Thank you for your fast reply sindy. I'll try it and see the results in the log. I'm using the embedded radius server of the Mikrotik.
/system logging add topics=radius
/log print follow-only where topics~"radius"
Then try to connect a client and see whether there is a corresponding radius message in the log. The subsequent steps depend on whether you use the embedded RADIUS server of Mikrotik (user manager) or an external RADIUS server as I assume.
11:05:28 radius,debug,packet sending Access-Request with id 203 to 127.0.0.1:1812
11:05:28 radius,debug,packet Signature = 0xdf70e93e8e6e5832e3b1bd81023ad2ec
11:05:28 radius,debug,packet Service-Type = 2
11:05:28 radius,debug,packet Framed-Protocol = 1
11:05:28 radius,debug,packet NAS-Port = 15728700
11:05:28 radius,debug,packet NAS-Port-Type = 15
11:05:28 radius,debug,packet User-Name = "ppp2"
11:05:28 radius,debug,packet Calling-Station-Id = "CC:2D:E0:F8:49:F0"
11:05:28 radius,debug,packet Called-Station-Id = "service1"
11:05:28 radius,debug,packet NAS-Port-Id = "ether5"
11:05:28 radius,debug,packet Acct-Session-Id = "8120003a"
11:05:28 radius,debug,packet MS-CHAP-Challenge = 0x05947c4143589abc446a95dfece7fc7f
11:05:28 radius,debug,packet MS-CHAP2-Response = 0x0100894811b2faff4c46429ec8fdcd25
11:05:28 radius,debug,packet edc900000000000000000e6b20ab7fd5
11:05:28 radius,debug,packet 013ec705260fd92c8418bb5568a10e1e
11:05:28 radius,debug,packet 1511
11:05:28 radius,debug,packet NAS-Identifier = "HOTspot Server"
11:05:28 radius,debug,packet NAS-IP-Address = 127.0.0.1
11:05:28 radius,debug timeout for 1b:4d
11:11:23 radius,debug,packet sending Access-Request with id 236 to 127.0.0.1:1812
11:11:23 radius,debug,packet Signature = 0xd7c957083352249716220ba92a36226d
11:11:23 radius,debug,packet NAS-Port-Type = 19
11:11:23 radius,debug,packet Calling-Station-Id = "D4:53:83:79:4E:DF"
11:11:23 radius,debug,packet Called-Station-Id = "hs-wlan1"
11:11:23 radius,debug,packet NAS-Port-Id = "wlan1"
11:11:23 radius,debug,packet User-Name = "mmhh"
11:11:23 radius,debug,packet NAS-Port = 2162163737
11:11:23 radius,debug,packet Acct-Session-Id = "80e00019"
11:11:23 radius,debug,packet Framed-IP-Address = 192.168.50.250
11:11:23 radius,debug,packet MT-Host-IP = 192.168.50.250
11:11:23 radius,debug,packet CHAP-Challenge = 0xced5c597b1e2d707346ea94be80d83a8
11:11:23 radius,debug,packet CHAP-Password = 0x1d2f3dc6be93722d05c8ce97d2254bf5
11:11:23 radius,debug,packet 38
11:11:23 radius,debug,packet Service-Type = 1
11:11:23 radius,debug,packet WISPr-Logoff-URL = "http://192.168.50.1/logout"
11:11:23 radius,debug,packet NAS-Identifier = "HOTspot Server"
11:11:23 radius,debug,packet NAS-IP-Address = 127.0.0.1
11:11:23 radius,debug timeout for 1b:6d
11:11:23 radius,debug timeout for 3f:bb
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27 C s udp 127.0.0.1:35747 127.0.0.1:1812 9s 0bps 0bps 3 0
What is surprising here is the s (src-nat) indicator in the connection attributes. So try /ip firewall connection print detail where dst-address~":1812" and see what the reply-dst-address is.
This is the output of the /ip firewall connection print interval=1 where dst-address~":1812" command:
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27 C s udp 127.0.0.1:35747 127.0.0.1:1812 9s 0bps 0bps 3 0
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 S C protocol=udp src-address=127.0.0.1:37012 dst-address=127.0.0.1:1812 reply-src-address=127.0.0.1:1812
reply-dst-address=127.0.0.1:37012 timeout=0s orig-packets=1 orig-bytes=229 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
repl-packets=1 repl-bytes=219 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=vlan20 dst-port=443
9 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=vlan30 dst-port=443
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
11 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
13 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
14 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
15 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
16 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
17 chain=srcnat action=masquerade src-address=192.168.95.0/24 out-interface=pppoe-out1 log=no log-prefix=""
18 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.50.0/24
19 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.10.0/24
20 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.20.0/24
21 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.30.0/24
22 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=wlan1 dst-port=443
add action=masquerade chain=srcnat
This one with detail shows the connection when the RADIUS server does respond, so it is unusable for the analysis.
The output of the /ip firewall connection print detail where dst-address~":1812" command:
...
add action=masquerade chain=srcnat
chain=srcnat action=masquerade src-address=192.168.95.0/24 out-interface=pppoe-out1
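A check for the symptom discussed in this thread (a RADIUS flow to port 1812 that carries the srcnat flag and shows no reply packets), as an added example that is not part of any post. It parses the brief `/ip firewall connection print` table; the first data row is the one quoted above, the second row is constructed, and the function names are hypothetical.

```python
import re

# Flag letters as listed in the "Flags:" legend of the connection-tracking output.
FLAGS = {"E": "expected", "S": "seen-reply", "A": "assured", "C": "confirmed",
         "D": "dying", "F": "fasttrack", "s": "srcnat", "d": "dstnat"}

# One row of the brief table: index, flag letters, protocol, src, dst,
# optional TCP state, timeout, rates, then the two packet counters.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>(?:[ESACDFsd]\s+)*)(?P<proto>udp|tcp)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?(?P<orig>\d+)\s+(?P<repl>\d+)\s*$")

def parse_row(line):
    """Return a dict for one connection row, or None for headers and noise."""
    m = ROW.match(line)
    if not m:
        return None
    return {"flags": {FLAGS[f] for f in m["flags"].split()},
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "orig_packets": int(m["orig"]), "repl_packets": int(m["repl"])}

def suspicious_radius_flows(text, port=1812):
    """List flows to the RADIUS port that were NATed or never answered."""
    findings = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None or not row["dst"].endswith(f":{port}"):
            continue
        reasons = []
        if row["flags"] & {"srcnat", "dstnat"}:
            reasons.append("NAT applied to RADIUS flow")
        if row["orig_packets"] > 0 and row["repl_packets"] == 0:
            reasons.append("requests sent, no reply seen")
        if reasons:
            findings.append((row["src"], row["dst"], reasons))
    return findings

# Row 27 is copied from the thread; row 28 is a constructed healthy exchange.
SAMPLE = """\
 # PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27 C s udp 127.0.0.1:35747 127.0.0.1:1812 9s 0bps 0bps 3 0
28 S C udp 127.0.0.1:37012 127.0.0.1:1812 0s 0bps 0bps 1 1
"""

if __name__ == "__main__":
    for src, dst, reasons in suspicious_radius_flows(SAMPLE):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```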