Wed May 04, 2011 2:08 am
Well, I have been jacking with the config for 2.5 hours now. I appear no closer although the steps to getting these two to see each other is straight forward.
I could use some additional eyes on this setup. Below is my exports:
Network is Radius Server-->450G (pptp server)-->DSL<--Interwebs-->DSL-->Router-->750 (pptp client)-->Test PC
I can ping radius machine through tunnel and 750 NAS going the other way. Tunnel is open. There is only 4 fields needed for nas info in radiusmanager-nas name (test), ip (192.168.8.1), type (mikrotik), secret (xxxxxxxx).
750 pptp client
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; default configuration
192.168.8.1/24 192.168.8.0 192.168.8.255 ether2-local-master
1 D 192.168.0.104/24 192.168.0.0 192.168.0.255 ether1-gateway
2 D 192.168.8.1/32 10.0.2.1 0.0.0.0 radius
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 1
1 A S 10.0.2.0/24 10.0.2.1 1
2 ADC 10.0.2.1/32 192.168.8.1 radius 0
3 ADC 192.168.0.0/24 192.168.0.104 ether1-gateway 0
4 ADC 192.168.8.0/24 192.168.8.1 ether2-local-ma... 0
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R ether1-gateway ether 1500 1526
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 R ether4-local-slave ether 1500 1524
4 ether5-local-slave ether 1500 1524
5 R radius pptp-out 1460
[admin@MikroTik] >
[admin@MikroTik] > ip firewall export
# jan/09/1970 04:23:33 by RouterOS 4.11
# software id = MASG-KBWU
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1700 in-interface=radius protocol=tcp to-addresses=10.0.2.188 to-ports=\
1700
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8291 in-interface=radius protocol=tcp to-addresses=192.168.8.1 to-ports=\
8291
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.8.198 \
to-ports=443
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.8.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
450G pptp server and location of radius server
ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.2.1/24 10.0.2.0 10.0.2.255 lan
1 ;;; bridge for user manager
10.0.0.1/32 10.0.0.1 10.0.0.1 bridge1
2 216.x.x.x/x 216.x.x.x 216.x.x.x wan
3 X 10.0.1.1/24 10.0.1.0 10.0.1.255 lan2
4 X ;;; test vlan Users ID 1
10.0.3.1/24 10.0.1.0 10.0.1.255 vlan1
5 D 10.0.2.1/32 192.168.15.1 0.0.0.0 <pptp-scenice>
6 D 10.0.2.1/32 192.168.88.1 0.0.0.0 <pptp-theoaks>
7 D 10.0.2.1/32 192.168.5.1 0.0.0.0 <pptp-scenicd>
8 D 10.0.2.1/32 192.168.3.1 0.0.0.0 <pptp-nb937939>
9 D 10.0.2.1/32 192.168.4.1 0.0.0.0 <pptp-nb782784>
10 D 10.0.2.1/32 192.168.8.1 0.0.0.0 <pptp-radius>
11 D 10.0.2.1/32 10.0.0.1 0.0.0.0 <pptp-lofts>
[admin@MikroTik] > ip firewall export
# may/03/2011 17:56:03 by RouterOS 4.11
# software id = 7JCH-G18A
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
src-address=10.10.10.1
add action=accept chain=input comment="Accept established connections" connection-state=established \
disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=accept chain=input comment="from my lan" disabled=no in-interface=lan src-address=\
10.0.0.0/24
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=drop chain=forward comment="" connection-state=invalid disabled=yes protocol=tcp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=log chain=input comment="Log everything else" disabled=no log-prefix="Drop Input"
add action=accept chain=input comment=udp disabled=yes protocol=udp
add action=accept chain=input comment="allow limited pings" disabled=yes limit=50,1 protocol=icmp
add action=accept chain=input comment="" disabled=yes in-interface="(unknown)"
add action=drop chain=input comment="drop excessive pings" disabled=yes protocol=icmp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=wan \
src-address=10.0.2.0/24
add action=dst-nat chain=dstnat comment=sysaid disabled=no dst-port=8080 in-interface=wan protocol=tcp \
to-addresses=10.0.2.191 to-ports=8080
add action=dst-nat chain=dstnat comment="ubnt manager" disabled=no dst-port=9443 in-interface=wan \
protocol=tcp to-addresses=10.0.2.191 to-ports=9443
add action=dst-nat chain=dstnat comment="radius server port 22" disabled=no dst-port=8081 in-interface=\
wan protocol=tcp to-addresses=10.0.2.188 to-ports=22
add action=dst-nat chain=dstnat comment="radius server port 10000" disabled=no dst-port=10000 \
in-interface=wan protocol=tcp to-addresses=10.0.2.188 to-ports=10000
add action=dst-nat chain=dstnat comment="radius server forward to port 80" disabled=no dst-port=8082 \
in-interface=wan protocol=tcp to-addresses=10.0.2.188 to-ports=443
add action=dst-nat chain=dstnat comment="Radius accounting" disabled=no dst-port=1812 in-interface=wan \
protocol=udp to-addresses=10.0.2.188 to-ports=1812
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1813 in-interface=wan protocol=udp \
to-addresses=10.0.2.188 to-ports=1813
add action=dst-nat chain=dstnat comment="radius accounting" disabled=yes dst-port=1700 in-interface=\
"(unknown)" protocol=tcp to-addresses=10.0.2.188 to-ports=1700
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 wan 1
1 A S 10.0.0.0/24 10.0.0.1 1
2 ADC 10.0.0.1/32 10.0.0.1 bridge1 0
<pptp-lofts>
3 ADC 10.0.2.0/24 10.0.2.1 lan 0
4 ADC 192.168.3.1/32 10.0.2.1 <pptp-nb937939> 0
5 ADC 192.168.4.1/32 10.0.2.1 <pptp-nb782784> 0
6 ADC 192.168.5.1/32 10.0.2.1 <pptp-scenicd> 0
7 ADC 192.168.8.1/32 10.0.2.1 <pptp-radius> 0
8 ADC 192.168.15.1/32 10.0.2.1 <pptp-scenice> 0
9 ADC 192.168.88.1/32 10.0.2.1 <pptp-theoaks> 0
10 ADC 216.x.x.x/x 216.x.x.x wan 0