Hi all, my masters.
I have had a problem for 3 weeks.
I installed FreeRADIUS with daloRADIUS on CentOS 6.5 in my network and use it as the external RADIUS server for MikroTik.
But every time, my MikroTik cannot access the RADIUS server.
Please help. I have 2 WAN links on the MikroTik; I also have web proxy on the MikroTik, NTP server, DHCP, DNS and other configuration and servers.
I tested RADIUS with NTRadPing and RADIUS works well, but when I enable the hotspot, the MikroTik can't ping the RADIUS server.
my radius server:192.168.88.5
my mikrotik server:192.168.88.1
wan1:192.168.0.0/24
wan2:192.168.2.0/24
My RADIUS server is on Ethernet 3 with a static IP.
Clients and users are on Ethernet 4 and 5:
192.168.88.10-192.168.88.254
my firewall config
# Layer-7 matchers: one per file extension, plus two host-based patterns.
# The extension patterns are unanchored ("\\.(exe)" matches ".exe" anywhere in
# the inspected payload), so they classify traffic loosely, and they cannot see
# inside TLS-encrypted connections.
# In this export only the extension patterns (EXE..VCD) are referenced, by
# mark-packet rules in mangle; "streaming" and "yahoo" are not used by any rule
# shown, and no rule shown drops or limits on any of them.
/ip firewall layer7-protocol
add name=EXE regexp="\\.(exe)"
add name=RAR regexp="\\.(rar)"
add name=ZIP regexp="\\.(zip)"
add name=7z regexp="\\.(7z)"
add name=CAB regexp="\\.(cab)"
add name=ASF regexp="\\.(asf)"
add name=MOV regexp="\\.(mov)"
add name=WMV regexp="\\.(wmv)"
add name=MPG regexp="\\.(mpg)"
add name=MPEG regexp="\\.(mpeg)"
add name=MKV regexp="\\.(mkv)"
add name=AVI regexp="\\.(avi)"
add name=FLV regexp="\\.(flv)"
add name=WAV regexp="\\.(wav)"
add name=RM regexp="\\.(rm)"
add name=MP3 regexp="\\.(mp3)"
add name=MP4 regexp="\\.(mp4)"
add name=RAM regexp="\\.(ram)"
add name=RMVB regexp="\\.(rmvb)"
add name=DAT regexp="\\.(dat)"
add name=DAA regexp="\\.(daa)"
add name=ISO regexp="\\.(iso)"
add name=NRG regexp="\\.(nrg)"
add name=BIN regexp="\\.(bin)"
add name=VCD regexp="\\.(vcd)"
# The dots inside the host names below are unescaped, so each one matches any
# character, not only a literal ".".
add name=streaming regexp="^.*get.+\\.(c.youtube.com|cdn.dailymotion.com|metacaf\
e.com|mccont.com).*\$"
add name=yahoo regexp="^.*get.+\\.(yahoo.com|yimg.com|mail.yahoo.com).*\$"
# Connection tracking is enabled with shortened timeouts: plain UDP entries
# expire after 10s (3m for UDP streams), most TCP teardown states after 10s,
# and TCP SYN cookies are switched on.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=yes tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
# Filter rules. The enabled rules accept ICMP to the router, accept
# established/related traffic and drop invalid packets. No closing drop rule
# appears for the input or forward chain in this export, so packets that match
# nothing fall through to the default action (accept).
# NOTE(review): that leaves services on the router itself (web proxy on 8080,
# RADIUS incoming on 1700) reachable from WAN1/WAN2 unless they are filtered
# somewhere not shown here. Confirm, and end the input chain with an explicit
# drop after the needed accepts.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=no
add action=accept chain=input comment=DC disabled=no protocol=icmp
add action=accept chain=forward comment=DC connection-state=established \
disabled=no
add action=accept chain=forward comment=DC connection-state=related disabled=no
add action=drop chain=forward comment=DC connection-state=invalid disabled=no
add action=accept chain=input comment=DC connection-state=established disabled=\
no in-interface=WAN1
add action=accept chain=input comment=DC connection-state=established disabled=\
no in-interface=WAN2
add action=accept chain=input comment=DC connection-state=related disabled=no \
in-interface=WAN1
add action=accept chain=input comment=DC connection-state=related disabled=no \
in-interface=WAN2
add action=drop chain=input comment=DC connection-state=invalid disabled=no \
in-interface=WAN1
add action=drop chain=input comment=DC connection-state=invalid disabled=no \
in-interface=WAN2
# Every scan/DDoS detection rule from here on is disabled=yes. They only add
# sources to the DDOS / port-scanners address lists; no rule in this export
# drops traffic from those lists, so enabling them alone would block nothing.
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \
chain=input disabled=yes dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment="port-scanners-to-list " \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=FIN/PSH/URG-Scan disabled=yes \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input disabled=yes protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=NMAP-NULL-Scan disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# NOTE(review): despite its comment, the next rule has no tcp-flags match. If
# it were enabled it would list the source of every TCP packet sent to the
# router, LAN clients included.
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=NMAP-FIN-Stealth-Scan disabled=\
yes protocol=tcp
# Disabled: would accept all TCP to the router from the whole LAN subnet.
add action=accept chain=input comment=ANTI-NETCUT disabled=yes dst-port=0-65535 \
protocol=tcp src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=2w chain=input comment=ALL/ALL-Scan disabled=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# Duplicate of the DDOS rule earlier in this chain.
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s \
chain=input disabled=yes dst-port=1337 protocol=tcp
# chain=virus is not the target of any jump rule shown in this export, and the
# rule itself is disabled.
add action=drop chain=virus comment="torrent fillter" disabled=yes p2p=all-p2p
# Mangle, first part: packet marks for proxy cache hits and ICMP, then
# per-connection-classifier (PCC) load balancing across WAN1 and WAN2 using
# connection marks and routing marks.
/ip firewall mangle
add action=mark-packet chain=output comment="CACHE HIT/Zaib" disabled=no dscp=4 \
new-packet-mark=cache-hits passthrough=no
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
icmp-con passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp-con disabled=no \
new-packet-mark=icmp-pkt passthrough=no protocol=icmp
# Traffic from Local addressed to either WAN subnet is accepted here, which
# ends prerouting mangle processing for it before any PCC mark is applied.
add action=accept chain=prerouting disabled=no dst-address=192.168.2.0/24 \
in-interface=Local
add action=accept chain=prerouting disabled=no dst-address=192.168.0.0/24 \
in-interface=Local
# Connections arriving on a WAN interface are tagged so replies leave the same way.
add action=mark-connection chain=input disabled=no in-interface=WAN1 \
new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 \
new-connection-mark=WAN2_conn passthrough=yes
# Router-originated TCP/80 (per the comments, the web proxy's own requests) is
# split 2/0 and 2/1 between the two WANs.
add action=mark-connection chain=output comment=\
"Marking Web Proxy Connection for WAN-1" disabled=no dst-port=80 \
new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=output comment=\
"Marking Web Proxy Connection for WAN-2" disabled=no dst-port=80 \
new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1 protocol=tcp
# Client TCP from Local, other than port 80 and not addressed to the router
# itself, is split the same way. Only protocol=tcp is matched here.
add action=mark-connection chain=prerouting comment=\
"Excluding Port 80 from PCC - WAN1" disabled=no dst-address-type=!local \
dst-port=!80 in-interface=Local new-connection-mark=WAN1_conn passthrough=\
yes per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment=\
"Excluding Port 80 from PCC - WAN2" disabled=no dst-address-type=!local \
dst-port=!80 in-interface=Local new-connection-mark=WAN2_conn passthrough=\
yes per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp
# NOTE(review): the routing-mark exclusion below is 192.168.1.0/24, while the
# post gives the LAN as 192.168.88.0/24 — confirm which subnet is intended.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no \
dst-address=!192.168.1.0/24 in-interface=Local new-routing-mark=to_WAN1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no \
dst-address=!192.168.1.0/24 in-interface=Local new-routing-mark=to_WAN2 \
passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no \
new-routing-mark=to_WAN2 passthrough=yes
# Mangle, second part: one mark-packet rule per layer-7 file-type pattern, in
# prerouting. The rules carry no protocol, port, interface or connection-mark
# restriction, so every packet that reaches them is run through each regexp in
# turn until one matches (passthrough=no stops at the first hit).
# NOTE(review): nothing in this export consumes these packet marks; presumably
# they feed queues that are not shown — confirm. The unrestricted L7 matching
# is also a likely CPU cost on a busy router.
add action=mark-packet chain=prerouting comment="EXE MARK PACKET " disabled=no \
layer7-protocol=EXE new-packet-mark=EXE passthrough=no
add action=mark-packet chain=prerouting comment="RAR MARK PACKET " disabled=no \
layer7-protocol=RAR new-packet-mark=RAR passthrough=no
add action=mark-packet chain=prerouting comment="ZIP MARK PACKET " disabled=no \
layer7-protocol=ZIP new-packet-mark=ZIP passthrough=no
add action=mark-packet chain=prerouting comment="7z MARK PACKET " disabled=no \
layer7-protocol=7z new-packet-mark=7z passthrough=no
add action=mark-packet chain=prerouting comment="CAB MARK PACKET " disabled=no \
layer7-protocol=CAB new-packet-mark=CAB passthrough=no
add action=mark-packet chain=prerouting comment="ASF MARK PACKET " disabled=no \
layer7-protocol=ASF new-packet-mark=ASF passthrough=no
add action=mark-packet chain=prerouting comment="MOV MARK PACKET " disabled=no \
layer7-protocol=MOV new-packet-mark=MOV passthrough=no
add action=mark-packet chain=prerouting comment="WMV MARK PACKET " disabled=no \
layer7-protocol=WMV new-packet-mark=WMV passthrough=no
add action=mark-packet chain=prerouting comment="MPG MARK PACKET " disabled=no \
layer7-protocol=MPG new-packet-mark=MPG passthrough=no
add action=mark-packet chain=prerouting comment="MPEG MARK PACKET " disabled=no \
layer7-protocol=MPEG new-packet-mark=MPEG passthrough=no
add action=mark-packet chain=prerouting comment="MKV MARK PACKET " disabled=no \
layer7-protocol=MKV new-packet-mark=MKV passthrough=no
add action=mark-packet chain=prerouting comment="AVI MARK PACKET " disabled=no \
layer7-protocol=AVI new-packet-mark=AVI passthrough=no
add action=mark-packet chain=prerouting comment="FLV MARK PACKET " disabled=no \
layer7-protocol=FLV new-packet-mark=FLV passthrough=no
add action=mark-packet chain=prerouting comment="WAV MARK PACKET " disabled=no \
layer7-protocol=WAV new-packet-mark=WAV passthrough=no
add action=mark-packet chain=prerouting comment="RM MARK PACKET " disabled=no \
layer7-protocol=RM new-packet-mark=RM passthrough=no
add action=mark-packet chain=prerouting comment="MP3 MARK PACKET " disabled=no \
layer7-protocol=MP3 new-packet-mark=MP3 passthrough=no
add action=mark-packet chain=prerouting comment="MP4 MARK PACKET " disabled=no \
layer7-protocol=MP4 new-packet-mark=MP4 passthrough=no
add action=mark-packet chain=prerouting comment="RAM MARK PACKET " disabled=no \
layer7-protocol=RAM new-packet-mark=RAM passthrough=no
add action=mark-packet chain=prerouting comment="RMVB MARK PACKET " disabled=no \
layer7-protocol=RMVB new-packet-mark=RMVB passthrough=no
add action=mark-packet chain=prerouting comment="DAT MARK PACKET " disabled=no \
layer7-protocol=DAT new-packet-mark=DAT passthrough=no
add action=mark-packet chain=prerouting comment="DAA MARK PACKET " disabled=no \
layer7-protocol=DAA new-packet-mark=DAA passthrough=no
add action=mark-packet chain=prerouting comment="ISO MARK PACKET " disabled=no \
layer7-protocol=ISO new-packet-mark=ISO passthrough=no
add action=mark-packet chain=prerouting comment="NRG MARK PACKET " disabled=no \
layer7-protocol=NRG new-packet-mark=NRG passthrough=no
add action=mark-packet chain=prerouting comment="BIN MARK PACKET " disabled=no \
layer7-protocol=BIN new-packet-mark=BIN passthrough=no
add action=mark-packet chain=prerouting comment="VCD MARK PACKET " disabled=no \
layer7-protocol=VCD new-packet-mark=VCD passthrough=no
# The same set repeated for the output chain, i.e. for packets the router
# itself sends (which includes the web proxy's responses to clients).
add action=mark-packet chain=output comment="EXE MARK PACKET " disabled=no \
layer7-protocol=EXE new-packet-mark=EXE passthrough=no
add action=mark-packet chain=output comment="RAR MARK PACKET " disabled=no \
layer7-protocol=RAR new-packet-mark=RAR passthrough=no
add action=mark-packet chain=output comment="ZIP MARK PACKET " disabled=no \
layer7-protocol=ZIP new-packet-mark=ZIP passthrough=no
add action=mark-packet chain=output comment="7z MARK PACKET " disabled=no \
layer7-protocol=7z new-packet-mark=7z passthrough=no
add action=mark-packet chain=output comment="CAB MARK PACKET " disabled=no \
layer7-protocol=CAB new-packet-mark=CAB passthrough=no
add action=mark-packet chain=output comment="ASF MARK PACKET " disabled=no \
layer7-protocol=ASF new-packet-mark=ASF passthrough=no
add action=mark-packet chain=output comment="MOV MARK PACKET " disabled=no \
layer7-protocol=MOV new-packet-mark=MOV passthrough=no
add action=mark-packet chain=output comment="WMV MARK PACKET " disabled=no \
layer7-protocol=WMV new-packet-mark=WMV passthrough=no
add action=mark-packet chain=output comment="MPG MARK PACKET " disabled=no \
layer7-protocol=MPG new-packet-mark=MPG passthrough=no
add action=mark-packet chain=output comment="MPEG MARK PACKET " disabled=no \
layer7-protocol=MPEG new-packet-mark=MPEG passthrough=no
add action=mark-packet chain=output comment="MKV MARK PACKET " disabled=no \
layer7-protocol=MKV new-packet-mark=MKV passthrough=no
add action=mark-packet chain=output comment="AVI MARK PACKET " disabled=no \
layer7-protocol=AVI new-packet-mark=AVI passthrough=no
add action=mark-packet chain=output comment="FLV MARK PACKET " disabled=no \
layer7-protocol=FLV new-packet-mark=FLV passthrough=no
add action=mark-packet chain=output comment="WAV MARK PACKET " disabled=no \
layer7-protocol=WAV new-packet-mark=WAV passthrough=no
add action=mark-packet chain=output comment="RM MARK PACKET " disabled=no \
layer7-protocol=RM new-packet-mark=RM passthrough=no
add action=mark-packet chain=output comment="MP3 MARK PACKET " disabled=no \
layer7-protocol=MP3 new-packet-mark=MP3 passthrough=no
add action=mark-packet chain=output comment="MP4 MARK PACKET " disabled=no \
layer7-protocol=MP4 new-packet-mark=MP4 passthrough=no
add action=mark-packet chain=output comment="RAM MARK PACKET " disabled=no \
layer7-protocol=RAM new-packet-mark=RAM passthrough=no
add action=mark-packet chain=output comment="RMVB MARK PACKET " disabled=no \
layer7-protocol=RMVB new-packet-mark=RMVB passthrough=no
add action=mark-packet chain=output comment="DAT MARK PACKET " disabled=no \
layer7-protocol=DAT new-packet-mark=DAT passthrough=no
add action=mark-packet chain=output comment="DAA MARK PACKET " disabled=no \
layer7-protocol=DAA new-packet-mark=DAA passthrough=no
add action=mark-packet chain=output comment="ISO MARK PACKET " disabled=no \
layer7-protocol=ISO new-packet-mark=ISO passthrough=no
add action=mark-packet chain=output comment="NRG MARK PACKET " disabled=no \
layer7-protocol=NRG new-packet-mark=NRG passthrough=no
add action=mark-packet chain=output comment="BIN MARK PACKET " disabled=no \
layer7-protocol=BIN new-packet-mark=BIN passthrough=no
add action=mark-packet chain=output comment="VCD MARK PACKET " disabled=no \
layer7-protocol=VCD new-packet-mark=VCD passthrough=no
# NAT: transparent redirect of HTTP to the local web proxy, the hotspot
# pre-hotspot accept, and source NAT for both WANs and the LAN subnet.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=no to-addresses=0.0.0.0
# No in-interface or src-address is set, so TCP/80 arriving on any interface,
# the WANs included, is redirected to the proxy on 8080.
# NOTE(review): limit this rule to the LAN side (e.g. in-interface=Local) so
# the proxy is not offered to WAN-side sources.
add action=redirect chain=dstnat comment=\
"Redirect port 80 request to Mikrotik Web Proxy" disabled=no dst-port=80 \
protocol=tcp to-addresses=0.0.0.0 to-ports=8080
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local \
hotspot=auth to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Masquerade WAN1 Traffic" disabled=\
no out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2 Traffic" disabled=\
no out-interface=WAN2
# The next two rules are near-duplicates. With no out-interface they masquerade
# any flow sourced from 192.168.88.0/24 that the WAN rules above did not
# already match, i.e. traffic leaving through a non-WAN interface.
# NOTE(review): hosts reached that way see the router's address instead of the
# real client address, which hides the client in their logs — confirm this is
# intended, otherwise remove both.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=192.168.88.0/24 to-addresses=0.0.0.0
# Connection-tracking helpers for FTP, TFTP, IRC, H.323, SIP and PPTP are all
# enabled.
# NOTE(review): each helper parses application payloads on the router; disable
# the ones for protocols this network does not use.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
my hotspot config
# Hotspot setup: the default profile (local users, use-radius=no) and the
# profile actually in use, hsprof1 (use-radius=yes, accounting off).
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
# login-by includes http-pap, which submits the user's password unencrypted
# over HTTP.
# NOTE(review): prefer http-chap alone (or an HTTPS login) if the RADIUS back
# end can verify it; radius-accounting=no also means no session records are
# sent to the RADIUS server.
add dns-name=hp.heli3.local hotspot-address=192.168.88.1 html-directory=hotspot \
http-proxy=192.168.88.1:8080 login-by=http-chap,http-pap name=hsprof1 \
nas-port-type=wireless-802.11 radius-accounting=no radius-default-domain="" \
radius-location-id="" radius-location-name="" radius-mac-format=\
XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=yes
# The hotspot server is bound to interface=Local.
# NOTE(review): if the RADIUS host 192.168.88.5 is reached through Local (the
# export does not show which ports belong to it), that host is itself treated
# as an unauthenticated hotspot client once the hotspot is enabled. Confirm,
# and if so exempt it with a bypassed entry under /ip hotspot ip-binding or
# move it to an interface outside the hotspot.
/ip hotspot
add address-pool=F1&F2 addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=Local keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] advertise=no idle-timeout=none keepalive-timeout=2m \
name=default on-login="/system script run movestatic0" open-status-page=\
always shared-users=1 status-autorefresh=1m transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21
# NOTE(review): local hotspot user "admin" with a two-character password, shown
# in clear text in this export. Change it, and strip credentials from exports
# before sharing them (export hide-sensitive, where the RouterOS version
# supports it).
/ip hotspot user
add disabled=no name=admin password=ws profile=default
# Walled garden: destinations (and, further down, sources) that hotspot
# clients may use without logging in.
/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes dst-port=""
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=192.168.88.5 server=hotspot1
add action=accept disabled=no dst-host=hp.heli3.local server=hotspot1
# NOTE(review): the rules naming src-address=192.168.88.1 (the router) appear
# twice and presumably never match, since walled-garden rules apply to traffic
# from hotspot clients rather than traffic the router originates — confirm.
add action=accept disabled=no dst-address=192.168.88.5 server=hotspot1 \
src-address=192.168.88.1
add action=accept disabled=no dst-address=192.168.88.1 server=hotspot1 \
src-address=192.168.88.5
add action=accept disabled=no dst-host=f1.heli3.local server=hotspot1
add action=accept disabled=no dst-host=f2.heli3.local server=hotspot1
add action=accept disabled=no dst-address=192.168.1.0/24 server=hotspot1
add action=accept disabled=no dst-address=192.168.88.2 server=hotspot1
add action=accept disabled=no dst-address=192.168.88.3 server=hotspot1
add action=accept disabled=no dst-address=192.168.88.1 server=hotspot1 \
src-address=192.168.88.39
# NOTE(review): dst-address=0.0.0.0 with the whole LAN as source — if RouterOS
# reads this as "any destination" it disables authentication for every client;
# if it reads it as the literal address it does nothing. Verify and remove.
add action=accept disabled=no dst-address=0.0.0.0 server=hotspot1 src-address=\
192.168.88.0/24
add action=accept disabled=no dst-address=192.168.88.5 server=hotspot1 \
src-address=192.168.88.1
# The last three rules have no destination match: these three client addresses
# get unrestricted access without hotspot login. Anyone who takes one of these
# addresses inherits that bypass.
add action=accept disabled=no server=hotspot1 src-address=192.168.88.13
add action=accept disabled=no server=hotspot1 src-address=192.168.88.20
add action=accept disabled=no server=hotspot1 src-address=192.168.88.70
[admin@Internet-Server] >
my webproxy config
# Web proxy: enabled on port 8080 with an on-disk cache of unlimited size and
# no parent proxy; cache hits are tagged with DSCP 4.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=yes enabled=yes max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
yes src-address=0.0.0.0
# Access list: both rules deny by destination port or method only. No rule
# restricts which source addresses may use the proxy.
# NOTE(review): the filter export shows no drop for WAN-side traffic to the
# router, so confirm the proxy cannot be used from WAN1/WAN2 (open proxy).
# Allow src-address=192.168.88.0/24 and deny the rest, or block TCP 8080 on the
# WAN interfaces in the input chain.
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
dst-port=23-25
add action=deny comment=\
"allow CONNECT only to SSL ports 443 [https] and 563 [snews]" disabled=no \
dst-port=!443,563 method=CONNECT
[admin@Internet-Server] >
my radius config
[admin@Internet-Server] > radius export
# RADIUS client: hotspot logins are sent to 192.168.88.5 (authentication 1812,
# accounting 1813) with a 5s timeout.
# NOTE(review): the shared secret is two characters long and is published in
# this export. It is the only thing protecting the RADIUS exchange, so replace
# it with a long random value on both the router and the matching NAS entry on
# the FreeRADIUS side, and redact it before sharing configs.
/radius
add accounting-backup=no accounting-port=1813 address=192.168.88.5 \
authentication-port=1812 called-id="" disabled=no domain="" realm="" \
secret=ws service=hotspot timeout=5s
# accept=yes lets the router act on unsolicited RADIUS messages received on
# port 1700; these too are authenticated only by the shared secret.
# NOTE(review): allow UDP 1700 in the input chain from 192.168.88.5 only.
/radius incoming
set accept=yes port=1700
[admin@Internet-Server] >
my log file mikrotik

FreeRADIUS config
IPs allowed to access my RADIUS server:
192.168.88.0/24
Nas type:other
nasclient ip:192.168.88.1
Please help.
How can I solve this problem?