Community discussions

MikroTik App
 
feris
just joined
Topic Author
Posts: 12
Joined: Tue May 16, 2017 3:58 pm

User Manager source interface.

Tue May 16, 2017 5:10 pm

Hello
Is there any option to set source IP of the Userman response ? I have routers, in test setup, connected via GRE tunnel. When I use IP of the far side of the tunnel its working fine. But if I use bridge interface IP ( created as loopback ) I have no response. There are no filter rules and connection is ok. Torch shows returning packets with IP of the far side of GRE tunnel instead that of loopback.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: User Manager source interface.

Tue May 16, 2017 10:09 pm

Check your srcnat rules - apparently your srcnat rules are matching the replies - which means that you may have stateless nat (action=netmap) somewhere in the mix as well.
 
feris
just joined
Topic Author
Posts: 12
Joined: Tue May 16, 2017 3:58 pm

Re: User Manager source interface.

Wed May 17, 2017 3:30 pm

Check your srcnat rules - apparently your srcnat rules are matching the replies - which means that you may have stateless nat (action=netmap) somewhere in the mix as well.
Hello
Thanks for response.
I have no NAT configured at all, its just a test setup with basic CHR configured. Torch shows on radius client router packets 1812 udp port from adress of remote gre tunnel and from loopback at once if I setup client to connect userman router loopback interface instead of far end gre.
WAN ip supplied by DHCP of VBox NAT-ed network: 10.0.50.0/24.

Also I have tried 6.39.1, still dont work.
# may/17/2017 12:56:38 by RouterOS 6.37.5
# software id = 
#
/interface bridge
add name=loopback0
/interface gre
add allow-fast-path=no ipsec-secret=12345 local-address=10.0.50.4 name=gre-tunnel1 remote-address=10.0.50.5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw password=12345
/tool user-manager profile
add name=test name-for-users="" override-shared-users=off owner=admin price=0 starts-at=now validity=0s
/ip address
add address=10.0.100.1/30 interface=gre-tunnel1 network=10.0.100.0
add address=10.0.101.1 interface=loopback0 network=10.0.101.1
/ip dhcp-client
add disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether2
/routing ospf network
add area=backbone network=10.0.100.0/30
add area=backbone network=10.0.101.1/32
/system identity
set name=chr1
/system package update
set channel=bugfix
/tool user-manager database
set db-path=user-manager
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=10.0.100.2 log=auth-ok,auth-fail name=chr2 shared-secret=12345 use-coa=no
/tool user-manager user
add customer=admin disabled=no password=12345 shared-users=1 username=mtadmin wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
# may/17/2017 11:35:13 by RouterOS 6.37.5
# software id = 
#
/interface gre
add allow-fast-path=no ipsec-secret=12345 local-address=10.0.50.5 name=gre-tunnel1 remote-address=10.0.50.4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.0.100.2/30 interface=gre-tunnel1 network=10.0.100.0
/ip dhcp-client
add disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether2
/radius
add address=10.0.101.1 secret=12345 service=login
/routing ospf network
add area=backbone network=10.0.100.0/30
/system identity
set name=chr2
/system package update
set channel=bugfix
/user aaa
set default-group=full use-radius=yes
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: User Manager source interface.

Thu May 18, 2017 6:09 pm

Okay - I got ya - unless there's a "use interface address" option in the configuration (I don't use Userman so I have no experience with it) then this is going to happen because UDP is a connectionless transport - so the reply packet is unrelated to the request, at least as far as layer 4 is concerned, and so it appears that the IP stack in the Mikrotik is using the IP of the egress interface as the SRC IP whenever the response packets are being sent.

Internal to linux, this would be like having Listen=*

Anyway, long story short, if that configuration option isn't available, you could make a srcnat rule which matches the reply packets (be very specific in the matches so other traffic doesn't also match):

/ip firewall nat
add chain=srcnat src-address-type=local protocol=udp src-port=1812 action=src-nat to-address=ip.of.loopback.interface

That'll fix the problem.
 
ludvik
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Mon May 26, 2008 4:36 pm

Re: User Manager source interface.

Wed Dec 06, 2017 1:18 pm

This not working.
NAT rule change source-port to 1024.

to-ports parametr not working, if is same as src-port.

Who is online

Users browsing this forum: No registered users and 9 guests