DHCP default network

I am going to use RADIUS to check for DHCP attributes and I would like to have the clients in the IP pool "unauth" if their MAC is not found in the RADIUS DB. Is there a way to set up a default IP pool for stuff to fall into if no other attribute is assigned to it?

How are other people doing this? What I am trying to do is set it up so that people who are unauthorized will be thrown in pool unauth and then firewall rule xxx will direct all their traffic to page yyy.

Why don’t you use the hotspot service using Radius to do all of this for you?

Look in the hotspot examples, you may see what you are looking for.

I have been playing with hotspot all night, and it seems Filter-Id might be a good option, but whenever I do it, MikroTik creates the correct mangle rule, but nothing falls under it, i.e. even with traffic being used nothing is marked.
Also, hotspot just seems far too in-depth for what I am doing, as what I am doing really is not that complicated, it seems.

Is there really no way to set the IP pool to poolA if not found in the RADIUS server?


Hi,

Yes, that's very useful and nice...

@Balimore.com

I looked in hotspot AAA and hotspot gateway and saw no examples even mentioning Filter-Id or what to do with a user after they have been denied. Unless I am missing another page?


Yup...

Just set it up from WinBox, in the 'IP Hotspot' submenu: click 'Setup' and follow the next screen windows. After completing that you can add 'Userman' as the 'Radius Server'.

At this link I have good memories in my life: it makes me confused, but I LOVE it.... [User-Manager] - The User Manager - MikroTik community forum

regards
@balimore.com

That link didn't help me with getting Filter-Id working; what else needs to be done to get Filter-Id to become active?

Yes, I do this, if I understand you correctly. Using DHCP RADIUS:

If they are in Radius, grab from DHCP POOL 1
If they are not in Radius, grab from DHCP POOL 2

You need to set a default ACCEPT rule in RADIUS with Framed-Pool DHCP-POOL-2.

Then, for the ones in RADIUS, have Framed-Pool DHCP-POOL-1.

Ah, so set this in RADIUS. I was thinking of this. The only problem I had was that I wanted to use the RADIUS for wireless auth, and I can't have RADIUS reporting back positive no matter what for that, but then I thought I could run 2 different RADIUS servers on different ports and just have DHCP run on port set 1 and wireless on port set 2.

I am still trying to figure out how to use either filter-id or mark-id to mark users' packets, but haven't figured it out. chris-oct, I was reading some of your other posts and it looked like you were trying to do something similar to me? Are you running hotspot, and in your view which is better to run for my purpose, just straight DHCP or hotspot?

Thanks

I got mark-id working with:

 0   chain=prerouting action=jump jump-target=hotspot 

 1 D chain=hotspot src-address=10.1.60.75 action=mark-packet 
     new-packet-mark=test123 passthrough=yes 

 2 D chain=hotspot dst-address=10.1.60.75 action=mark-packet 
     new-packet-mark=test123 passthrough=yes

The only problem now is that my NAT rules don't seem to work:

 0   chain=dstnat protocol=udp dst-port=53 packet-mark=test123 action=accept 

 1   chain=dstnat packet-mark=test123 action=dst-nat to-addresses=xxx
     to-ports=80

Any ideas? They just don't seem to do anything, even though the packet-marking rule seems to be getting data thrown its way.

We wanted to run straight hotspot-RADIUS, but we found that when we hit approx. 1000-2000 customers and were pushing approx. 50 Mbit of data, hotspot was freaking out and we were never able to resolve it. The server would spontaneously reboot every few days, and other issues. So we leave hotspot for small systems (under 100 customers), but for the large customer base we switched to DHCP-RADIUS. The servers are much more stable now. And we also do run multiple RADIUS servers to handle the default accept rule.


/etc/freeradius/users

#########################################################
# Default Accept
# (reply items are indented under the DEFAULT line; in the stock
#  FreeRADIUS dictionary.mikrotik the rate attribute is named
#  Mikrotik-Rate-Limit)
#########################################################
DEFAULT NAS-Port-Type == Ethernet, Auth-Type := Accept
        Rate-Limit = "2002K/2002K 10M/10M 2001K/2001K 60/60",
        Fall-Through = Yes

Ah, that's good to know.
My end goal is to have a setup like:

if in raddb as normal group → give it appropriate attributes
if in raddb as nopay → make all the traffic go to page nopay
if not in raddb → make all traffic go to page register mac

For DHCP/RADIUS I had gotten this working by setting up different subnets, i.e.:
normal would have IPs from 100-240, nopay would have IPs 240-250, not-in-raddb would have 250-254 or something, and then I had routing rules that said if the traffic was to/from IPs 250-254 go to page register mac, 240-250 go to page nopay, etc.
The only thing I don't like about this setup is that if the user is smart enough he/she could just set their IP address manually to a "normal" IP and thus bypass everything.

With hotspot I was trying to do this with mark-id, but as of yet have not gotten it to work; hotspot seems far more dubious than the DHCP method, but if I did get hotspot to work it seems like it would be harder to get around.

Any ideas/thoughts on this?

Thanks chris-oct, I'm glad to see you're doing something similar; are you doing something like I just described?
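The two-pool scheme chris-oct describes earlier in the thread (known MAC gets DHCP-POOL-1, everyone else falls into the default-accept pool) and the three-way version in the post above, written out on the RouterOS side as an added example; this is not configuration from the thread or from any poster. On the FreeRADIUS side it assumes each known MAC's entry in the users file replies Framed-Pool = "POOL-NORMAL" (or "POOL-NOPAY" for a non-paying account) and the DEFAULT Auth-Type := Accept entry replies Framed-Pool = "POOL-UNREG". The interface name ether2, server name dhcp-lan, RADIUS server 192.0.2.10, the 10.1.60.0/24 ranges, and a portal host 10.1.60.2 serving the nopay page on port 80 and the register-mac page on port 8080 are all assumptions:

```routeros
# Added example, not from the thread.  Assumed: ether2, dhcp-lan,
# RADIUS server 192.0.2.10, portal host 10.1.60.2 (nopay page :80,
# register-mac page :8080), client subnet 10.1.60.0/24.

# One pool per outcome. RADIUS chooses the pool by returning its name in Framed-Pool.
/ip pool
add name=POOL-NORMAL ranges=10.1.60.100-10.1.60.239
add name=POOL-NOPAY  ranges=10.1.60.240-10.1.60.249
add name=POOL-UNREG  ranges=10.1.60.250-10.1.60.254

# RADIUS client for the DHCP service only. A second entry with service=wireless
# can point at a different server that does not default-accept.
/radius
add service=dhcp address=192.0.2.10 secret=CHANGE-ME

# use-radius=yes sends every lease request to RADIUS with the client MAC as User-Name.
# address-pool is only the fallback if the Access-Accept carries no Framed-Pool.
# A short lease means a freshly registered MAC moves to its new pool within minutes.
/ip dhcp-server
add name=dhcp-lan interface=ether2 address-pool=POOL-UNREG lease-time=10m \
    use-radius=yes disabled=no
/ip dhcp-server network
add address=10.1.60.0/24 gateway=10.1.60.1 dns-server=10.1.60.1

# The router answers DNS itself, so restricted clients can still resolve a name
# and then have the resulting HTTP request redirected.
/ip dns set allow-remote-requests=yes

# Redirects keyed to the pool ranges, so they follow whatever address RADIUS assigned.
/ip firewall nat
add chain=dstnat src-address=10.1.60.240-10.1.60.249 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.1.60.2 to-ports=80 comment="nopay -> page nopay"
add chain=dstnat src-address=10.1.60.250-10.1.60.254 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.1.60.2 to-ports=8080 comment="unregistered -> page register mac"

# Drop everything else from the two restricted ranges, so the redirect is not
# merely cosmetic. Traffic to the portal host is allowed through first.
/ip firewall filter
add chain=forward src-address=10.1.60.240-10.1.60.254 dst-address=10.1.60.2 action=accept
add chain=forward src-address=10.1.60.240-10.1.60.254 action=drop
```

Verify a client landed where RADIUS put it with /ip dhcp-server lease print (the address shows which pool it came from) and /ip firewall nat print stats (the redirect counters climb when a restricted client browses). The weak spot the post above points out still applies: these rules key on the address, so a host that assigns itself an address from the POOL-NORMAL range bypasses both the redirect and the drop unless the interface is locked to DHCP leases as well.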

I've heard of some people disabling ARP in some way (on the interface). Then in DHCP Server enable "Add ARP for leases". This way, they only get in the ARP table if they leave DHCP on, and if they try to set an IP address manually they cannot communicate with the server (or it won't communicate with them).

Huh, sounds crazy, but I could see that working really well. Is this how you do it? Or are you not really concerned with it?

How do you disable ARP at the interface? Does anybody know, so I could do as described above?
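The interface-side ARP lock chris-oct describes, as an added example that is not configuration from the thread. It assumes the client-facing interface is ether2, the DHCP server is named dhcp-lan, and that a non-DHCP host (here the portal web server at 10.1.60.2 with a made-up MAC) sits on the same interface:

```routeros
# Added example, not from the thread. Assumed: interface ether2, DHCP server dhcp-lan,
# one static host 10.1.60.2 with the placeholder MAC 00:11:22:33:44:55.

# reply-only: the interface stops learning neighbours from the wire. It still answers
# ARP requests for its own address, but it will only send frames to MACs that have an
# entry in /ip arp, so a host the router does not know is simply unreachable.
/interface ethernet set [find name=ether2] arp=reply-only

# Let the DHCP server create the ARP entry for each lease and remove it when the lease
# ends. A client that sets its own address never receives an entry, so the router never
# talks to it even if the address it chose is inside the "normal" range.
/ip dhcp-server set [find name=dhcp-lan] add-arp-for-leases=yes

# Anything on ether2 that does not use DHCP (a server, a printer) now needs a static
# entry, otherwise it disappears along with the cheaters.
/ip arp add interface=ether2 address=10.1.60.2 mac-address=00:11:22:33:44:55

# Check: the ARP table for ether2 should contain only current leases plus the static entries.
/ip dhcp-server lease print
/ip arp print where interface=ether2
```

Apply the arp=reply-only change last, and from a session that does not depend on ether2, because any host already on that interface without a lease or a static entry loses connectivity the moment it takes effect. The DHCP exchange itself is unaffected, since DISCOVER and OFFER travel as broadcasts before any ARP entry exists.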