Simple way to suspend and isolate pppoe clients

I’m currently testing a pppoe setup using mikrotik as the concentrator with mysql radius for AAA. Details of the setup are here: http://forum.mikrotik.com/t/problems-with-mikrotik-pppoe-freeradius-sql-authentication/82026/1. The Radius server is handing out a simple package with a single /32 ip address and a speed package using mikrotik’s dictionary:

Framed-IP-Address := 10.3.0.2
Mikrotik-Rate-Limit = 512k/1536k

Clients connect fine and get the queue setup dynamically and speed works fine.
Now I’m stuck with 2 problems:

  1. These clients on the /32 ip addresses can see/ping each other and I would like to not have that.
  2. Clients that are going to be suspended or disconnected are staying connected no matter what changes I make to the data.

I’ve read a few walkthroughs for shutoff including using “mikrotik-address-list” addition but I tried implementing them and got no results. And setting the session timeout on the mikrotik ppp profile causes the dialup box to pop up annoyingly constantly and I would like to avoid that. I read that radius does not dynamically talk to the mikrotik but was hoping there is a way to get it to force an update to the mikrotik without manually killing the pppoe session in routeros.

Any help or examples on this problem? The mikrotik-address-list would work if I could get it to dynamically update from the radius table, or allow the radius server to send a kill session packet to the mikrotik to force individual clients to re-authenticate without bothering other clients.

Thank you for your time.

For the second issue, try using the Acct-Interim-Interval radius attribute to have the Mikrotik check back in with the Radius server every so often. I haven’t played around with this too much, but that should allow you to kick off a client. I don’t know if you need to define anything else.

http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client

For the first issue, try setting up the firewall to prevent communication through the router’s interfaces. With a /32, when a computer tries to communicate to a different IP address, it will use its default route (the PPP end point) to see if it can reach it. If the router allows it, then it will be able to communicate. Something like this:

/ip firewall filter add chain=forward in-interface=all-ppp out-interface=all-ppp action=drop comment="isolate PPPoE clients from each other"

Thanks for the reply Fekler!

I’m not sure if I am setting up the radius server correctly but it doesn’t seem like my ppp connection is reauthenticating using the acct-interim-interval. I set it in radreply “Acct-Interim-Interval := 60” and my test box authenticated normally. I changed the password on the test user but the ppp account stays authenticated even after the 60 second mark.

New issue, was trying to get the mikrotik_address_list to work and it will not add to the address list using the setting I have added to radius.
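The opening post asks for a way to have the RADIUS side tear down one client's session instead of killing it by hand in RouterOS. The standard mechanism for that is a RADIUS Disconnect-Request (RFC 5176, code 40) sent to the NAS, which answers with a Disconnect-ACK (41) or NAK (42). The following is an added example, not code from the thread or from MikroTik or FreeRADIUS; it builds such a packet for the 10.3.0.2 client from the thread, and verifies the NAS reply. It assumes the concentrator has been configured to accept incoming RADIUS disconnect messages (on RouterOS that is the /radius incoming setting, UDP port 3799 by default) with the same shared secret; the secret and identifier here are constructed values.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS = 1, 8   # standard RADIUS attribute types

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(payload):
    """Walk the TLV list back out; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs

def build_disconnect_request(secret, ident, username, framed_ip):
    """Disconnect-Request identifying the session by user name and its /32 address."""
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 s.2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def build_response(request, code, secret, attrs=b""):
    """The ACK/NAK a NAS returns: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request, response, secret):
    """True only for a well-formed Disconnect-ACK whose authenticator binds it to our request."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    if response[1] != request[1]:        # identifier must echo the request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and response[0] == DISCONNECT_ACK

def send_disconnect(nas_ip, secret, ident, username, framed_ip, port=3799, timeout=3.0):
    """Send the request over UDP and report whether the NAS acknowledged it."""
    req = build_disconnect_request(secret, ident, username, framed_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (nas_ip, port))
        reply, _ = s.recvfrom(4096)
    return verify_response(req, reply, secret)
```

A NAK, a reply for a different identifier, or a reply signed with another secret all fail verification, so a suspension script can log those separately from a successful kick.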