hotspot change ip address after login

I’m using an external AAA server for the users; how can I change the IP address (private IP) to the public IP address after a successful login? I’m using MK v5.0rc7. Looking forward to your support, guys.

http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept

Not sure if this would work, but try making an IP pool of the public IPs and sending back the Framed-Pool attribute set to that pool name. That will cause 1:1 NAT if it works. You can’t trigger an actual IP change on the client.

Let’s say I have 1000 public IPs; I will define this public IP range in the AAA server IP pool.
How could this be done with the Mikrotik Framed-Pool attribute?

If the attribute works (the documentation doesn’t say it doesn’t work for Hotspots, so it should), you would define the IP pool on the router (not the AAA):

/ip pool
add name=public ranges=1.1.1.1-1.1.1.255

and then send back the Framed-Pool attribute from the AAA to the router by name (‘public’ in that example). The router would then enter a 1:1 NAT rule for the client and to the world show an available IP from that pool.

That’s most of it, and yes it does work for hotspots. However there is one or two more things that need to be said to get it fully working.

1.) You need to stop the hotspot from processing packets from people coming from the “public” subnet. This is done with a simple NAT rule.

/ip firewall nat
add chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth src-address=1.1.1.0/24

2.) You NEED to have an address in that subnet assigned to the router on the appropriate interface (the LAN)
3.) If you are doing load balancing you need to mark for routing packets that come from that subnet to send them out of the right interface. Otherwise it will use the main routing table and whatever route with the lowest weight wins.

After I define this public IP pool in the Mikrotik, do I need to assign this IP pool in the Hotspot->Server Profile?

No, leave pool set to none. When specifying the framed-pool in the Radius server, it will change the to-address of the client.

Master, can you give me a complete config for this? Let’s say my IP scheme is private 10.0.0.0/23 and my public range is 1.1.1.0/23 for authenticated users. In my router the physical IPs are: internet port ether1=4.4.4.4/28, ether2=10.0.0.1/23.

1.) Make the IP address in your “public” subnet that will be put on a one-to-one NAT with the real IPs. Also be sure that the IPs you plan to NAT to are assigned to the WAN interface

/ip address 
add address=1.1.1.1/23 interface=ether2
add address=4.4.4.4/28 interface=ether1
add address=4.4.4.8/28 interface=ether1
...
...
...

2.) Set up your “public” pool of addresses

/ip pool add name=public ranges=1.1.1.2-1.1.1.254

3.) In your firewall NAT set it up so that packets coming from authorized users from that subnet are not processed against the firewall

/ip firewall nat
add chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth src-address=1.1.1.0/23

Or use the general catch all rule so no authorized users are processed against the hotspot. Pick one or the other depending on your needs.

/ip firewall nat
add chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth

4.) Set up your NAT rule for the “public” subnet. Best to use the netmap option for this since using src-nat as the action is rather random and appears to make broken connections more often than not for normal web browsing. Main downside to netmap is, you must feed it a complete subnet, so depending on how many addresses you have and what is already assigned to other devices, you may only be able to get away with a /30 or less of addresses you can pass out.

/ip firewall nat
add chain=srcnat action=netmap src-address=1.1.1.0/23 to-address=4.4.4.8/29

Just in the radius profile, when you use the framed-pool attribute, specify the real pool’s name, otherwise it won’t work.
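The steps above amount to a checklist: the pool handed out via Framed-Pool must sit inside the “public” subnet that is also addressed on the LAN interface, the netmap to-address must be a complete subnet, and every address netmap can map to must be assigned on the WAN interface. Below is an added example (not from this thread or from MikroTik) that checks a planned config against those rules using Python’s standard ipaddress module; the addresses are the thread’s own 1.1.1.0/23 and 4.4.4.x values.

```python
"""Sanity-check a hotspot Framed-Pool + netmap 1:1 NAT plan (added example)."""
import ipaddress


def check_plan(lan_addrs, wan_addrs, pool_range, netmap_src, netmap_to):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_addrs / wan_addrs: '/ip address' entries on the LAN and WAN interfaces
    pool_range:            the '/ip pool' ranges= value named by Framed-Pool
    netmap_src, netmap_to: src-address= and to-address= of the netmap rule
    """
    problems = []
    lo, hi = (ipaddress.ip_address(a) for a in pool_range.split("-"))
    src = ipaddress.ip_network(netmap_src, strict=False)

    # Step 2/4: the Framed-Pool addresses must fall inside the netmap source subnet.
    if lo not in src or hi not in src:
        problems.append(f"pool {pool_range} is not inside {src}")

    # Step 1: the router needs an address in that subnet on the LAN interface.
    lan_nets = [ipaddress.ip_interface(a).network for a in lan_addrs]
    if not any(src.subnet_of(n) or n.subnet_of(src) for n in lan_nets):
        problems.append(f"no LAN address in {src}")

    # Step 4: netmap wants a full subnet as to-address (host bits must be zero).
    try:
        to = ipaddress.ip_network(netmap_to, strict=True)
    except ValueError:
        problems.append(f"netmap to-address {netmap_to} is not a complete subnet")
        return problems

    # Step 1: every address netmap may map to, network and broadcast included,
    # has to be assigned on the WAN interface or return traffic never arrives.
    wan_ips = {ipaddress.ip_interface(a).ip for a in wan_addrs}
    missing = [str(ip) for ip in to if ip not in wan_ips]
    if missing:
        problems.append("not assigned on WAN: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed input: only the two WAN addresses shown in the thread are present,
    # so the check reports the rest of 4.4.4.8/29 as missing on ether1.
    for p in check_plan(["1.1.1.1/23", "10.0.0.1/23"],
                        ["4.4.4.4/28", "4.4.4.8/28"],
                        "1.1.1.2-1.1.1.254", "1.1.1.0/23", "4.4.4.8/29"):
        print("problem:", p)
```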

Thanks for your support!

Question:
Why is it I have 2 public IPs on ether1?

add address=4.4.4.4/28 interface=ether1
add address=4.4.4.8/28 interface=ether1

And in my Mikrotik.disc I will add this attribute
framed-pool = public
Am I correct?

The number of addresses you have depends upon you; you need to have ALL the addresses you want to NAT to assigned to ether1. If that’s just 4.4.4.4 and 4.4.4.8 then yes. If you want to NAT to more than that, then you need more addresses (4.4.4.4 and 4.4.4.8-4.4.4.254 or anywhere in between). When using the netmap option you need a FULL subnet; this means both the broadcast and network IPs are used in that subnet, so you can only use a portion of the full subnet assigned to you by your ISP. Like with a /28 from your ISP, you can usually only get away with assigning a /30 to netmap.

Yes framed-pool=public in that case. Or public should be whatever you name that specific pool of addresses.