RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Mon Feb 23, 2009 7:08 am
by marcelocbf
Hello people,

I need a little help to understand this attribute returned by RADIUS server.

What I want to achieve: I want to redirect the traffic from my "suspended" customers to my server that will have a message for them.

What is done: My RADIUS server is sending the Mikrotik-Mark-Id attribute with value suspended. So I can create some dst-nat rules on my suspended chain to redirect the traffic I want. After logging in, I see a dynamic firewall mangle rule with chain hotspot with action=mark-packet packet-mark=suspended

My problem: The customer is logged in (via MAC) and I see the traffic from this customer going through the router but no packet is marked (at least the rule counter is not incremented). Reading the docs, it says that upon receiving this attribute MK will create a dynamic rule with chain=hotspot action=jump jump-target=Attribute value.

Can somebody help me understand what is going on, or if I am missing something?

Thanks,

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Mon Feb 23, 2009 3:45 pm
by Chupaka
do you use bridge?

/interface bridge settings set use-ip-firewall=yes

?

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Tue Feb 24, 2009 1:41 am
by marcelocbf
No ... no bridge ...

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Sat Mar 14, 2009 5:15 pm
by marcelocbf
Has somebody used this feature already? Does that work, or am I missing something?

I have tested both Mikrotik-Mark-Id and Filter-Id, and both show the dynamic rules respectively in the Mangle and Filter sections. For the Mikrotik-Mark-Id, it makes two dynamic rules matching the IP address of the just authenticated user on the hotspot chain with action mark-packet with the string I put on the RADIUS attribute (if that was working it would be beautiful), but it does not match anything; and for the Filter-Id, it creates similar dynamic rules, but in the Filter section, from chain hotspot with action jump to a chain with the name I put on the RADIUS attribute.

Am I missing something?

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Mon Mar 16, 2009 4:18 pm
by Ozelo
Those attributes work perfectly. You may be missing putting your traffic to flow through the target you specified, no?

Ozelo

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Tue Mar 17, 2009 4:26 am
by marcelocbf
Those attributes work perfectly. You may be missing putting your traffic to flow through the target you specified, no?

Ozelo
Thanks Ozelo, for your response

I don't know ... actually I'm doing nothing else, but I thought it should work this way ... but please give me some directions ...

Assuming I'm using the Mikrotik-Mark-Id, it creates two dynamic rules on the hotspot chain with target and source address the IP of the just authenticated client on the hotspot, with action mark-packet MY-MARK-STRING ...

What else should I do? Isn't the traffic already on the hotspot chain?

Thanks in advance,

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Tue Mar 17, 2009 12:54 pm
by Ozelo
Let's see... If you add a rule like this, does it show anything? Can you see the IP address that your dynamic mark id rule matches here? Does it count packets at least?
/ip firewall mangle add action=log chain=hotspot comment="" disabled=no
If so, then it's being marked.
Can't you post your setup?

Ozelo

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Wed Mar 18, 2009 3:24 am
by marcelocbf
Hi Ozelo,

Here is my mangle table, I have even disabled my two first rules, but it doesn't match, it does not count packets.

The third rule is the one you recommended to me in your last post, and the 3rd and 4th rules are the dynamic rules that were created by the radius client
 0 X chain=forward action=mark-connection new-connection-mark=p2p-Con passthrough=yes p2p=all-p2p

 1 X chain=forward action=mark-packet new-packet-mark=p2p-Traffic passthrough=no connection-mark=p2p-Con

 2   chain=hotspot action=log log-prefix=""

 3 D chain=hotspot action=mark-packet new-packet-mark=suspended passthrough=yes src-address=10.0.5.101

 4 D chain=hotspot action=mark-packet new-packet-mark=suspended passthrough=yes dst-address=10.0.5.101
Here is my filter table ...
The last rule is the one I added when trying to use the Filter-Id attribute; when doing so, it creates the dynamic rules matching by IP with jump-target the chain I created, but it doesn't match
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client

 3 I chain=hs-input action=jump jump-target=pre-hs-input

 4 D chain=hs-input action=accept protocol=udp dst-port=64872

 5 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875

 6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth

 7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp

 8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

 9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

10 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

11   chain=SUSPENDED action=add-src-to-address-list address-list=suspensos address-list-timeout=0s
and finally my nat table
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

 1 I chain=hotspot action=jump jump-target=pre-hotspot

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443

 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth

 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth

 8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80

 9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128

10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080

11 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443

12 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

14 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

15 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
I have revised everything but I cannot see what is going wrong ...
Thanks for your time in helping me ....

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Thu Mar 19, 2009 8:04 pm
by Ozelo
If the rule number "2" in the mangle table does not count any packets, then there's no traffic passing through the hotspot chain. You may need to add a jump rule in your mangle table just like the following:
chain=forward action=jump jump-target=hotspot
The same goes for the filter table, but the nat table has nothing to do with it.

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Tue Mar 24, 2009 7:12 am
by marcelocbf
If the rule number "2" in the mangle table does not count any packets, then there's no traffic passing through the hotspot chain. You may need to add a jump rule in your mangle table just like the following:
chain=forward action=jump jump-target=hotspot
The same goes for the filter table, but the nat table has nothing to do with it.
Hi Ozelo,

Thanks for the hint ... I think I got confused about the chains in the different tables; I assumed the packets were already on the hotspot chain of the mangle table and they were not, as you said ... I also found a good "packet flow" example that made it easier for me to understand it ...

Now the rules are marking the packets nicely ...

Thanks again for your time in answering my post ... I was stuck for some days in that ...

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Fri Oct 09, 2009 9:49 am
by nicopretorius
I have a requirement where I want to dynamically policy route different categories of hotspot users via different routes, i.e. I have "complementary users" that will be routed via a proxy that injects an inline frame which then displays advertising to the complementary users. However, in the case of "commercial users" they will not be routed via the "advertising proxy".

I think the best way to achieve this is to use the Mikrotik-Mark-Id in radius to mark the packets for the complementary users.

I have successfully marked the packets by doing the following:

1. Created a user in radius for which the Mikrotik-Mark-Id attribute is set to "Advert"
2. Added the following mangle rule to the forward chain:
/ip firewall mangle add action=jump chain=forward comment="" disabled=no jump-target=hotspot src-address=10.20.65.0/24 src-address-list=""
Step 2 above adds the dynamic mangle rules as per below and the packets are marked with the packet mark "Advert":
 4 D chain=hotspot action=mark-packet new-packet-mark=Advert passthrough=yes src-address=10.20.65.25 

 5 D chain=hotspot action=mark-packet new-packet-mark=Advert passthrough=yes dst-address=10.20.65.25 
I, however, struggle with the last step, which is to now policy route the packets marked "Advert". My understanding is that the packets will automatically go from the "hotspot chain" to the "output chain" where I should now be able to add a route mark to the packets based on the dynamic packet mark "Advert".

To achieve this I added the following mangle rule:
/ip firewall mangle
add action=mark-routing chain=output comment="" disabled=no new-routing-mark=advert_route packet-mark=Advert passthrough=yes
Unfortunately, this does not work, i.e. I'm unable to route mark the packets. I clearly have something wrong, but I don't know what I'm missing.

Do you have any advice on what I'm missing?

Re: RADIUS attribute Mikrotik-Mark-Id ?????

Posted: Fri Oct 09, 2009 5:21 pm
by nicopretorius
I solved my problem: I needed to use the prerouting chain as opposed to the forward chain for my purpose.
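A worked configuration, added here and not posted by anyone in this thread, that ties Ozelo's jump rule and nicopretorius's prerouting fix together: it feeds hotspot client traffic into the mangle hotspot chain so the dynamic Mikrotik-Mark-Id rules actually match, then uses the resulting packet marks for marcelocbf's "suspended" redirect and for nicopretorius's "Advert" policy route. The client subnet 10.0.5.0/24 comes from the thread; the notice server 192.0.2.10 and the advertising-proxy gateway 203.0.113.1 are assumed placeholder values.

```routeros
# Added example, not from the thread. Assumed values: hotspot clients in
# 10.0.5.0/24 (from the thread), 192.0.2.10 = "account suspended" notice
# web server, 203.0.113.1 = gateway towards the advertising proxy.

/ip firewall mangle
# 1. The hotspot installs its jump rules into chain=hotspot only in the
#    filter and nat tables, never in mangle, so the dynamic mark-packet
#    rules sit in a chain nothing reaches. Jump there from prerouting:
#    a mark set in prerouting is visible to dstnat and to mark-routing,
#    whereas a mark set in forward arrives after both decisions are made.
add chain=prerouting src-address=10.0.5.0/24 action=jump jump-target=hotspot \
    comment="feed hotspot client traffic to the dynamic Mark-Id rules"

# 2. Convert the "Advert" packet mark into a routing mark. This must also
#    live in prerouting; the output chain only sees the router's own packets.
add chain=prerouting packet-mark=Advert action=mark-routing \
    new-routing-mark=advert_route passthrough=no \
    comment="policy-route Advert-marked users via the advertising proxy"

/ip route
add routing-mark=advert_route gateway=203.0.113.1 \
    comment="used only by packets carrying routing-mark=advert_route"

/ip firewall nat
# 3. Send web requests of "suspended" users to the notice page. Mangle
#    prerouting runs before dstnat, so packet-mark is already set here.
add chain=dstnat packet-mark=suspended protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.0.2.10 to-ports=80 \
    comment="suspended customers -> notice page"

/ip firewall filter
# 4. Packet marks survive into the forward chain: allow suspended users to
#    reach only the notice server and drop the rest of their traffic.
add chain=forward packet-mark=suspended dst-address=192.0.2.10 action=accept
add chain=forward packet-mark=suspended action=drop

# Check: the jump and the dynamic rules must show growing counters once
# a marked user is logged in; if they stay at zero, the jump is missing.
/ip firewall mangle print stats where chain=hotspot
```

The order of the mangle rules matters: the jump into chain=hotspot has to precede the mark-routing rule in prerouting, otherwise the Advert mark does not exist yet when the routing rule is evaluated.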