Traffic account on a per MAC-address basis

Hello,

Is the following scenario possible with the RouterOS software:

Router functions, who keeps traffic logs on a MAC-address basis. Each
MAC-address is able to use an absolute volume of 4 GB per month. After
his limit is reached he is either denied access to outside networks (the
internet) or traffic is shaped so he is only able to reach speeds of 16
kbps or something similar. Of course when the new month starts, the MAC
address has no more limitations until he reaches his 4 GB limit again.

Of course, if other means other than MAC addresses are available, I’m open for them. The last thing I would like to resort to is to IP-address. It’s easily changed. But maybe if there is an option somewhere to deny access to IP-addresses that weren’t handed out by the DHCP server.

The setup is a basic router that’s connected to the internet, and a local interface which, ironically, connects to the local network.

Thanks for your assistance,

Best Regards,

Glenn

Are you opposed to using RADIUS?

~ Jason

How would this be done using RADIUS, provided that the client (MAC address) need not have to log in? How would we use it for servers whose bandwidth we want to restrict/monitor on kbps or data transfer?

I was thinking use the MAC address for the Hotspot login. Just my initial thinking.

~ Jason

Is it possible to do this for a set of servers? For example, in a colocation environment.

Please tell me how. There’s no wireless involved, both sides are just regular ethernet, nor do I use a radius server. The setup is that my parents have a place where students stay for the school year (I don’t know what it’s called in English. It’s a dorm but not on a campus, we have a house with x rooms where the students rent them for a cheap price), and of course they want internet. But we want to limit their usage, so they can’t use up all of the traffic, because the line itself has a monthly usage limit.

I’ve already started experimenting with some firewall rules and scripts I found here lying around in the forum. These are not MAC-based however (on IP-address), and far from automatic. The ideal situation would be for every MAC address the same, but now I have to add a firewall rule for every IP address the server hands out, + if the user sets a static IP it’s easily countered. And I also need a solution where the user can view his traffic…

What about using PPPoE or PPTP for authentication? Then you could use a RADIUS setup and limit bandwidth that way and add another layer of authentication/security to the network…

I’m not going to install two computers so I would just have a radius server! These things cost money, the limit is one computer.

I would like to know how to do MAC-based even if I have to set up a separate RADIUS machine. I don’t mind doing RADIUS in a Linux/BSD VMware box.

That’s one way to go and get RADIUS without an additional machine.

Sorry, someone mentioned RADIUS so I just took off with it, but you could do it all on 1 MikroTik box without a separate RADIUS server.

Well, without using RADIUS you could set up the local interface with the ARP setting set to “reply-only” and build a static ARP entry for your users. The users will always get the same IP address, and you could set up simple queues and bandwidth limit based on IP address.

That way any “unauthorized” users would have to know the IP address and MAC address of a user in order to gain access to the network.
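
The reply-only ARP and simple-queue setup described in the last post, written out as an added RouterOS example that is not part of the original thread. The interface name `ether2-local`, the DHCP server name `dhcp-local`, and all addresses and MAC addresses are constructed placeholders, and the syntax assumes RouterOS v6 or later.

```routeros
# Added example. All names, addresses and MACs below are constructed placeholders.
# Assumes RouterOS v6+ syntax (older releases name some queue parameters differently).

# 1. Pin each tenant's MAC address to a fixed IP with a static DHCP lease,
#    so the same machine always receives the same address.
/ip dhcp-server lease
add server=dhcp-local mac-address=02:00:00:00:00:11 address=192.168.88.11 comment="room1"
add server=dhcp-local mac-address=02:00:00:00:00:12 address=192.168.88.12 comment="room2"

# 2. Let the DHCP server write an ARP entry for every lease it hands out.
/ip dhcp-server
set [find name=dhcp-local] add-arp=yes

# 3. Stop the LAN interface from learning ARP entries on its own.
#    After this, the router only talks to IP/MAC pairs that are in its ARP
#    table, so a self-assigned static IP that DHCP never issued gets no reply.
#    Apply this last, once the leases above exist, to avoid locking out
#    tenants that are already online.
/interface ethernet
set [find name=ether2-local] arp=reply-only

# 4. One simple queue per tenant address (max-limit is upload/download
#    as seen from the target).
/queue simple
add name=room1 target=192.168.88.11/32 max-limit=1M/4M
add name=room2 target=192.168.88.12/32 max-limit=1M/4M

# 5. Throttling a tenant to the 16 kbps mentioned in the first post is then
#    a single change on that tenant's queue (done by hand or from a script):
/queue simple
set [find name=room1] max-limit=16k/16k
```

This ties traffic to an IP/MAC pair at the router but does not count monthly volume by itself; the per-queue byte counters under `/queue simple` are what a quota check would read.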