
yfi_setup_nas_Mikrotik

Anonymous

Mikrotik

Introduction

Mikrotik is a very popular supplier of small router devices.
Mikrotik products ship with a modified Linux known as RouterOS.
It is also possible to flash Mikrotik hardware with the OpenWRT firmware, but that is beyond the scope of this discussion.
This section will set up a Routerboard 433 to run the Hotspot service on one interface, using YFi Hotspot Manager as an external RADIUS server.

The following table can be used as a quick reference on lingo related to Mikrotik and YFi Hotspot Manager.

Word             Description
Mikrotik         Supplier of router devices.
Routerboard 433  Specific model of a Mikrotik device.
Winbox           A utility program that can be used to configure a Mikrotik router device.
Hotspot          A Mikrotik service, set up to run on an interface of the Mikrotik router device, which acts as a captive portal.
Captive portal   A gatekeeper which redirects unauthorized web traffic to a log-in page, forcing a user to supply credentials or agree to a disclaimer before using the Internet.

Prepare YFi Hotspot Manager

The following can be used as a check-list of things to have in place on the server running YFi Hotspot Manager before you configure the Routerboard 433:

  • Define a NAS device - take note of the device's IP address and shared secret.
  • Ensure the NAS device is of type Mikrotik - this is important if you want to kick active users off the NAS device.
  • Ensure the NAS device port is specified as 3799 - this is important if you want to kick active users off the device.
  • Check which profile attributes will be returned to the Mikrotik NAS device for potential users (Permanent Users and Vouchers).

Our Dummy Set-up

The following schematic and table list the values used in our dummy setup.

Item                      Value              Description
YFi / FreeRADIUS Server   196.7.37.105       The YFi server, hosted with a fixed IP on the Internet
Routerboard 433 eth1      10.0.0.200         The Routerboard 433's interface connected to the Internet
Gateway for eth1          10.0.0.2           The NATed gateway on the DSL router
Routerboard 433 eth2      10.5.50.1          The Routerboard 433's interface running the Hotspot service
Special Server MAC        00:11:43:6f:92:15  This special server must always be connected to the Internet; we will use MAC authentication for it
pptp server               196.7.37.105       The YFi server also hosts a pptp service, to avoid problems with the DSL connection's DHCP IP changes
pptp peer server side     10.20.30.1         The IP which will be defined as the remote RADIUS server on the Routerboard 433
pptp peer client side     10.20.30.2         The IP which pptpd will hand out to the Routerboard 433
pptp username             yfi_nas_0001       The pptp username used on the Routerboard 433
pptp chap password        tNdpbJzj           The pptp password used on the Routerboard 433
DNS server                10.0.0.2           DNS server used by the Routerboard 433

Schematic: Mikrotik connected to YFi Hotspot Manager


Steps involved

Now that we have all our data, we can configure everything.

We will use Winbox to configure the Routerboard 433. Winbox runs fine on Ubuntu using Wine.

Note 1: When I tried to connect my laptop directly to the Routerboard 433 and use Winbox, it somehow refused to detect the Routerboard 433.
Straight or cross-over cables both gave the same results; however, plugging both into a switch did the trick. YMMV.

Note 2: It is always good to start with a factory-defaulted Mikrotik.


Eth1 on Routerboard 433

  • This section assumes that you already have a valid Winbox connection to the Routerboard 433.
  • Go to IP -> Addresses and add the IP of 10.0.0.200 to eth1.
    IP setup on eth1 - Routerboard 433
  • Go to IP -> Routes and add a static route to the gateway (10.0.0.2 in the dummy setup)
    Gateway on eth1 - Routerboard 433
  • Go to IP -> DNS -> Settings and specify the DNS server(s) which the Routerboard 433 will use (10.0.0.2 in the dummy setup).
    DNS - Routerboard 433
  • Ensure you can ping to the outside world from the Routerboard 433.

pptp tunnel

  • Add a new VPN Connected NAS device in YFi Hotspot Manager. Edit the device and take note of the detail in the Optional Info tab. This will be used on the Routerboard 433.
    PPTP Client Detail - YFi Hotspot Manager
  • In Winbox, go to PPP -> Add (plus sign)-> PPTP Client. You only need to specify detail in the Dial Out tab. The rest can stay as default.
    pptp on eth1 - Routerboard 433
  • Ensure you can ping the other side of the VPN (IP 10.20.30.1) to confirm it is up.

  • The YFi Hotspot Manager should also indicate that the Routerboard 433 is up in the NAS Devices tab after about 5 minutes.


RADIUS on Routerboard 433

  • In Winbox, go to Radius -> Add (plus sign). Take note of the following:

    Address is the address of the pptp peer, server side (10.20.30.1).
    Secret is the shared secret between the NAS device in YFi Hotspot Manager and the Routerboard 433.

  • Also ensure you adjust the value of Timeout. The default is 300ms, which is way too small. Here I've changed it to 3000ms. Failing to do so will result in intermittent errors.

RADIUS - Routerboard 433

  • In order for the Routerboard 433 to accept disconnect requests from the YFi Hotspot Manager's RADIUS server, we need to select Radius -> Incoming.
    Tick the Accept box. The port number should remain 3799, the same port number specified when the NAS device was created in YFi Hotspot Manager.

Incoming RADIUS - Routerboard 433


Eth2 on Routerboard 433 (Hotspot)

To configure the Hotspot service on eth2 we will start off using the setup wizard.
Thereafter we will tweak and change a few extra values in order to make use of the YFi Hotspot Manager's RADIUS server.

  • In Winbox, go to IP -> Hotspot -> Hotspot Setup.

  • Select eth2 as the Hotspot Interface (substitute this with the interface you want to run the Hotspot service on)
    Hotspot setup select eth2 - Routerboard 433

  • For the rest you can simply accept the default values:

    Local Address of Network    10.5.50.1/24
    Masquerade Network          yes
    Address Pool of Network     10.5.50.2-10.5.50.254
    Select Certificate          none
    IP Address of SMTP Server   0.0.0.0
    DNS Servers                 10.0.0.2 (the default ones defined for the Routerboard 433)
    DNS Name                    (blank; this can be any name of your liking, or left blank)

  • When the wizard is complete, the new Hotspot will be listed in the Hotspot -> Servers tab.

Each Hotspot server makes use of a profile, is tied to an interface, and owns a defined IP address pool.
You can now edit these items, which are part of the defined Hotspot service.

Defined Hotspot servers - Routerboard 433

  • To make the Routerboard 433 use YFi Hotspot Manager as a RADIUS server, we edit hsprof1.
    Under Login tab, ensure HTTP PAP is checked, and HTTP CHAP is unchecked. We can also select MAC since the Special Server in our setup will use MAC authentication.
    Under RADIUS tab select Use RADIUS

This completes all the setup actions required on the Routerboard 433.
The rest of this section deals with specific profiles on YFi Hotspot Manager related to the Mikrotik Hotspot service.


Vouchers

NOTE: The following section can be ignored if you use SVN version yxz or above.

  • The release Beta-3 of YFi Hotspot Manager, and releases prior to it, came with a sample SQL database schema which does not include data-based attributes for Mikrotik.

  • Just to add another spanner in the works: the Mikrotik dictionary that comes standard with FreeRADIUS lacks some attributes which have to be added to the profile templates.

  • The attribute Mikrotik-Total-Limit has to be added if you want to create data-based Vouchers for Mikrotik.

  • Add the following lines to /usr/local/share/freeradius/dictionary.mikrotik:

             ATTRIBUTE       Mikrotik-Total-Limit                    17      integer
             ATTRIBUTE       Mikrotik-Total-Limit-Gigawords          18      integer
    
  • Also define a sqlcounter which will return Mikrotik-Total-Limit values.
    Edit /usr/local/etc/raddb/rlm_perl_modules/sqlcounter.conf and add the following counter to it.

        sqlcounter mikrotik_max_bytes_noreset {
            counter-name = Mikrotik-Total-Limit
            check-name   = Mikrotik-Total-Limit
            reply-name   = Mikrotik-Total-Limit
            sqlmod-inst  = sql
            key          = User-Name
            reset        = never
            query        = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
        }

  • Activate the sqlcounter by adding the following text to /usr/local/etc/raddb/rlm_perl_modules/conf/settings.conf (add it as part of the sql_counters collection):

         <counter>mikrotik_max_bytes_noreset</counter>
    
  • Now you can add the Mikrotik-Total-Limit as a check attribute to the Voucher - Data Based profile template.

  • After this you can create specific profiles from the Voucher - Data Based template which can be used by both Chillispot and Mikrotik NAS devices.

  • IMPORTANT Remember to restart FreeRADIUS for the above changes to take effect.
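The mikrotik_max_bytes_noreset counter above, worked through as an added example (not code from YFi Hotspot Manager or FreeRADIUS): it runs the same query over a constructed in-memory radacct table and applies the reset=never decision. It also splits the remaining allowance into the Mikrotik-Total-Limit / Mikrotik-Total-Limit-Gigawords pair the dictionary lines define, a split the sqlcounter itself does not perform.

```python
# Added example (not from YFi Hotspot Manager or FreeRADIUS): the
# mikrotik_max_bytes_noreset counter, worked through on a constructed radacct table.
import sqlite3

# The query from the sqlcounter definition, with the %{%k} key bound as a parameter.
COUNTER_QUERY = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username=?"
GIGAWORD = 2 ** 32  # Mikrotik-Total-Limit carries the low 32 bits, -Gigawords the high 32 bits

def bytes_used(conn, username):
    """Run the counter query; SUM over no rows is NULL, which counts as 0 bytes used."""
    (total,) = conn.execute(COUNTER_QUERY, (username,)).fetchone()
    return total or 0

def authorize(conn, username, total_limit):
    """reset=never decision: reject once usage reaches the check value, otherwise reply
    with the remaining allowance split across the two Mikrotik attributes."""
    used = bytes_used(conn, username)
    if used >= total_limit:
        return {"result": "reject", "used": used}
    remaining = total_limit - used
    return {"result": "accept", "used": used,
            "Mikrotik-Total-Limit": remaining % GIGAWORD,
            "Mikrotik-Total-Limit-Gigawords": remaining // GIGAWORD}

def sample_radacct():
    """Constructed accounting rows: two closed sessions for voucher v0001, one heavy user v0002."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ("v0001", 150_000_000, 850_000_000),
        ("v0001", 20_000_000, 80_000_000),
        ("v0002", 3_000_000_000, 2_000_000_000),
    ])
    return conn

if __name__ == "__main__":
    db = sample_radacct()
    for user, limit in (("v0001", 2_000_000_000), ("v0002", 5_000_000_000), ("v0002", 10_000_000_000)):
        print(user, limit, authorize(db, user, limit))
```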


Permanent Users

  • Permanent users in YFi Hotspot Manager do not make use of Chillispot- or Mikrotik-specific attributes.

  • They make use of the Yfi-Data and Yfi-Time attributes, which are specific to YFi Hotspot Manager.

  • For this to work as intended, it is very important to ensure that users connected to the NAS device can be kicked off (disconnected) through the YFi Hotspot Manager server.

  • The next section discusses how to make sure that YFi Hotspot Manager can disconnect an active user on a Mikrotik Routerboard.


Disconnecting Users

  • It seems there are some grey areas concerning which attributes should be in the POD (Packet of Disconnect) packet.

  • To add to the confusion, some of the Mikrotik documentation states that it does not even support the POD packet.

  • The tests I've done only required two attributes to allow a disconnection though:
    User-Name - the username of the active user.
    Framed-IP-Address - the IP address of the active user.

  • There is one problem though: the Routerboard 433 complains about 'Radius disconnect request from unknown ip'. From the forums it seems to be a general error, without a known cure.

  • The return code for this request will thus be 42 (Disconnect-NAK) instead of 41 (Disconnect-ACK).

  • I will post a question regarding this on the forum and see if someone may enlighten us on this issue.

  • No matter how many extra attributes I added to the POD packet, the error remained.
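As an added example (not code from the YFi project), here is the two-attribute POD described above built directly in Python instead of through radclient: it computes the RFC 5176 Request Authenticator, verifies the NAS reply's Response Authenticator before trusting it, and maps codes 41/42 to Disconnect-ACK/NAK. The NAS address, port 3799 and shared secret are assumed to be the ones defined for the NAS device in YFi Hotspot Manager.

```python
# Added example (not part of YFi Hotspot Manager or FreeRADIUS): RADIUS Disconnect-Request
# (POD, code 40) with only User-Name and Framed-IP-Address, per RFC 5176, plus reply checking.
import hashlib
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS = 1, 8  # standard RADIUS attribute type numbers
RESULT = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}

def _attr(atype, value):
    """One type-length-value RADIUS attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_pod(identifier, secret, username, framed_ip):
    """Disconnect-Request; Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def nas_reply(request, code, secret):
    """What the NAS answers (no attributes); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def check_reply(request, reply, secret):
    """'Disconnect-ACK' (41) or 'Disconnect-NAK' (42), but only after the Response Authenticator verifies."""
    if len(reply) < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "invalid"            # truncated, wrong identifier, or length field disagrees
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return "bad-authenticator"  # wrong secret or forged reply: do not trust its result code
    return RESULT.get(reply[0], "unknown")

def send_pod(nas_ip, secret, username, framed_ip, port=3799, retries=2, timeout=2.0):
    """Equivalent of 'radclient -r 2 -t 2 <nas>:3799 disconnect' for the two-attribute POD above."""
    request = build_pod(1, secret, username, framed_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(request, (nas_ip, port))
            try:
                reply, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            return check_reply(request, reply, secret)
    return "timeout"
```

One check worth making before chasing the 'unknown ip' complaint: RouterOS only accepts incoming disconnect requests from an address it has configured under Radius, so in this setup the packet must leave the YFi server via the pptp tunnel with 10.20.30.1 as its source address.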

Changes to Beta-3 and prior setups

Ensure your deployment contains the following changes in order to have disconnection from YFi Hotspot Manager working correctly.

  • In /usr/local/etc/raddb/rlm_perl_modules/User.pm the section for Mikrotik should look like this:

        #___________Mikrotik____________________________
        if($return_data->[0][0] =~ m/mikrotik/i){
            # Mikrotik needs Framed-IP-Address as well as User-Name in the POD.
            # $username and $framedipaddress are interpolated into a shell command line,
            # so they must come from trusted data (the accounting table) or be escaped first.
            print "-> Disconnecting User From Mikrotik Type of Device\n";
            system("echo \"User-Name = $username,Framed-IP-Address = $framedipaddress\" | $radclient -r 2 -t 2 $ip:$port disconnect $secret");
        }

  • In /var/www/c2/yfi_cake/controllers/components/kicker.php the section for Mikrotik should look like this:

        //____ Mikrotik _____
        if($type == 'Mikrotik'){
            $port   = $q_r['Na']['ports'];
            $secret = $q_r['Na']['secret'];
            // Mikrotik requires that we know the IP the user came in with
            // (Framed-IP-Address) in addition to the User-Name.
            // $framedipaddress and $username end up on a shell command line;
            // escape them (escapeshellarg) unless they come from trusted data.
            $rc = $this->radclient;
            exec("echo \"Framed-IP-Address=$framedipaddress,User-Name=$username\" | $rc -r 2 -t 2 $nas_ip:$port disconnect $secret", $output);
        }

  • IMPORTANT Remember to restart FreeRADIUS for the above changes to take effect.


Custom Login Page

  • The standard log-in page which comes with the Mikrotik Hotspot is very simple.

  • If you wish to spice things up a little, there's a sample Mikrotik Hotspot login page, which features an Ajax slide show.

  • Just replace the images with some of yours to advertise the Hotspot.

