dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

pppoe problem

Fri Mar 26, 2021 12:14 pm

I have a MikroTik 951G routerboard with a hotspot server and radius server configured. My problem is that when I set up the pppoe server with the radius server, the pppoe and hotspot clients connect successfully. However, after a period of time the pppoe client and the hotspot client can not be authenticated by the radius server: the hotspot clients get a message saying "Radius Server is not responding" and the pppoe clients can not connect again. I don't know where the problem is: is it with the routerboard model, the pppoe server settings or the radius server?
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: pppoe problem

Fri Mar 26, 2021 12:57 pm

/system logging add topics=radius
/log print follow-only where topics~"radius"


Then try to connect a client and see whether there is a corresponding radius message in the log. The subsequent steps depend on whether you use the embedded RADIUS server of Mikrotik (user manager) or an external RADIUS server as I assume.
 
dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

Re: pppoe problem

Fri Mar 26, 2021 1:14 pm

/system logging add topics=radius
/log print follow-only where topics~"radius"


Then try to connect a client and see whether there is a corresponding radius message in the log. The subsequent steps depend on whether you use the embedded RADIUS server of Mikrotik (user manager) or an external RADIUS server as I assume.
Thank you for your fast reply sindy. I'll try it and see the results in the log. I'm using the embedded radius server of the Mikrotik.
 
dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

Re: pppoe problem

Sat Mar 27, 2021 10:10 am

These are the messages from the log:
this is for the pppoe user
11:05:28 radius,debug,packet sending Access-Request with id 203 to 127.0.0.1:1812 
11:05:28 radius,debug,packet     Signature = 0xdf70e93e8e6e5832e3b1bd81023ad2ec 
11:05:28 radius,debug,packet     Service-Type = 2 
11:05:28 radius,debug,packet     Framed-Protocol = 1 
11:05:28 radius,debug,packet     NAS-Port = 15728700 
11:05:28 radius,debug,packet     NAS-Port-Type = 15 
11:05:28 radius,debug,packet     User-Name = "ppp2" 
11:05:28 radius,debug,packet     Calling-Station-Id = "CC:2D:E0:F8:49:F0" 
11:05:28 radius,debug,packet     Called-Station-Id = "service1" 
11:05:28 radius,debug,packet     NAS-Port-Id = "ether5" 
11:05:28 radius,debug,packet     Acct-Session-Id = "8120003a" 
11:05:28 radius,debug,packet     MS-CHAP-Challenge = 0x05947c4143589abc446a95dfece7fc7f 
11:05:28 radius,debug,packet     MS-CHAP2-Response = 0x0100894811b2faff4c46429ec8fdcd25 
11:05:28 radius,debug,packet       edc900000000000000000e6b20ab7fd5 
11:05:28 radius,debug,packet       013ec705260fd92c8418bb5568a10e1e 
11:05:28 radius,debug,packet       1511 
11:05:28 radius,debug,packet     NAS-Identifier = "HOTspot Server" 
11:05:28 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
11:05:28 radius,debug timeout for 1b:4d


this one is for the hotspot user which couldn't sign in too
11:11:23 radius,debug,packet sending Access-Request with id 236 to 127.0.0.1:1812 
11:11:23 radius,debug,packet     Signature = 0xd7c957083352249716220ba92a36226d 
11:11:23 radius,debug,packet     NAS-Port-Type = 19 
11:11:23 radius,debug,packet     Calling-Station-Id = "D4:53:83:79:4E:DF" 
11:11:23 radius,debug,packet     Called-Station-Id = "hs-wlan1" 
11:11:23 radius,debug,packet     NAS-Port-Id = "wlan1" 
11:11:23 radius,debug,packet     User-Name = "mmhh" 
11:11:23 radius,debug,packet     NAS-Port = 2162163737 
11:11:23 radius,debug,packet     Acct-Session-Id = "80e00019" 
11:11:23 radius,debug,packet     Framed-IP-Address = 192.168.50.250 
11:11:23 radius,debug,packet     MT-Host-IP = 192.168.50.250 
11:11:23 radius,debug,packet     CHAP-Challenge = 0xced5c597b1e2d707346ea94be80d83a8 
11:11:23 radius,debug,packet     CHAP-Password = 0x1d2f3dc6be93722d05c8ce97d2254bf5 
11:11:23 radius,debug,packet       38 
11:11:23 radius,debug,packet     Service-Type = 1 
11:11:23 radius,debug,packet     WISPr-Logoff-URL = "http://192.168.50.1/logout" 
11:11:23 radius,debug,packet     NAS-Identifier = "HOTspot Server" 
11:11:23 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
11:11:23 radius,debug timeout for 1b:6d 
11:11:23 radius,debug timeout for 3f:bb

they both keep trying but can't connect
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: pppoe problem

Sat Mar 27, 2021 12:21 pm

OK, so it may be a firewall issue (not very likely, but possible), or the networking stack is broken (even less likely), or the UserManager stopped responding. Since /tool sniffer doesn't seem to work on the loopback interface, you have to use alternative means: what does /ip firewall connection print interval=1 where dst-address~":1812" show during these unsuccessful attempts to connect?
 
dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

Re: pppoe problem

Tue Mar 30, 2021 9:20 am

This is the output of the /ip firewall connection print interval=1 where dst-address~":1812" command:
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27    C  s  udp  127.0.0.1:35747       127.0.0.1:1812                    9s               0bps      0bps            3            0
 
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: pppoe problem  [SOLVED]

Tue Mar 30, 2021 10:39 am

This is the output of the /ip firewall connection print interval=1 where dst-address~":1812" command:
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
27    C  s  udp  127.0.0.1:35747       127.0.0.1:1812                    9s               0bps      0bps            3            0
 
What is surprising here is the s (src-nat) indicator in the connection attributes. So try /ip firewall connection print detail where dst-address~":1812" and see what the reply-dst-address is.

Then, use /ip route check that.ip.add.ress to see whether there is a route to that address. If my assumption is correct, the User Manager process is unable to send the response, because either a route to that address doesn't exist, or it is a dynamically added route as the address is in a connected subnet but doesn't respond to ARP requests.

In any case, post the export of your configuration - there must be some action=srcnat or action=masquerade rule, which is not selective enough and causes the internal RADIUS requests to be src-nated.
 
dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

Re: pppoe problem

Tue Mar 30, 2021 4:16 pm

the output of the /ip firewall connection print detail where dst-address~":1812" command:
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  S C     protocol=udp src-address=127.0.0.1:37012 dst-address=127.0.0.1:1812 reply-src-address=127.0.0.1:1812 
            reply-dst-address=127.0.0.1:37012 timeout=0s orig-packets=1 orig-bytes=229 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=1 repl-bytes=219 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
This is the NAT configuration on the pppoe server side:
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 
 1  D chain=hotspot action=jump jump-target=pre-hotspot 
 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 
 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 
 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 
 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 
 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 
 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 
 8  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=vlan20 dst-port=443 
 9  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=vlan30 dst-port=443 
10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 
11  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 
12  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 
13  D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
14  D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 
15  D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
16 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 
17    chain=srcnat action=masquerade src-address=192.168.95.0/24 out-interface=pppoe-out1 log=no log-prefix="" 
18    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.50.0/24 
19    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.10.0/24 
20    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.20.0/24 
21    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.30.0/24 
22  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=wlan1 dst-port=443 



On the pppoe client side I've noticed that there is a nat configured like this
 add action=masquerade chain=srcnat  
NOTE: there is no route to 172.0.0.1 in the routing table on either side
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: pppoe problem

Tue Mar 30, 2021 4:40 pm

the output of the /ip firewall connection print detail where dst-address~":1812" command:
...
This one with detail shows the connection when the RADIUS server does respond, so it is unusable for the analysis.

In this one, the S is an upper-case (capital) one, indicating seen-reply, whereas in the previous case, it was a lower-case one, indicating srcnat.

So you need to run the command with detail during the time when the RADIUS process does not respond.

A route to 127.0.0.0/8 is not shown in the configuration as this whole range are addresses representing the device itself and packets to them cannot be sent out.

I cannot see any rule on the PPPoE server/RADIUS client & RADIUS server that would explain why the connection from the RADIUS client to the RADIUS server gets src-nat'ed, unless the client sends the request from one of the addresses to which the srcnat rules refer, or unless some srcnat rule is created dynamically (I've got no idea so far why and how it should be) and causes this.

So wait until the problem appears again, and only then print again the current contents of the /ip firewall nat table and run the /ip firewall connection print detail ... as above.

The configuration of the PPPoE client is irrelevant here. It's the PPPoE server that uses the local RADIUS client to ask the local RADIUS server.

But the fact that the masquerade rule at the client matches on all interfaces may cause some issues to the client, unrelated to the authentication problem with RADIUS.
 
dhiaahmed
newbie
Topic Author
Posts: 44
Joined: Sat Mar 31, 2018 1:05 pm

Re: pppoe problem

Wed Mar 31, 2021 2:06 pm

I think the problem has been solved, sindy. The problem was with the NAT on both sides; after I removed the NAT on the pppoe client side
add action=masquerade chain=srcnat  

and edited the NAT on the server side as follows
chain=srcnat action=masquerade src-address=192.168.95.0/24 out-interface=pppoe-out1

now all the pppoe clients connect normally and don't disconnect.

I don't know how to thank you, sindy. Every time I have a problem you help me. Thank you.
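A heuristic check for the kind of over-broad srcnat rule this thread ends on: sindy's remark that a masquerade rule which is not selective enough can src-nat the router's own RADIUS requests to 127.0.0.1:1812, and the fix of binding the rule to out-interface=pppoe-out1. This is an added example, not code from the thread or from MikroTik; the sample rules are constructed in the style of /ip firewall nat print and export output, and parse_rules, covers and check_srcnat_rules are names chosen here.

```python
import ipaddress
import re

# Constructed sample in the style of "/ip firewall nat print" and "export" output,
# modelled on the rules quoted in this thread (not a capture from the poster's router).
SAMPLE_RULES = """\
17    chain=srcnat action=masquerade src-address=192.168.95.0/24 out-interface=pppoe-out1 log=no log-prefix=""
18    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.50.0/24
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
add action=masquerade chain=srcnat
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')     # key=value or key="quoted value"
LOOPBACK = ipaddress.ip_address("127.0.0.1")   # NAS-IP-Address the embedded RADIUS client used

def parse_rules(text):
    """Yield one {attribute: value} dict per rule line; ';;;' comment lines are skipped."""
    for line in text.splitlines():
        body = line.strip()
        if not body or ";;;" in body:
            continue
        attrs = {k: v.strip('"') for k, v in KV.findall(body)}
        if "chain" in attrs:
            yield attrs

def covers(prefix, addr):
    """True when the matcher is absent, or when the (possibly '!'-negated) prefix contains addr."""
    if prefix is None:
        return True
    inside = addr in ipaddress.ip_network(prefix.lstrip("!"), strict=False)
    return inside != prefix.startswith("!")

def check_srcnat_rules(text):
    """Return (verdict, rule) pairs for srcnat masquerade/src-nat rules.
    'matches loopback': the rule can rewrite 127.0.0.1 -> 127.0.0.1 packets, e.g. the
    local RADIUS client talking to User Manager, so the reply can never come back.
    'no out-interface': the rule is not bound to an egress interface, so it also
    applies to traffic that never leaves the router; tie it to the WAN interface."""
    findings = []
    for r in parse_rules(text):
        if r.get("chain") != "srcnat" or r.get("action") not in ("masquerade", "src-nat"):
            continue
        if "out-interface" in r or "out-interface-list" in r:
            continue   # bound to an egress interface: loopback traffic never matches
        shown = " ".join(f"{k}={r[k]}" for k in ("chain", "action", "src-address") if k in r)
        if covers(r.get("src-address"), LOOPBACK) and covers(r.get("dst-address"), LOOPBACK):
            findings.append(("matches loopback", shown))
        else:
            findings.append(("no out-interface", shown))
    return findings

if __name__ == "__main__":
    for verdict, rule in check_srcnat_rules(SAMPLE_RULES):
        print(f"{verdict:18} {rule}")
```

Feed it the output of /ip firewall nat print or /ip firewall nat export; rule 17 in the sample passes because it is bound to pppoe-out1, while the bare client-side masquerade is the one that can rewrite loopback traffic.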
