General Setup:
2 internet lines (eth1 and eth2) come into the first MikroTik device (MT1) on the ethernet ports; there is a wireless connection between MT1 and a second MikroTik device (MT2). MT2 has 3 wireless interfaces, one connects it back to MT1 and the other two connect it to the clients. MT2 also has 2 ethernet ports, 1 is used to connect clients, the 2nd is used as an emergency backup connection (it has a cable modem). MT2 runs the hotspot (using RADIUS authentication) and the DHCP server. It has an IP address and the necessary routes for all 3 internet connections (eth1 and eth2 on MT1 and the backup cable modem on eth0 of MT2).
Scenario:
On MT2
What I'm trying to do is mark traffic so that I can send marked traffic (normal TCP and UDP traffic on ports 0-1024) out route main-r and all other traffic (p2p etc.) out the default route.
I have rules in place which mark traffic on MT2 and have routes setup accordingly to route the traffic to the respective connections on MT1.
Problem:
Once I set up all the rules and routes accordingly I get mixed results. Some users are able to connect and pull up the login page but then they get a "RADIUS server is not responding" error. Other users just get a "page cannot be displayed". I know the RADIUS-not-responding error is because the RADIUS requests/traffic are not being routed correctly, so they are not originating from the authenticated IP address (I know all I need to do is add the other IP addresses into the RADIUS server, but I'm trying to get the traffic routing done first so I know it is running on the correct marked routes for failover).
Test:
I have a test device set up in my office which mimics the configuration as closely as possible, so I've been trying it there as well as on the main site, to no avail. See below for the necessary config from the live device.
interface> pr
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether0 ether 0 0 1500
1 R etherIDF4 ether 0 0 1500
2 ether3 ether 0 0 1500
3 R Backhaul1 wlan 0 0 1500
4 R Backhaul3 wlan 0 0 1500
5 R Backhaul2 wlan 0 0 1500
6 R bridge1 bridge 0 0 1500
7 R wdsIDF1 wds 0 0 1500
8 R wdsIDF2 wds 0 0 1500
9 R wdsIDF3 wds 0 0 1500
10 R wdsIDF5 wds 0 0 1500
11 R wdsIDF6 wds 0 0 1500
12 R LeaseBackhaul wds 0 0 1500
13 R pptp-HomeBase pptp-out 0 0 1460
interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 Backhaul1 bridge1 128 10
1 LeaseBackhaul bridge1 128 10
LeaseBackhaul is the WDS connection on Backhaul1 connecting MT2 to MT1.
ip address> pr
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.250.0.17/28 10.250.0.16 10.250.0.31 LeaseBackhaul
1 10.250.0.33/32 10.250.0.33 10.250.0.33 wdsIDF1
2 10.250.0.65/32 10.250.0.65 10.250.0.65 wdsIDF2
3 10.250.0.97/32 10.250.0.97 10.250.0.97 wdsIDF3
4 10.250.0.129/32 10.250.0.129 10.250.0.129 etherIDF4
5 10.250.0.161/32 10.250.0.161 10.250.0.161 wdsIDF5
6 10.250.0.193/32 10.250.0.193 10.250.0.193 wdsIDF6
7 10.2.11.1/24 10.2.11.0 10.2.11.255 wdsIDF1
8 10.2.12.1/24 10.2.12.0 10.2.12.255 wdsIDF2
9 10.2.13.1/24 10.2.13.0 10.2.13.255 wdsIDF3
10 10.2.14.1/24 10.2.14.0 10.2.14.255 etherIDF4
11 10.2.15.1/24 10.2.15.0 10.2.15.255 wdsIDF5
12 10.2.16.1/24 10.2.16.0 10.2.16.255 wdsIDF6
13 ;;; user xar vpn
192.168.196.1/24 192.168.196.0 192.168.196.255 wdsIDF3
14 ;;; Backup Cable Modem Address
X.Y.Z.130/29 X.Y.Z.128 X.Y.Z.135 ether0
15 ;;; MT1 eth1 Fiber Connection
A.B.C.3/23 A.B.C.0 A.B.C.255 LeaseBackhaul
16 ;;; MT1 eth2 Network
J.K.G.171/29 J.K.G.168 J.K.G.175 LeaseBackhaul
17 D 10.250.0.3/32 10.250.0.2 0.0.0.0 pptp-HomeBase
ip route> pr detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
0 ADC dst-address=10.2.11.0/24 pref-src=10.2.11.1 interface=wdsIDF1 scope=10
target-scope=0
1 ADC dst-address=10.2.12.0/24 pref-src=10.2.12.1 interface=wdsIDF2 scope=10
target-scope=0
2 ADC dst-address=10.2.13.0/24 pref-src=10.2.13.1 interface=wdsIDF3 scope=10
target-scope=0
3 ADC dst-address=10.2.14.0/24 pref-src=10.2.14.1 interface=etherIDF4
scope=10 target-scope=0
4 ADC dst-address=10.2.15.0/24 pref-src=10.2.15.1 interface=wdsIDF5 scope=10
target-scope=0
5 ADC dst-address=10.2.16.0/24 pref-src=10.2.16.1 interface=wdsIDF6 scope=10
target-scope=0
6 ADC dst-address=10.250.0.2/32 pref-src=10.250.0.3 interface=pptp-RockyPoin>
scope=10 target-scope=0
7 A S ;;; Route to Main Backhaul
dst-address=10.250.0.0/28 gateway=10.250.0.17 interface=bridge1
gateway-state=reachable scope=255 target-scope=10
8 ADC dst-address=10.250.0.16/28 pref-src=10.250.0.17 interface=bridge1
scope=10 target-scope=0
9 ADC dst-address=10.250.0.33/32 pref-src=10.250.0.33 interface=wdsIDF1
scope=10 target-scope=0
10 A S ;;; Route to IDF1
dst-address=10.250.0.32/27 gateway=10.250.0.33 interface=wdsIDF1
gateway-state=reachable scope=255 target-scope=10
11 ADC dst-address=10.250.0.65/32 pref-src=10.250.0.65 interface=wdsIDF2
scope=10 target-scope=0
12 A S ;;; Route to IDF2
dst-address=10.250.0.64/27 gateway=10.250.0.65 interface=wdsIDF2
gateway-state=reachable scope=255 target-scope=10
13 ADC dst-address=10.250.0.97/32 pref-src=10.250.0.97 interface=wdsIDF3
scope=10 target-scope=0
14 A S ;;; Route to IDF3
dst-address=10.250.0.96/27 gateway=10.250.0.97 interface=wdsIDF3
gateway-state=reachable scope=255 target-scope=10
15 ADC dst-address=10.250.0.129/32 pref-src=10.250.0.129 interface=etherIDF4
scope=10 target-scope=0
16 A S ;;; Route to IDF4
dst-address=10.250.0.128/27 gateway=10.250.0.129 interface=etherIDF4
gateway-state=reachable scope=255 target-scope=10
17 ADC dst-address=10.250.0.161/32 pref-src=10.250.0.161 interface=wdsIDF5
scope=10 target-scope=0
18 A S ;;; Route to IDF5
dst-address=10.250.0.160/27 gateway=10.250.0.161 interface=wdsIDF5
gateway-state=reachable scope=255 target-scope=10
19 ADC dst-address=10.250.0.193/32 pref-src=10.250.0.193 interface=wdsIDF6
scope=10 target-scope=0
20 A S ;;; Route to IDF6
dst-address=10.250.0.192/27 gateway=10.250.0.193 interface=wdsIDF6
gateway-state=reachable scope=255 target-scope=10
21 A S ;;; Route back to office for interAddress communication
dst-address=10.250.254.0/24 gateway=10.250.0.2
interface=pptp-RockyPoint gateway-state=reachable scope=255
target-scope=10
22 A S dst-address=X.Y.Z.129/32 gateway=X.Y.Z.130 interface=ether0
gateway-state=reachable scope=255 target-scope=10
23 ADC dst-address=X.Y.Z.128/29 pref-src=X.Y.Z.130 interface=ether0
scope=10 target-scope=0
24 ADC dst-address=J.K.G.168/29 pref-src=J.K.G.171 interface=bridge>
scope=10 target-scope=0
25 ADC dst-address=A.B.C.0/23 pref-src=A.B.C.3 interface=bridge1
scope=10 target-scope=0
26 ADC dst-address=192.168.196.0/24 pref-src=192.168.196.1 interface=wdsIDF3
scope=10 target-scope=0
27 S ;;; Cable Modem Gateway (extreme failover) for regular traffic
dst-address=0.0.0.0/0 gateway=X.Y.Z.129 interface=ether0
gateway-state=reachable distance=2 scope=255 target-scope=10
routing-mark=main-r
28 X S ;;; Fiber Gateway (Main Backhaul)
dst-address=0.0.0.0/0 gateway=A.B.C.2 check-gateway=ping
interface=bridge1 gateway-state=reachable scope=255 target-scope=10
29 A S ;;; Fiber Route for regular traffic
dst-address=0.0.0.0/0 gateway=A.B.C.2 check-gateway=ping
interface=bridge1 gateway-state=reachable scope=255 target-scope=10
routing-mark=main-r
30 S ;;; eth1 on MT1 (failover) route for main traffic
dst-address=0.0.0.0/0 gateway=J.K.G.169 interface=bridge1
gateway-state=reachable distance=1 scope=255 target-scope=10
routing-mark=main-r
31 S ;;; eth1 on MT1 Default route (p2p etc..)
dst-address=0.0.0.0/0 gateway=J.K.G.169 check-gateway=ping
interface=bridge1 gateway-state=reachable distance=1 scope=255
target-scope=10
ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting in-interface=!bridge1 protocol=icmp
action=mark-connection new-connection-mark=main-c passthrough=yes
1 chain=prerouting in-interface=!bridge1 protocol=tcp dst-port=0-1024
hotspot=auth action=mark-connection new-connection-mark=main-c
passthrough=yes
2 chain=prerouting in-interface=!bridge1 protocol=udp dst-port=0-1024
hotspot=auth action=mark-connection new-connection-mark=main-c
passthrough=yes
3 chain=prerouting connection-mark=main-c action=mark-route routing-mark=main-r
4 chain=postrouting dst-address='radius-address' protocol=udp
action=mark-route routing-mark=main-r
I would appreciate any suggestions or advice anyone has. I've gone through the docs (docs/ros/2.9/ip/mangle, flow, and route) and still seem to be missing something. I've tried numerous incarnations of this but just can't seem to get the RADIUS/hotspot thing figured out. Everything else is working flawlessly though.
-Adam
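The following is an added example, not the poster's configuration, showing one way to policy-route the router's own RADIUS traffic together with the "main" class of client traffic described in the post. It relies on the RouterOS packet flow: packets that MT2 itself generates (the hotspot's RADIUS requests) never enter the prerouting chain, and a routing mark applied in postrouting comes after the routing decision, so the place to mark router-originated traffic is the output chain. The mark is set with the mark-route action's `new-routing-mark` parameter. The RADIUS server address 10.250.254.10 is a placeholder (the post only writes 'radius-address'), the RADIUS ports are assumed to be the standard 1812-1813, and the gateway and source addresses reuse the anonymized ones from the post's route table.

```routeros
# Added example (not the original poster's config). Assumptions: RADIUS server
# at 10.250.254.10 (placeholder), RADIUS on UDP 1812-1813, routing mark main-r
# and connection mark main-c as in the post, gateways A.B.C.2 (fiber via MT1),
# J.K.G.169 (MT1 eth2) and X.Y.Z.129 (cable modem on MT2 ether0).

/ip firewall mangle
# Forwarded client traffic: mark the connection in prerouting, then apply the
# routing mark to every packet of a marked connection.
add chain=prerouting in-interface=!bridge1 protocol=icmp \
    action=mark-connection new-connection-mark=main-c passthrough=yes
add chain=prerouting in-interface=!bridge1 protocol=tcp dst-port=0-1024 \
    hotspot=auth action=mark-connection new-connection-mark=main-c passthrough=yes
add chain=prerouting in-interface=!bridge1 protocol=udp dst-port=0-1024 \
    hotspot=auth action=mark-connection new-connection-mark=main-c passthrough=yes
add chain=prerouting connection-mark=main-c \
    action=mark-route new-routing-mark=main-r
# Router-originated traffic (the hotspot's own RADIUS requests) does not pass
# through prerouting, and a mark set in postrouting is too late to change the
# route. Mark it in the output chain instead.
add chain=output protocol=udp dst-address=10.250.254.10 dst-port=1812-1813 \
    action=mark-route new-routing-mark=main-r comment="RADIUS via main-r"

/ip route
# Routes for the main-r table, ordered by distance so only one is active at a
# time and check-gateway=ping drops a dead gateway. pref-src pins the source
# address used on each path; each of these three addresses must be registered
# as a client on the RADIUS server, as the post already notes.
add dst-address=0.0.0.0/0 gateway=A.B.C.2 check-gateway=ping distance=1 \
    routing-mark=main-r pref-src=A.B.C.3 comment="fiber on MT1 eth1, main"
add dst-address=0.0.0.0/0 gateway=J.K.G.169 check-gateway=ping distance=2 \
    routing-mark=main-r pref-src=J.K.G.171 comment="MT1 eth2, first failover"
add dst-address=0.0.0.0/0 gateway=X.Y.Z.129 check-gateway=ping distance=3 \
    routing-mark=main-r pref-src=X.Y.Z.130 comment="cable modem, last resort"
```

To check that the output rule is doing its job, watch `/ip firewall mangle print stats` while a client logs in to the hotspot: the packet counter on the "RADIUS via main-r" rule should increase on every authentication attempt, and `/ip route print detail` should show exactly one active (A) default route carrying routing-mark=main-r. If the counter stays at zero, the RADIUS packets are not matching the rule (wrong server address or ports) rather than being misrouted.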