
radius server

Posted: Fri May 13, 2011 12:52 pm
by shadowskippie
I need a little help with a radius server

The base problem is that when a request comes in from another router on the network, it comes through the interface that the RADIUS server hooks to. The problem is that the RADIUS server thinks it's the interface that is generating the request, and so it sends the reply back to that interface instead of to the router it should go to.

Now, the reason I have found is that there is a masquerade on the router that this interface is a part of, and it cannot be removed or the clients will not be able to get to the internet or the mail server.

The odd thing is that we used to have a working RADIUS server until it died and I've had to create a new one, and I set it up the same way our last network admin set it up. I just can't understand how to get this working.
Can anyone help, please?

Re: radius server

Posted: Fri May 13, 2011 1:37 pm
by babbage
Upload an understandable layout of your network + MikroTik configurations, including your IP address subnets.

Re: radius server

Posted: Fri May 13, 2011 2:07 pm
by SurferTim
I have several hotspot routers using a remote RADIUS server behind a masquerade with no problems. Maybe it is the masquerade. Can you post "/ip firewall nat"?

Re: radius server

Posted: Fri May 13, 2011 2:37 pm
by shadowskippie
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade
Not really much there. I'm too scared to play with that, as that little piece there is needed to keep everything going :(

Re: radius server

Posted: Fri May 13, 2011 2:45 pm
by SurferTim
Try one simple change first. This should not affect the masquerade in a negative way.
/ip firewall nat
set 0 out-interface=ether1
If ether1 is not your WAN interface, change that to the one that is.

Re: radius server

Posted: Fri May 13, 2011 2:58 pm
by shadowskippie
Sorry, could you explain what that will do?

You see, ether1 goes to the source of the net and ether2 goes to the office where our mail server and RADIUS server are sitting.

Again, I'm very scared of playing with this stuff, as every time I mess with that I break the net :? :(

Re: radius server

Posted: Fri May 13, 2011 3:02 pm
by SurferTim
Don't be afraid! You shouldn't be too worried about it. It is already broken. :?

The out-interface parameter will masquerade IP addresses as the IP of ether1 only. What is happening now is that you are masquerading out every interface, including ether2, where your RADIUS server is. With this new change, the packets going to ether2 will no longer be masqueraded as the IP of ether2 on that subnet.

Re: radius server

Posted: Fri May 13, 2011 3:13 pm
by shadowskippie
Okay, I see now.
I'll run some tests from my house late tonight; at least then all the people who can phone and blow my eardrums out will be asleep :lol:

thanks for the help :)

Re: radius server

Posted: Fri May 13, 2011 3:20 pm
by SurferTim
I hope you get no calls at all from this change. There is no reason it should affect the rest of your network. The only interface you should need a masquerade on is the WAN interface. All other destination subnets (ether2, ether3, wlan1, etc.) should receive packets with no source IP changes.

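The two posts above (the out-interface change, and the point that only the WAN interface needs a masquerade) as a before/after RouterOS configuration. This is an added example, not a configuration posted in the thread. Interface roles follow the thread (ether1 = WAN, ether2 = office LAN with the RADIUS and mail servers); the addresses and the RADIUS port are assumptions for illustration only.

```routeros
# Added example, not from the original thread.
# Assumed addressing: router holds 192.168.252.1/24 on ether2; RADIUS server
# at 192.168.252.10; a remote router (the real NAS) at 192.168.100.5 sends
# RADIUS (assumed UDP/1812) through this router to the office.

# BEFORE: the rule exactly as posted. With no out-interface, every forwarded
# packet is masqueraded, including packets going *into* ether2. The RADIUS
# server therefore sees every request sourced from 192.168.252.1 (this
# router's ether2 address) and answers to the router, not to the real NAS.
/ip firewall nat
add chain=srcnat action=masquerade

# AFTER: the same rule (rule number 0 in the posted print), scoped to the WAN.
# Packets toward the office subnet now keep their original source address, so
# the RADIUS server can match the NAS by IP and the Access-Accept/Reject is
# routed back to 192.168.100.5 instead of to this router.
/ip firewall nat
set 0 out-interface=ether1

# The same rule written from scratch, for a router being built new:
# /ip firewall nat
# add chain=srcnat out-interface=ether1 action=masquerade comment="NAT toward WAN only"

# Check 1: the rule should now show out-interface=ether1.
/ip firewall nat print

# Check 2: capture on ether2 while a client authenticates. The source address
# of the RADIUS requests should be the remote router, not 192.168.252.1.
/tool sniffer quick interface=ether2 ip-protocol=udp port=1812
```

Once the source addresses stop being rewritten, the RADIUS server's client list has to contain each remote router's real address (and shared secret) rather than the single address of this router's ether2 side; with the old rule every NAS appeared to be that one address, which is why the server "thought the interface was generating the request".
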
Re: radius server

Posted: Fri May 13, 2011 3:28 pm
by shadowskippie
The only thing that worries me is the mail server. I've had some clients have their systems hook to its internal address instead of its external one, even though the DNS should be pointing them to the external.

Sigh, well, one step at a time, I always say; otherwise I would not be where I am now... you should have seen the shark-infested waters I had to cross before getting to this point :P

Re: radius server

Posted: Fri May 13, 2011 3:32 pm
by SurferTim
Shark infested waters? Don't be afraid of the bloody water. What could possibly happen?
http://sharkattacksurvivors.com/shark_a ... .php?t=720
Take a chance! :D

Re: radius server

Posted: Fri May 13, 2011 3:39 pm
by normis
Shark infested waters? Don't be afraid of the bloody water. What could possibly happen?
http://sharkattacksurvivors.com/shark_a ... .php?t=720
Take a chance! :D
Must have been terrible to witness that, Tim

Re: radius server

Posted: Fri May 13, 2011 3:45 pm
by SurferTim
@normis: I don't remember a lot of it clearly. Some parts are a little hazy. I was rushing so bad on adrenaline, and trying to keep the shark from eating us both. It made a few passes at us on the way to the beach. Very bad. :(

For those that are interested, Discovery Channel's Shark Week should be on in early July. My episode is "Shark Attack: Predators in the Panhandle". Don't venture too far from shore without a way to get completely out of the water!

ADD: If you have DNS challenges with the email server, you can set the localnet IP for the server.
/ip dns static
add name=mail.mydomain.com address=192.168.0.2
Change the name to the domain name and address to the localnet address of the email server.
This changes only localnet DNS. External DNS will still resolve to the public IP. This DNS change is effective even if the client computer does not have the IP of the router set in its DNS settings.

Ensure the email server is set to relay outbound email for your localnet IPs. All subnets. If your email server was set to relay email for just the subnet it was on, that would explain why it would work with a masquerade but wouldn't without it.

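The split-horizon DNS entry from the post above, written out as a complete RouterOS fragment with the settings around it that make it take effect. This is an added example, not configuration from the thread. The hostname mail.mydomain.com is Tim's placeholder; the mail server address 192.168.252.10, the router's LAN address 192.168.252.1 and the office interface ether2 are assumptions.

```routeros
# Added example, not from the original thread.
# Assumptions: office LAN on ether2, router at 192.168.252.1, mail server at
# 192.168.252.10 (the thread shows 192.168.0.2 as a placeholder).

# The router only answers DNS from LAN clients if remote requests are allowed.
/ip dns
set allow-remote-requests=yes

# Static split-horizon entry: a client that asks this router for the mail
# host gets the LAN address. Resolvers on the internet still hand out the
# public IP, so nothing changes for external senders.
/ip dns static
add name=mail.mydomain.com address=192.168.252.10 comment="split DNS for office clients"

# Check from the router itself: the first lookup goes through the router's
# resolver and should return the LAN address; the second asks a public
# resolver (Google, assumed reachable) and should return the public address.
:put [:resolve mail.mydomain.com server=192.168.252.1]
:put [:resolve mail.mydomain.com server=8.8.8.8]

# A client whose stub resolver points straight at an external server never
# consults this router's static table. A hotspot steers port 53 to the
# router on its own; on a plain router the same effect comes from redirecting
# LAN-side DNS to the router's own resolver:
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS via router"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS via router"
```

The redirect rules live in the dstnat chain, so they do not interact with the srcnat masquerade discussed earlier in the thread; the two chains are evaluated separately. The mail server's relay list is a server-side setting and is not covered here.
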
Re: radius server

Posted: Tue May 17, 2011 9:28 am
by shadowskippie
Right.

I did the change last night for a test (it took me a while to nail down some other issues) and found that, despite all the towers pinging the external IP when pinging the domain, my machine still pings the internal :? Very strange, but I'm gonna skip this issue for now.
All I know is that the net still works fine and no major surprises jumped out at me.

The new issue now is that I can no longer ping into the office, although I did know this was going to happen.
The main network is 192.168.100.0 and strings itself together with OSPF, but the office is running on 192.168.252.0.
Of course it works getting out, but I still need to see in somehow, at least for the mail server and RADIUS.

How would I get that right without using NAT?

Re: radius server

Posted: Tue May 17, 2011 1:13 pm
by SurferTim
That is a different subject. I recommend starting a new thread for that, and include a simple diagram of your network setup, especially the part that applies to your office.