Hide pppoe passwords from read only users

Good day, I would like to know if the following setup is possible:

I have a RB411 that I use to connect to a wireless network. This network is free and open, and I want to have a read only user on my RB that anybody on that network can use to see what is going on on my RB.

The problem is that I also want to use my RB to dial 2 ADSL connections and do routing over them for myself. The wireless network has nothing to do with that.

Is it possible to hide the username and password for the ADSL pppoe connections from read only users?

Thank you.

If you give a user read rights, then they will be able to read the ppp secrets (inc. passwords). They will not be able to see user passwords, but they will be able to see everything else.

What exactly do you want them to know about that is going on in your RB?

Ron

Hi Ron.

I use the RB411 to connect to a wireless users group network. That network is free and open for everybody to use. We have read only users on all the high sites and on most of the client nodes. The idea is to learn, and having access to the entire network and inspecting how traffic flows from one side of the city to the other is very helpful.

We also keep graph charts of all traffic, uptime and cpu usage for all the high sites and most of the clients.

Now my problem comes in that I want to also use my RB for something else. I want to dial my own personal ADSL connections using the RB. Unfortunately you can never trust everybody on a free and open network with something like ADSL account details. I wish I could, but I cannot.

Now my request is simple: I want to be able to hide pppoe passwords from readonly users.

I do understand the concept of “a readonly user can read everything” but in my opinion things like passwords should have an option to be hidden :frowning:

Thank you.

Password is one parameter, RouterOS doesn’t have the ability to control viewability of certain parameters. We could hide certain functions though, but that won’t help you.

I suggest using a RADIUS server to store all your passwords, in this case you will not have this problem. Even user-manager could help you.

Is it possible to hide the entire pppoe section from readonly users?

And how would I use a RADIUS server to hide my passwords? Here is my setup:

2x Desktop computers and 1x laptop all connect to a 5 port ADSL modem/hub. RB411 also connects to this hub.

The ADSL modem is in bridged mode. The RB411 dials the ADSL modem. For whatever reason I want to dial 2 or 3 accounts at once, and route certain internet IP ranges over one account (e.g. Blizzard WoW servers over an expensive unshaped ADSL account and YouTube over a cheap, slow ADSL account. All the rest over a 3rd account).

That is where the RB is awesome, all the computers on the network only have to point to it as the default gateway and boom, internet works, online gaming has less lag and YouTube is nice and cheap.

I assume if I want to use RADIUS I have to have another computer connected that acts as the server? In that case I could just as well run Smoothwall and do the routing on it. I don’t want to run a dedicated “internet gateway server”.

The big problem is I also want to give read only access (not internet access) to a bunch of ppl on a wireless network. The only problem is I cannot trust them with my ADSL passwords :frowning:

Mikrotik, can you please, please huge please add some feature where you can choose if read only users can see either your pppoe passwords (but like you said they are just a generic parameter, so that is not as easy) or a way to hide the entire pppoe section. That way the read only users cannot see the passwords :slight_smile:

Thank you very much.

No, RADIUS is just an external database of user credentials. RouterOS ppp section will be told to look in the RADIUS if a user exists or not. That way, only people with access to RADIUS will see passwords. This is useful for situations where you have multiple access locations (like country wide hotspots) and you don’t want to keep the same username in all routers, therefore you configure all routers to use a RADIUS, and enter the username only once.

See
http://wiki.mikrotik.com/wiki/User_Manager

Will I need to run a dedicated RADIUS server then? The problem I have with running a dedicated server is that it means one PC must always be on, and that is not the case. The 2x desktop computers I have are my and my wife's computers, and sometimes she uses hers while mine is off, or I use mine while hers is off.

That is why I want the routerboard to do the dialing and routing, no other devices need to be on. Who knows, one day I may get a wifi enabled cellphone/kindle that can use the routerboard for internet access.

I realize this is outside of what RouterOS can do by default, and it is a very strange request :frowning:

Would MetaRouters in v4 help here? One “public” router to connect to the wireless network, another “private” one to do the pppoe dialing?

But restricting access to the pppoe section would also help a lot…

Thanks.

Not necessarily, you can run the user manager in the same device as your RouterOS (if the machine is powerful enough). It’s just another RouterOS package.

That sounds perfect :astonished:

Stupid question: can a readonly user see what goes on in the user manager?

Apparently he can :slight_smile: Sorry for that. We are having a discussion right now on how to avoid this. We will improve this, I promise.

Hehe, no problem.

Thank you for looking into this, I realise it is a very strange request. But I know there are quite a few people on our wireless network that can use this functionality.
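
Added example, not part of the thread and not MikroTik code: since the replies above say an account with read rights can read stored PPP passwords, this Python sketch audits a configuration export for entries that carry a `password=` parameter and produces a masked copy that is safe to share. The sample text is constructed in the style of a RouterOS export, and the function names and the choice of `password` as the only credential key are assumptions.

```python
import re
import shlex

# Constructed sample in the style of a RouterOS text export (not from the thread).
SAMPLE_EXPORT = r'''
/interface pppoe-client
add name=adsl-unshaped interface=ether1 user=acct1@isp.example \
    password="s3cret one" disabled=no
add name=adsl-cheap interface=ether1 user=acct2@isp.example password=pw2
/ppp secret
add name=roadwarrior service=pptp password=pw3
add name=radius-user service=pppoe
/ip address
add address=192.168.88.1/24 interface=ether2
'''

SECRET_KEYS = {"password"}  # assumption: parameter names treated as credentials
SECRET_RE = re.compile(r'\b(password)=("(?:\\.|[^"\\])*"|\S+)')


def logical_lines(text):
    """Join backslash-continued lines into one logical line; skip blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""


def exposed_credentials(text):
    """Return (menu, entry name, parameter) for every entry storing a credential."""
    findings, menu = [], None
    for line in logical_lines(text):
        if line.startswith("/"):  # a menu path such as "/ppp secret"
            menu = line
            continue
        # shlex handles quoted values that contain spaces
        params = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        for key in sorted(SECRET_KEYS.intersection(params)):
            if params[key]:
                findings.append((menu, params.get("name", "?"), key))
    return findings


def redact(text):
    """Copy of the export with credential values masked, quoting preserved elsewhere."""
    return "\n".join(SECRET_RE.sub(r"\1=<redacted>", l) for l in logical_lines(text))
```

Entries without a stored password, such as the constructed `radius-user` line, do not appear in the findings, which matches the RADIUS suggestion in the thread: credentials kept in the external database are not in the router's own configuration.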