sublimespot
newbie
Topic Author
Posts: 46
Joined: Sun Sep 11, 2005 2:00 am

Radius Access-Accept Filter-ID -> Create Dynamic NAT?

Tue Nov 01, 2005 6:06 am

Radius Access-Accept has the option Filter-Id which appears to allow a dynamic firewall rule.

Is it possible to have Radius respond to create a dynamic SRC-NAT and DST-NAT for that user?

Where can I get more information on how to use the radius Filter-Id option?
 
butche
Trainer
Posts: 430
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Tue Nov 01, 2005 7:30 am

Well, this is from the documentation:

Filter-Id - firewall filter chain name. It is used to make a dynamic firewall rule. Firewall chain name can have suffix .in or .out, that will install rule only for incoming or outgoing traffic. Multiple Filter-id can be provided, but only last ones for incoming and outgoing is used. For PPPs - filter rules in ppp chain that will jump to the specified chain, if a packet has come to/from the client (that means that you should first create a ppp chain and make jump rules that would put actual traffic to this chain). The same applies for HotSpot, but the rules will be created in hotspot chain


It comes from here: http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius

I am still a little unclear about how to interpret what it actually means. Perhaps Normis or Uldis will be able to clear it up?
 
sublimespot
newbie
Topic Author
Posts: 46
Joined: Sun Sep 11, 2005 2:00 am

Wed Nov 02, 2005 6:14 am

Yes I also have the manual here. That bit of information in the documentation is very limited. I was hoping for more detailed information on how it is used and maybe a sample.
 
bjohns
Member Candidate
Posts: 271
Joined: Sat May 29, 2004 4:11 am
Location: Sippy Downs, Australia

Thu Nov 03, 2005 2:08 am

Apparently not.

I had a quick look at it and all it does is dynamically create jump rules in the ppp (if available) and hotspot chains.

For example if Filter-ID == Restricted then there will be two rules placed in the ppp/hotspot chain that jump traffic for that user to the Restricted chain.

There is no way to link/create a dst/src-nat rule afaik.
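
Added example, not part of the post above and not RouterOS code: a small Python model of the Filter-Id rules from the quoted documentation (direction suffixes, last value per direction wins), which also lists the jump rules to expect and any chains missing on the router. The function names, the sample values, and the rule that an unsuffixed name applies to both directions are assumptions.

```python
# Added illustration, not RouterOS code: a model of the Filter-Id rules in the
# documentation quoted in this thread. All names here are hypothetical.

def resolve_filter_ids(filter_ids):
    """Return the chain that ends up in effect for each direction.

    From the quoted docs: a ".in" or ".out" suffix limits the rule to one
    direction, and with several Filter-Id values only the last one per
    direction is used.
    Assumption: a value without a suffix applies to both directions.
    """
    effective = {"in": None, "out": None}
    for value in filter_ids:
        value = value.strip()
        if value.endswith(".in"):
            chain, directions = value[:-3], ("in",)
        elif value.endswith(".out"):
            chain, directions = value[:-4], ("out",)
        else:
            chain, directions = value, ("in", "out")
        if not chain:
            continue  # empty value or bare suffix: nothing to jump to
        for direction in directions:
            effective[direction] = chain
    return effective


def expected_jumps(filter_ids, service, defined_chains):
    """Describe the dynamic jump rules and flag chains missing on the router.

    service is "ppp" or "hotspot": the parent chain that receives the jumps.
    defined_chains is the set of chain names configured on the router.
    """
    if service not in ("ppp", "hotspot"):
        raise ValueError("service must be 'ppp' or 'hotspot'")
    jumps, missing = [], set()
    if service not in defined_chains:
        missing.add(service)  # the docs say the parent chain must exist first
    for direction, chain in resolve_filter_ids(filter_ids).items():
        if chain is None:
            continue
        jumps.append((service, direction, chain))
        if chain not in defined_chains:
            missing.add(chain)
    return jumps, sorted(missing)


# Constructed sample: Filter-Id values from one Access-Accept, in order.
SAMPLE = ["Restricted", "Guests.in", "Staff.out", "Kiosk.in"]
```

Comparing the `missing` list against the chains actually configured on the router shows when a RADIUS reply names a filter chain that does not exist there.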
 
sublimespot
newbie
Topic Author
Posts: 46
Joined: Sun Sep 11, 2005 2:00 am

Thu Nov 03, 2005 7:14 am

I found a solution.

I used Framed-IP-Address to create a public IP address.
Used Framed-Route to create a dynamic route.

This essentially gives the customer a public IP and they still have to authenticate with hotspot. Perfect!