holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Hotspot and Radius / volume limit doesn't work ?

Tue Nov 23, 2021 5:43 pm

Hi,

Config for lab environment:
mAP as CAPSMAN, 7.1rc6
mAPLite as CAP, 7.1rc6

Ultimate target is to transfer the setup to a SXT LTE acting as CAPSMAN and 2 CAPs devices for Guest access in a vacation home in France which is for rent part of the year but has limited LTE volume (90Gb per month).

mAP is connected via eth1 to Hex and then to ISP. eth2 setup as DHCP with 192.168.92.0/24 subnet. No problem here.
mAP Lite is reset to factory conditions and then set in CAPS mode. Connection to mAP using eth2 and PoE. This part also works.
Separate interface for Guest network, VLAN=10, DHCP server in 192.168.100.0/24 range.
CAPSMAN with regular SSID and 1 slave Guest network on VLAN10. All traffic going back to CAPSMAN. Works as intended.
Hotspot has been set on mAP, using RADIUS.
Userman package loaded, 1 user defined, profile made, limitations made.
Caveat: loopback bridge interface created for Radius/Userman communication since I read somewhere that simply providing the local IP of the bridge or 127.0.0.1 sometimes causes issues? True/false?

The TX/RX limitations work (give or take) as long as you keep in mind the directions are switched (download = TX and upload = RX). I don't really see the logic here but that's what it is.
However, I don't seem to be able to get the volume limit active (bytes, kb, mb, gb,... whatever).
Whatever I put in, I always seem to be able to get past that volume. Or is another unit in play which provides the limit?
I can go with a tablet connected to that Guest to hotspot.local (DNS name I used) and it shows me the status page for that device/user. Obviously with down/upload going way beyond what I intended.

What also bothers me, WHERE can you as admin easily see the limits of a user ?
I don't see anything in userman/session, I do see something in Hotspot/Active or Hotspot/Hosts.
Is that the place to be ?

Next things to test are disconnects, connects, multiple devices using same user, ... etc etc.
But I first want to get the fundamentals right. And if volume limitation does not properly work, it's not ok.

Since everything is basically done on the mAP, I've provided its config.
mAP Lite doesn't seem to be relevant given the fact it runs under capsman control here.

Comments more than welcome but please clarify WHY things need to be changed in a certain way. I'm still learning a lot myself.
Pointers to relevant documentation/setup guides also more than welcome.
Be gentle please :)
# nov/23/2021 16:13:25 by RouterOS 7.1rc6
# software id = 2H6H-TEI8
#
# model = RBmAP2nD
# serial number = DE4F0E7FE8F1
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2.4
/interface bridge
add name=Loopback
add admin-mac=2C:C8:1B:C0:6C:52 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-C06C54 wireless-protocol=802.11
/interface vlan
add interface=bridge name=Guest vlan-id=10
/caps-man datapath
add bridge=bridge name=default
add bridge=bridge name=Guest vlan-id=10 vlan-mode=use-tag
/caps-man rates
add basic=1Mbps,2Mbps,5.5Mbps name=Guest supported=1Mbps,2Mbps,5.5Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=MikroTik
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Guest
add name=NoSecurity
/caps-man configuration
add channel=2.4 country=france datapath.bridge=bridge distance=indoors \
    hide-ssid=no hw-retries=4 name=config2.4 security=MikroTik ssid=\
    MikroTik2.4
add channel=2.4 country=france datapath=Guest name=Guest rates=Guest \
    security=NoSecurity ssid=Guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.local hotspot-address=192.168.100.1 html-directory=\
    flash/hotspot name=hsprof1 use-radius=yes
/ip pool
add name=default-dhcp ranges=192.168.92.10-192.168.92.20
add name=Guest ranges=192.168.100.100-192.168.100.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=Guest interface=Guest name=Guest
/ip hotspot
add address-pool=Guest disabled=no interface=Guest name=hotspot1 profile=\
    hsprof1
/queue simple
add disabled=yes limit-at=1M/2M max-limit=1M/2M name=Guest target=Guest
/user-manager limitation
add download-limit=5000000B name=10M_5Mbps rate-limit-burst-rx=3000000B \
    rate-limit-burst-time-rx=15s rate-limit-burst-time-tx=15s \
    rate-limit-burst-tx=6000000B rate-limit-rx=2000000B rate-limit-tx=\
    5000000B reset-counters-interval=daily transfer-limit=10000000B \
    upload-limit=9000000B uptime-limit=4d
/user-manager profile
add name=Profile1 name-for-users=Profile1 override-shared-users=unlimited
/user-manager user
add name=User2
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config2.4 slave-configurations=Guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.92.1/24 comment=defconf interface=bridge network=\
    192.168.92.0
add address=192.168.100.1/24 interface=Guest network=192.168.100.0
add address=10.10.0.1 interface=Loopback network=10.10.0.1
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.92.0/24 comment=defconf dns-server=192.168.92.1 gateway=\
    192.168.92.1
add address=192.168.100.0/24 dns-server=208.67.222.222,208.67.220.220 \
    gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=reject chain=input dst-address=192.168.92.0/24 in-interface=Guest \
    reject-with=icmp-network-unreachable src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "accept from local network (Lab Environment)" src-address=192.168.2.0/24
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.100.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add name=dexter
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/radius
add address=10.10.0.1 service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Map2nD
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.87.76.3
add address=185.111.204.220
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/user-manager
set enabled=yes use-profiles=yes
/user-manager profile-limitation
add limitation=10M_5Mbps profile=Profile1
/user-manager router
add address=10.10.0.1 name=LocalRouter
/user-manager user-profile
add profile=Profile1 user=User2
 
holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Hotspot and Radius / volume limit doesn't work ?

Sun Nov 28, 2021 5:08 pm

191 views yet zero replies ...
Oh well.

Took one step back:
only config with CAPSMAN and HOTSPOT. Omitted the Radius part to simplify and get the basics right (and I understood there is a rather low limit on the number of active users when using built-in Radius, although 20 might still be more than enough for my purposes).
Traffic bandwidth limit set on userprofile (actually various limits to test) and total volume limit set on user.
And then a script to clear counters every night (or whatever timeframe suits me during testing).
Default anonymous queue to limit unregistered users to a ridiculously low amount. So they can never say it does not work at all :lol:
All of this works.

It nearly works as I intend because something is bothering me.

When I specify IP pool in Hotspot same as Guest network, I get an active session with IP A and a Host session with IP B.
In Wifi settings of that device I do see IP B.
In Status page for hotspot on that same device I see IP A.
If I disable pool in hotspot, I'm still seeing this double IP registration.
Disabling the DHCP server on the Guest interface clearly does not work. Device does not get an IP (which makes sense).
The fact that 2 IPs seem to be in play prevents the consistent reporting of user/session limits. On the device screen it resets to zero when I disconnect/reconnect, but on the Tik it does count in the host part.
And the user DOES get cut off when surpassing traffic limits.
Functionally still ok from my point of view but not very user-friendly.

So I must be missing something in my setup.

The Powers That Be don't have a clue ?

Current config attached.
# nov/28/2021 16:06:22 by RouterOS 7.1rc6
# software id = 2H6H-TEI8
#
# model = RBmAP2nD
# serial number = DE4F0E7FE8F1
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2.4
/interface bridge
add admin-mac=2C:C8:1B:C0:6C:52 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-C06C54 wireless-protocol=802.11
/interface vlan
add interface=bridge name=Guest vlan-id=10
/caps-man datapath
add bridge=bridge name=default
add bridge=bridge name=Guest vlan-id=10 vlan-mode=use-tag
/caps-man rates
add basic=1Mbps,2Mbps,5.5Mbps name=Guest supported=1Mbps,2Mbps,5.5Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=MikroTik
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Guest
add name=NoSecurity
/caps-man configuration
add channel=2.4 country=france datapath.bridge=bridge distance=indoors \
    hide-ssid=no hw-retries=4 name=config2.4 security=MikroTik ssid=\
    MikroTik2.4
add channel=2.4 country=france datapath=Guest name=Guest rates=Guest \
    security=NoSecurity ssid=LaFolliaGuest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.local hotspot-address=192.168.100.1 html-directory=\
    flash/hotspot name=hsprof1
/ip hotspot
add addresses-per-mac=unlimited disabled=no interface=Guest name=hotspot1 \
    profile=hsprof1
/ip pool
add name=default-dhcp ranges=192.168.92.10-192.168.92.20
add name=Guest ranges=192.168.100.100-192.168.100.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=Guest interface=Guest name=Guest
/ip hotspot user profile
add address-pool=Guest name=5M2M rate-limit=2M/5M shared-users=unlimited
add address-pool=Guest name=10M3M rate-limit=5M/10M shared-users=unlimited
add address-pool=Guest name=70M20M rate-limit=20M/70M shared-users=unlimited
/queue simple
add limit-at=256k/256k max-limit=256k/256k name=Guest target=Guest
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config2.4 slave-configurations=Guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.92.1/24 comment=defconf interface=bridge network=\
    192.168.92.0
add address=192.168.100.1/24 interface=Guest network=192.168.100.0
add address=10.10.0.1 network=10.10.0.1
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.92.0/24 comment=defconf dns-server=192.168.92.1 gateway=\
    192.168.92.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=reject chain=input dst-address=192.168.92.0/24 in-interface=Guest \
    reject-with=icmp-network-unreachable src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "accept from local network (Lab Environment)" src-address=192.168.2.0/24
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.100.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add limit-bytes-total=600000000 name=User9 profile=10M3M
add limit-bytes-total=600000000 name=Usertab profile=5M2M
add limit-bytes-total=600000000 name=Usertab2 profile=70M20M
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list !dst-port \
    !protocol server=hotspot1 !src-address !src-address-list
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Map2nD
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.87.76.3
add address=185.111.204.220
/system scheduler
add interval=1d name=RestCountersHotspot on-event=\
    "/system script run resetcounter" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/26/2021 start-time=23:23:59
/system script
add dont-require-permissions=yes name=resetcounter owner=holvoetn policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip hotspot user reset-counters "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
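The "where can an admin see the limits" question, the switched TX/RX directions, and the doubled masquerade rule in the first export can all be checked offline. The Python below is an added example, not code from the thread or from MikroTik: a small parser for the RouterOS export format that flags duplicate rules within a section and evaluates a constructed usage snapshot against the limit-bytes-total and rate-limit values of this config. The decimal k/M/G multipliers and the bytes-in/bytes-out to upload/download mapping are assumptions, stated in the code.

```python
"""Parse a RouterOS /export offline and check the hotspot limits it defines.

Added example for this thread, not MikroTik code: it reads the export
format pasted in the posts (backslash line continuations, quoted values,
`!key` unset flags), reports rules that are exact duplicates within one
section, and evaluates a constructed usage snapshot against the
limit-bytes-total and rate-limit values the second config sets.
Assumption: RouterOS k/M/G suffixes are taken as decimal (1k = 1000).
"""
import re
import shlex
from collections import Counter

# Constructed excerpt assembled from the two configs pasted above.
SAMPLE_EXPORT = r"""
/ip hotspot user profile
add address-pool=Guest name=10M3M rate-limit=5M/10M shared-users=unlimited
/ip hotspot user
add limit-bytes-total=600000000 name=User9 profile=10M3M
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.100.0/24
"""

_SUFFIX = {"": 1, "b": 1, "k": 10**3, "m": 10**6, "g": 10**9}


def parse_size(value):
    """'600000000', '5000000B', '5M', '256k' -> int (bytes, or bits for rates)."""
    m = re.fullmatch(r"(\d+)([bkmgBKMG]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]


def parse_export(text):
    """Return a list of (section, command, params) triples.

    Continuation lines end in a backslash; a leading '!' marks a parameter
    that is explicitly unset, recorded here with value None. Tokens without
    '=' (e.g. the brackets of `set [ find ... ]`) are ignored.
    """
    section, entries, buf = None, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        params = {}
        for tok in tokens[1:]:
            if tok.startswith("!"):
                params[tok[1:]] = None
            elif "=" in tok:
                key, _, val = tok.partition("=")
                params[key] = val
        entries.append((section, tokens[0], params))
    return entries


def find_duplicates(entries):
    """Exact duplicate rules inside one section (e.g. a doubled NAT rule)."""
    def key(entry):
        section, command, params = entry
        return (section, command, tuple(sorted(params.items(), key=lambda kv: kv[0])))
    counts = Counter(key(e) for e in entries)
    return [k for k, n in counts.items() if n > 1]


def hotspot_limits(entries):
    """Map hotspot user -> limit_bytes_total plus upload/download bps.

    Hotspot rate-limit is written rx/tx from the router's point of view, so
    rx is the client's upload and tx its download (the 'switched' directions
    the first post describes). A missing or 0 limit means unlimited.
    """
    profiles = {p["name"]: p for s, _, p in entries if s == "/ip hotspot user profile"}
    users = {}
    for s, _, p in entries:
        if s != "/ip hotspot user":
            continue
        prof = profiles.get(p.get("profile"), {})
        rx, _, tx = prof.get("rate-limit", "0/0").partition("/")
        users[p["name"]] = {
            "limit_bytes_total": parse_size(p.get("limit-bytes-total", "0")),
            "upload_bps": parse_size(rx),
            "download_bps": parse_size(tx),
        }
    return users


def quota_exceeded(limits, user, bytes_in, bytes_out):
    """True when the session's combined volume passed limit-bytes-total.

    Assumption: bytes_in/bytes_out follow the hotspot active-session counters,
    in = what the client sent (upload), out = what it received (download).
    """
    total = limits[user]["limit_bytes_total"]
    return total > 0 and bytes_in + bytes_out > total


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for section, command, params in find_duplicates(entries):
        print("duplicate rule in", section, ":", dict(params))
    limits = hotspot_limits(entries)
    print("User9 limits:", limits["User9"])
    print("User9 cut off:", quota_exceeded(limits, "User9", 50_000_000, 560_000_000))
```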
 
holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Hotspot and Radius / volume limit doesn't work ?

Sun Nov 28, 2021 5:46 pm

Found it:
pool does not have to be set in Hotspot Servers.
But ALSO NOT in User profiles.

IP is the same now. So that's sorted out.
Strange effect of suddenly being cut after disconnect/connect and surpassing limits still present. Again, functionally still ok from my point of view (really don't want to see that volume being consumed by 1 party in 1 week time as has happened recently !!)

Back to the lab environment for further testing of other conditions :D
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Hotspot and Radius / volume limit doesn't work ?

Sat Jul 15, 2023 1:03 pm

Thx @holvoetn.

Still have to do something similar. But I don't use CAPsMAN nor Hotspot. Hotspot could be added if login is 100% transparent to RADIUS enterprise connect to wifi (WPA2 Enterprise).
We will now use a hAP ax³ for "User Manager" with its level 6 license, and use the hAP ax³ as internet edge router, with NAT and filtering (not the AX wifi, as this is not 4-address WLAN).
 
holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Hotspot and Radius / volume limit doesn't work ?

Sat Jul 15, 2023 1:59 pm

Blast from the past ? :lol:

Interesting about ax3 having level 6 whereas ax2 has level 4.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Hotspot and Radius / volume limit doesn't work ?

Tue Jul 25, 2023 10:47 pm

Starting my experiments on User Manager v5 (ROS 7) and setting some limits.
Intention is to limit the volume use, to some fair use limit, for the permanent members of the club, and their tenants.

Not using a Hotspot, but the wifi PEAP/Enterprise authentication as an authentication that does not require any user action, except for the first connection of a device.
Works great, the wifi setup in laptop,tablet, smartphone, smartwatch all store the credentials for the wifi network.
So far automatic volume limits were not possible, and there are some very heavy users (>800GB/month)

After seeing this: https://www.youtube.com/watch?v=TrPfGO9AzPk WPA EAP Authentication as a Hotspot Alternative - MIKROTIK TUTORIAL [ENG SUB]
(which corresponds to our current setup, however without limits and without UM on ROS 7), it seemed possible with UM to just add some limits, be it monthly, weekly, daily or hourly.

Good news: it works !
Other news: the user is just denied access until the limit is reset
Bad news: did not find any way to see what part of the volume limit had been consumed. Not by the ROS manager (eg in Winbox), nor by the end-user (The UM web interface for the user)

Only the logging says the counter has been reset:
Klembord-2.jpg
User gets no info (probably the user can change profile, or even buy profiles, but that is not the scope of the experiment)
Klembord-3.jpg
ROS version 7.10.2 ... profile limit information .... not implemented yet ... but it works ! With user and manager left in the dark. Unless someone can point me to the place where to look. CLI maybe?


Rate limit probably needs Hotspot, as even Mikrotik Indonesia says, but how to have Hotspot Login, based on the wifi login [ eg RSSO : RADIUS single signon, as mentioned before ]
 
holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Hotspot and Radius / volume limit doesn't work ?

Wed Jul 26, 2023 6:06 am

Interesting video !

I only wonder why he fiddles with the cable instead of simply using ROMON ? :lol:
 
holvoetn
Forum Guru
Topic Author
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Hotspot and Radius / volume limit doesn't work ?

Wed Jul 26, 2023 11:00 am

Hmmm... trying to setup a test environment at home using Hex and AX lite.
There is no EAP Passthrough for wifiwave2 ??

EDIT: ah, found it, completely elsewhere now...
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Hotspot and Radius / volume limit doesn't work ?

Wed Jul 26, 2023 12:07 pm

Auto-login to the Hotspot is a quite common request, and many have created some solutions: https://loginslink.com/mikrotik-hotspot-automatic-login
But I need a Hotspot login with the same RADIUS/PEAP username.

I have put the "username" in the UserManager attribute "Mikrotik-Wireless-Comment" for that user, so now the username used for the authentication is visible in the wifi registration table under "comment". AFAIK this is lost otherwise.
Now script-create a HOTSPOT MAC cookie ????? MAC and Username are in the registration table entry (registration table collected over all AP's by DUDE)
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Hotspot and Radius / volume limit doesn't work ?

Sat Sep 16, 2023 12:27 pm

Rate limit probably needs Hotspot, as even Mikrotik Indonesia says, but how to have Hotspot Login, based on the wifi login [ eg RSSO : RADIUS single signon, as mentioned before ]
Volume limit is handled at the wifi AP.
Rate limit with RADIUS (User Manager V5) ... found it ... rate limit (max, burst, etc) is used in the DHCP server with Radius, it will create the needed queues per device.

Again same problem, if everything is based on the user account (PEAP username/password), here again the rate limit is based on device MAC-as-username.
DHCP is OK to create the queues without Hotspot.
But how to link the "MAC-username account" to the "Username account" ? So far found something as Auto-MAC-enrollment in "RADIUSDesk". (adding BYOD devices for device based authentication linked to the user based authentication)
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Hotspot and Radius / volume limit doesn't work ?

Sun Sep 17, 2023 4:19 pm

For lack of documentation on "User Manager" and the Mikrotik attributes ... a little experiment.

Created a "volume" limit in User Manager, but this time also added "rate" limits.
This limitation was linked to the username for wifi PEAP login, and was also linked to the MAC address, for DHCP with RADIUS

The TX/RX rate limit was initially set at 30K, and that was a problem (30Kbps (bits), old modem speed)
So bad, that WinBox only showed empty windows (Window appears but no data at all, the first minutes)
Klembord-2.jpg
What happened?

The DHCP linked limitation created the simple queue as expected, on the MT with the DHCP server.
Klembord-3.jpg
DHCP server probably supposed to be on the edge router, so this is for the WAN traffic only.
The initial Max Limit was very low, to see and feel the effect, but the burst limit should make it workable. And LAN traffic should not be affected.

But WinBox was unworkable

Found another place where that Rate Limitation was used ... in the AP's registration table (attribute that comes with the "username" RADIUS entry)
Klembord-4.jpg
No burst here, and the 30K was a problem.
Where else are limitations and attributes used ??? Probably also in the Hotspot, and on VPN ? Documented somewhere?
As said before, didn't find the Volume counters for that limitation (expected in the RADIUS accounting somewhere), but they work.

Also expected the MIN Rate Limit to become the Limit-AT in the queue
But no ... this is not what I thought was logical, the (Max) Rate limit is also used as the Min Rate Limit
Klembord-5.jpg
 name="dhcp-ds<D8:xx:xx:xx:xx:DF>" target=192.168.212.201/32 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=30M/30M max-limit=30M/30M 
      burst-limit=300M/300M burst-threshold=20M/20M burst-time=1m/1m bucket-size=0.1/0.1 