POD Disconnect problems due to NAT

Hi

We are using a Mikrotik router to do NAT onto local devices on our network. Each device has a private static IP, but we NAT via the firewall to the devices through the Mikrotik router and then link a public static IP to it. This way we can have public IPs on our devices for remote communication via the internet etc.

One of the NATted devices is a FreeRADIUS server which we use for authentication of all our remote links. Every site that we manage has a Mikrotik with a public static IP with the necessary usernames, passwords and IPs to communicate with the FreeRADIUS box via the internet. All this works well.

My problem is this:

We are issuing disconnect scripts from the FreeRADIUS when a user has reached his/her cap. The problem is that because the RADIUS is NATted behind the main Mikrotik, the receiving router at the remote site (the one on which the user that has to be disconnected resides) gets the main IP of the Mikrotik passed to it in the script and not the RADIUS's IP address. The disconnect script has to come from the RADIUS's IP, otherwise the remote Mikrotik ignores the request. This error happens because the RADIUS is behind a NAT. This in turn means that the script cannot run and disconnect the selected user.

Will it help to disable ARP on the main interface of the main mikrotik?

Is there any firewall rule or any additional settings I can use for the main Mikrotik to pass the RADIUS IP and not the main Mikrotik's interface IP?

Help is appreciated.
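The failure described above is a source-address check, not a bad secret: a NAS only honours a Disconnect-Request (RFC 5176, UDP 3799) that arrives from the address it has configured for its RADIUS server, so a request masqueraded behind the gateway's own address is dropped even when its Request Authenticator verifies. The following Python is an added illustration, not anything from the thread or from FreeRADIUS/RouterOS; it assumes the RADIUS host is 192.168.1.10 with dedicated public address 41.162.1.129 (the netmap pair in the second export) and that 41.162.56.70 is the gateway's own egress address, and the shared secret and user name are constructed sample values.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code
USER_NAME = 1            # RADIUS attribute type User-Name


def build_disconnect_request(identifier, secret, attrs):
    """Build a RADIUS Disconnect-Request (RFC 5176).
    attrs: list of (type, value_bytes). The Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def check_disconnect_request(packet, src_ip, servers):
    """NAS-side acceptance check modelling what the remote router does.
    servers: {configured_radius_ip: shared_secret}. Returns (accepted, reason).
    The source check runs first, so a valid packet from the wrong address
    is rejected before the secret is ever consulted."""
    if src_ip not in servers:
        return False, f"source {src_ip} is not a configured RADIUS server"
    secret = servers[src_ip]
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, "malformed packet"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return False, "Request Authenticator mismatch (wrong shared secret)"
    return True, "ok"


# Constructed sample: the remote NAS only knows the RADIUS box by its
# dedicated public address, as it would in the thread's setup.
SECRET = b"constructed-shared-secret"
REMOTE_NAS_SERVERS = {"41.162.1.129": SECRET}


def demo():
    pkt = build_disconnect_request(7, SECRET, [(USER_NAME, b"capped-user")])
    # Masqueraded behind the gateway's address (assumed 41.162.56.70): dropped.
    masqueraded = check_disconnect_request(pkt, "41.162.56.70", REMOTE_NAS_SERVERS)
    # 1:1 src-nat to the RADIUS host's dedicated public address: accepted.
    mapped = check_disconnect_request(pkt, "41.162.1.129", REMOTE_NAS_SERVERS)
    return masqueraded, mapped


if __name__ == "__main__":
    for result in demo():
        print(result)
```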

Post the output of “/ip firewall nat export”.

If you want to mask the public IP addresses in that configuration, please just replace the first two octets with “172.16” or some other private space you’re not actually using in your setup - “x.x.x.15” makes things very hard to read.

Mikrotik on another site without RADIUS

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=191.212.216.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=196.212.216.40/29
add action=masquerade chain=srcnat comment="" disabled=no src-address=191.168.216.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=External src-address=192.168.216.0/24


The site with the FreeRADIUS box

/ip firewall nat
add chain=srcnat src-address=10.101.0.0/16 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.10 action=netmap to-addresses=41.162.1.129 to-ports=0-65000 comment="" disabled=no
add chain=srcnat src-address=10.100.0.0/16 action=masquerade comment="" disabled=no
add chain=srcnat src-address=10.10.0.0/16 action=masquerade comment="" disabled=no
add chain=dstnat dst-address=41.162.56.70 protocol=tcp dst-port=1000 action=netmap to-addresses=10.100.0.1 to-ports=80 comment="" disabled=no
add chain=dstnat dst-address=41.162.1.129 action=netmap to-addresses=192.168.1.10 to-ports=0-65000 comment="" disabled=no
add chain=srcnat src-address=41.162.1.128/26 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.11 action=src-nat to-addresses=41.162.1.130 to-ports=0-65535 comment="PBX Kindlewood" disabled=no
add chain=dstnat dst-address=41.162.1.130 action=dst-nat to-addresses=192.168.1.11 to-ports=0-65535 comment="" disabled=no
add chain=srcnat src-address=192.168.1.0/24 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.5 action=src-nat to-addresses=41.162.1.132 to-ports=0-65535 comment="24 Online" disabled=no
add chain=dstnat dst-address=41.162.1.132 action=dst-nat to-addresses=192.168.1.5 to-ports=0-65535 comment="24 Online External" disabled=no
add chain=srcnat src-address=192.168.1.9 action=src-nat to-addresses=41.162.1.140 to-ports=0-65535 comment="Weather station" disabled=no
add chain=dstnat dst-address=41.162.1.140 action=dst-nat to-addresses=192.168.1.9 to-ports=0-65535 comment="Weather Station NAT" disabled=no
add chain=srcnat src-address=192.168.1.0/24 action=masquerade comment="" disabled=no
add chain=srcnat src-address=172.16.0.0/24 action=masquerade comment="" disabled=yes
add chain=srcnat src-address=192.168.1.15 action=masquerade comment="" disabled=yes
add chain=srcnat src-address=172.27.0.10 protocol=ipsec-esp action=netmap to-addresses=41.162.1.131 to-ports=80 comment="Alloptic Edge2000" disabled=no
add chain=dstnat dst-address=41.162.1.131 protocol=ipsec-esp action=netmap to-addresses=172.27.0.10 to-ports=80 comment="" disabled=no
add chain=srcnat src-address=192.168.1.6 action=src-nat to-addresses=41.162.1.135 to-ports=80 comment="" disabled=no
add chain=dstnat dst-address=41.162.1.135 action=dst-nat to-addresses=192.168.1.6 to-ports=80 comment="" disabled=no
add chain=srcnat src-address=10.100.0.0/24 action=masquerade comment="" disabled=no


Your help will be greatly appreciated.