Configure RADIUS Servers
Follow the instructions on this page to configure the RADIUS servers.
These instructions assume that you have a new MikroTik with little to no existing configuration.
Configure IP Addresses
- Add the IP addresses on the customer-facing interface that will be used as the gateway IP for active subscribers (probably the bridge named “Customers”).
- Address: Ex: 100.64.1.1/24. This is the IP range for active subscribers.
- Optional: Add Subscriber Management IP addresses on the appropriate VLAN interface.
- Address: Ex: 10.2.1.1/24
- It is also best practice to document the subnet with meaningful comments.
DHCP server setup
- Using WinBox, navigate to `IP > DHCP Server` on the router where you will control customer access.
- In the DHCP Server window, click on the DHCP Setup button and choose the interface in which you want to set up the DHCP server from the DHCP Server Interface drop-down menu, and then click on the Next button.
- Put your LAN network block in the DHCP address space input box, then click the Next button.
- Choose the gateway address for the given network in the DHCP network gateway input box and then click the Next button.
- Provide the IP range for the address pool and click the Next button.
- Provide preferred DNS server IP and click the Next button.
- Now provide IP lease time and click the Next button. The suggested lease time is 10 minutes.
- Once the DHCP setup is complete, set the RADIUS option to “YES”.
- Lastly, rename the DHCP server and add a “-VISPv4” (case sensitive) suffix to it, e.g. “Lastmile-VISPv4”.
Critical Note: When using UBNT devices, the radio acts as a DHCP relay when option-82 is enabled. Because of this, we have to set a DHCP relay (255.255.255.255) on the server to process all incoming requests from any radio.
Optional: ARP Payment Enforcement Protection
With this setting, the router works only with clients that have received their IP addresses via the DHCP server; those leases are entered as static entries in the IP/ARP table. This ensures that customers can’t set static IPs on their devices to bypass the RADIUS suspension process.
- Set ARP to Reply-Only on a customer-facing interface (on the general tab of the bridge or physical interface)
- Check the “Add ARP for Leases” checkbox on the customer access DHCP Server.
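The DHCP server and ARP enforcement steps above can also be entered in the RouterOS terminal. This is an added example, not VISP's own script; the pool name `pool-customers` and its address range are assumptions, and no DNS server is set because the page gives no value for it.

```routeros
# Added example: terminal equivalent of the WinBox steps above.
# Assumed (not from the page): pool name "pool-customers" and its range.

# Gateway address for active subscribers on the customer-facing bridge
/ip address add address=100.64.1.1/24 interface=Customers \
    comment="Active subscribers gateway"

# Address pool handed out by the DHCP server (constructed range)
/ip pool add name=pool-customers ranges=100.64.1.10-100.64.1.254

# DHCP network for the subscriber subnet (add dns-server= for your resolver)
/ip dhcp-server network add address=100.64.1.0/24 gateway=100.64.1.1 \
    comment="Active subscribers"

# DHCP server:
#   lease-time=10m          suggested lease time
#   use-radius=yes          RADIUS option set to yes
#   relay=255.255.255.255   process requests relayed by any option-82 radio
#   add-arp=yes             "Add ARP for Leases": each lease creates an ARP entry
#   name ends in -VISPv4    case-sensitive suffix
/ip dhcp-server add name=Lastmile-VISPv4 interface=Customers \
    address-pool=pool-customers lease-time=10m use-radius=yes \
    relay=255.255.255.255 add-arp=yes disabled=no

# ARP reply-only on the customer-facing bridge: the router stops learning
# ARP entries dynamically, so only DHCP-assigned hosts can reach it
/interface bridge set [find name=Customers] arp=reply-only

# Check the result: server settings and the ARP entries created from leases
/ip dhcp-server print detail where name=Lastmile-VISPv4
/ip arp print where interface=Customers
```

Devices on that interface with manually set addresses, including any management station, lose connectivity once `arp=reply-only` is set unless they have a static ARP entry.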
Navigate to the Firewall/NAT tab and add the Masquerade rule for Active Subscribers
Assuming you are using private IP addresses, you will need to configure NAT either at the tower or at your core. The example below configures NAT at the tower. On the “NAT” tab, add a new rule with the following settings (if using private IPs):
- General / Chain: srcnat
- General / Src Address: 100.64.1.0/24 (adjust for the customers’ private IP pool)
- Action / Action: masquerade (or src-nat with specified to-address)
Note: The src-nat action uses fewer router resources than masquerade, so use it in place of masquerade if you are able to configure it with a public IP.
Configure Firewall and Redirection Page for Suspended Subscribers
- Generate Firewall rules by clicking the button below.
- After downloading the file, upload it to the MikroTik router by dragging it to the file directory.
- Open the terminal window and run the following command:
`/import verbose=yes file-name=firewall.cfg.rsc`
Configure Queues
- Select the Queue Types tab, and then double-click the default-small queue to open it.
- Change the default-small queue Kind value to ‘sfq’ and leave the default settings.
Important Reminder: When using Option82 authentication, the multi-mac option in the VISP package should be enabled.