Mikrotik is a very popular supplier of small router devices.
Mikrotik products come with a modified Linux installed which is known by the name of RouterOS.
It is also possible to flash the Mikrotik hardware with the OpenWRT firmware, but this is beyond the scope of this discussion.
This section will set up a Routerboard 433 to run the Hotspot service on one interface using YFi Hotspot Manager as an external RADIUS server.
The following table can be used as a quick reference on lingo related to Mikrotik and YFi Hotspot Manager.
| Word | Description |
|---|---|
| Mikrotik | Supplier of router devices. |
| Routerboard 433 | Specific model of a Mikrotik device. |
| Winbox | A utility program that can be used to configure a Mikrotik router device. |
| Hotspot | A Mikrotik service which is set up to run on an interface on the Mikrotik router device and acts as a Captive portal. |
| Captive portal | A gatekeeper which redirects unauthorized web traffic to a log-in page, forcing a user to supply credentials or agree to some disclaimer before using the Internet. |
The following can be used as a check-list to have in place on the server running YFi Hotspot Manager before you can configure the Routerboard 433
The following schematic and table will list values used in our dummy setup.
| Item | Value | Description |
|---|---|---|
| YFi / FreeRADIUS Server | 196.7.37.105 | The YFi server, which is hosted with a fixed IP on the Internet |
| Routerboard 433 eth1 | 10.0.0.200 | The Routerboard 433's interface connected to the Internet |
| Gateway for eth1 | 10.0.0.2 | The NATed gateway on the DSL router |
| Routerboard 433 eth2 | 10.5.50.1 | The Routerboard 433's interface running the Hotspot service |
| Special Server MAC | 00:11:43:6f:92:15 | This special server needs to always be connected to the Internet - we will use MAC authentication |
| pptp server | 196.7.37.105 | The YFi server also hosts a pptp service to avoid the DSL connection's DHCP IP changes |
| pptp peer server side | 10.20.30.1 | The IP which will be defined as the remote RADIUS server on the Routerboard 433. |
| pptp peer client side | 10.20.30.2 | The IP which will be given by the pptpd to the Routerboard 433. |
| pptp username | yfi_nas_0001 | The pptp username used on the Routerboard 433 |
| pptp chap password | tNdpbJzj | The pptp password used on the Routerboard 433 |
| DNS server | 10.0.0.2 | DNS server used by the Routerboard 433 |
Now that we have all our data, we can configure everything.
We will use Winbox to configure the Routerboard 433. Winbox runs fine on Ubuntu using Wine.
Note1: _When I tried to connect my laptop directly to the Routerboard 433 and use Winbox, it somehow refused to detect the Routerboard 433.
Straight or X-over cables both gave the same results; however, plugging both into a switch did the trick. YMMV._
Note2: It is always good to start with a factory-defaulted Mikrotik.
Ensure you can ping the other side of the VPN (IP 10.20.30.1) to confirm it is up.
The YFi Hotspot Manager should also indicate that the Routerboard 433 is up in the NAS Devices tab after about 5 minutes.
Address is the address of the pptp peer, server side (10.20.30.1)
Secret is the shared secret between the NAS device in YFi Hotspot Manager and the Routerboard 433.
To configure the Hotspot service on eth2 we will start off using the setup wizard.
Thereafter we will tweak and change a few extra values in order to make use of the YFi Hotspot Manager's RADIUS server.
In Winbox, go to IP -> Hotspot -> Hotspot Setup.
Select eth2 as the Hotspot Interface (substitute this with the interface you want to run the Hotspot service on)
Local address of Network 10.5.50.1/24
Masquerade Network yes
Address Pool of Network 10.5.50.2-10.5.50.254
Select Certificate none
IP Address of SMTP server 0.0.0.0
DNS Servers 10.0.0.2 - These are the default ones defined for the Routerboard 433.
DNS Name (blank) (This can be any name of your liking or blank).
Each Hotspot server makes use of a profile, is tied to an interface, and owns a defined IP address pool.
You can now edit these items which are part of the defined Hotspot service.
This completes all the setup actions required on the Routerboard 433.
The rest of this section will deal with specific profiles on YFi Hotspot Manager, related to the Mikrotik Hotspot service.
NOTE: The following section can be ignored if you use SVN version yxz or above.
Release Beta-3 and earlier releases of YFi Hotspot Manager came with a sample SQL database schema which does not include data based attributes for Mikrotik.
Just to add another spanner in the works: the Mikrotik dictionary that comes standard with FreeRADIUS lacks some attributes which have to be added to the profile templates.
The attribute Mikrotik-Total-Limit has to be added if you want to create data based Vouchers for Mikrotik.
Add the following lines to /usr/local/share/freeradius/dictionary.mikrotik:

```
ATTRIBUTE Mikrotik-Total-Limit 17 integer
ATTRIBUTE Mikrotik-Total-Limit-Gigawords 18 integer
```
Also define a sqlcounter which will return Mikrotik-Total-Limit values.
Edit /usr/local/etc/raddb/rlm_perl_modules/sqlcounter.conf and add the following counter to it.
```
sqlcounter mikrotik_max_bytes_noreset {
    counter-name = Mikrotik-Total-Limit
    check-name = Mikrotik-Total-Limit
    reply-name = Mikrotik-Total-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
}
```
Activate the sqlcounter by adding the following text to /usr/local/etc/raddb/rlm_perl_modules/conf/settings.conf (add it as part of the sql_counters collection):
<counter>mikrotik_max_bytes_noreset</counter>
Now you can add the Mikrotik-Total-Limit as a check attribute to the Voucher - Data Based profile template.
After this you can create specific profiles from the Voucher - Data Based template which can be used by both Chillispot and Mikrotik NAS devices.
IMPORTANT: Remember to restart FreeRADIUS for the above changes to take effect.
Permanent users in YFi Hotspot Manager do not make use of Chillispot or Mikrotik specific attributes.
They make use of the Yfi-Data and Yfi-Time attributes, which are specific to YFi Hotspot Manager.
For this to work as intended, it is very important to ensure that users connected to the NAS device can be kicked off (disconnected) through the YFi Hotspot Manager server.
The next section will discuss how to make sure that YFi Hotspot Manager can disconnect an active user on a Mikrotik Routerboard.
It seems there is some grey area concerning which attributes should be in the POD (Packet of Disconnect) packet.
To add to the confusion some of the Mikrotik documentation specifies that it does not even support the POD packet.
The tests I've done only required two attributes to allow a disconnection though.
User-Name - The username of the active user.
Framed-IP-Address - The IP address of the active user.
There is one problem though: the Routerboard 433 complains about 'Radius disconnect request from unknown ip'. From the forums it seems to be a general error, without a known cure.
The return code for this request will thus be 42 (Disconnect-NAK) instead of 41 (Disconnect-ACK).
I will post a question regarding this on the forum and see if someone may enlighten us on this issue.
No matter how many extra attributes I would add to the POD packet, the error remained.
Ensure your deployment contains the following changes in order to have disconnection from YFi Hotspot Manager working correctly.
In /usr/local/etc/raddb/rlm_perl_modules/User.pm the section for Mikrotik should look like this:
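```perl
#___________Mikrotik____________________________
if ($return_data->[0][0] =~ m/mikrotik/i) {
    print "-> Disconnecting User From Mikrotik Type of Device\n";
    # List-form pipe open runs radclient without a shell, so the username, IP and secret
    # cannot inject a command. Assumes $radclient holds only the path to the binary.
    if (open(my $rad, '|-', $radclient, '-r', '2', '-t', '2', "$ip:$port", 'disconnect', $secret)) {
        print $rad "User-Name = $username,Framed-IP-Address = $framedipaddress\n";
        close($rad);
    }
}
```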
In /var/www/c2/yfi_cake/controllers/components/kicker.php the section for Mikrotik should look like this:
```php
//____ Mikrotik _____
if($type == 'Mikrotik'){
    $port   = $q_r['Na']['ports'];
    $secret = $q_r['Na']['secret'];
    //Mikrotik requires that we need to know the IP the user comes in with
    $rc = $this->radclient;
    //Quote every value for the shell so that none of them can inject a command
    $attrs  = escapeshellarg("Framed-IP-Address=$framedipaddress,User-Name=$username");
    $target = escapeshellarg("$nas_ip:$port");
    exec("echo $attrs | $rc -r 2 -t 2 $target disconnect ".escapeshellarg($secret),$output);
}
```

IMPORTANT: Remember to restart FreeRADIUS for the above changes to take effect.
The standard log-in page which comes with the Mikrotik Hotspot is very simple.
If you wish to spice things up a little, there's a sample Mikrotik Hotspot login page, which features an Ajax slide show.
Just replace the images with some of yours to advertise the Hotspot.