moham96
newbie
Topic Author
Posts: 33
Joined: Thu Dec 21, 2017 3:08 pm

Radius server not responding in recent RouterOS

Tue Mar 19, 2019 2:42 pm

Hi,
after setting up the hotspot and User Manager in RouterOS I get "Radius server not responding" when trying to log in on the hotspot page.
The issue persists in recent RouterOS versions: 6.39.3 works fine, 6.44 and 6.44.1 do not.

After digging, it turns out the issue is in one of the firewall rules that gets added by the default configuration (if you use the defaults); disabling this allowed the hotspot to connect to the RADIUS server:
;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
The older version's default script didn't have this; instead it had
;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether5 log=no log-prefix=""
which I think works fine, since it doesn't block the loopback connection (127.0.0.1) between User Manager and the hotspot.
Don't know if this was added by MikroTik intentionally or is just a bug; maybe the script should be corrected to use the older rule, or just add a rule to allow loopback.

This was tested on RB952Ui-5ac2nD and RB951Ui-2HnD

Regards
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Radius server not responding in recent RouterOS

Tue Mar 19, 2019 3:50 pm

It can be either an oversight, or perhaps User Manager is considered advanced config, which the default firewall is not made for and you have to tweak it.

The new rule is safer, because it will block access from everywhere except LAN, while the old one blocked only access from WAN. But there can be more (e.g. VPN) and safe default is to not allow access from there too.

The problem is that RouterOS doesn't expose the loopback interface, even though we all know it's there. Usually you don't need to do anything with it, but sometimes it would be helpful (for this, or to prevent proxy access to localhost, and someone could probably come up with more). But you can also use rules with an IP address, so at least there's a way. Still, sometimes I'd prefer to have a visible and usable loopback interface.
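One way to keep the 6.44 default drop rule and still let the hotspot reach User Manager, using an address-based rule as Sob suggests. This is an added example, not from this thread or from MikroTik's defconf script; it assumes User Manager is registered under /radius with address 127.0.0.1, that the default "accept established,related,untracked" input rule still precedes the drop rule (it passes the RADIUS replies), and that the drop rule still carries the defconf comment shown in the first post.

```routeros
# Added example (not from this thread or MikroTik's defconf script).
# Keeps the 6.44 default "drop all not coming from LAN" input rule and adds
# a narrow exception for the RADIUS exchange between the hotspot and User
# Manager over the router's own loopback address.
#
# Assumptions: User Manager is listed under /radius with address 127.0.0.1,
# the defconf "accept established,related,untracked" input rule sits above
# the drop rule (so replies from User Manager are accepted as established),
# and the drop rule still carries its defconf comment.

/ip firewall filter
# Match only loopback-to-loopback UDP on the standard RADIUS ports
# (1812 authentication, 1813 accounting). Because both addresses are
# 127.0.0.1, this does not widen access from WAN or VPN interfaces, which
# the default drop rule continues to cover.
add chain=input action=accept protocol=udp \
    src-address=127.0.0.1 dst-address=127.0.0.1 dst-port=1812,1813 \
    comment="allow local RADIUS: hotspot -> User Manager" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Verify: the accept rule's packet counter should rise on each hotspot
# login attempt, while the defconf drop rule stops counting loopback hits.
print stats where comment~"RADIUS"

# Confirm User Manager really is reached over loopback, and watch the log
# for any remaining "radius server not responding" entries.
/radius print where address=127.0.0.1
/log print where message~"radius"
```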
 
moham96
newbie
Topic Author
Posts: 33
Joined: Thu Dec 21, 2017 3:08 pm

Re: Radius server not responding in recent RouterOS

Fri Mar 22, 2019 7:57 am

> It can be either an oversight, or perhaps User Manager is considered advanced config, which the default firewall is not made for and you have to tweak it.
>
> The new rule is safer, because it will block access from everywhere except LAN, while the old one blocked only access from WAN. But there can be more (e.g. VPN) and safe default is to not allow access from there too.
>
> The problem is that RouterOS doesn't expose the loopback interface, even though we all know it's there. Usually you don't need to do anything with it, but sometimes it would be helpful (for this, or to prevent proxy access to localhost, and someone could probably come up with more). But you can also use rules with an IP address, so at least there's a way. Still, sometimes I'd prefer to have a visible and usable loopback interface.
I don't use VPN, so it doesn't make a difference to me. Can you think of any other case in which the new rule is more useful than the old one?
Also, for VPN or any other interface we can change the old rule to
;;; defconf: drop all from WAN
      chain=input action=drop in-interface-list=WAN log=no log-prefix=""
and add the WAN interfaces (Ethernet WAN, VPN, etc.) to the WAN interface list; that way we block traffic from those interfaces but we don't block loopback.

Regards
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Radius server not responding in recent RouterOS

Fri Mar 22, 2019 1:57 pm

You can take it as a philosophical difference:

a) Interface X is safe => block access from anywhere else
b) Interface X is unsafe => block access from there

If another unsafe interface appears in the system, you're still safe with a), but unsafe with b), so I'd say that a) is the right choice for the default firewall.

The fact that it blocks User Manager is of course unfortunate. But we're talking about the default firewall, which is mainly for users who don't know what they are doing. People who need User Manager are only a tiny fraction of all users, and they should also be much more skilled than the average beginner, so they can handle something like this. But if you disagree, feel free to convince MikroTik to change it.
