According to DMAsoftlabs, the providers of my radius system, I cannot install the server on the same router interface as the one it is authenticating. Otherwise it would have to authenticate itself. That makes sense.
However, the router interface that is authenticating my clients has my XXX.YY.ZZ.0/24 network on it, and my radius server must have XXX.YY.ZZ.2 to be accessible inside and outside my physical network. So my radius server must be on a router interface that it is not authenticating, yet be on the same subnet as the network it is authenticating. I have tried to research this and have come up with the following ideas:
Create an internal IP subnet for the radius manager router interface and do a one-to-one NAT from the radius server’s internal IP address to XXX.YY.ZZ.2
Put the same subnet XXX.YY.ZZ.0/24 on two router interfaces, the one authenticating clients and the one belonging to the radius server, and use mangle rules and routing to sort the data.
As all my data goes through a /30 subnet provided by my fiber provider, and I only need one of the two available addresses from that /30, I could put the radius manager on the same router interface as my fiber provider, and assign it the other available IP address.
I have no idea if these ideas are legit, if they would work, or if they are flaky. I am entertaining suggestions, and am grateful for any help.
Create an internal IP subnet for the radius manager router interface and do a one-to-one NAT from the radius server’s internal IP address to XXX.YY.ZZ.2
No need for NAT. RouterOS as its name implies Routes by default. See the end of the post.
Put the same subnet XXX.YY.ZZ.0/24 on two router interfaces, the one authenticating clients and the one belonging to the radius server, and use mangle rules and routing to sort the data.
Very common mistake (the same IP network range on different router interfaces) and bad practice (no need for mangle nor for manipulating routing for this).
As all my data goes through a /30 subnet provided by my fiber provider, and I only need one of the two available addresses from that /30, I could put the radius manager on the same router interface as my fiber provider, and assign it the other available IP address.
Don’t. You have to protect and isolate your radius.
But that’s exactly the approach you should follow:
1.- Connect the radius server Ethernet to a dedicated (now free and not part of any switch group or bridge) port of your router.
2.- Choose a private /30, and assign one IP to the router interface, and the other to radius.
Now radius can communicate directly with the router, and for other devices to communicate with the radius, traffic has to pass across the router, making it easy to put ip > firewall > filter rules in the forward chain to control that; only your desktop or management IP should be able to reach the DMA management frontend.
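One way to lay out steps 1 and 2 plus the forward-chain filtering in RouterOS CLI, as an added example (not from the original post or from DMA). The port name ether5, the private /30 10.255.255.0/30, the admin desktop 192.0.2.10 (192.0.2.0/24 standing in for the XXX.YY.ZZ.0/24 client network) and the frontend ports 80/443 are all assumptions; adjust them to your setup.

```routeros
# Assumed layout: radius server alone on ether5, private /30 10.255.255.0/30
# (router = .1, radius = .2); 192.0.2.10 is the admin desktop on the client /24.

# Step 2: router side of the point-to-point /30 on the dedicated port
/ip address add address=10.255.255.1/30 interface=ether5 comment="radius link"

# Tell RouterOS to authenticate hotspot/PPP users against the server.
# This is router-originated traffic (output chain), so the forward rules
# below never touch it. Replace the placeholder secret.
/radius add service=hotspot,ppp address=10.255.255.2 \
    secret=CHANGE-ME-SHARED-SECRET timeout=3s

# Forward chain: only the admin desktop may reach the DMA web frontend
# (assumed TCP 80/443); replies ride on established/related; everything
# else that crosses the router toward the radius host is dropped and logged.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward dst-address=10.255.255.2 src-address=192.0.2.10 \
    protocol=tcp dst-port=80,443 action=accept comment="admin -> DMA frontend"
add chain=forward dst-address=10.255.255.2 action=drop log=yes \
    log-prefix="radius-blocked" comment="everyone else -> radius host"
```

Filter rules are evaluated top-down and `add` appends to the end, so if you already have a general accept in the forward chain, insert these above it (for example with `place-before=0`) and check `/log print` for the radius-blocked prefix to confirm clients on the /24 are being stopped.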