A Wi-Fi hotspot is a physical location where people can access the internet using wireless devices. From coffee shops to airports, hotspots provide connectivity but require proper setup and authentication to function securely and efficiently.
What Is a Wi-Fi Hotspot?
A Wi-Fi hotspot is a wireless access point that provides internet access to connecting devices. It consists of:
- Hardware: Wireless router or access point
- Software: Authentication system (captive portal, password, etc.)
- Network: Internet connection (fiber, DSL, cable)
Step 1: Hardware Selection
Access Point Types
Key specifications to consider:
- Radio frequency: 2.4GHz (longer range) vs 5GHz (faster speed)
- HTTP/HTTPS support: For captive portal redirects
- DHCP server: Built-in or external
- Firewall: Port blocking, ACL support
Recommended Hardware
- TP-Link Omada: Cloud controller, VLAN support, captive portal built-in
- Ubiquiti UniFi: Scalable, analytics dashboard, multi-location management
- MikroTik: RouterOS with hotspot manager, voucher system
Step 2: Network Planning
Coverage Mapping
- Venue size: Calculate square footage
- User capacity: Estimate peak concurrent users
- Signal strength: Plan AP placement for 70+ dBm coverage
- Dead zones: Identify areas with poor signal (thick walls, metal obstacles)
Bandwidth Requirements
Total Bandwidth = Users × Bandwidth per User
Example: 50 users × 5 Mbps = 250 Mbps minimum internet connection
Per-user bandwidth:
- Basic browsing: 1–2 Mbps
- Video streaming: 5–10 Mbps
- HD video calls: 10–15 Mbps
Step 3: Internet Connection Setup
ISP Selection
- Fiber: Fastest (100–1000 Mbps), reliable, low latency
- Cable: Good speed (50–500 Mbps), variable latency
- DSL: Slower (10–100 Mbps), noisy lines
- 5G: Wireless backup, portable, higher latency
Connection Configuration
- Router setup: Connect modem to router’s WAN port
- DHCP enabled: Router assigns IP addresses to devices
- Static IP: Request static IP from ISP for remote access
- Firewall rules: Block unnecessary ports (21, 23, 25)
Step 4: Access Point Configuration
Basic WiFi Settings
SSID: VenueName_Guest
Security: WPA2/WPA3
Password: Optional (if using captive portal)
Channel: Auto or fixed (2.4GHz: 1, 6, 11; 5GHz: 36, 40, 44)
Advanced Settings
- VLAN ID: Separate guest traffic (e.g., VLAN 10)
- Client isolation: Prevent device-to-device communication
- Bandwidth limits: 5 Mbps per user
- Session timeout: 1 hour auto-disconnect
Step 5: Captive Portal Deployment
Choose Portal Type
- Built-in: MikroTik hotspot manager, Ubiquiti UniFi
- Cloud-based: Powerlynx, XceedNet, YesSpot
- Custom: Self-developed (requires web server)
Portal Configuration
- Login methods: Email, social (Facebook/Google), password, voucher
- Brand customization: Logo, colors, welcome message
- Terms & Conditions: Add GDPR-compliant checkbox
- Redirect URL: Set post-login destination (e.g., venue homepage)
DNS Configuration
- DNS server: Set to firewall/router IP (192.168.1.1)
- DNS redirection: Force all DNS queries to captive portal
- Whitelist: Allow social network domains (facebook.com, api.twitter.com)
Step 6: Firewall Rules
Access Control List (ACL)
Rule 1: Block ALL → Internet (default deny)
Rule 2: Allow HTTP → Captive Portal (port 80)
Rule 3: Allow HTTPS → Any (port 443, after auth)
Rule 4: Allow DNS → Any (port 53)
Rule 5: Allow DHCP → Any (port 67/68)
Port Forwarding
- Port 80: Redirect to captive portal server
- Port 443: HTTPS login (if using HTTPS pirouette)
- Port 53: DNS queries
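An added example, not part of the original guide or any vendor's firmware: a small Python model of the Step 6 ACL, showing how the pre-authentication rules, client isolation, the blocked ports from Step 3 and the 1-hour session timeout combine into one allow/redirect/deny decision with default deny as the fall-through. The GuestGate class, its method names and the 192.168.1.0/24 guest subnet are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative model only: GuestGate and the guest subnet are assumptions, not vendor code.
ROUTER_IP = ipaddress.ip_address("192.168.1.1")     # router/portal address from the page
GUEST_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed guest subnet
SESSION_TTL = 3600                                  # 1-hour session timeout, in seconds
BLOCKED_PORTS = {21, 23, 25}                        # ports the page says to block

@dataclass
class Session:
    user_id: str
    mac: str
    expires_at: float

class GuestGate:
    def __init__(self):
        self.sessions = {}  # MAC address -> Session

    def login(self, user_id, mac, now):
        """Called by the portal after a successful login."""
        mac = mac.lower()
        self.sessions[mac] = Session(user_id, mac, now + SESSION_TTL)

    def authenticated(self, mac, now):
        session = self.sessions.get(mac.lower())
        if session is None:
            return False
        if now >= session.expires_at:
            del self.sessions[mac.lower()]  # expired: drop the entry so access is revoked
            return False
        return True

    def decide(self, mac, proto, dst_ip, dst_port, now):
        """Return 'allow', 'redirect' or 'deny' for one outbound guest packet."""
        dst = ipaddress.ip_address(dst_ip)
        if proto == "udp" and dst_port == 67:
            return "allow"                    # DHCP must work before a lease exists
        if dst in GUEST_NET and dst != ROUTER_IP:
            return "deny"                     # client isolation
        if dst == ROUTER_IP and (dst_port == 53 or (proto == "tcp" and dst_port in (80, 443))):
            return "allow"                    # local DNS and the portal login page
        if not self.authenticated(mac, now):
            if dst_port == 53 or (proto, dst_port) == ("tcp", 80):
                return "redirect"             # steer stray DNS and HTTP to the router/portal
            return "deny"                     # default deny before authentication
        return "deny" if dst_port in BLOCKED_PORTS else "allow"
```

The same decision table doubles as a checklist for the Step 7 security tests: each branch corresponds to one packet a test client should send and one result it should observe.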
Step 7: Testing & Validation
Connectivity Test
- Device connects to SSID: Verify WiFi signal strength
- IP address assigned: Check DHCP lease (192.168.1.xx)
- Captive portal displays: Open browser, attempt any website
- Authentication works: Enter email, click login
- Internet access granted: Visit google.com, load page successfully
Security Test
- Client isolation: Device A cannot ping Device B
- Bandwidth limit: User gets max 5 Mbps (traffic test)
- Session timeout: Auto-disconnect after 1 hour
Step 8: User Authentication Flow
Standard Flow (Email Login)
1. User selects SSID → Connects to AP
2. DHCP assigns IP → Device gets 192.168.1.105
3. User opens browser → HTTP request to google.com
4. Firewall blocks → Redirects to captive portal
5. Portal displays login page → User enters email
6. POST request → Portal validates email
7. Session created → User ID + MAC + Expiration
8. Firewall ACL updated → Internet access granted
9. User browses freely → Session active for 1 hour
Social Login Flow (OAuth 2.0)
1. User selects SSID → Connects to AP
2. DHCP assigns IP → Device gets 192.168.1.105
3. User opens browser → HTTP request to google.com
4. Firewall blocks → Redirects to captive portal
5. Portal displays social buttons → User clicks "Login with Facebook"
6. Redirect to Facebook → User authenticates with Facebook
7. Facebook returns access token → Portal exchanges for user data
8. Session created → User profile saved (name, email, location)
9. Firewall ACL updated → Internet access granted
10. User browses → Data collected for CRM
Monitoring & Maintenance
Daily Tasks
- Check user count (peak hours)
- Monitor bandwidth usage
- Review failed authentication attempts
Weekly Tasks
- Backup configuration files
- Update firmware (if needed)
- Review analytics reports
Monthly Tasks
- Audit user data (GDPR compliance)
- Test session expiration
- Reboot access points (prevent cache buildup)
Common Issues & Solutions
Bottom Line
Setting up a Wi-Fi hotspot requires hardware selection, network planning, internet connection, AP configuration, captive portal deployment, firewall rules, and testing. The authentication flow ensures only authorized users access the internet while capturing data for marketing and analytics. Proper setup results in secure, efficient public WiFi that enhances user experience and business value.