
EoIP for network of Hotspots

Posted: Mon May 31, 2010 4:11 pm
by someuser
Hi,
I'm building a small network of Hotspots each with their own different physical locations and IPs.
I have one central authentication server/UserManager.
Is it ideal to create a VLAN with EoIP to manage the different hotspot LANs by creating one virtual subnet?
The benefits being?
My question being what is the ideal topology and simplest way to create a manageable network of hotspots?
Beginning to understand, the more I learn, the less I know.
Thanks

Re: EoIP for network of Hotspots

Posted: Tue Jun 01, 2010 4:40 pm
by fewi
In my opinion the best deployment model is to create an individual Hotspot at each broadcast domain barrier, and use central authentication (RADIUS) as well as central login pages (allow that server in walled garden, use meta refresh redirects in the HTML on the router itself to point to the external server). Creating larger broadcast domains is bad practice, and Hotspots work best at the broadcast domain barrier.

Re: EoIP for network of Hotspots

Posted: Wed Jun 02, 2010 6:27 am
by someuser
Thanks fewi,
I believe my plan is sort of in line with your layout, without making it too complex. So, I guess I may have confused the issue by thinking one needs to create one big subnet. Not really, to my understanding, what needs to be done per your suggestion.

To connect each individual hotspot to the central authentication (RADIUS) via EoIP, one would avoid making this one large subnet. Simply interconnect the IPs with EoIP? Or?

So, creating large broadcast domains is bad practice? Unnecessary traffic? Insecure? Less manageable?
And, so is there any real need to create a secure tunnel between the Hotspots and Central Radius?
You recommend "https" on each hotspot?
Thanks

Re: EoIP for network of Hotspots

Posted: Wed Jun 02, 2010 4:24 pm
by fewi
There's no need for EoIP in the deployment model I suggested. RADIUS is unicast.

Large broadcast domains are less secure as more clients can talk to one another (at least usually, unless you filter traffic between clients on layer 2), are harder to troubleshoot and manage, and cause overhead as broadcasts (DHCP, for example) are propagated through the entire domain; that particularly becomes an issue with wireless.

I do heartily recommend HTTPS on the Hotspot.
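
The deployment fewi describes in the two replies above, sketched as RouterOS configuration for one site. This is an added example, not part of the thread; interface names, addresses, host names, the certificate name and the secret are placeholder assumptions.

```routeros
# Added example. Assumed placeholders: hotspot LAN on bridge "bridge-hs1",
# AP radio "wlan1", central RADIUS/login server at 203.0.113.10
# (login.example.com), certificate "hs1-cert" already imported on the router.

# 1. One Hotspot per site, bound to that site's own broadcast domain.
/ip pool add name=hs1-pool ranges=10.10.1.10-10.10.1.254
/ip hotspot profile add name=hs1-prof hotspot-address=10.10.1.1 \
    dns-name=hs1.example.com login-by=https ssl-certificate=hs1-cert \
    use-radius=yes
/ip hotspot add name=hs1 interface=bridge-hs1 address-pool=hs1-pool \
    profile=hs1-prof disabled=no

# 2. Central authentication. RADIUS is unicast UDP from the router to the
#    server, so it is simply routed; no EoIP tunnel or shared subnet needed.
/radius add service=hotspot address=203.0.113.10 \
    secret="CHANGE-ME-long-random-per-site-secret"

# 3. Walled garden: unauthenticated clients may reach only the central
#    login server over HTTPS.
/ip hotspot walled-garden ip add server=hs1 dst-address=203.0.113.10 \
    protocol=tcp dst-port=443 action=accept

# 4. Layer 2 client isolation on the AP, so clients in the same broadcast
#    domain cannot talk to one another directly.
/interface wireless set wlan1 default-forwarding=no

# 5. hotspot/login.html on the router only redirects to the central page,
#    passing the values the central page needs to post the login back:
#    <meta http-equiv="refresh" content="0; url=https://login.example.com/login?mac=$(mac-esc)&link-login-only=$(link-login-only-esc)&link-orig=$(link-orig-esc)">
```

Repeat the same block at each site with that site's own pool, addresses and RADIUS secret; only the central server address stays the same.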

Re: EoIP for network of Hotspots

Posted: Wed Jun 02, 2010 10:04 pm
by someuser
Well done!
Thank you very much :D

Last question fewi (hopefully)
To get each separate Hotspot to work properly with PayPal.
Do I make the "return URL" which the PayPal gateway uses the URL of the ONE central UserManager which does all authenticating?
Is this IP configured on each Hotspot, or does each hotspot get its own "return URL" to work with PayPal?
Thanks