Page 1 of 1

mikrotik framed-ip-address and framed-ip-pool bug

Posted: Wed Apr 29, 2009 3:09 pm
by reeeq
Hello,

any other ever experienced that the mikrotik will be locked / hang when it received framed-ip-address or framed-ip-pool reply from radius.

i tried on mikrotik 3.23, 3.22, i guess all of 3.x have that bug,
because it is not happened on mikrotik 2.9.51.

any confirmation please,

thank you

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Wed Apr 29, 2009 4:27 pm
by magic
Hi,

It works fine for me both in 3.22 and 3.23.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Wed Apr 29, 2009 5:34 pm
by reeeq
Hi,

what kind attribute did you use for 3.22 or 3.23,
since i even tried it with userman, but the result is the same, the mikrotik lock up.

i have make sure that the pool name already exist on mikrotik (when i used framed-ip-pool), and do make sure that the ip static that i want to assign are available too (when i used framed-ip-address).

anyway, the same configuration does work on 2.9.51.

or maybe there are some conflicting package on the mikrotik,
i installed all packages on the mikrotik except xen package.

thank you

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Wed Apr 29, 2009 8:39 pm
by reeeq
And what service did you used ?
ppp or hotspot ?

i'm currently have the problem on hotspot service,
the router will lock when a user that has ip assign or pool assign from radius trying to login.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Wed Apr 29, 2009 10:56 pm
by SurferTim
I checked the "Framed-Pool" value on a RB433AH and FreeRADIUS. It works. See this post:
http://forum.mikrotik.com/viewtopic.php?f=2&t=31374

ADD: I just checked the "Framed-Pool" on the DHCP server also. It assigned the correct ip pool. No lockup. Tried the same setup with a hotspot on the interface. RADIUS issued the Framed-Pool, and the user/password for the login. Also no lockup.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 7:48 am
by reeeq
I already read this post,
and i know that when the framed-ip-pool assign it will be on one-to-one nat.

on my 2.9.51 it works,
but not with 3.x,
trying on other hardware, trying on usermanager as radius,
nothing work when you assign frame-ip-pool or frame-ip-address, it will lock the mikrotik.

anyone else has this experience ?

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 10:51 am
by SurferTim
I know that is a typo, isn't it? It is not "framed-ip-pool", just "Framed-Pool", correct? I just checked it again on a RB433AH V3.13 with hotspot and dhcp. Works fine. No lock.

I know. I have heard it before. I guess I am just lucky... :D

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 10:56 am
by reeeq
yups,
typo :p i meant frame-pool,
btw SurferTim,
would you test your MT box by using radius from built in usermanager ?
is it working fine too ?

thk u

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 11:09 am
by SurferTim
Unfortunately, I do not use the UserManager. I use FreeRADIUS. I use a diagnostic program included with FreeRADIUS called radtest to insure the server is returning the correct values before attempting any tests. I do not know if the same feature exists for the UserManager.

I do know that most RADIUS releases will not return a value if that value is not listed in the RADIUS dictionary, so incorrect spelling or caps should not cause a problem, it just won't return that value. That causes a problem only if another value returned depends on that value getting through.

ADD: Is you UserManager installed on the same device that is failing?

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 11:18 am
by reeeq
Yes, the same like mine, i'm using freeradius too,
i tried freeradius and usermanager as radius server on MT 2.9.51, worked.
i tried freeradius and usermanager as radius server on MT 3.22, 3.21, the MT hang.

you could get the usermanager on you MT by installing usermanager package for your version,
logging in to usermanager using http://yourMTipaddress/userman (if you still using port 80 as your http port),
create some user with pool or ip static assigned,
create router(NAS) with ip 127.0.0.1 and somesecretNAS,
pointing your hotspot profile to 127.0.0.1 and same secretNAS,
and tried to logging in the user that created by usermanager via hotspot interface.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 11:23 am
by SurferTim
Well, if you are using FreeRADIUS, how does radtest work with the request from it? From a shell
radtest user password 127.0.0.1 0 radiussecret
Is it returning what you expect?

ADD: If you do not return the Framed-Pool value, does the MT box still lock? And all the IP pools are in the localnet for the hotspot interface, correct? And none overlap?

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 12:20 pm
by reeeq
Yes,
of course, radtest to freeradius returning the attribute that i want to for frame-pool and frame-ip-pool,
the freeradius frame-pool and frame-ip-address working fine on 2.9.51.

When i didnt use frame-pool or frame-ip-address reply to MT 3.22, 3.23, all working fine (no lock up).


any suggestion or information from MT guy ?

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 12:25 pm
by SurferTim
If you want faster response, generate a supout.rif file and email it to support (at) mikrotik.com with a brief explanation of the problem. I would do it right now, before they go home for the weekend!!

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 12:34 pm
by reeeq
Thank You SurferTim,
anyway i tried to downgrade to 3.13, and it is working !!
thank you for your previous post that mention you are using 3.13,
i'm gonna try another version of MT 3.x,
making it sure.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 12:42 pm
by SurferTim
I know what you mean... That is why I always try to include what hardware/software I am using this on. Sometimes that is the key. I would recommend generating a supout.rif file, and email it to support, and certainly if it works on V3.13, and not on the later versions.

The MikroTik crew tried to get me to update my boxes to V3.22 in the middle of my SnowBird season. I politely refused, citing the potential for a very angry mob storming my house in the middle of the night if the update fails.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 1:17 pm
by reeeq
Here is my conclusion (not the absolute one :p),
previous version of 3.13 will work with hotspot frame-pool and frame-ip-address (i tried on 3.13,3.10, 2.9.51)
and will fail (MT box will hang) if I use version after 3.13 ( i tried on 3.15, 3.16, 3.22, until the newest one 3.23).

maybe the information can help any one who face the same problem :)

thks

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Thu Apr 30, 2009 2:38 pm
by omega-00
hehe surfertim I know your feeling exactly :-)

I should look at some way to drop both a copy of the current MT package (stored in a temp folder) and a newer one on a router, and force it to downgrade 5 minutes after reboot if the startup script is not disabled or removed.

This would mean we could test back in the office (to confirm the mikrotik package applied and didn't brick the router) then attempt on a remote device, if it we can't access it within 5 minutes of it starting it then will run the downgrade script to pull the old package file out of the folder and then downgrade/reboot to previous settings.

Works in theory I guess but theres still a level of risk as you're running a downgrade on a system that may now be broken.

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Mon May 04, 2009 4:09 pm
by Ozelo
Dear all,


We don't know really if it is all about irregular radius attributes, but last weekend we faced something new. After a abnormal behavior of our freeradius suddenly many of our devices stuck within the IP POOL facility. We would like to know if anyone are facing a similar problem shown in the screenshot below:

Image

We contacted support, both screenshot and supout files was sent. Hope we can solve this problem ASAP. We just think that MT ROS could be more robust against such a abnormal behavior.


Thanks
Ozelo

Re: mikrotik framed-ip-address and framed-ip-pool bug

Posted: Mon May 04, 2009 8:11 pm
by Ozelo
Ok folks, Ive found part of the problem. MT ROS IP Pool facility started a endless loop when there was an entry with EMPTY INFO, as shown above. It will eventually lock your board. In my case, MT goes crazy just because our radius was abnormally sending access-accept for empty user and password packets. IF you prevent blank entries on the ROS ip pool facility, this problem don't happen. My case!

Thanks
Ozelo