feature requests

It's been about 2 years that I've been using MikroTik. I have switched some services from Cisco to MT. There are some features that Cisco implemented a long time ago, but there is no effort from MT developers to check and add these features:

Here are some that I need…

  1. PPPoE server could not ignore "service name".
    The client should provide an exact service name that matches the one on the server or use
    an empty service name, while Cisco, when it receives a PADI, replies with a PADO with the
    service name that the client has sent.

  2. There is no option to let a client connect with any user password (for example, while
    maintaining the RADIUS server).

  3. proxy-arp does not work like Cisco. It's enough to enable proxy-arp on two interfaces and set a 0.0.0.0/0 default gateway on MT; then whatever IP a client sets on its NIC, it will receive an IP conflict. And when 0.0.0.0/0 is disabled, it will not happen…

If you use MSCHAPv2 (default for Windows) - it's impossible to do that, because in that case the server also should prove that it knows the user's password. In other cases it's RADIUS' task - to accept any password. I can't even imagine what RADIUS should do with accounting information if it denied the client's access but the NAS (RouterOS) allowed the client's connection =)

hm… IPs having routes to those interfaces should not receive conflicts…

Hm… yes, this causes IP conflicts… the proxy-arp feature of RouterOS doesn't work like Linux (funny, no?), Cisco or 3Com and produces several complications for a few scenarios…

I can solve this issue by creating a dummy bridge with an Ethernet interface and creating filtering rules in the OUTPUT chain for the ARP protocol.

I hope this issue can be resolved in one of the new versions 4.x!!!

I configured ROS on my RB1000 the exact same way I have previously configured custom Linux firewalls… Configured it the same and so far it appears to work the same.

Dunno about the RADIUS thing. Seems to me a backup RADIUS server would be in order.

Can you post your config?

It's way too big to post: ~250 filter rules and 50ish static routes.

This is the gist of it:

ether1 = 1.2.3.2/24
ether2 = 1.2.3.2/32
ether3 = 1.2.3.2/32
gateway 0.0.0.0/0 1.2.3.1
proxy-arp on all 3 interfaces
/ip route add disabled=no dst-address=1.2.3.3/32 gateway=ether2
/ip route add disabled=no dst-address=1.2.3.4/32 gateway=ether3

Clients have a default gateway of 1.2.3.1 just like the router does.

Then all the associated filter rules allowing traffic in and out as required (forward). The above setup puts clients 1.2.3.3 and 1.2.3.4 behind the firewall with their public ip addresses.

On Cisco you can let any user with any password connect, or even with a blank user and password! Even when no RADIUS is defined.

And about proxy-arp, the user gets a conflict with the MAC of the MT ether interface, NOT other clients!

Is it about MSCHAPv2 authentication?..

I have 4 Linux servers and 1 Windows 2008 server behind a RB1000 in proxy-arp and they don't get IP conflicts. Couple of the servers have more than 1 public IP address (4 in one case). Always works like a champ.
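
Added example (not part of the thread, and not RouterOS code): a simplified model of the basic proxy-ARP rule, "answer when the target is routed out a different interface than the one the request arrived on", applied to the route table posted above. That RouterOS follows exactly this rule, and that the default route leaves via ether1, are assumptions; the function names are hypothetical.

```python
import ipaddress

def lookup(routes, ip):
    """Longest-prefix match. routes is a list of (prefix, out_interface)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def proxy_arp_replies(routes, in_iface, target_ip):
    """True if the router answers an ARP request for target_ip with its own MAC.

    Assumed rule: reply only when a route to the target exists and it leaves
    through an interface other than the one the request came in on.
    """
    out = lookup(routes, target_ip)
    return out is not None and out != in_iface

# Route table from the posted config (constructed; default route assumed on ether1).
THREAD_ROUTES = [
    ("1.2.3.0/24", "ether1"),   # connected network of ether1
    ("0.0.0.0/0", "ether1"),    # gateway 1.2.3.1
    ("1.2.3.3/32", "ether2"),   # host route to the client behind ether2
    ("1.2.3.4/32", "ether3"),   # host route to the client behind ether3
]

def scenarios():
    """(description, router_replies) for the cases discussed in the thread."""
    default_only = [("0.0.0.0/0", "ether1")]
    return [
        ("client 1.2.3.3 on ether2 checks its own IP",
         proxy_arp_replies(THREAD_ROUTES, "ether2", "1.2.3.3")),
        ("upstream on ether1 asks for 1.2.3.3",
         proxy_arp_replies(THREAD_ROUTES, "ether1", "1.2.3.3")),
        ("client on ether2 picks 1.2.3.50 (no host route)",
         proxy_arp_replies(THREAD_ROUTES, "ether2", "1.2.3.50")),
        ("default route only, client on ether2 picks 10.9.9.9",
         proxy_arp_replies(default_only, "ether2", "10.9.9.9")),
        ("no default route, client on ether2 picks 10.9.9.9",
         proxy_arp_replies([], "ether2", "10.9.9.9")),
    ]

if __name__ == "__main__":
    for text, replies in scenarios():
        print(f"{text}: router replies = {replies}")
```

In this model a reply to a client's own-address check is what shows up as an IP conflict against the router's MAC; a host route pointing back at the client's interface suppresses it, and so does removing the default route.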