Hi,
I'm new to RouterOS and MikroTik equipment in general, so please excuse if I make some silly mistakes.
I am trying to work up a specific config for a RouterBoard 500 (three ethernet interfaces and one wireless interface) that involves an arbitrary type of connection for the internet facing interface (ether1)... sometimes this will be a pppoe client, sometimes it will have a static IP address and sometimes it will be on the back end of some other device doing NAT.
The RouterBoard will NAT between whatever address it gets on ether1 and the subnets configured for wlan1 and wlan2 (virtual).
On the wireless side, the private address networks behind wlan1 and wlan2 (virtual) will do the following:
wlan1: no encryption, SSID broadcasts enabled, DHCP will provide a private IP address and all port 80 (non-SSL) web traffic will terminate at a single web page regardless of the intended destination.
wlan2 (virtual): PPPoE server will reference an external RADIUS server using a particular realm to authenticate users and provide them with a dynamic private IP address and unfettered internet connectivity. (I'm still mulling over the concept of using PPPoE's MSSE for the wireless session security... the mikrotik "require-security" option... would be interested in knowing other people's opinion on this subject)
I have the preliminary "hard parts" working, with ether1 performing address translation for the wlan1 side, but I can't seem to get wlan2 running the way it should. I have the radius server configured correctly (I believe):
===== begin config dump
interface> print (doing an export here will dump entire config)
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R ether3 ether 0 0 1500
3 wlan1 wlan 0 0 1500
4 wlan2 wlan 0 0 1500
ip address> export
#
/ ip address
add address=192.168.0.10/24 network=192.168.0.0 \
broadcast=192.168.0.255 interface=ether1 comment="" disabled=no
add address=172.16.16.1/24 network=172.16.16.0 \
broadcast=172.16.16.255 interface=wlan1 comment="" disabled=no
add address=172.16.17.1/24 network=172.16.17.0 \
broadcast=172.16.17.255 interface=wlan2 comment="" disabled=no
ip firewall nat> export
#
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" \
disabled=no
radius> export
add service=ppp called-id="" domain="" \
address=an.external.radius.server \
secret="sekritsquril" authentication-port=1645 \
accounting-port=1646 timeout=300ms accounting-backup=no \
realm="wireless.ether.com" comment="" disabled=no
ppp aaa> print (btw, if you do an export here, it dumps everything)
use-radius: yes
accounting: yes
interim-update: 0s
interface pppoe-server> server
<server> export
#
/ interface pppoe-server server
add service-name="GenericWISP" interface=wlan2 max-mtu=1454 \
max-mru=1454 authentication=pap,chap,mschap1,mschap2 \
keepalive-timeout=disabled one-session-per-host=yes \
max-sessions=0 default-profile=wlan-pppoe-profile \
disabled=no
ppp profile> export
#
/ ppp profile
set default name="default" local-address=0.0.0.0 \
remote-address=0.0.0.0 use-compression=yes \
use-vj-compression=yes use-encryption=yes \
only-one=default change-tcp-mss=yes comment=""
add name="wlan-pppoe-profile" local-address=172.16.17.1 \
remote-address=wlan2-pppoe-pool use-compression=yes \
use-vj-compression=yes use-encryption=no only-one=default \
change-tcp-mss=default dns-server=a.dns.server.somewhere \
comment=""
set default-encryption name="default-encryption" \
use-compression=default use-vj-compression=default \
use-encryption=yes only-one=default change-tcp-mss=yes \
comment=""
===== end config dump
What I'm seeing is failed RADIUS authentications (probably due to the fact that I have no locally defined radius user accounts combined with the reality that radius authentications are not making it to the external radius server... I was watching that as well):
/radius monitor
numbers: 0
pending: 0
requests: 39
accepts: 0
rejects: 39
resends: 0
timeouts: 0
bad-replies: 0
last-request-rtt: 80ms
Any suggestions or example configurations would be greatly appreciated.
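As an added illustration (not part of the original post, and not MikroTik code), the exchange the RouterOS RADIUS client performs for a PPPoE/PAP login can be walked through in a few dozen lines of Python following RFC 2865: the NAS builds an Access-Request with a random Request Authenticator and a password hidden under the shared secret, the server answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply plus the same secret, and the NAS only counts a reply as an accept or reject after that authenticator verifies; a reply that fails verification (wrong secret on one side, or a tampered packet) is what a client-side "bad-replies" counter records. The user name, password and the use of the configured realm as a User-Name suffix are constructed assumptions; the shared secret is the one from the config above.

```python
"""Constructed RADIUS (RFC 2865) exchange: Access-Request carrying a PAP
password, Access-Accept/Reject from a toy server, and the client-side
check that decides whether a reply is an accept, a reject or a bad reply."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attr(attr_type, value):
    """Type (1 byte), Length (1 byte, includes this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    """Return {type: value} for the attribute list after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; this is the server side of PAP."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """NAS side: Code 1, Identifier, Length, random 16-byte Request Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)
    body = (encode_attr(ATTR_USER_NAME, username)
            + encode_attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
            + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_response(secret, code, request, attrs=()):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def classify_reply(secret, request, reply):
    """What a NAS counter records for this reply: 'accept', 'reject' or 'bad-reply'."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "bad-reply"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-reply"  # shared secret mismatch or tampered packet
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "bad-reply")


def simulate_exchange(nas_secret, server_secret, known_users):
    """Constructed end-to-end run: a NAS that appends the realm to the user name
    (assumption) talks to a toy server that only knows `known_users`."""
    request = build_access_request(nas_secret, 42, b"alice@wireless.ether.com", b"pw", "172.16.17.1")
    attrs = parse_attrs(request)
    password = reveal_password(server_secret, request[4:20], attrs[ATTR_USER_PASSWORD])
    ok = known_users.get(attrs[ATTR_USER_NAME]) == password
    reply = build_response(server_secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, request)
    return classify_reply(nas_secret, request, reply)


if __name__ == "__main__":
    shared = b"sekritsquril"  # secret from the posted /radius export
    print(simulate_exchange(shared, shared, {}))                                    # reject
    print(simulate_exchange(shared, shared, {b"alice@wireless.ether.com": b"pw"}))  # accept
    print(simulate_exchange(shared, b"different-secret", {}))                        # bad-reply
```

The three runs at the bottom show the distinction the monitor counters encode: with matching secrets and no matching account the verdict is a reject, with a known account an accept, and with mismatched secrets a bad reply, because the Response Authenticator no longer verifies on the NAS side.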