Walled Garden
ISPbills automatically pushes Walled Garden rules to MikroTik routers via the RouterOS API so unauthenticated hotspot users can reach the payment gateway.
The Walled Garden is a whitelist of network destinations that hotspot users can reach before they have paid and authenticated. Without it, a new customer who connects to your WiFi cannot reach the payment gateway — so they can never complete the purchase to get online.
ISPbills automates the entire Walled Garden setup. It reads your configured payment gateways and pushes the required firewall rules directly to the MikroTik router via the RouterOS API — no manual RouterOS configuration required.
Walled Garden rules apply only to unauthenticated hotspot users. Once a user is logged in, normal access policies apply.
How ISPbills Configures the Walled Garden
When you click Push to Router, ISPbills connects to the MikroTik router via the RouterOS API and creates three sets of rules — all tagged with the comment hotspot_walled_garden so they can be cleanly removed or replaced later:
| What is created | RouterOS path | Purpose |
|---|---|---|
| Layer7 protocol patterns | /ip/firewall/layer7-protocol |
Regexp rules that identify each payment gateway's traffic by domain |
| Firewall filter rules | /ip/firewall/filter |
Adds matched destination IPs to the payment_gateways address list |
| Walled-garden IP entry | /ip/hotspot/walled-garden/ip |
Accepts all traffic destined for the payment_gateways address list |
Pushing Walled Garden Rules
- Navigate to Routers & Packages → Routers.
- Find your hotspot router and click Actions → Walled Garden.
- Click Push to Router.
ISPbills will connect to the router via the RouterOS API and push rules for every payment gateway you have enabled in Settings → Payment Gateways.
If no payment gateways are configured in ISPbills, the push will be skipped. Configure at least one payment gateway first.
Supported Payment Gateways
ISPbills generates Layer7 patterns for the following gateways when they are enabled:
| Gateway | Domain pattern matched |
|---|---|
| bKash Checkout | bka.sh |
| bKash Tokenized Checkout | bkash.com |
| Nagad | mynagad.com |
| Shurjopay | shurjopayment.com |
| SSLCommerz | sslcommerz.com (+ bKash and Nagad patterns added automatically) |
| Razorpay | razorpay.com |
| Paytm | paytm.in |
| Instamojo | instamojo.com |
| eSewa | esewa.com.np |
| Khalti | khalti.com |
| IME Pay | imepay.com.np |
| JazzCash | jazzcash.com.pk |
| Easypaisa | easypaisa.com.pk |
| HBL Konnect | cybersource.com |
| Stripe | stripe.com |
| PayPal | paypal.com |
| Authorize.net | authorize.net |
Removing Walled Garden Rules
From Actions → Walled Garden, choose Delete to remove all Walled Garden rules from the router. ISPbills will remove only the rules it created (identified by the hotspot_walled_garden comment tag) — your other firewall rules are not affected.
A separate Delete Layer7 option removes only the Layer7 protocol patterns while leaving the address-list rules in place.
Re-Pushing After Gateway Changes
If you add or remove a payment gateway in ISPbills, run Push to Router again. ISPbills clears the existing rules first, then recreates them for the current set of enabled gateways — ensuring the router always has an up-to-date and consistent ruleset.
There is no need to edit RouterOS rules manually. Every push starts clean and replaces the previous rules automatically.
Troubleshooting
Payment page is blank or won't load for unauthenticated users
The Walled Garden rules are missing or incomplete. Run Push to Router again. After pushing, verify the rules exist on the router:
/ip firewall layer7-protocol print
/ip firewall filter print where comment=hotspot_walled_garden
/ip hotspot walled-garden ip print where comment=hotspot_walled_garden
Push fails or router shows "Could not connect"
Verify the router's API credentials in ISPbills (Routers & Packages → Routers → Edit). The API service must be enabled on the MikroTik (IP → Services → api, port 8728) and reachable from the ISPbills server.
Payment gateway added but not in walled garden after push
Confirm the gateway is enabled in Settings → Payment Gateways and its provider_name matches one of the supported gateways listed above. Then run Push to Router again.