Welcome Icaro Hotspot!

I guess that these people are really interested in that announcement :slight_smile:
@Tohid_Tamboli @amitetw @m.src @Vinny74 @edi @clinton @robb @a4rgl @Fred
Folks we want to see your feedback!

1 Like


Sounds quite interesting, although I’m using the Hotspot / Captive Portal of OPNsense.

However a few but’s or gotcha’s: Almost every page of the documentation focuses or contains the word Ad - it seems the emphasis is on generating leads (A Terminology implying spam or unsolicited mails).

The next BIG But is a server out of house…

I don’t quite like the idea of having a server in house that can do almost anything, then having to go to an outside hosted server for permissions. I only see the reason as collecting more spamming data.

Have any dude log in twice - as excuse give html limitations or caching - and presto, you’ve got your double opt-in.

I hate spamming lingo like this…

There are other hotspot GUIs that don’t focus on marketing (Online that is known usually as spam…).

I see a hotspot with captive portal - say for schools or elsewhere in education, or a hospital or other institution like a hotel - as a good method for controlling misuse and bandwidth. But collecting data and reselling clients data is a No-Go for me!

In a Hotel, for example, we offer free WLan for guests. Clients LapTops with trojans led to the Internet Service be denied by our provider, for spamming reasons. With the captive portal, and traffic shaping, everything works quite well. All clients can send mail. If they want to send 2-3 mails, also no problem. If they want to send 1-2 thousand mails, they will be delayed by traffic shaping. They would need to stay a couple of Months to send that much… ;-). Any trojan will be “held up”.
Since two years working for almost all guests - no further problems…

My 2 cents, even if it may be harsch. But still within Open Source and against overly commercial pushes…





I just received 2 more AP’s that I can use to test the icaro hotspot module.
Big quetion (for me) is: Is it possible to create timeframes when the hotspot is available? If so, can this be differentiated for certain users or groups?

Timeframe should be mandatory.
Also walled garden (sites without necessity of registration), bandwidth management (don’t know if externally or internally the hotspot managemente interface), protocol filtering (who want to let torrent or TOR be available from hotspot?)

I am missing why you should have user or groups access, @robb. It’s an hotspot, therefore no users, only guests. IMHO if you need timeframe for users you should focus on content filtering… and a different subnet/zone.

@davide_marini a little question: which is the zone of the hotspot-role interface?

1 Like

Is possible to install in an existing enviroment with 2 red 1 green 1 blue?
I have 10 TP-link EAP with many tagged SSID ( voip, Guest, principal, admin, plc )

@robb there isn’t the possibility to create timeframe to enable or disable the service.
It should be quite easy to do it with a cron script, but may be I could miss the point… could you please explain your needs about that?
Perhaps we can find a workaround for that.

@pike the content filtering could be a solution for @robb, actually the content filter for the hotspot still needs some work, but we think we will have it quite early.
The zone for the hotspot interface is a dedicated zone called hotsp , that zone can only go to internet, no traffic allowed toward green, blue and orange zones.

I think it should work also on a vlan, but I didn’t tested it yet.
You just need to create a vlan, remove the role and assign the vlan to the hotspot, if you want to try just :

  • Create a VLAN with a role (not important what, it’s going to be removed immediately)

  • remove role and network with the following script (substitute variables $PHYSINTERFACE and $VLANTAG with real values)

    db networks setprop $PHYSINTERFACE.$VLANTAG ipaddr '' netmask '' role ''

  • update interfaces accordingly to the new configuration
    signal-event interface-update

Go to the Hotspot Unit and configure it choosing the vlan interface just created.

@davide_marini, please, think as final user perspective…
Do restaurants should keep Internet access always open? Or only during working time (for instance from 11:30 to 14:30, from 18:30 to 23:00)?. And disable it during days off.
Beach-related services… maybe from 06:30 to midnight should be enough. But only during opening period.
Or diners, dealers, car selling places… they always have wworking hours and off hours.

Only exception for timeframe IMO are hotels and automated stores like fuelstations.

The ISP subscriber is responsible for traffic made by it’s connection. Therefore, no traffic allowed for no-customers.

1 Like

Thank you for your clarification @pike,
There is not a specific timeframe for this service, but I think we can solve it easily with the firewall, we just need to block any traffic from the hotspot zone.
I just did a little test ad it seems to work.
Users take an ip address but , apart from that they can’t do anything.

obviuosly we need more rules if we have multiple timeframes.


i have tagged port on hp switch, do not specify the vlan on the network configuration.
I think it’s not a problem

Yes, a really good news…

Is it in alpha version, ok but is it interctive with the Ubnt Solution?

Hi @davide_marini and thnx a lot for your effort!
I think @pike nailed the why for timeframes. The use of different groups don’t make sense for a hotspot feature, so disregards that. I was just thinking out loud to be able to differentiate between different (groups of) people. Allowing some people internet access and others not…

it should work with every AP (or AP network) cause the APs don’t do anything, they just put in communication the clients with the hostpot service in Nethserver.
you’re welcome!
About the groups, I suggest you to create 2 separate SSIDs, one linked to the hotspot service, the other one (protected by password e.g. wpa2 ) linked to a green or blue zone.
You can do everything with a single AP putting the hotspot in a VLAN as explained above, letting the green (or blue) untagged.

1 Like

Looks an interesting comparison! Please help us to improve the product basing on your experience

Ehm, what do you mean?

Nice to see hotspot is getting some love, definitely interested! I’m moving to a new appartment these days and dont have much free time but i’ll try to test it as soon as possible and give some feedback!



Almost every page of the documentation focuses or contains the word Ad - it seems the emphasis is on generating leads (A Terminology implying spam or unsolicited mails).

Ehm, what do you mean?


Well, if you read through the Docs here,

There are a lot of references to Marketing - almost too many for my liking… :wink:

Hotspot / Captive Portal of OPNsense

This component, like the Traffic Shaper, seems to have originated in MonoWall, continued in PFsense, and landed now in OPNsense.
Advantages: All built into the firewall / router, can use external auth like LDAP, but also “internal” users.

I’m using this for Hotel Guests, and we’re proud of being one of the first Hotels in Switzerland to have always provided free WiFi Service…

Before, we used the captive portal for authentification (Internal Users / Voucher) for Hotel and/or Restaurant Guests. Since 3 years now, we have open access with a landing page.

I’m using the function “Traffic Shaper” with an emphasis on SMTP - that’s been our major problem in this setup. Hotel Guests with Laptops infested with trojans, and sending Spam from our IP - and getting us blocked by our Provider. This has worked far better than the tried commercial solutions like from Juniper. and costs far less! Since using Traffic Shaper (5 years now) Not a single issue!

Another function I’m using: DHCP Reservations and a selective Firewall Passthru. The Hotel Owner always works from his Laptop, has no desktop PC, and always works from the Hotel Hotspot, usually in the restarant. For this reason, certain Devices NEED access to the “Green” LAN, others only need Internet Access. I’m doing this by

  1. Passing the Internal DNS Server to these Clients, instead of the Providers DNS. This way they can find the internal Mail Server.

  2. DHCP splitting. We’re using a Subnet. Reserved DHCP match the Network (!), other DHCP start at The Firewall will only allow the Clients thru to the Green LAN.

As in the Icaro Hotspot docs, all our APs are in ONE LAN Network subnet. This subnet is specifically for Hotel Guests, with the exception of a few Laptops and a couple of Cameras for surveillance, which can’t be reasonably hooked to another LAN subnet (To far / No wiring / etc).

A combination of these features / best practice usage would certainly be advantageous in almost any situation, client, institution, or other potential user of a Hotspot.

My 2 cents


1 Like

I follow your reasoning and I wouldn’t know if and/or how the info is used that might be or isn’t collected server side.
I also know there are several commercial parties that have implemented a similar way of managing AP’s. Examples are:

Maybe @giacomo can give some more info about what and how the data available through icaro hotspot manager and if there can be a local version of this available too so you can keep everything private.

I have used Unifi AP’s for quite some time, but never used the cloudkey solution and always installed the controller locally…

@robb this should answer your concerns :slight_smile:
It’s ALL Open Source, server and client component. I don’t think that you get the huge OPEN effort Davide and his team did, everything is open and free on github :slight_smile:

The demo server icaro-server.neth.eu has now been dismissed.

A post was split to a new topic: Icaro: install scripts seems stuck