JavaScript/[any-other-programming-language] means to cause a login/unlock.

The idea is that the guest computer will send an HTTP request to RouterOS with a username and password, without the user actually "seeing" a form on their screen. RouterOS has it's own internal means of checking the username and password that you (from the web server) can't change or trigger.

The ONLY way to log into hotspot is for a client device to send an HTTP request to RouterOS which logs them in. A device cannot cause another device to be logged in. You keep asking if you can make the web server authenticate the client device, and I keep telling you RouterOS does not allow that. The web server can only log in the web server, and only the client device can log in the client device.

I'm starting to run out of ways to explain this...

OK, one last attempt... Check the following image:

FACEBOOK_AUTH.png

Each network request is denoted with a number. The device making the request is with a blue square, and the device that responds to this request is with a red circle.

I'm telling you RouterOS login can only happen between the two devices on step 5. It can't happen between any other two devices.

MBAGA · Wed Oct 08, 2014 10:45 pm

ok if I have understood is the http request which gives users access to ...
So I have a problem with this because after the http request I get redirected to the captive portal page

Wed Oct 08, 2014 10:50 pm

ok if I have understood is the http request which gives users access to ...
So I have a problem with this because after the http request I get redirected to the captive portal page

You should be able to configure RouterOS so that it appends the originally requested URL to the URL of the PHP page (the one which will in turn request login from Facebook). That URL can in turn be placed in the "dst" query parameter, near the end of the PHP code snippet above (see the commented line).

With those two pieces in place, after login, the user will be redirected to the page they requested originally.

MBAGA · Thu Oct 09, 2014 12:00 am

So:
1 - I have user, password ($user, $pwd)
2 - I create the hotspot user

php code

$addRequest = new RouterOS\Request('/ip hotspot user add');
$addRequest
    ->setArgument('name', $user)
    ->setArgument('password', $psw);
$client($addRequest);

3 - Which http request for logging user in?

Thu Oct 09, 2014 12:03 am

The next one.

The one that your web server won't make, but which the client device will make when you ask them to do so with the header() call.

MBAGA · Thu Oct 09, 2014 12:23 am

This?

$routerQuery = http_build_query(
    array(
        'username' => $user,
        'password' => $psw
    )
);
header('Location: http://192.168.5.1/login?'.$routerQuery);

Thu Oct 09, 2014 12:48 am

MBAGA · Thu Oct 09, 2014 12:55 am

Doesn't work
What is "login" in the URL?

Thu Oct 09, 2014 1:01 am

Doesn't work

Can you elaborate more on that? Any error messages on screen or in PHP/RouterOS logs? Can you see the username added in the router?

What is "login" in the URL?

> sigh <

Read this manual page.

MBAGA · Thu Oct 09, 2014 1:15 pm

understood
Thanks a lot!

MBAGA · Tue Oct 28, 2014 7:36 pm

$addRequest = new RouterOS\Request('/ip hotspot user add');
$addRequest
    //->setArgument('profile', 'facebook') //Maybe?

    //The line below might be needed so that the router and facebook login expire together.
    //Otherwise, the router login will persist even after the facebook login has expired.
    //->setArgument('limit-uptime', ($facebookExpiresIn - time()) . 's')

    ->setArgument('name', 'FACEBOOK_' . $facebookUserID) //The prefix is in case you have non-facebook users on the router.
    ->setArgument('password', $facebookAccessToken);

$client($addRequest);

$routerQuery = http_build_query(
    array(
        //'dst' => $_SEVER['HTTP_REFERER'], //Optional.
        'username' => 'FACEBOOK_' . $facebookUserID,
        'password' => $facebookAccessToken
    )
);
header('Location: http://192.168.5.1/login?' .  $routerQuery);

Everything works on my server but now I'm changing host and I get this error
Fatal error: Function name must be a string on

$client($addRequest);

Tue Oct 28, 2014 7:51 pm

Do you have the line

$client = new RouterOS\Client('2.34.107.153', 'admin', 'password');

earlier on in that same file?

Please show the full contents of that file.
(replace the username and password with dummy ones of course, for security's sake)

MBAGA · Tue Oct 28, 2014 8:19 pm

<?php
        include('config.php');
        include('hybridauth/Hybrid/Auth.php');
use PEAR2\Net\RouterOS;
require_once 'PEAR2/Autoload.php';
try {$client = new RouterOS\Client('2.34.107.153', 'admin', 'password');}
catch (Exception $e) { ?> <div>Unable to connect to RouterOS.</div> <?php }
$addRequest = new RouterOS\Request('/ip hotspot user add');
$addRequest
    ->setArgument('name', $name)
    ->setArgument('password', $password);
$client($addRequest);
$routerQuery = http_build_query(
    array(
        'username' => $name,
        'password' => $password
    )
);
header("location: http://172.16.0.1/login?".$routerQuery);
?>

Tue Oct 28, 2014 8:38 pm

Try to replace

$client($addRequest);

with

$client->sendSync($addRequest);

MBAGA · Tue Oct 28, 2014 8:49 pm

Try to replace
Code: Select all
$client($addRequest);
with
Code: Select all
$client->sendSync($addRequest);

Fatal error: Call to a member function sendSync() on a non-object

Tue Oct 28, 2014 8:59 pm

Move

$addRequest = new RouterOS\Request('/ip hotspot user add');
$addRequest
    ->setArgument('name', $name)
    ->setArgument('password', $password);
$client($addRequest);
$routerQuery = http_build_query(
    array(
        'username' => $name,
        'password' => $password
    )
);
header("location: http://172.16.0.1/login?".$routerQuery);

inside the "try" block.

While you're at it, you may clean up your includes too, i.e.

<?php
use PEAR2\Net\RouterOS;

require_once 'PEAR2/Autoload.php';
include 'config.php';
include 'hybridauth/Hybrid/Auth.php';

try {
    $client = new RouterOS\Client('2.34.107.153', 'admin', 'password');
    $addRequest = new RouterOS\Request('/ip hotspot user add');
    $addRequest
        ->setArgument('name', $name)
        ->setArgument('password', $password);
    $client($addRequest);
    $routerQuery = http_build_query(
        array(
            'username' => $name,
            'password' => $password
        )
    );
    header("location: http://172.16.0.1/login?".$routerQuery);
}
catch (Exception $e) {
 ?> <div>Unable to connect to RouterOS.</div> <?php
 }

It seems the connection to the router is failing. You may have even seen the "Unable to connect to RouterOS message"... But then you've made the code continue as if things are fine and dandy, despite that, leading to the fatal error.

In contrast, you'll notice the example "print logs" script has a line with "isset($client)". This does just that - checks whether the connection was previously made. That approach is required when you plan to do stuff later on. In YOUR case however, you're doing stuff immediately upon connection, so you may as well put the thing in the try block.

MBAGA · Wed Oct 29, 2014 3:20 am

I'm going mad caus I have noticed that works intermittently !
I'm making a few attempts using "Print router logs" http://wiki.mikrotik.com/wiki/API_PHP_p ... outer_logs that MUST work, and so is, it immediately prints the results. also reloading the page or re-opening the browser it still works. Then trying from a different PC it processes for a minute and Then "Unable to connect to RouterOS.". and from there it does not work more anywhere ...
any idea?

Wed Oct 29, 2014 8:14 pm

"From a different PC"?!?

You mean you move the PHP file to a different PC (same PHP file, located at a different place), or just access the same web server (the same PHP file, located at the same place) from a different PC?

MBAGA · Wed Oct 29, 2014 8:19 pm

This

just access the same web server (the same PHP file, located at the same place) from a different PC?

Wed Oct 29, 2014 8:24 pm

Hmm... Odd... Where is that different PC in terms of IP and physical place?

Like, is it on the same level as the PC from which it all works? Behind maybe just a switch more? Behind a different router? In front of a different router?

("behind" meaning further away from "the internet")

Oh, and where did

172.16.0.1

come from? I thought your MikroTik's local IP was 192.168.5.1.

MBAGA · Wed Oct 29, 2014 9:02 pm

>/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE

0 X 192.168.23.1/24 192.168.23.0 bridge2

1 ;;; hotspot network
172.16.0.1/24 172.16.0.0 ether5-GUEST

2 192.168.5.1/24 192.168.5.0 ether2-TX

3 D 192.168.1.3/24 192.168.1.0 ether4_OUTSIDE

Port Forwarding
Indirizzo locale Protocollo Porta esterna Porta interna
192.168.1.3 TCP 8728 8728

I'm trying from ether2-TX, from ether5-GUEST and from my smartphone
( PUBLIC IP 2.34.105.123 )
The php page is on a hosting of a third-level domain

$client = new RouterOS\Client('2.34.105.123', 'admin', 'XXXXX');

Wed Oct 29, 2014 9:11 pm

Well, first things first, you'll notice that in the shippets above, we're both using .153, not .123... So which one is it? I'm guessing .123, since that's what your router says.

WAIT...

Does your public IP change?!?! If that's the REAL problem here, you need to perhaps use RouterOS' "/ip cloud" menu to set up a domain name for it, and then use that name with the API. If your MikroTik router is NOT an x86 PC, it should have that menu.

MBAGA · Wed Oct 29, 2014 9:20 pm

yes it change occasionally now is 2.34.105.123

Wed Oct 29, 2014 9:28 pm

Then go to the "/ip cloud" menu, and enable it. Then check out your domain name, and use that in place of the IP.

See this wiki page for details.

MBAGA · Wed Oct 29, 2014 9:30 pm

i haven't it

Wed Oct 29, 2014 9:31 pm

Upgrade to at least 6.14, if you haven't already.

Also... Is your MikroTik router a PC, or a RouterBOARD?

MBAGA · Wed Oct 29, 2014 9:40 pm

RouterBOARD

but I don't need to do this . this is a temporary Situation just to tryy

Thu Oct 30, 2014 2:57 pm

On second though, you can easily make the script agnostic towards the public IP by replacing the concrete IP with $_SERVER['REMOTE_ADDR'], i.e.

$client = new RouterOS\Client($_SERVER['REMOTE_ADDR'], 'admin', 'XXXXX');

That way, the script will make a connection to the router as long as it is accessed from a PC behind ANY MikroTik router.

Do that. It should not only work now in testing, but should also work with your other router (after you configure hotspot on it, and do port forwards if necessary, of course).

Or don't do that if your REAL device doesn't change IPs.

MBAGA · Thu Oct 30, 2014 5:30 pm

Ok but $_SERVER['REMOTE_ADDR'] is anyway 2.34.105.123 which doesn't work

The php page with:
$client = new RouterOS\Client('2.34.105.123', 'admin', 'XXXXX');
Works on my Easyphp localhost

Instead the same page on my hosting doesn't work!
unless sometimes (and this is the funny thing) which it works perfectly until i try from another client (i.e. the other pc or my smartphone) and it doesn't work more anywhere

Thu Oct 30, 2014 5:59 pm

The first possibility here is that the Vodafone station has some sort of malicious activity detection. It works flawlessly when PHP runs from localhost, because it's ultimately inside the network, and thus no intrusion is detected.

Checks your Vodafone station for any "intelligent" "intrusion" "protection" "filtering" stuff, and turn it off, if there's any.

The second most likely problem is if your web host has a firewall that does just that. Contact your host, and ask them to explicitly allow all connections to TCP port 8728, i.e. instruct their firewall to not ever block such traffic.

If they say they don't have any such barriers in place, then the other possibility is that your web host is connected to the internet from several ISPs at once, but SOME of them can't reach your router for some reason, and thus some connections (those done on a broken ISP) fail. Ask them to ping your IP from all of their ISPs, and either lock your account into one that works or (better yet) that they contact their broken ISPs to fix this.

MBAGA · Thu Oct 30, 2014 7:00 pm

Now i tried from ether2-TX and it worked, from ether5-GUEST and it worked, from my smartphone and it worked. Then i retried from ether2-TX and it didn't work, from ether5-GUEST and it didn't work, from my smartphone and it didn't work.
about 15 minutes later i retried from ether2-TX and it worked, then i reload the page and it didn't work
?!?!?!
I don't think that the problem is my vodafone station, because on the old server hosting i didn't had any problem. anyway on my vodafone station all the "protections" are "off", i tried also to disable firewall but nothing.

On hosting management settings the only thing i found is the "FTP access filter" (WhiteListFTP) but i don't think this has anything to do with my problem.

I can't understand this "intermittence" without changing anything.

Thu Oct 30, 2014 7:10 pm

If the problem is at your host, it's one that's outside of your control, i.e. you won't find any settings to change it. You need to contact their support staff (you know, humans).

MBAGA · Wed Nov 05, 2014 7:00 pm

Going back to my server I creatd a VPN PPTP-CLIENT and I added a static route
now trying to print the log at the beginning it worked. Then I tried again and after minutes (!) appeared only the first row of the table

                <tr>
                    <th>Time</th>
                    <th>Topics</th>
                    <th>Message</th>
                </tr>

as if there were no logs . but that row is inside the block isset ($ client) so it should not be a connecting problem ...
So what ?

Wed Nov 05, 2014 7:31 pm

Check your error logs to make sure there are no PHP errors... Or if you don't have logs, add at the top (right after the "use" line):

ini_set('display_errors', 'On');

to make sure we see any errors, if any.

Also, in the output: is the table closed properly? Like, is "</tbody>" and the rest in there?

If there are no errors AND the "</tbody>" is there, this can only mean that for some reason, RouterOS is reporting the logs as empty. Why? Maybe a bug with your particular RouterOS version, I don't know. If there are errors during the communication between PHP and RouterOS, they should be visible on screen with the above setting.

MBAGA · Wed Nov 05, 2014 8:00 pm

Table is ok
with your setting I get :

Fatal error: Uncaught exception 'PEAR2\Net\Transmitter\SocketException' with message 'Failed while receiving word' in C:\inetpub\wwwroot\prova\PEAR2\Net\Transmitter\TcpClient.php:199 Stack trace: #0 C:\inetpub\wwwroot\prova\PEAR2\Net\Transmitter\Stream.php(356): PEAR2\Net\Transmitter\TcpClient->createException('Failed while re...', 4) #1 C:\inetpub\wwwroot\prova\PEAR2\Net\Transmitter\TcpClient.php(348): PEAR2\Net\Transmitter\Stream->receive(9, 'word') #2 C:\inetpub\wwwroot\prova\PEAR2\Net\RouterOS\Communicator.php(526): PEAR2\Net\Transmitter\TcpClient->receive(9, 'word') #3 C:\inetpub\wwwroot\prova\PEAR2\Net\RouterOS\Response.php(214): PEAR2\Net\RouterOS\Communicator->getNextWord() #4 C:\inetpub\wwwroot\prova\PEAR2\Net\RouterOS\Response.php(112): PEAR2\Net\RouterOS\Response->_receive(Object(PEAR2\Net\RouterOS\Communicator), false, NULL, 0) #5 C:\inetpub\wwwroot\prova\PEAR2\Net\RouterOS\Client.php(779): PEAR2\Net\RouterOS\Response->__construct(Object(PEAR2\Net\RouterOS\Communicator), false, NULL, 0, NULL) #6 C:\inetpub\www in C:\inetpub\wwwroot\prova\PEAR2\Net\Transmitter\TcpClient.php on line 199

Wed Nov 05, 2014 8:19 pm

Right, as I primarily suspected... What this means is that the connection is sometimes terminated in the middle of the receiving process for some reason.

Maybe faulty cables on your premises, or the web host's premises? Some sort of hourly data limit? Also again: An "intelligent" firewall (maybe not from your modem, but on your ISP or web host)?

This is not something that you can "really" workaround. The only thing you can do in PHP is to show a nicer error message when that happens, but you can't make it work when it doesn't.

The easiest way to show a nicer error message is to simply move all table related code into the "try" block, i.e.

<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2/Autoload.php';

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
        <title>RouterOS log</title>
        <style type="text/css">
            table, td, th {border: 1px solid black;}
            td span {outline: 1px dotted black;}
        </style>
    </head>
    <body>
        <?php
        try {
            $client = new RouterOS\Client('192.168.0.1', 'admin', 'password');
        ?><table>
            <thead>
                <tr>
                    <th>Time</th>
                    <th>Topics</th>
                    <th>Message</th>
                </tr>
            </thead>
            <tbody><?php
                $logEntries = $client->sendSync(
                    new RouterOS\Request('/log print')
                )->getAllOfType(RouterOS\Response::TYPE_DATA);
                foreach ($logEntries as $entry) {
                    ?>

                <tr>
                    <td><?php echo $entry('time'); ?></td>
                    <td><?php
                    $topics = explode(',', $entry('topics'));
                    foreach ($topics as $topic) {
                        ?>
                        
                        <span><?php echo $topic; ?></span><?php
                    }
                    ?>

                    </td>
                    <td><?php echo $entry('message'); ?></td>
                </tr><?php } ?>

            </tbody>
        </table>
    <?php }
        } catch (Exception $e) {
        ?><div>Unable to retrieve logs.</div>
    <?php
        }
        ?>
        </body>
</html>

This will show "Unable to retrieve logs" regardless of whether the reason is failed connection, or a sudden disconnect.

HOWEVER, doing the same for the hotspot authentication isn't really a good idea, since if you fail in the middle, this would mean that the hotspot user IS created, but despite being created, the user is not logged in.

The only thing you can do to work around this is contact your ISP and web host for assistance. Refer them to this topic if you must.

MBAGA · Wed Nov 05, 2014 8:39 pm

I dont care to make nicer the error message , but to avoid it
Then something "physical" , not "logical" ... I mean , HW or cables ?

I just registered the domain with dns management . Could this got to do?

Wed Nov 05, 2014 8:47 pm

Then something "physical", not "logical" ... I mean, hardware or cables?

I don't know. Could be anything between the MikroTik and your web host, including the modem fault/"protection", an ISP level fault/"protection", or a web host level fault/"protection", or any cables in between any one of those.

I just registered the domain with dns management. Could this got to do?

Registered which domain with which DNS management? Actually, never mind... It shouldn't be an issue, since you're contacting the router by its IP, and the router doesn't care what IP you're accessing it from. Besides, it's the connection is established, it means any such sort of obstacles are already avoided.

Here's an idea... You can try to place your computer OUTSIDE the modem, and then try to connect from INSIDE the modem to it, allowing it to connect to your MikroTik from the outside, instead of from the inside. If that's always reliable, at least you'll be able to eliminate your modem (or the cable between MikroTik and it) as the cause.

MBAGA · Wed Nov 05, 2014 9:00 pm

Probably some "protection" . I'll check
Thanks