shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

radius server

Fri May 13, 2011 12:52 pm

I need a little help with a RADIUS server.

The base problem is that when a request comes in from another router on the network, it comes through the interface that the RADIUS hooks to. The problem is that the RADIUS thinks it's the interface that is generating the request, and so sends the reply back to that interface instead of to the router it should go to.

Now, the reason I have found is that there is masquerade on the router that this interface is a part of, and it cannot be removed or the clients will not be able to get to the internet or the mail server.

The odd thing is that we used to have a working RADIUS server until it died, and I've had to create a new one, and I set it up the same way our last network admin set it up. I just can't understand how to get this working.
Can anyone help, please?
 
babbage
Trainer
Posts: 37
Joined: Mon Jul 12, 2010 5:55 pm

Re: radius server

Fri May 13, 2011 1:37 pm

Upload an understandable layout of your network plus MikroTik configurations, including your IP address subnets.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 2:07 pm

I have several hotspot routers using a remote RADIUS server behind a masquerade with no problems. Maybe it is the masquerade. Can you post "/ip firewall nat"?
 
shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

Re: radius server

Fri May 13, 2011 2:37 pm

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade
Not really much there. I'm too scared to play with that, as that little piece there is needed to keep everything going :(
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 2:45 pm

Try one simple change first. This should not affect the masquerade in a negative way.
/ip firewall nat
set 0 out-interface=ether1
If ether1 is not your WAN interface, change that to the one that is.
 
shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

Re: radius server

Fri May 13, 2011 2:58 pm

Sorry, could you explain what that will do?

You see, ether1 goes to the source of the net and ether2 goes to the office where our mail server and RADIUS server are sitting.

Again, very scared of playing with this stuff, as every time I mess with that I break the net :? :(
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 3:02 pm

Don't be afraid! You shouldn't be too worried about it. It is already broken. :?

The out-interface parameter will masquerade ip addresses as the ip of ether1 only. What is happening now is you are masquerading out every interface, including ether2, where your RADIUS server is. With this new change, the packets going to ether2 will no longer be masqueraded as the ip of ether2 on that subnet.
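As an added illustration (not code from any poster in this thread), here is a small Python model of the srcnat decision described above: an unrestricted masquerade rule rewrites the source of requests that leave via ether2, so a RADIUS server on the office subnet sees the router's ether2 address instead of the requesting NAS and, per RFC 2865, silently drops the request from an unknown client; the same rule limited to out-interface=ether1 leaves the source intact while still masquerading WAN traffic. Interface names, addresses, routes and the RADIUS client table are constructed assumptions.

```python
# Added example (not from the thread): toy model of RouterOS srcnat masquerade
# and of a RADIUS server's client lookup on the request's source address.
from ipaddress import ip_address, ip_network

# Constructed router: address per interface and a static routing table
ROUTER_ADDR = {"ether1": "203.0.113.10", "ether2": "192.168.252.1"}
ROUTES = [("192.168.252.0/24", "ether2"), ("192.168.100.0/24", "ether3"),
          ("0.0.0.0/0", "ether1")]

# Constructed RADIUS client table (NAS ip -> shared secret), the kind of
# table a FreeRADIUS clients.conf holds
RADIUS_CLIENTS = {"192.168.100.5": "tower5-secret"}

def egress_interface(dst):
    """Longest-prefix match over ROUTES, like the router's routing decision."""
    best = max((ip_network(n) for n, _ in ROUTES
                if ip_address(dst) in ip_network(n)), key=lambda n: n.prefixlen)
    return next(i for n, i in ROUTES if ip_network(n) == best)

def apply_srcnat(packet, rules):
    """Return the packet after the first matching masquerade rule.
    A rule is a dict; 'out-interface' is optional, as in /ip firewall nat."""
    out_if = egress_interface(packet["dst"])
    for rule in rules:
        if rule.get("action") != "masquerade":
            continue
        if rule.get("out-interface", out_if) != out_if:
            continue  # rule limited to another interface: no rewrite
        return {**packet, "src": ROUTER_ADDR[out_if], "out": out_if}
    return {**packet, "out": out_if}

def radius_server_accepts(packet):
    """RFC 2865 section 3: a request from a source that is not in the
    client table is silently discarded, so the NAS never gets a reply."""
    return packet["src"] in RADIUS_CLIENTS

def check(rules):
    """Does an Access-Request from a NAS on ether3 reach the office server?"""
    req = {"src": "192.168.100.5", "dst": "192.168.252.2"}  # NAS -> RADIUS
    return radius_server_accepts(apply_srcnat(req, rules))

# Rule 0 as posted: masquerade on every egress, server sees 192.168.252.1
BROKEN = [{"chain": "srcnat", "action": "masquerade"}]
# Rule 0 after 'set 0 out-interface=ether1': only WAN traffic is rewritten
FIXED = [{"chain": "srcnat", "action": "masquerade", "out-interface": "ether1"}]

if __name__ == "__main__":
    print("unrestricted rule, server accepts:", check(BROKEN))
    print("out-interface=ether1, server accepts:", check(FIXED))
```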
 
shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

Re: radius server

Fri May 13, 2011 3:13 pm

Okay, I see now.
I'll run some tests from my house late tonight; at least then all the people who can phone and blow my eardrums out will be asleep :lol:

Thanks for the help :)
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 3:20 pm

I hope you get no calls at all from this change. There is no reason it should affect the rest of your network. The only interface you should need a masquerade on is the WAN interface. All other destination subnets (ether2, ether3, wlan1, etc) should receive packets with no source ip changes.
 
shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

Re: radius server

Fri May 13, 2011 3:28 pm

The only thing that worries me is the mail server. I've had some clients have their systems hook to its internal address instead of its external, even though the DNS should be pointing them to the external.

Sigh, well, one step at a time I always say; otherwise I would not be where I am now... you should have seen the shark-infested waters I had to cross before getting to this point :P
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 3:32 pm

Shark infested waters? Don't be afraid of the bloody water. What could possibly happen?
http://sharkattacksurvivors.com/shark_a ... .php?t=720
Take a chance! :D
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: radius server

Fri May 13, 2011 3:39 pm

Shark infested waters? Don't be afraid of the bloody water. What could possibly happen?
http://sharkattacksurvivors.com/shark_a ... .php?t=720
Take a chance! :D
Must have been terrible to witness that, Tim
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Fri May 13, 2011 3:45 pm

@normis: I don't remember a lot of it clearly. Some parts are a little hazy. I was rushing so bad on adrenaline, and trying to keep the shark from eating us both. It made a few passes at us on the way to the beach. Very bad. :(

For those that are interested, Discovery Channel's Shark Week should be on in Early July. My episode is "Shark Attack: Predators in the Panhandle". Don't venture too far from shore without a way to get completely out of the water!

ADD: If you have DNS challenges with the email server, you can set that localnet ip for the server.
/ip dns static
add name=mail.mydomain.com address=192.168.0.2
Change the name to the domain name and address to the localnet address of the email server.
This changes only localnet dns. External dns will still resolve to the public ip. This dns change is effective even if the client computer does not have the ip of the router set in its dns settings.

Ensure the email server is set to relay outbound email for your localnet IPs. All subnets. If your email server was set to relay email for just the subnet it was on, that would explain why it would work with a masquerade, but wouldn't without it.
 
shadowskippie
Member Candidate
Topic Author
Posts: 213
Joined: Tue Dec 21, 2010 6:20 pm

Re: radius server

Tue May 17, 2011 9:28 am

Right.

I did the change last night for a test (took me a while to nail down some other issues) and found that, despite all the towers pinging the external IP when pinging the domain, my machine still pings the internal one :? Very strange, but I'm going to skip this issue for now.
All I know is that the net still works fine and no major surprises jumped out at me.

The new issue now is that I can no longer ping into the office, although I did know this was going to happen.
The main network is 192.168.100.0 and strings itself together with OSPF, but the office is running on 192.168.252.0.
Of course it works getting out, but I still need to see in somehow, at least for the mail server and RADIUS.

How would I get that right without using NAT?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: radius server

Tue May 17, 2011 1:13 pm

That is a different subject. I recommend starting a new thread for that, and include a simple diagram of your network setup, especially the part that applies to your office.