+-200 devices, internal users & guests, traffic monitor.

Hi Guys

I’m fairly new to MT.

What I have :-
Internet access provided by an ADSL router.
RB750 but can get something else/bigger if needed.
Freeradius running on a linux box.
VLAN-able switches

I would like to have the following setup :-

I basically have a couple of types of clients, mainly wired.
Group 1 - no internet access.
Group 2 - access to email via SMTP/POP, but nothing else.
Group 3 - ‘speed throttled’ internet
Group 4 - full internet access.
Group 5 - Devices/guests with no access to local devices, except for a projector via IP. Must also have internet access.

Guests in Group 5 will get access via a wireless AP. It can also happen that someone from Group 4 uses the same AP. I would like guests to be provided with a username/password.

More requirements :-
Measure how much bandwidth each user uses.
Some devices (printers/PLCs) must be able to auto authenticate and/or get specific IPs.

I am somewhat confused as to the roles DHCP and hotspot/FreeRADIUS play.

Firstly, would this type of setup be possible, and secondly I would appreciate any guidance.

Thanks in advance

Yes, the setup is possible, but you will likely want a bigger box to handle everything. I'm not sure the 750 will have enough processing power; a 450G would likely be a better choice, depending on how complex you want to get. Possibly a bigger box, but that would be a good place to start. You will probably want to tackle each requirement separately and then combine them into one box. This way you get one portion working and figured out, then add in the next and get them to work together.

1.) For the traffic monitor, NetFlow is likely going to be your best solution, depending on what kind of information you want to collect and use. This will require a separate server that will collect and analyze the traffic-flow data sent to it from the router.
http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
There are free options and paid options here; it all depends on how much time, effort, and money you want to spend setting this up, and what you require it to do.

2.) Based on your requirements, you are going to want to run at least 5 different subnets, separated on 5 different VLANs. Each VLAN in a MikroTik is treated as a separate routed interface, so you can set up a different DHCP server, firewall rules, hotspot, or any other services you want on them. This way you can prevent certain VLANs from talking to others, or allow certain hosts through to other subnets via the firewall.

3.) FreeRADIUS/hotspot would most likely be used on the guest portion of the network. The hotspot would require people to sign into the service before gaining access to the internet. You could assign each user a different username/password to access the internet that only one person or a couple could use, or one overall code that changes on a regular basis. There are plenty of ways to manage this portion, and you could even sell access to this part if you so desired. There are solutions out there that allow you to customize this and will handle all the back-end services for you. This is the service we use to manage that for us:
http://www.myinnsite.com/

4.) Setting up a network limit is done via queues. A very complex subject with many options here. Basically something that cannot be easily covered in a post or two, but the wiki will give you some information on where to get started with that.
http://wiki.mikrotik.com/wiki/Manual:Queue
http://wiki.mikrotik.com/wiki/Manual:TOC

5.) DHCP will hand out IP addresses to your hosts. You can run multiple servers on a single router by using different routed interfaces. You can make IPs sticky so the same host will always get the same IP, or just let them pick up whatever the router assigns them.
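The five points above, put together as one RouterOS configuration. This is an added example for illustration and is not from either poster or from MikroTik's wiki. Everything concrete in it is assumed: ether1 faces the ADSL router, ether2 is the trunk to the VLAN-capable switches, each group gets a 10.0.x.0/24 subnet, the FreeRADIUS and NetFlow collector share a host at 10.0.40.20, the projector sits at 10.0.40.50, and the MAC addresses are placeholders. The traffic-flow target syntax is the RouterOS v6 form; older releases take `address=host:port` instead.

```routeros
# 2.) One VLAN = one routed interface per group (all names, IDs and subnets assumed)
/interface vlan
add name=vlan10-nonet vlan-id=10 interface=ether2 comment="Group 1: no internet"
add name=vlan20-mail  vlan-id=20 interface=ether2 comment="Group 2: SMTP/POP only"
add name=vlan30-slow  vlan-id=30 interface=ether2 comment="Group 3: throttled"
add name=vlan40-full  vlan-id=40 interface=ether2 comment="Group 4: full access"
add name=vlan50-guest vlan-id=50 interface=ether2 comment="Group 5: guests (hotspot)"
/ip address
add address=10.0.10.1/24 interface=vlan10-nonet
add address=10.0.20.1/24 interface=vlan20-mail
add address=10.0.30.1/24 interface=vlan30-slow
add address=10.0.40.1/24 interface=vlan40-full
add address=10.0.50.1/24 interface=vlan50-guest

# 5.) A DHCP server per VLAN; the router answers DNS for all of them
/ip pool
add name=pool10 ranges=10.0.10.100-10.0.10.200
add name=pool20 ranges=10.0.20.100-10.0.20.200
add name=pool30 ranges=10.0.30.100-10.0.30.200
add name=pool40 ranges=10.0.40.100-10.0.40.200
add name=pool50 ranges=10.0.50.100-10.0.50.200
/ip dhcp-server
add name=dhcp10 interface=vlan10-nonet address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20-mail  address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30-slow  address-pool=pool30 disabled=no
add name=dhcp40 interface=vlan40-full  address-pool=pool40 disabled=no
add name=dhcp50 interface=vlan50-guest address-pool=pool50 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=10.0.40.1
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=10.0.50.1
/ip dns
set allow-remote-requests=yes
# Printer/PLC that must always get the same address (placeholder MAC)
/ip dhcp-server lease
add server=dhcp40 mac-address=00:11:22:33:44:55 address=10.0.40.60 comment="printer, fixed IP"

# 2.) again: the firewall is what actually separates the groups. First match wins.
/ip firewall address-list
add list=local-nets address=10.0.0.0/16
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan10-nonet action=drop comment="Group 1: nothing forwarded"
add chain=forward in-interface=vlan20-mail protocol=tcp dst-port=25,465,587,110,995 action=accept comment="Group 2: SMTP/POP"
add chain=forward in-interface=vlan20-mail action=drop comment="Group 2: everything else"
add chain=forward in-interface=vlan50-guest dst-address=10.0.40.50 action=accept comment="Group 5: projector"
add chain=forward in-interface=vlan50-guest dst-address-list=local-nets action=drop comment="Group 5: no other LAN"
# Groups 3 and 4 (and guest traffic to the internet) fall through and are NATed out
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# 4.) Throttle Group 3 as a whole (upload/download)
/queue simple
add name=group3-throttle target=10.0.30.0/24 max-limit=2M/2M

# 3.) Hotspot on the guest VLAN, authenticating and accounting against FreeRADIUS
/radius
add service=hotspot address=10.0.40.20 secret=CHANGE-ME-shared-secret
/ip hotspot profile
add name=guest-profile hotspot-address=10.0.50.1 login-by=http-chap use-radius=yes \
    radius-accounting=yes radius-interim-update=5m
/ip hotspot
add name=guest-hs interface=vlan50-guest address-pool=pool50 profile=guest-profile disabled=no
# A Group 4 laptop that joins the guest AP can skip the login page (placeholder MAC)
/ip hotspot ip-binding
add mac-address=AA:BB:CC:DD:EE:FF type=bypassed comment="group 4 laptop on guest AP"

# 1.) Export NetFlow v9 to the collector for per-user bandwidth accounting
/ip traffic-flow
set enabled=yes interfaces=all
/ip traffic-flow target
add dst-address=10.0.40.20 port=2055 version=9
```

Two things to keep in mind when adapting this. The static lease and the hotspot bypass both key on a MAC address, which any host on the same VLAN can spoof, so they fix addressing and convenience but are not authentication; anything that must be trusted (the PLCs in particular) belongs on its own VLAN behind forward rules rather than on a shared one. And the forward chain above only governs traffic between VLANs and to the internet; the router's own services (DNS, DHCP, the hotspot portal, Winbox/SSH) are reached through the input chain, which is left at its defaults here and should get its own restrictions before this goes into production. Hotspot accounting data and NetFlow records are separate sources: the former gives per-username totals from RADIUS, the latter per-IP flows from the router.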