MikTik RB751 behind T-Com Speedport 504v

Cartman · June 25, 2012, 10:50am

Hello world !!!

I am trying to set up a hotspot network with the above mentioned config.
In our network we have a lot of MTs running without problems, so I blame
the Speedport.
We have

mysql> select id, nasname, shortname, type, ports,secret,community, description  from nas where id=84;;
+----+---------------+---------------+-------+-------+-----------+-----------+---------------+
| id | nasname       | shortname     | type  | ports | secret    | community | description   |
+----+---------------+---------------+-------+-------+-----------+-----------+---------------+
| 84 | 217.xxx.yy.zz| 217.xxx.yy.zz| other |  NULL | *******| NULL      | RADIUS Client |
+----+---------------+---------------+-------+-------+-----------+-----------+---------------+
1 row in set (0.00 sec)

but

Error: Ignoring request to authentication address * port 11812 from unknown client 217.xxx.yy.zz port 39753

So, it´s not really an “unknown” client, because it´s in the nas table. The port is OK, we use 11812 - 14, even changins to default does not change a thing.
clients.conf is empty, everything is processed by MySQL and works with other constellations.

Assumption :
I think the firewall of the speedport might be the problem. The device drops pings and requests to the WAN address, so it´s invisible from the internet.
Best of it all, the “holy” T-Com people have disabled the firewall configuration of the router, so it cannot be edited.

Is there a way to get this to work, or do we need some new device for the Speedport ?
Maybe it´s more a FreeRadius question, but the people here are a bit smarter, when it comes to helping people.

TIA

Feklar · June 25, 2012, 7:38pm

If the requests are getting to Radius and showing up in the logs, then the firewall on your speedport is not the issue. It would either be a Radius setting on the MikroTik or within FreeRadius that is causing it.

Cartman · June 25, 2012, 9:41pm

I do not think it´s a freeradius or miktik problem. because it works in a different environment.
Behind the speedport the miktik get an IP by DHCP (192.168.2.xxx). In my lab it has a global
static IP. IMHO it´s something like a port or protocol problem, but I do not know which one it could be.
Tested with a Speedport 700v with firewall turned off, but no change. Internet says the SP has some probs with GRE and VPN. Maybe there are some more problems affecting the communication between MT and FR.
Still do not know why the client is unknown, when it´s listed in NAS.

Thanks for any hints.

Cartman · June 26, 2012, 6:34am

Another thing is, that there are no DB requests, when I try to log in.
A normal login gives

SELECT nasname FROM nas WHERE nasname = '213.xxx.yyy.zzz'
SELECT shortname FROM nas WHERE nasname = '213.xxx.yyy.zzz'
SELECT secret FROM nas WHERE nasname = '213.xxx.yyy.zzz'
SELECT type FROM nas WHERE nasname = '213.xxx.yyy.zzz'

Behind the speedport nothing happens.

Cartman · June 26, 2012, 10:53am

Got it.
The problem was caused by the IP address renge in dynamic-clients
Set it to 0.0.0.0/0 and everything worked.
Seems not like the best solution, but it does what I want.

Now I just need to know, how to mark this as SOLVED