Comments:
1) Make your own chain for accounting purposes (just don't forget to add jumps from the forward chain). At the end of this chain, add a return rule.
2) Make a custom action for when the user reaches the limit. By default the script writes a message to the logs (use the /log print without-paging command to view logs).
With pppoe, I think you can set this based on a radius attribute. See the radius attributes that are supported for AAA in the AAA section of the manual.
Eugene, could you please be a bit more specific on it.
I have 50 customers with pppoe. With 3 profiles (so that I have 3 fw rules, one for each profile, below the ppp fw rule).
Where should I put the rules for counting bytes?
I imagine that to put an identifier on each rule, I have to base the rule on the IP address of the customer. This means I have to fix the IP address of the customer to his username in the pppoe secrets.
afaik ‘Alive’ packets are sent back to the radius server with the updates. These are usually sent every 5min, but you can change that using either the MT Router or the Radius server. Otherwise the total session data will be sent with the Stop packet.
The difficult thing is enforcing the quota. I.e., a user is connected, exceeds their limit - how do you disconnect them? Currently I just disable and enable the PPPoE service every 24hrs, which is pretty dodgy. I'd like to know a more elegant solution that only affects the users in question.
Can you expand a little more on this? I'm attempting to set transfer limits so userx gets 1 GB transfer/month / week, whatever. If they exceed it, they get throttled to 64 K. This is my first run with MikroTik etc… so I'm still trying to figure out the firewall etc…
Well, figured out what the deal with not seeing the chain is. DON'T PUT A SCRIPT IN VIA WINBOX. Found the pico clone and entered it via CLI; the script starts working, except now it spits an error to the log: script error: empty string value where some kind of specific value expected
So far everyone has addressed the issue of throttling using local user accounts.
Our network is in the situation where users authenticate via PPPOE, and are assigned an IP address either statically or from the router's dynamic pool, no matter where they enter the network.
The PPPOE server then talks to a freeradius server to get the appropriate attributes (static / dynamic IP, any queues that need to be applied, routes that need to be added etc). The PPPOE server is also set to send interim accounting updates every 5 minutes to let the radius server know how much data a user has used.
To make this work with a radius server either a script would need to run on the mikrotik PPPOE server (where the queue is applied) to check the value of the data usage on the radius server and set the queue appropriately, or a script would have to run on the radius server and somehow tell the mikrotik router to alter the queue if the user had gone over their allocated data cap.
We cannot check the amount of data on the local mikrotik box, as users may come into the network from different entry points through different PPPOE servers. The mikrotik router would also lose all accounting information if it was rebooted.
I notice in 2.9 there is a feature where you can specify an incoming radius server. Does anyone have any information on how this works? What does it do?
Alternatively does anyone have a working solution for this?
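Added example (not part of the original posts, and not MikroTik or FreeRADIUS code): one way a script on the RADIUS server could total each user's usage across several PPPoE servers from the interim accounting updates described above. The record layout, sample values, quota and function names are assumptions; the octet counters are cumulative per session, so the latest value per session is kept instead of summing every update.

```python
from collections import defaultdict

GIGAWORD = 2 ** 32  # each Acct-*-Gigawords unit is one wrap of the 32-bit octet counter

# Constructed sample accounting records (not from the thread). Fields:
# (User-Name, NAS-IP-Address, Acct-Session-Id, Acct-Status-Type,
#  Acct-Input-Octets, Acct-Input-Gigawords, Acct-Output-Octets, Acct-Output-Gigawords)
SAMPLE = [
    ("userx", "10.0.0.1", "81a00001", "Interim-Update", 200_000_000, 0, 300_000_000, 0),
    ("userx", "10.0.0.1", "81a00001", "Interim-Update", 250_000_000, 0, 4_000_000_000, 0),
    # Output counter wrapped past 2**32 here: the octets value drops, gigawords becomes 1.
    ("userx", "10.0.0.1", "81a00001", "Stop", 260_000_000, 0, 5_032_704, 1),
    # Same session id on a different PPPoE server: a separate session.
    ("userx", "10.0.0.2", "81a00001", "Interim-Update", 10_000_000, 0, 90_000_000, 0),
    ("usery", "10.0.0.2", "81a00002", "Interim-Update", 5_000_000, 0, 20_000_000, 0),
]


def usage_by_user(records):
    """Return {user: total bytes} summed over all sessions on all NASes."""
    sessions = {}  # (NAS, session id) -> (user, highest cumulative byte count seen)
    for user, nas, sid, _status, in_o, in_g, out_o, out_g in records:
        total = in_o + in_g * GIGAWORD + out_o + out_g * GIGAWORD
        # Assumption: a session is identified by NAS plus session id, because
        # two PPPoE servers can hand out the same Acct-Session-Id.
        prev = sessions.get((nas, sid), (user, 0))[1]
        # Counters are cumulative within a session: keep the largest value,
        # which also tolerates duplicated or out-of-order updates.
        sessions[(nas, sid)] = (user, max(prev, total))
    usage = defaultdict(int)
    for user, total in sessions.values():
        usage[user] += total
    return dict(usage)


def over_quota(records, quota_bytes):
    """Return the sorted list of users whose total usage exceeds quota_bytes."""
    return sorted(u for u, b in usage_by_user(records).items() if b > quota_bytes)


if __name__ == "__main__":
    print(usage_by_user(SAMPLE))
    print(over_quota(SAMPLE, 10 ** 9))  # 1 GB quota, as in the thread's example
```
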
The “radius incoming” feature is to let a RADIUS server actively disconnect PPP(oE) sessions without using SSH scripts on the RADIUS server or the like. See here for example: http://forum.mikrotik.com/t/how-to-disconnect-user/1016/1
Regarding your question of changing queues: I suppose the only way will be to run a script on the RADIUS server that connects to the appropriate PPPoE server (MikroTik) via SSH and then switches queues for the active user. Have never tried this, though…