- Mikrotik Radius, PPPOE Server and PPPOE Client Setup Guide
- Part 1: Mikrotik Radius Attributes
- What are radius attributes?
- Common Mikrotik Radius Attributes
- Client Connection Speed Management
- IP Management
- Firewall and Security
- Data Transfer Limits
- Part 2: Mikrotik Setup
- Mikrotik Radius Settings
- Mikrotik Radius Incoming
- Configuring the Mikrotik PPPOE Server
- Mikrotik IP Pools
- Mikrotik PPPOE Server Configuration
- Part 3: Adding A Client Connection
- Looking for a Mikrotik Radius Server?
Mikrotik Radius, PPPOE Server and PPPOE Client Setup Guide
In this article we will cover the basics of Mikrotik Radius and the attributes it supports.
We will also set up Mikrotik as a PPPOE server and configure a Mikrotik PPPOE client.
PPPOE or Point-to-Point Protocol Over Ethernet is a common connection used to authenticate users and account for their traffic.
PPPOE is used extensively in all types of networks as it allows the remote device to bring up a connection over layer 2 without much prior configuration.
Part 1: Mikrotik Radius Attributes
What are radius attributes?
Before we dive into our Mikrotik configuration, let’s get a general understanding of what a radius attribute is.
These are important because when we connect clients over PPP using radius we can control certain aspects of the connection using radius attributes.
Radius attributes are special Attribute-Value pairs that are sent inside radius packets.
At the radius packet level they contain an Attribute ID, a length and a Value. When the radius server receives these attributes it uses a dictionary to look up the attribute definition and convert the data into something the server can understand.
A radius packet generally contains several of these attributes holding connection specific information.
The radius server will then read these in and decide what to do with the packet. Common attributes include:
- User-Name = The username specified when connecting to a NAS (Network Access Server).
- Calling-Station-Id = The phone number or network MAC address of the user.
- NAS-IP-Address = The IP address of the network access server which generated the request.
- Framed-IP-Address = The IP address of the user, typically seen in radius accounting packets.
Many devices include their own radius dictionaries which allow extra device specific information to be sent inside their radius requests.
The Mikrotik radius dictionary can be found here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary and defines some Mikrotik specific attributes to provide more control over client connections.
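As an added example (not part of the original guide), the following Python sketch decodes the ID/length/value layout described above and expands Vendor-Specific attributes using small dictionary excerpts. The attribute numbers and the vendor number 14988 come from the standard and Mikrotik radius dictionaries; the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

MIKROTIK_VENDOR_ID = 14988  # vendor number used by the Mikrotik dictionary
# Dictionary excerpts: attribute ID -> (name, value type)
STANDARD = {1: ("User-Name", "string"), 4: ("NAS-IP-Address", "ipaddr"),
            8: ("Framed-IP-Address", "ipaddr"), 26: ("Vendor-Specific", "vsa"),
            31: ("Calling-Station-Id", "string")}
MIKROTIK = {8: ("Mikrotik-Rate-Limit", "string"),
            19: ("Mikrotik-Address-List", "string")}

def walk(buf):
    """Yield (attribute ID, value bytes) for each ID/length/value triple."""
    pos = 0
    while pos < len(buf):
        header = buf[pos:pos + 2]
        # The length byte counts the 2-byte header too, so it is never below 2.
        if len(header) < 2 or header[1] < 2 or pos + header[1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield header[0], buf[pos + 2:pos + header[1]]
        pos += header[1]

def convert(kind, raw):
    """Convert raw value bytes according to the dictionary type."""
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))  # raises ValueError unless 4 bytes
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    return raw.hex()  # not in the dictionary: keep the bytes, do not guess

def decode_attributes(buf):
    """Decode an attribute block, expanding Vendor-Specific (ID 26) entries."""
    out = []
    for attr_id, raw in walk(buf):
        name, kind = STANDARD.get(attr_id, (f"Attr-{attr_id}", "octets"))
        if kind != "vsa":
            out.append((name, convert(kind, raw)))
            continue
        if len(raw) < 4:
            raise ValueError("Vendor-Specific attribute too short")
        vendor = struct.unpack("!I", raw[:4])[0]
        table = MIKROTIK if vendor == MIKROTIK_VENDOR_ID else {}
        for sub_id, sub_raw in walk(raw[4:]):
            sub = table.get(sub_id, (f"Vendor-{vendor}-Attr-{sub_id}", "octets"))
            out.append((sub[0], convert(sub[1], sub_raw)))
    return out

# Constructed sample: User-Name, Framed-IP-Address and a Mikrotik-Rate-Limit VSA
SAMPLE = bytes.fromhex("0107616c696365" "0806c0a8e901" "1a0d00003a8c0807314d2f324d")
```

Calling `decode_attributes(SAMPLE)` returns the three named attributes; a length byte that is too small or runs past the buffer raises `ValueError` instead of being read as data.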
Common Mikrotik Radius Attributes
Client Connection Speed Management
The Mikrotik-Rate-Limit attribute allows you to specify the speed of the client connection. It can specify a fixed speed rate or a burstable speed profile for the user.
The attribute accepts the following as its value.
All values inside braces are optional and the only value which is required is the rx-rate.
If only the rx-rate is specified then the tx-rate will be the same as the rx-rate.
When working with rate limits it is important to remember that the rate limit is defined from the perspective of the Mikrotik and not the client device.
This means that the rx-rate (receive rate) determines how fast the Mikrotik will receive traffic from the user (the user’s upload speed) and the tx-rate controls how fast the Mikrotik will send data to the user (the user’s download speed).
Let’s look at some definitions to get a clearer understanding of the values.
Mikrotik-Rate-Limit = 1M
This specifies that the user can upload and download at 1 Mbit per second (1 Mbit is equivalent to 128 kilobytes per second, which is 1 MB of data over 8 seconds).
Mikrotik-Rate-Limit = 1M/2M
Here we specify an upload rate of 1Mbit per second and a download rate of 2Mbits per second.
We can also write the limit in Bits or Kbits, so using the same 1M/2M example we could specify:
Mikrotik-Rate-Limit = 1024k/2048k
Mikrotik-Rate-Limit = 1048576/2097152
For more information on rate limits and burst profiles you can view the Mikrotik Documentation here: http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php.
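As an added example (not part of the original guide), this Python sketch validates a Mikrotik-Rate-Limit value in the rx-rate[/tx-rate] form shown above and reports it from the client's side. The function names are hypothetical, the unit multipliers follow the equivalences given in this guide, and burst fields are deliberately rejected rather than parsed.

```python
import re

# Unit multipliers as this guide states them: 1M = 1024k = 1048576 bits.
UNITS = {"": 1, "k": 1024, "M": 1024 * 1024}
RATE = re.compile(r"(\d+)([kM]?)")

def to_bits(text):
    """Convert one rate such as '512k' to bits per second."""
    match = RATE.fullmatch(text)
    if match is None:
        raise ValueError(f"invalid rate: {text!r}")
    return int(match.group(1)) * UNITS[match.group(2)]

def parse_rate_limit(value):
    """Parse 'rx-rate[/tx-rate]' and report it from the client's side.

    Burst fields are not handled; anything beyond rx/tx is rejected.
    """
    parts = value.strip().split("/")
    if len(parts) > 2:
        raise ValueError(f"invalid rate limit: {value!r}")
    rx = to_bits(parts[0])
    tx = to_bits(parts[1]) if len(parts) == 2 else rx  # tx defaults to rx
    # rx is what the Mikrotik receives (client upload); tx is what it sends.
    return {"upload_bps": rx, "download_bps": tx}

# The three spellings from the text describe the same limit.
SAME = [parse_rate_limit(v) for v in ("1M/2M", "1024k/2048k", "1048576/2097152")]
```

Running a check like this in the billing or provisioning layer catches a swapped or malformed value before it is sent to the NAS in an Access-Accept.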
IP Management
The standard radius dictionary defines some useful attributes for controlling a client’s IP addresses and routing.
Two useful attributes in this case are:
When used in an Access-Accept packet, Framed-IP-Address specifies the IP that should be assigned to a user when they connect.
Framed-IP-Address = 192.168.233.1
When a user dials up and receives this attribute their end of the connection will come up with the following IP.
Another useful attribute is the Framed-Route attribute.
If you wish to route a network address block to an end user you can specify it here.
Framed-Route = 172.16.10.0/24
When the user dials up, the Mikrotik will add a route to its local routing table to route 172.16.10.0/24 to the client’s device.
Firewall and Security
Radius can also be used to send some useful information for the purposes of firewalling or creating advanced queues.
This attribute will place a user’s traffic into a specific firewall chain.
Filter-Id = <custom chain name>
This attribute allows you to redirect a user’s traffic to a custom firewall chain on the Mikrotik.
The value it takes may simply be the name of a chain, or you can additionally append “.in” or “.out” to the name of the chain. When appending “.in” or “.out” the Mikrotik will only redirect traffic on input (received from the client – client upload) or output (sent to the client – client download).
The second attribute is:
Mikrotik-Address-List = <address list name>
This attribute will place a user into a Mikrotik address list on the NAS.
Once the user is in an address list you can use the address list in your firewall and routing rules to control the client traffic.
Data Transfer Limits
Finally, there are a couple of attributes useful for controlling the total amount of data a user can transmit on a connection before the NAS will disconnect the session.
Mikrotik-Total-Limit = <value> (Value in bytes)
Mikrotik-Total-Limit-Gigawords = <value> (Value in gigawords)
*A gigaword is 4294967296 bytes (4GB) and the radius protocol contains the gigawords field since the regular byte fields are designed to only hold a 32-bit number.
If you wanted to specify a limit of 5GB you would need to send 1 Gigaword (4GB) and 1073741824 bytes (1GB) in the regular limit field.
Once the user has reached the limit sent in the radius attributes the session will be automatically disconnected.
The following attributes are also supported:
Mikrotik-Recv-Limit = <value>
Mikrotik-Recv-Limit-Gigawords = <value>
Mikrotik-Xmit-Limit = <value>
Mikrotik-Xmit-Limit-Gigawords = <value>
The Recv and Xmit attributes control the upload and download data limits of the connection and the connection will be terminated when either of these is reached.
It functions exactly the same as the Mikrotik-Total-Limit attribute, but allows you some control over the direction.
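As an added example (not part of the original guide), this Python sketch splits a byte cap into the 32-bit limit field and the gigawords field and encodes both as Mikrotik vendor-specific attributes. The function names are hypothetical; the attribute numbers 17 and 18 and the vendor number 14988 come from the Mikrotik radius dictionary.

```python
import struct

GIGAWORD = 4294967296        # 2**32 bytes, one step of the gigawords field
MIKROTIK_VENDOR_ID = 14988   # vendor number used by the Mikrotik dictionary
TOTAL_LIMIT = 17             # Mikrotik-Total-Limit
TOTAL_LIMIT_GIGAWORDS = 18   # Mikrotik-Total-Limit-Gigawords

def split_limit(total_bytes):
    """Split a byte cap into (gigawords, remaining bytes), both 32-bit."""
    if total_bytes <= 0 or total_bytes >= GIGAWORD * GIGAWORD:
        raise ValueError("cap must fit in two 32-bit fields")
    return divmod(total_bytes, GIGAWORD)

def combine_limit(gigawords, remainder):
    """Rebuild the byte cap from the two fields."""
    return gigawords * GIGAWORD + remainder

def vsa_integer(sub_id, value):
    """Encode one Vendor-Specific (ID 26) attribute holding a 32-bit integer."""
    body = struct.pack("!IBBI", MIKROTIK_VENDOR_ID, sub_id, 6, value)
    return struct.pack("!BB", 26, len(body) + 2) + body

def encode_total_limit(total_bytes):
    """Return the wire bytes of the limit attributes for one cap."""
    gigawords, remainder = split_limit(total_bytes)
    wire = vsa_integer(TOTAL_LIMIT, remainder)
    if gigawords:
        wire += vsa_integer(TOTAL_LIMIT_GIGAWORDS, gigawords)
    return wire

FIVE_GB = 5 * 1024 ** 3  # the 5GB cap from the text
```

Packing the full 5GB value into the single 32-bit field would fail, which is why the split into 1 gigaword plus 1073741824 bytes is required.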
Part 2: Mikrotik Setup
Mikrotik Radius Settings
For our Mikrotik radius setup we will start with one of the most popular scenarios for providing connections, PPPOE.
We begin our Mikrotik configuration by specifying our radius servers.
To do this, head to the radius section and click the ‘+’ button to add a new radius server.
The radius server settings page allows you to specify which services will be available over radius.
- PPP – PPPOE connections and PPTP tunnels (VPNs).
- Hotspot – Authentication over the hotspot landing page.
- DHCP – The MAC address of the client is sent as a username when connecting to the DHCP server.
- Login – We can use radius to log in to the Mikrotik itself. This is useful if you have many Mikrotik devices and want to centrally manage your logins.
- Wireless – Wireless authentication by MAC address.
Under server address we enter our primary server IP address or hostname and our predefined radius secret.
This radius secret must match what is held on the radius server. iBill.io users can find these details under ‘Setup’ > ‘General Settings’ > ‘Radius Configuration’.
Our radius ports also need to be defined. These are two separate ports, one for authentication traffic and one for accounting.
Additionally, we set the Radius Timeout up to 3000ms to ensure network congestion does not cause a false timeout.
Once all of your settings are entered correctly click ‘OK’ to add the radius server.
Next we will do the same for the secondary Radius server.
If the primary fails Mikrotik will start sending traffic to the secondary to keep services running.
Our secondary configuration looks almost identical, except here we have the secondary hostname or IP address specified.
After adding both servers you should have the following in your Radius pane.
By double-clicking any of the radius servers we can view the configuration and the status pane.
The status pane will indicate the requests, responses and any problems with the configuration.
Mikrotik Radius Incoming
Next up we can configure incoming radius requests.
Incoming radius requests allow the radius server to send a ‘Disconnect Message’ to the Mikrotik to disconnect a specific connection.
To do this, click the ‘Incoming’ button at the top of the Radius window and the following window will appear.
To enable incoming requests simply check the ‘Accept’ option and click ‘OK’. The port number may be changed if needed and configured under the NAS on the radius server.
Configuring the Mikrotik PPPOE Server
Mikrotik IP Pools
The first thing we will need to do is create an IP pool which will be used to assign IP addresses to incoming client connections.
In this example we will give out IPs in the 192.168.30.1-192.168.30.254 range.
We do this by going to ‘IP’ > ‘Pool’ in winbox and clicking the add button ‘+’.
Here is what it looks like when the pool has been created.
After adding our IP pool we can configure the PPPOE server.
Mikrotik PPPOE Server Configuration
To configure the PPPOE server, head to ‘PPP’ > ‘PPPOE Servers’ and click the add button ‘+’.
Our server configuration looks like this:
First we give the service a friendly name and specify the interface the PPPOE server will listen on. This can be a wireless interface or a regular Ethernet interface, depending on how the clients will be connecting to the network.
We also set the ‘Default Profile’ which determines which PPP profile will be used for client connections.
In our case we chose the included ‘default-encryption’ profile.
After saving the new service your ‘PPPOE Servers’ list should look like this.
Next, we need to specify which IP addresses will be used for client connections.
This is controlled under ‘Profiles’. In our case we selected the ‘default-encryption’ profile.
So, let’s edit that profile and add the IP address information in.
To configure the IP address information we simply specify a ‘Local Address’, which will be the Mikrotik’s IP address on the PPPOE connection. The ‘Remote Address’ can be set to the IP pool we created earlier.
Finally, we need to configure PPP to use radius authentication and accounting.
To do this, head to the ‘Secrets’ tab and click the ‘PPP Authentication & Accounting’ button.
To enable radius authentication, we need to check the ‘Use Radius’ option. Accounting should be enabled by default; however, it will only send start and stop packets unless we specify an ‘Interim Update’ period.
Set this value to 5 minutes to have the Mikrotik send usage information for each session every 5 minutes.
Our PPPOE server is now configured and ready to accept client connections.
Part 3: Adding A Client Connection
Now that everything is set up we can configure a client to connect to our new PPPOE Service.
In our test scenario we have another Mikrotik (To be called “Client CPE” from here on out) connected to the Mikrotik over Ethernet.
Firstly, inside our iBill.io instance we have created a 1Mbit Uncapped product.
We did this by using the Mikrotik-Rate-Limit attribute and specifying a rate of 512k/1024k.
We then created a service for the user as seen below.
The ‘Radius Username’ and ‘Radius Password’ are what our client will be using to connect to the PPPOE server.
Let’s get started and configure the Client’s CPE PPPOE interface.
Start by going to the ‘PPPOE’ menu in winbox and selecting the add button ‘+’ under the ‘Interfaces’ tab.
The ‘New Interface’ window will pop up.
Under the first tab we can give the connection a friendly name and select the interface to run over.
The ‘PPPoE Scan’ option will scan the selected interface and look for PPPoE servers which can be useful for debugging connection issues.
Here we have added a friendly connection name and set the connection to run on ether1.
Next we will need to configure the ‘Dial Out’ settings for the service.
This is where we enter the Radius Username and Password we created earlier.
We can also specify other options, such as DNS and whether to add a default route.
After entering the username and password, click the ‘Apply’ button and the PPPOE client should immediately begin to dial out.
Once you have applied the settings you can view the connection status in the ‘Status’ pane.
As we can see the connection came up and the server allocated the IP addresses we specified earlier.
If we look at the ‘PPP’ > ‘Interface’ tab on the PPPOE Server we can see the client is listed there.
Since we specified a speed limit for the client, the PPPOE Server will create a queue under ‘Queues’ > ‘Simple Queues’.
We can also visit the service page on our iBill.io server and see the connection there.
Looking for a Mikrotik Radius Server?
Try our easy to use ISP Radius and Billing solution and have one available in the cloud in 30 seconds.
Our starter version is free and a great way to learn more about mikrotik radius and PPPOE by practicing and testing your knowledge.
We hope you gained some insights from our Mikrotik Radius and PPPOE guide.
If you have any questions please feel free to leave a comment or contact our helpdesk.