Welcome Icaro Hotspot!

Welcome Icaro Hotspot!

Recently, here in Nethesis, we have spent some time working on a new open source project. It’s called
Icaro HotSpot
The project is still in alpha, but it can be already be used for basic tasks (and for testing of course :wink: ).

What is an hotspot?

Hotspot main goal is to provide internet connectivity via wi-fi to casual users.
Users are sent to a captive portal from which they can access the network by authenticating themselves via social login, sms or email.

Why Icaro?

We strongly believe in the Open Source collaborative model (the NethServer way!) and we have the opportunity to build together our own hotspot project on top of Nethserver. For this reasons Icaro is fully Open Source and free to download.

What is Icaro?

Icaro is complete Hotspot written in Go and Vue.js. It uses CoovaChilli as access controller which can be configured and installed inside NethServer.

Where can i find it?

You can find everything here: https://nethesis.github.io/icaro

How it works?

The implementation is based on 2 components:

  • a remote hotspot manager with a Web GUI running on a cloud server that allows you to:

    • Create a hotspot instance: usually each instance is referred to a specific location (e.g. Art Cafè, Ritz Hotel and so on)
    • Edit the captive portal page
    • Choose what type of login to use
    • See session and users logged
  • a client part (dedalo) installed in Nethserver physically connected to the Access Points network
    It assigns IP addresses to the clients of the Wi-Fi Network and redirects them to the captive portal for authentication.

You can find more info on this page https://nethesis.github.io/icaro/docs/components

How to contribute right now?

Install it!

The Server Side

If you’d like to test it immediately without install the server component in your infrastructure we already have a working Hotspot Manager for test reasons, you can freely access it and create our test hotspot. Just login to :


With user and password : communityuser

  • Create a hotspot instance giving it a quite original name so that it can not be confused with that of another user.

  • Create a manager of type customer and during the creation link it to the hotspot instance just created
  • Register your hotspot unit on Nethserver using customer authentication informations (need to install the client side first)

If you have more time to devote to testing you can install the server component in your infrastructure:

The Client Side

  • Install the client component in your NethServer
    Please remind that the installation requires at least 3 ethernet interfaces:
    one interface for normal LAN clients, marked with green role (you need it even if unused, can be a VLAN)
    one interface (or more) for Internet connection, marked with red role
    one interface for the Dedalo, marked with hotspot role

  • Connect an AP to the hostpot interface

    • The Wi-Fi network must be open without password
    • The AP must have DHCP disabled, it must behaviour like a dumb network switch

Use it!

  • Create a hotspot instance on the Hotspot Manager
  • Configure the captive portal and choose login mode
  • Configure and link the hotspot unit (the client) to the instance created
  • Connect your device to the Wi-Fi Network (pc, smartphone, tablet)
  • Open your browser and be redirected to the captive portal
  • Try to do login

Provide your feedback and report bugs here!

Be aware that

  • In the current version you can create a hotspot instance in the Hotspot Manager, clients can authenticate themselves using social login (Facebook, Instagram, Linkedin) as well as sms or email login.
  • If you do email login the email could go in the spam.

Which cases need to be tested:

  • Test interaction with the clients (redirects to captive portal and authentication)
  • Test social login (Facebook, Instagram, Linkedin), sms (need a twilio account) or email.

Known problems

The server part is very basic : the Hotspot Manager currently only allows you to perform very simple tasks.We need to improve the session management, adding reports, and many other features, we will work harder on that part to get to the beta version.

What are the next steps?

We are working on the server component in order to have an Hotspot Manager easier to use and full featured (session export, better management of units , reports and so on).


I guess that these people are really interested in that announcement :slight_smile:
@Tohid_Tamboli @amitetw @m.src @Vinny74 @edi @clinton @robb @a4rgl @Fred
Folks we want to see your feedback!

1 Like


Sounds quite interesting, although I’m using the Hotspot / Captive Portal of OPNsense.

However a few but’s or gotcha’s: Almost every page of the documentation focuses or contains the word Ad - it seems the emphasis is on generating leads (A Terminology implying spam or unsolicited mails).

The next BIG But is a server out of house…

I don’t quite like the idea of having a server in house that can do almost anything, then having to go to an outside hosted server for permissions. I only see the reason as collecting more spamming data.

Have any dude log in twice - as excuse give html limitations or caching - and presto, you’ve got your double opt-in.

I hate spamming lingo like this…

There are other hotspot GUIs that don’t focus on marketing (Online that is known usually as spam…).

I see a hotspot with captive portal - say for schools or elsewhere in education, or a hospital or other institution like a hotel - as a good method for controlling misuse and bandwidth. But collecting data and reselling clients data is a No-Go for me!

In a Hotel, for example, we offer free WLan for guests. Clients LapTops with trojans led to the Internet Service be denied by our provider, for spamming reasons. With the captive portal, and traffic shaping, everything works quite well. All clients can send mail. If they want to send 2-3 mails, also no problem. If they want to send 1-2 thousand mails, they will be delayed by traffic shaping. They would need to stay a couple of Months to send that much… ;-). Any trojan will be “held up”.
Since two years working for almost all guests - no further problems…

My 2 cents, even if it may be harsch. But still within Open Source and against overly commercial pushes…





I just received 2 more AP’s that I can use to test the icaro hotspot module.
Big quetion (for me) is: Is it possible to create timeframes when the hotspot is available? If so, can this be differentiated for certain users or groups?

Timeframe should be mandatory.
Also walled garden (sites without necessity of registration), bandwidth management (don’t know if externally or internally the hotspot managemente interface), protocol filtering (who want to let torrent or TOR be available from hotspot?)

I am missing why you should have user or groups access, @robb. It’s an hotspot, therefore no users, only guests. IMHO if you need timeframe for users you should focus on content filtering… and a different subnet/zone.

@davide_marini a little question: which is the zone of the hotspot-role interface?

1 Like

Is possible to install in an existing enviroment with 2 red 1 green 1 blue?
I have 10 TP-link EAP with many tagged SSID ( voip, Guest, principal, admin, plc )

@robb there isn’t the possibility to create timeframe to enable or disable the service.
It should be quite easy to do it with a cron script, but may be I could miss the point… could you please explain your needs about that?
Perhaps we can find a workaround for that.

@pike the content filtering could be a solution for @robb, actually the content filter for the hotspot still needs some work, but we think we will have it quite early.
The zone for the hotspot interface is a dedicated zone called hotsp , that zone can only go to internet, no traffic allowed toward green, blue and orange zones.

I think it should work also on a vlan, but I didn’t tested it yet.
You just need to create a vlan, remove the role and assign the vlan to the hotspot, if you want to try just :

  • Create a VLAN with a role (not important what, it’s going to be removed immediately)

  • remove role and network with the following script (substitute variables $PHYSINTERFACE and $VLANTAG with real values)

    db networks setprop $PHYSINTERFACE.$VLANTAG ipaddr '' netmask '' role ''

  • update interfaces accordingly to the new configuration
    signal-event interface-update

Go to the Hotspot Unit and configure it choosing the vlan interface just created.

@davide_marini, please, think as final user perspective…
Do restaurants should keep Internet access always open? Or only during working time (for instance from 11:30 to 14:30, from 18:30 to 23:00)?. And disable it during days off.
Beach-related services… maybe from 06:30 to midnight should be enough. But only during opening period.
Or diners, dealers, car selling places… they always have wworking hours and off hours.

Only exception for timeframe IMO are hotels and automated stores like fuelstations.

The ISP subscriber is responsible for traffic made by it’s connection. Therefore, no traffic allowed for no-customers.

1 Like

Thank you for your clarification @pike,
There is not a specific timeframe for this service, but I think we can solve it easily with the firewall, we just need to block any traffic from the hotspot zone.
I just did a little test ad it seems to work.
Users take an ip address but , apart from that they can’t do anything.

obviuosly we need more rules if we have multiple timeframes.


i have tagged port on hp switch, do not specify the vlan on the network configuration.
I think it’s not a problem

Yes, a really good news…

Is it in alpha version, ok but is it interctive with the Ubnt Solution?

Hi @davide_marini and thnx a lot for your effort!
I think @pike nailed the why for timeframes. The use of different groups don’t make sense for a hotspot feature, so disregards that. I was just thinking out loud to be able to differentiate between different (groups of) people. Allowing some people internet access and others not…

it should work with every AP (or AP network) cause the APs don’t do anything, they just put in communication the clients with the hostpot service in Nethserver.
you’re welcome!
About the groups, I suggest you to create 2 separate SSIDs, one linked to the hotspot service, the other one (protected by password e.g. wpa2 ) linked to a green or blue zone.
You can do everything with a single AP putting the hotspot in a VLAN as explained above, letting the green (or blue) untagged.

1 Like

Looks an interesting comparison! Please help us to improve the product basing on your experience

Ehm, what do you mean?

Nice to see hotspot is getting some love, definitely interested! I’m moving to a new appartment these days and dont have much free time but i’ll try to test it as soon as possible and give some feedback!



Almost every page of the documentation focuses or contains the word Ad - it seems the emphasis is on generating leads (A Terminology implying spam or unsolicited mails).

Ehm, what do you mean?


Well, if you read through the Docs here,

There are a lot of references to Marketing - almost too many for my liking… :wink:

Hotspot / Captive Portal of OPNsense

This component, like the Traffic Shaper, seems to have originated in MonoWall, continued in PFsense, and landed now in OPNsense.
Advantages: All built into the firewall / router, can use external auth like LDAP, but also “internal” users.

I’m using this for Hotel Guests, and we’re proud of being one of the first Hotels in Switzerland to have always provided free WiFi Service…

Before, we used the captive portal for authentification (Internal Users / Voucher) for Hotel and/or Restaurant Guests. Since 3 years now, we have open access with a landing page.

I’m using the function “Traffic Shaper” with an emphasis on SMTP - that’s been our major problem in this setup. Hotel Guests with Laptops infested with trojans, and sending Spam from our IP - and getting us blocked by our Provider. This has worked far better than the tried commercial solutions like from Juniper. and costs far less! Since using Traffic Shaper (5 years now) Not a single issue!

Another function I’m using: DHCP Reservations and a selective Firewall Passthru. The Hotel Owner always works from his Laptop, has no desktop PC, and always works from the Hotel Hotspot, usually in the restarant. For this reason, certain Devices NEED access to the “Green” LAN, others only need Internet Access. I’m doing this by

  1. Passing the Internal DNS Server to these Clients, instead of the Providers DNS. This way they can find the internal Mail Server.

  2. DHCP splitting. We’re using a Subnet. Reserved DHCP match the Network (!), other DHCP start at The Firewall will only allow the Clients thru to the Green LAN.

As in the Icaro Hotspot docs, all our APs are in ONE LAN Network subnet. This subnet is specifically for Hotel Guests, with the exception of a few Laptops and a couple of Cameras for surveillance, which can’t be reasonably hooked to another LAN subnet (To far / No wiring / etc).

A combination of these features / best practice usage would certainly be advantageous in almost any situation, client, institution, or other potential user of a Hotspot.

My 2 cents


1 Like

I follow your reasoning and I wouldn’t know if and/or how the info is used that might be or isn’t collected server side.
I also know there are several commercial parties that have implemented a similar way of managing AP’s. Examples are:

Maybe @giacomo can give some more info about what and how the data available through icaro hotspot manager and if there can be a local version of this available too so you can keep everything private.

I have used Unifi AP’s for quite some time, but never used the cloudkey solution and always installed the controller locally…

@robb this should answer your concerns :slight_smile:
It’s ALL Open Source, server and client component. I don’t think that you get the huge OPEN effort Davide and his team did, everything is open and free on github :slight_smile: