OK but "by does everything" I assume you mean uptime and data accounting kept in databases on the router itself. But where are they? When I do a > tool/userman/database print all I get is a 'yes' and a size report. Can they be shadowed to a remote db for security? Can they be directly accessed by a script to report certain potentially useful information like "between what times of day is the network busiest?" Can they be accessed via the userman web-pages even if the user info etc. isn't entered under tool/userman?You're about Halfway there.
Local users/AAA does everything dependent on the local MT box. Cannot be run from elsewhere.
I've been a fortnight trying to get FreeRADIUS and MySQL running on a Ubuntu box. I've had running servers but the morass of Linux etc. permissions and ownership defeated me as I could not get them to talk to each other let alone the Mikrotik client. I've just loaded RouterOS 3.05 onto the same machine in the hope it would do the same job as server but if you haven't succeeded I don't think I have a chance.Now, with Radius and User Manager, things get tricky.
The "/radius" thingy in RouterOS is simply a Radius Client daemon,
used to point your box to a Radius server - which can be Freeradius, or whatever, or User Manager. It does not have to be a Different machine - it can be the same machine.
But, keep in mind that User Manager runs independently, and is NOT MT's internal user/aaa.
For remote (or local radius/UM) auth to work, you must set /ppp/aaa use-radius=yes,
and make an entry into /radius pointing to your radius server, whether it's the same machine or otherwise. Apparently it is also possible to let your User Manager run on a different server, but I have not yet succeeded in achieving this.
The problem is that User-manager doesn't do what I need. My subscribers pay a monthly fee for unlimited time but a data limit. If they go over the limit they have to pay excess charges per MB as the Trust is potentially liable for the excess as it, too, has a data cap from the ISP. Our data cap is tx+rx. So 'all' I need is:User Manager behaves exactly the same as Radius. Essentially, it is a Radius engine.
In one of my previous posts Sergejs said that User Manager listens on ports 1812 and 1813, which is Radius' default ports of late. The web interface of User Manager is basically the equivalent of Radius' Dialup-Admin interface.
Your amended script would solve problem 2 above in that I assume I could either get the Mikrotik box running user-manager to email each subscriber once a day with their monthly usage to date, or run it every day set to email the subscriber if their monthly usage is, say, 75%, 90% and 100% of their monthly cap. However my 532 which User-manager is running on tells me that 'smtp.xtra.co.nz' is "invalid value for argument server" in /tool e-mail although it is the address we all use in our email clients. What is 'e-mail server=' expecting?I haven't done much programming beyond High School - Most of my stuff I write is mostly made up of spitballs and sticky tape. But I'll be happy to help with debugging.
I enjoy doing it.
I wish I could say that would be an interesting PHP script to see but it would be gobble-de-gook to me. It sounds, though, that I'd find it useful even if I don't understand itAs for your Reset Counters question - As far as I understand Radius, and I'm assuming User Manager is built on the same principles of Accounting - is that there are two separate database tables for users and accounting. Now in User Manager, the Users table show the users' total downloads, whereas the accounting table shows the downloads per individual session. What I've done in my FreeRadius accounting system is to write a PHP script that runs through the entire Accounting table and add up the downloads for each individual users, and separate the months or days in which the session took place. A bit of a drag, but it allows you the freedom of wiping the Total Downloads field in the Users table.
Do I ever! Thanks for you patience so far.I hope that helps. I've made a few tweaks and minor improvements on that Billing script in the meanwhile, will upload the new one to my webserver (and later to Wiki) for your viewing pleasure.
Let me know if you need any more help.
Krige
Most of the information is stored in /tool/user-manager/usersOK but "by does everything" I assume you mean uptime and data accounting kept in databases on the router itself. But where are they? When I do a > tool/userman/database print all I get is a 'yes' and a size report. Can they be shadowed to a remote db for security? Can they be directly accessed by a script to report certain potentially useful information like "between what times of day is the network busiest?" Can they be accessed via the userman web-pages even if the user info etc. isn't entered under tool/userman?
I've run FreeRADIUS and MySQL on a Fedora box, and successfully got Mikrotik to Auth against it. In my opinion, FreeRADIUS/MySQL/PHP will give you a LOT more versatility to do anything you need, and transgress the limitations that UserManager has. If you want to take another stab at it, I know Fedora pretty well, I can help you with that - As far as I know, Ubuntu is't too much different.I've been a fortnight trying to get FreeRADIUS and MySQL running on a Ubuntu box. I've had running servers but the morass of Linux etc. permissions and ownership defeated me as I could not get them to talk to each other let alone the Mikrotik client. I've just loaded RouterOS 3.05 onto the same machine in the hope it would do the same job as server but if you haven't succeeded I don't think I have a chance.
*chuckle* Sounds a lot like South Africa to me.The problem is that User-manager doesn't do what I need. My subscribers pay a monthly fee for unlimited time but a data limit. If they go over the limit they have to pay excess charges per MB as the Trust is potentially liable for the excess as it, too, has a data cap from the ISP. Our data cap is tx+rx. So 'all' I need is:
1. A monthly report of tx+rx data usage by subscriber, and
2. A way for subscribers to check their own usage so they can ration their cap over the month or choose to pay excess MBs.
User Manager already takes care of all that.One of my subscribers is paranoid about wireless radiation and so only powers up his Mikrotik box when he needs to go on-line, switching it off afterwards. In addition very shonky mains electricity in this remote part of New Zealand means we get two or three power interruptions a week at least (plus fried possum each time!) each of which takes most subscribers' Mikrotik boxes down and creates a new PPPoE session when the power returns. So our user reports:
a) don't begin and end neatly with the month beginning and end, being session-based, and
b) can add up to 20 - 30 or more sessions per month which I have to sit down and manually total up per customer just to make sure they didn't exceed their cap.
I haven't amended my script yet to send out E-mails when a user reach a percent of cap.Your amended script would solve problem 2 above in that I assume I could either get the Mikrotik box running user-manager to email each subscriber once a day with their monthly usage to date, or run it every day set to email the subscriber if their monthly usage is, say, 75%, 90% and 100% of their monthly cap. However my 532 which User-manager is running on tells me that 'smtp.xtra.co.nz' is "invalid value for argument server" in /tool e-mail although it is the address we all use in our email clients. What is 'e-mail server=' expecting?
When I started, it was gibberish to me too. Didn't understand a thing of it. So hang in there - It's loads of fun to spend a weekend or so just ripping apart code and learning what it does, and the get the satisfaction of writing something, using bits of code you got from somewhere else, to make something that you can actually use.I wish I could say that would be an interesting PHP script to see but it would be gobble-de-gook to me. It sounds, though, that I'd find it useful even if I don't understand it
Thanks k.Your Monthly TX/RX report can be done in User Manager - It has that function.
Click on Reports, tick Unlimited Only, tick Amount, tick the two dropdown fields,
select This and Month from the two fields, and click Generate.
How about cooking up a script that kills all connections at midnight on the last day of the month? I've just finished writing one that can determine whether or not it is the last day of the month. If it returns "True", you can tell it to set a Scheduler event for that same day to trigger at 23:59:55 (5 secs before midnight) to kill all PPPoE sessions.The problem with generated reports as per above is that they're session based, not date based. So if a session spans a month change-over it all gets allocated to the previous month - ie. if I generate a 'this month' report it only includes sessions that start during the month. Hence on my userman report my own usage for this month STARTS on September 15 as I have a UPS on my Mikrotik box and the AP is battery-powered anyway. I'm not even sure what happened on the 15th to trigger a new session but the one that ended that day commenced on August 25th. During that one session I clocked up a couple of GB in downloads, but have no way of telling how much was in August and how much in September.
Bless his soul.The only subscriber who I have an accurate September usage figure for is the guy who turns his CPE on and off every day!
I noticed that too. I think it's because the reports generate it's information from the info that you'll see under /tool/user-manager/log, whereas reset-counters only resets the counters under /tool/user-manager/users.I did some 'reset-counter'ing today but although it seems to have done away with the 9GiB, 26 week uptime, type of records I get the same userman and individual reports I had before.
Just disable and re-enable your /interface/pppoe-server/server entry,It's now 11.26pm on Sunday 30th September, and the only think I can think to do is to use Winbox to individually reboot every subscriber's CPE now in the hope it will trigger a new session for an accurate October reading.
I think this is the way to go - less of a sledgehammer approach than forcing a reboot. From what I understand from the manual I think an attempt to start a new PPPoE session terminates the previous one - as long as there is a 'one connection only' limit on the link, I guess. So a simple script that disables the PPPoE interface, waits 5 seconds and then enables it should trigger a new session.Just disable and re-enable your /interface/pppoe-server/server entry,
or type "/interface print" and remove all PPPoE entries. That will kill the session, and force the CPEs to reconnect - Assuming that they are capable of auto-reconnecting when the connection gets dropped, but judging from what you tell me, I think they should be fine.
-Krige
Yep, you understand correctly - That'll do the trick - under /interface/pppoe-server/server, you can set the "one-session-per-host" to "yes". That will allow one connection per MAC. If you're using PPTP, you can set the "only-one" attribute in the /ppp/profile for your vpn links. I'm using both PPPoE and PPTP, but I allow multiple connections.From what I understand from the manual I think an attempt to start a new PPPoE session terminates the previous one - as long as there is a 'one connection only' limit on the link, I guess.
Good point, I didn't even think about that. Of course, implementing it in every single CPE could take a while, and could be difficult to monitor. Possibly a few CPEs might not execute the script. So, my suggestion - Do that. Implement the script in every single CPE, and as a safety measure, should one of them not run the script, implement a little script that kills all remaining PPPoE links under "/interface" or /interface/pppoe-server/As an alternative to running such a script on each subscriber's CPE would disabling/enabling the PPPoE interface at the AP which they all connect to have the same effect of forcing a reconnection/new session? Perhaps staggering it on a subscriber basis would be easier on resources than doing it at the AP and getting everyone trying to reconnect at the same time, though.
Dunno. I raised it in the Beta forum and it seems someone else had the problem with 3.rc5 on i386 but says it's fixed with 3.0rc6.Is that a bug, perhaps in that particular release for that particular board or system type?
Yeah, it's hair-tearing when you can't see why something isn't working and can't refer to any error messages or call up a log to see where the problem is.The crappy thing about 2.9.46 not being able to :put stuff, is that I can't tell if my :set (and Get) commands were successful. Which makes debugging downright impossible. Unless I'm just missing something somewhere. I mean - I wrote my first scripts on 2.9.46 - a script which re-resolves an FQDN and replaces the Address under /radius with the freshly resolved one, and also updates the Netwatcher with the freshly resolved address, to monitor it for changes.
I haven't tried using /ip/route, since the basic setup that you can run from the root menu does all the gateway adding I need. The rest I do with NAT - so unfortunately I can't give you feedback on that one.
I'll fiddle with it again in the morning - Need some sleep...
-K
No, it's fine on the 532. It just refuses to accept any gateway at all under /ip route on the i386 with 3.0rc 5/6 ('cept that it's an i586 - an AMD-K6 -2 - but I didn't have this problem running 2.9.35 thro' 46 on the same machine.)Not sure why you can't set up a default gateway on the 532 running rc6... I just did mine in the /setup.
With carrier losses and power-cuts taking the CPEs down (and some of our subscribers just switch their CPEs off at the wall at night!) most of them get 20 -30 sessions clocked against them in a month, so accessing the User area of U-M just presents them with a long table of entries. Towards the end of the month they'd have to sit down with a calculator and add 30 - 50 upload AND download entries to get their usage, 'cept that they don't. They ring me up instead and get me to do it for 'em!For me, the whole E-mail thing was a big one. Spent 3 days writing and testing that script. So I guess you have to weigh risk against cool admin features. I mean, sure, you can urge your clients to log into the User area of User-Manager and view their own usage, but many of my clients just don't do that, and then phone in a fit of rage, demanding to know what's going on.
Warning mails solved that problem...
Uncapped broadband? Oh, how the rest of the world lives.But now I have people demanding uncapped services.
Hey. If they want to pay for uncapped, thet can have uncapped.
Couldn't have done it without you.I'm glad to see you could use my script, even though it wasn't without a few migraines, bumps and bruises.
OK. The next step is to trigger a user counter-reset [find] immediately after the last emails for the month are sent, ie in the witching-hours of the first day of the next month. Why the Hell doesn't this work?:-Let me know if you need more help.
-K
...so accessing the User area of U-M just presents them with a long table of entries.
It is INSANELY expensive. But hey. If my clients can fund it, why not?Uncapped broadband? Oh, how the rest of the world lives.
Not entirely sure, but you just introduced me to the :pick command which solves a lot of problems for me!! Thanks for that one.OK. The next step is to trigger a user counter-reset [find] immediately after the last emails for the month are sent, ie in the witching-hours of the first day of the next month. Why the Hell doesn't this work?
I guess that would be a solution if you run the script on the First of the following month. That is an easier way than what I attempted! Good one. However I am quite a perfectionist. I need my mails and Accounts notifications be done and dusted by the time the new month strikes. But that's just me.You put the current month in the user's 'pool-name' field ... which is compared with the value returned by the :get month from the system date. If they differ it must be the first run of a new month so reset-counters is triggered ...
The drawback of my entire approach is that the subscriber's data-cap (and the month) is set in fields he has access to on his User-Manager web-page, so it will probably be advisable not to let him have access to it at all.
Ah. In a perfect word, yes. I have a few customers who need more than one session, but if you charge them for a certain amount of throughput, then in my opinion it's OK for them to have 20 active sessions, and clock up their 3 gigs in one day, but then they get cut off and have to buy more gigs. Quite frankly, that's the client's problem if they wanna go and do that.I'm not sure about this 'session' business. All our subscribers are allowed only one unlimited session at a time and I can't envisage any circumstances where that might be a problem for me/them. What would suit me would be for each subscriber to have just one session per month.
No, that won't help. The session will just remain active, according to the Mikrotik router, until a new session is established from that particular MAC/Client. Then the previous one will be forcibly closed, and you'll have a brand new session.One of the problems is that at the moment new sessions are triggered by CPE's re-booting and kicking-off new PPPoE connections, sometimes without closing the previous ones. Could this be avoided if I set the 'session time-out' value to zero so that (presumably) the session at the radius client (ie the Mikrotik router) isn't broken?
But then how do I actively trigger a session-close and new session at the start of the month as I can't see any way of getting the MTrouter/radius-client to send radius stop-start ...
:foreach i in=[/interface pppoe-server find service-name=YourServiceName] do={
/interface pppoe-server remove [/interface pppoe-server find $i]
Well, if they can get one 30-day continuous session, then that would be great. But we all know that it ain't happening. They have unlimited amount of Uptime, and therefore they can have unlimited consecutive sessions. But each session clocks up a certain amount of throughput that needs to be accounted for. In order to do this accurately, the open sessions at the end of the month must be closed, Radius must do it's final accounting update, the counters will be updated, and the E-mails sent out.Does it really matter? Our subscribers pay for 'always on' internet, ie one endless session. As long as the counters are re-set at the beginning of each month so we can track monthly usage 'sessions' are irrelevant?
I can live with that cheat, but I'm perfectionist enough to be offended by the lower-case initial letter of the month returned by $date. I think it looks horrid in an email, viz: "data usage to oct/21/2007." Your month referencing idea gives me a way around that. Thanks.However I am quite a perfectionist. I need my mails and Accounts notifications be done and dusted by the time the new month strikes. But that's just me.
Most of us are on 1GB or more a month but a couple of light users are on less - only 250MB in one case. So some will need four character places and others only three. I 'could' use "0250 MB" but think it looks ugly in an email to the user. I haven't checked but I'm guessing in my case I have the 'group' and 'pool' fields free and beyond user-interference for this.The next four denotes data cap. Pick that out with :pick $comment 4 8 ==> 3000
And the last 3 could be your Last Month that the script was run. ==> sep
Perhaps that could be a solution if you run out of non-user-accessible fields to use.
What Rugby World Cup? If the the All-Blacks didn't win it, it ain't worth winning.I'm on my way to a friend's place to watch the finals of the Rugby World Cup. Will try it tomorrow, if I'm not too hung over.
Our setup is much more simple. Each user has a CPE on his roof which connects to the AP and one PPPoE session across the link for internet access. Even trying to imagine more complicated set-ups makes my brain hurt, let alone thinking about implementing them.I have a few customers who need more than one session, but if you charge them for a certain amount of throughput, then in my opinion it's OK for them to have 20 active sessions, and clock up their 3 gigs in one day, but then they get cut off and have to buy more gigs. Quite frankly, that's the client's problem if they wanna go and do that.
Gigs are expensive in this country.
From my limited understanding of the RADIUS protocol there are two kinds of session terminations, voluntary (ie. user or admin request, idle and session-timeouts etc) and involuntary (lost-carrier, NAS reboots, lost-service etc.). As these are listed on the Mikrotik RADIUS dictionary I'm assuming User-Manager can use them. Presumably I can control the former kind and stop them from occuring. But is it not possible to fix a static session id on a 'one-user one-NAS' basis so that even if the CPE or NAS reboots or the connection goes down the same session is simply picked up again on reconnection?The session will just remain active, according to the Mikrotik router, until a new session is established from that particular MAC/Client. Then the previous one will be forcibly closed, and you'll have a brand new session.
So a new session will only be started when next the user tries to connect to the Internet over his CPE's default route, which is his PPPoE interface?See how that works. May be buggy. I just sucked that out of my thumb.Code: Select all:foreach i in=[/interface pppoe-server find service-name=YourServiceName] do={ /interface pppoe-server remove [/interface pppoe-server find $i]
When the session/connection is terminated, Mikrotik will automatically send the session close accounting information to the radius/usermanager server.
Yes. On my test rig I sent a reset-counter - which worked - but subsequent radius interim-updates with the same session id created complete garbage. I couldn't even work out how the (huge) download and upload figures following a small update were created.If the connections are NOT terminated, and the counters are reset, the active connection still has a "memory" of what the current usage for that session is. If the counters in User Manager are reset, and the month lapses over, and you have an active session that has 2 gigs clocked up, that active session will, when it closes, update it's 2 gigs of throughput onto the User Manager database AFTER the reset has been done. Which is a no-no if you have interim-update on.
Killed at both ends. But if it's normally the client that does the killing by sending an accounting-stop terminate-session packet how do we do it with a script running at the server end? ie your script above kills the pppoe connection at the server end, but how does the client know it's been killed to terminate the session at its end?An interim update could have told Radius that the user has used 2 gigs. Then you go and wipe the radius counters. 10 minutes later, Interim-update logs the same 2 gigs again. because the session is still active. In order for the active session's counter to ALSO be reset, the connection must be killed.
A whole lot more than MT's effort!Am I making sense?
-K
You can use an :if statement to check if the Cap = 0250, and Do something that assigns "250" to the variable instead of "0250".Most of us are on 1GB or more a month but a couple of light users are on less - only 250MB in one case. So some will need four character places and others only three. I 'could' use "0250 MB" but think it looks ugly in an email to the user.
All Radius does, is to keep track of what is happening. Radius cannot actually Control the CPEs and sessions. It just logs the information, and returns authentication information, when requested.From my limited understanding of the RADIUS protocol there are two kinds of session terminations, voluntary (ie. user or admin request, idle and session-timeouts etc) and involuntary (lost-carrier, NAS reboots, lost-service etc.). As these are listed on the Mikrotik RADIUS dictionary I'm assuming User-Manager can use them.
Nope, sorry. No way of that happening.Presumably I can control the former kind and stop them from occuring. But is it not possible to fix a static session id on a 'one-user one-NAS' basis so that even if the CPE or NAS reboots or the connection goes down the same session is simply picked up again on reconnection?
The new session will be created when the CPE fires up the PPPoE tunnel.So a new session will only be started when next the user tries to connect to the Internet over his CPE's default route, which is his PPPoE interface?
Well, my suggestion is to run a script on the CPEs that pings your Access Concentrator's Local Address, i.e. the address that will only be 'visible' to the CPE if the PPPoE tunnel is active and working on both sides. Should the reply be negative, then kill the active session and connect again. So even if your CPEs are not aware of the fact that you've just killed all sessions on the server, the Local Address of your PPPoE server will cease to respond. And thus force a reconnect.... That requires port forwarding but if the PPPoE connection to the CPE has been terminated and not restarted from inside there'll be no connection to use?
Not that I am aware of. One way that you can go about doing it though is if all your CPEs are Access Concentrators, and your NAS just dials into all those access concentrators. But if you think multiple sessions on client side was overcomplciating things, this would be insanity.I'm assuming you can't set-up a PPPoE service backwards, from the NAS to the CPE? ... In fact the same script would need to be run any time the CPE reboots to create the PPPoE connection and make it available for any connection attempt ...
Again, Radius only logs what's happening. It's not the Client that sends the Accounting-Stop packet to Radius - it's the Server, once it detects that the tunnel has terminated.Killed at both ends. But if it's normally the client that does the killing by sending an accounting-stop terminate-session packet how do we do it with a script running at the server end? ie your script above kills the pppoe connection at the server end, but how does the client know it's been killed to terminate the session at its end?
Thanks! I stopped drinking when the match started. Quite a nailbiting one. No big hangover. Cape Town was on fire last night! Was quite interesting.Congratulations on the Rugby. Hope the hang-over isn't too big!
Hugely, thank you, but I would query some of what you say.
Does that help a little?
-K
Hmm. I'll look into that one. Radius can force an Accounting session to stop, but kill an actual connection? I'll need to try that.under the heading 'Connection Termination from RADIUS' which suggests (to me) that the MT implementation of Radius CAN terminate an accounting session on a NAS. It just doesn't tell you how. There is a command under /tool user-manager session = close-session which might do it ...
The objective of sending out such a message is to kill the PPPoE link. If the CPE on the other side is not on, the link is dead to begin with. What will happen is that the attempt will just fail/time-out. Whether this will halt your script - I'm not entirely sure. I know that if your E-mail outgoing server can't be reached when sending mails with scripts, it doesn't affect the operation of the rest of the script.IF 'close-session' run at the server causes it to send a 'Disconnect-Message' to the client, causing it to disconnect the user by terminating the pppoe session it would do the trick - except what happens if the user's CPE isn't switched on at the time the script is run amd message is due to be sent?
HUH?! Same accounting-session-id? OK now I'm confused too. I guess one must distinguish between (connection) session ID and Accounting session ID, since Connections and Accounting are two distinctly separate concepts in the Radius scheme of things."An active session is closed when the same router asks to start a new session with the same accounting-session-id."
True, Mikrotik is an extremely cheap all-in-one.I have toyed with running FreeRADIUS and MySQL on a remote server which the router/client reports to but that leaves me with the problem that I kicked this thread off with - actually using the information on MySQL and giving our subscribers easy self-access to their usage in 'real-time', without having to spend a fortune on ISP-type software.
At the least the ability of RouterOS to send emails is a cheap and easy solution to this problem, but does force me to use a router and RouterOS as my main server.
I'm going to assume that what you mean here is to let your routerboard open a tunnel to a "superior" router/server in the network, but simultaneously have an access concentrator running for it's "inferior/subordinate" clients to connect to it. This can be done, yes.Question - can the same router act as client and server?
I've started running one of my networks like this. The only crappy thing is that then you have to maintain several user managers instead of just one. Which isn't a trainsmash if you have only two or three user managers running on two or three routers......but I'm thinking of running a pppoe-server, radius client AND User-manager on each AP to look after its own half-dozen users using the email system.
Let me ponder that one in depth, and reply with a full-scale thought-through solution.However I still don't know how best to deal with the month-end terminate session start new one/reset-counters problem and any advice on that would be most appreciated.
Correct. That is the dillemma which forces us to terminate the Connection session entirely, until one can find a way of forcing it to start a new Accounting session. As long as the Connection Session remains active, it will continue clocking up data, and will keep sending that data to Radius, regardless of what Radius' counters are. Connection session doesn't care, all it does is passing the data on to Radius. Connection session must be terminated in order to get the connection session's counters down to Zero as well.Running what I have in the script appears to simply re-set the up-time, upload and download fields to nil but the session remains active. As the client is presumably unaware of the 'reset-counters' run on the server it continues sending accounting updates with the same accounting-session id (?) and when I do it from NTRadPing, three times out of four the user field meekly and accurately accepts the updates from the zero re-set.
Sounds like a bug yes, I've not seen anything like that happening here.Then one will respond to an update (recorded accurately and successfully in the log) with utter nonsense - up-time in the thousands of weeks and astronomical data use. It can't be simple addition. And I've no idea what triggers it. I guess it might be a bug in the NTRadPing application, but I've no way of testing that out.
I'll take a stab at it.I've looked at the 'close-session' command, which does terminate active sessions on the server and must communicate with the client ... However the command has to be directed at a register number in the '/tool user-man session print' list, ... inactive session stops any script dead.
Hahaha! I'm flattered.And even if I did where would I be then? Too late at night to keep on at this. I'm going to bed and hoping some Guardian Angel will point me the way overnight!
Hmmm. I'm sure you're right, but it uses commands Mikrotik don't bother to declare in the manual so I'm afraid I can't follow it. [EDIT: It doesn't. My apologies, MT.] And as I don't have a pppoe server on my test-bench I can't see it in action anyway.Here she is!
When there is an active session from UserName, and UserName for some reason gets disconnected, but the Connection session (and therefore also the Accounting session) remains active, should UserName connect again, the previous session will be automatically ended (both the connection session and the accounting session) before a completely new one is started.Currently our keepalive time-out is set to 10s but given that we have one-session-per-host anyway isn't the 'no disconnect' situation what I want?
I don't follow. If there has been any disconnects happening in the month, you'll have more than one session.Triggering the 'close-session' script following the reporting at 2.00 am on the First of the Month would take me to a 'one-session-a-month' situation ...
But if you set Keepalive-Timeout in the pppoe-server to 0s the server will never ping the client so even if the client is switched off the server sits there twiddling its thumbs with an open connection just waiting to hear from it? That's what I take the above quote from the manual to mean.
The Keepalive Timeout is only a delay that you set for ping timeouts before connection gets terminated. If server pings client, client doesn't respond, server will keep pinging it as usual, but if the client doesn't respond within 10 seconds of last ping, the connection is terminated, along with it's accounting session.
With Keepalive-timeout (and Idle-timeout?) set to 0s 'disconnects' won't occur. The problem is 're-connects' triggering new pppoe sessions when the CPE re-boots. Is there no way of avoiding the need for the CPE to do that, but just get it to resume the session it was running when it shutdown?I don't follow. If there has been any disconnects happening in the month, you'll have more than one session.Triggering the 'close-session' script following the reporting at 2.00 am on the First of the Month would take me to a 'one-session-a-month' situation ...
Can't see the problem. Under our set-up all I need to know at the end of every month is whether the user stayed within the monthly data-cap he paid for or is liable to the Trust for any excess MB's over it. Having just one session per month makes that a lot easier than the present situation, where a list of sessions have to be totalled. It would also provide the most useful information for the user accessing his User-Man web-page - a record of usage month-by-month each in a single entry plus a up-to-date usage figure in the box for the current month.How are you going to manage only a single Accounting session for the whole month, even if there are multiple connects/disconnects from a user?
Yes. I'm still not sure what the 're-set counters' command in '/tool user-man user' does. Or even what the user entry under 'user print' displays. All our subscribers have 'sessions' going back to when the network was switched on last November but the user entry doesn't go back that far - from the 'uptime-used- figure. (They should all be 'permanently on'.) Yet neither does it record just the current one session each is allowed - the 'uptime-used' covers >12 'session' periods on the session list as does the up and downloads recorded.So now that we are at least getting a new accounting session to be generated at the beginning of the month, are we sure that the counters within the active session is also going to be reset to Zero? Otherwise your interim update will log the data on those counters (incorrectly) on the new accounting sessions.
Amen. And all so unnecessary, if MT would just produce some decent documentation for U-M.So many things *head hurt*
-K
Yes. Pretty much.Keepalive Timeout: ...the server sits there twiddling its thumbs with an open connection just waiting to hear from it?
Well, it needs to fire up the interface, connect, identify itself and some such. This connection-ID will have it's own unique number. PPPoE runs on OSI Level 2, which is MAC/Hardware level. THe IP Address is assigned on top of that, which is OSI Level 3 - i.e. Routing. I understand what it is you're asking, but unfortionately, No. Won't work.But why does the CPE need to start a new session? Just because it needs an address for its pppoe-out interface? But my pppoe addresses don't come from a pool. They're static.
Well, have you explored using IP/Router users instead of PPPoE users?Could I not just assign a static IP address to the CPE's pppoe-out interface so the client's first packet to a default IP address knows where to go, and when it arrives at the server it doesn't need any authentication. It just says, "Oh, there you are. Where've you been?" and passes it on as part of the already-existing session on that connection.
And User/Pass? Also someone trying to "hijack" an active connection will need to open his end of the tunnel first before attempting to send packets to your server. I'm not even sure that is possible. But I get what you're saying.I guess there's a security risk .. but you'd need to spoof the client's MAC address and know the security profile... And if you don't have a "one-connection' limit on the service anyone can do that anyway?
Not to my knowledge. Perhaps a completely different protocol altogether.With Keepalive-timeout (and Idle-timeout?) set to 0s 'disconnects' won't occur. The problem is 're-connects' triggering new pppoe sessions when the CPE re-boots. Is there no way of avoiding the need for the CPE to do that, but just get it to resume the session it was running when it shutdown
*chuckle*Guess the Trust could make it condition of membership that all subscribers put their CPEs on UPS, and never switch them off!
It wipes the Uptime Used, Download Used and Upload Used fields to Zero.I'm still not sure what the 're-set counters' command in '/tool user-man user' does.
That is just a total time of all sessions' connection uptime since the last Reset Counters. [/quote]...the 'uptime-used- figure. (They should all be 'permanently on'.)
None whatsoever.And what effect does 'reset-counters' have on the current session?
Correct. Userman-user is a Radius system that runs completely independent of the PPPoE-Server. PPPoE server relays it's information to the radius protocol, but the two remain very much separate entities, with their separate counters. The Current Active session data is recorded in the PPPoE-server, until the session ends, and PPPoE will relay the information to UserMan. The logs of the previous sessions (and interim updates of current session) are kept in the Userman system.The 'user-man user' entry must be a separate ledger to the one the data for the current session is actually recorded on, else resetting the counters would wipe the record of all the previous detail of that session?
No. Our network was set up by an expert in a flying visit which was all we could afford. I've spend most of the last year trying to work out what he did and why. However as it works I'm reluctant to interfere too deeply as getting him back to sort out my mess would wipe out our R&R fund and then some. I've never really understood why he used pppoe in the first place.Well, have you explored using IP/Router users instead of PPPoE users?
Yes. After I've read it carefully half-a-dozen times and had a good long think over a cup of coffee! Very many thanks.Hopefully that sheds just a little more light on it...
Not sure exactly what you're asking or what you need to know so I'll give you everything that might be relevant in the hope you can find something useful in it.Okay, now time for me to ask for your help -
You say you run a couple of RB500 APs running PPPoE Server, and do all the Auths against a remote User Manager. How is it set up?
This is from the 'gateway' machine running User-manager:
Just one more thing - What is written in the Address field of the Routers entryin /tool/user-manager/routers?
And how is /radius/incoming set up?
Thanks. Did some reading in the IT manual yesterday but there seem to be so many ways of doing 'virtually' the same thing - PPPoE, EoIP, PPP, L2TP &etc - all no doubt with their peculiar pros and cons for specific situations I know nothing of - that it's hard to know where to start.If you need help exploring IP accounting options, let me know.
I want to use it for my inter-base-station links, so I'm gonna delve into it as well.
Cheers!
-K
Well I'm gonna do my own reading a bit, and I'll post my honest opinion about the different methods and their pros and cons, and also try and se which methid I believe will work beat in your setup. PPPoE is a pretty simple way of doing things to begin with. When you start fiddling with EoIP, you immediately need to consider an additional layer of the OSI model in the network design - namely Routing. (Layer 3)Thanks. Did some reading in the IT manual yesterday but there seem to be so many ways of doing 'virtually' the same thing - PPPoE, EoIP, PPP, L2TP &etc - all no doubt with their peculiar pros and cons for specific situations I know nothing of - that it's hard to know where to start.
Hahahaha! Funny. Well same here - I'm the only one who knows how my network works. If the dairy cow is on Speed or LSD and makes it across the Indian Ocean and bumps into me, well let's just say that my company will die with me.... if I were to be mown down by a rampaging dairy cow tomorrow no-one else in the Trust would have the slightest idea how the network actually works...