Professional Documents
Culture Documents
July 5, 2011
Filed under: Linux Related, Mikrotik Related, Radius Manager — Tags: aacable, billing, card
system, dmaso坨lab, karachi, linux, mikrotik, mrtg, networking, pakistan, radius, story, success,
syed jahanzaib, zaib — Syed Jahanzaib / Pinochio~:) @ 11:00 AM
About these ads
i
6 Votes
Recently I was contacted by a friend who was really passionate in starting a mini-ISP type
network setup for about 3000 users in the interior area of city. (soon it may expand up to 5000+
users). He asked my help to setup a scratch card base fully automatic system where user
purchase scratch card, & using User self care portal web site, user may create his new ID or
refresh his previous ID or change the service package according to the card package offers. I
had previously setup this kind of scenario in a cable.net environment using Mikrotik built-in
radius server called ‘User Manager’, but it have very limited basic features and all it can offer
was a pre-paid type option and it doesn’t have many accounting features. So I thought I should
give a try to more rich feature radius server and a坨er a lot of googling i decided to go with
(FREERADIUS base ) DMASOFTLAB RADIUS MANAGER. A very famous radius server with
all the option that a mini-ISP would required at unbelievably low price.
*Main Mikrotik = v4.17 x86 / Xeon 3.6Ghz Dual / 2 GB Ram / WD 500 GB Sata Hdd , This MT is
serving as a PPPoE Server + NAT + bandwidth shaping. It also redirects HTTP traffic to Proxy
1 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
server.
* Mikrotik RB750 = Just for HOTSPOT to redirect users to self care portal.
(This can be done on Main MT also, but I prefer it this way)
* Radius Server = DMASo坨lab RM v3.9 installed on Fedora v10 / Xeon 3.6Ghz Dual / 4 GB Ram/
WD 500 GB x2 Sata Hdd
* SQUID PROXY GW = SQUID v2.7 on UBUNTU Karmic Koala v9.10 / Xeon 3.6Ghz Dual / 8
GB Ram / WD 500 GB x3 SATA HDD (2 HDD reserved for Cache), This server acts as a proxy +
Gateway machine for the Mikrotik, It also do URL Filtering blocking ads, it also have ZPH
enabled so content available in squid cache should be downloaded at full speed (without
package limitation) at user end. It also cache youtube videos using VIDEOCACHE.
* Linux Transparent BRIDGE firewall + DHCP + DNS + MRTG + WEB Server on FEDORA V10 /
Xeon 3.6Ghz Dual / 4 GB Ram / WD 500 GB SATA HDD, This server sits between Mikrotik and
Users , filtering unwanted traffic, ports and do some other stuff like lightweight DNSMASQ
DNS Server, DHCP server providing ips to users , Web Site with MRTG , Psychostats ranking
system for Counter Strike Game, Server Monitoring Scripts and Alerts, PHPBB Forums for
Users, and some other cool stuff. DNS+DHCP is hosted on this server to minimize load on main
mikrotik machine, alos this machine filters unwanted traffic from passing by to main mikrotik.
In this setup , I have configured HOTSPOT on extra RB750 only to redirect user to my
advertisement page, where he is informed that he is not logged in via dialer, either create /
refresh his ID from RM User Self Care Portal, or if he already have an id, connect it via dialer. I
don’t prefer HotSpot authentication due to various security reasons, mainly due to I had a very
bad experience having HOTSPOT hit by ARP-POISONING and many virus flooder that
requires default gateway.
When user first login , his PC MAC address is binded with his ID to prevent accessing it from
different pcs. Multiple session of same ID is NOT allowed , I provide user with scratch card
(with refill code) , which he can use to refill his account according to card amount/package from
RM User self care portal. RM demo can be viewed at h⬰p://www.dmaso坨lab.com/cont/radman
When users with pppoe dialer tries to connect to main Mikrotik, MT verifies its credentials by
asking Radius Server for the account validity, if the ID is valid, user connects okay and can use
internet , otherwise he gets disconnected. When the User account is expired, he still can login
via dialer, but then he is redirect to my local web server page where he is informed that his
account is expired and he should visit billing.local page to renew his account using the card.
Please find along with a⬰achment is my Network Diagram (This was initially designed, I made
few changes a坨erward, I removed FTP from MT DMZ to user subnet lan to avoid load on MT , I
moved 坨p OS from windows to Linux and integrate it with radius authentication using
APACHE.
2 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
features. It also features monitoring system with MRTG / SMS Alerts via a⬰ached Mobile.
About RM: Radius Manager uses a nice web interface for administering the users and the whole
system (traffic accounting, tracking of online users, display statistics, maintenance ,account
management etc.).
and to add that DMASo坨lab customer support guys (specially Mr. Viktor.K) have excellent
support and respond instantly even to the dumbest of questions. It is real value for money
especially for those who do not have big wallet$.
Comments (71)
3 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
71 Comments »
1. This is very nice. Can I host “DMASOFTLAB RADIUS MANAGER” on a server on the
internet and have like 10 Mikrotik RB450G hotspots in different locations in my country link
to this Radius? I have limited knowledge of these things but would like to set up hotspots in
different locations in my country. I would like to be able to roam between the different
hotspots with a single prepaid scratch card. Can you help me get this project off the ground?
Reply
Yes you can have central RADIUS and multiple NAS (mikrotik) all over the country and
let them authenticate it with central RADIUS.
If your NASes (Network Access Servers like Mikrotik HOTSPOT) are on remote
locations , (which are not reachable directly by the RADIUS server or not the same
LAN), realize the following setup to get them working with Radius Manager:
1. Install a central PPtP server (Mikrotik RB750 will be enough for this) in NOC, beside
the RADIUS server.
2. Connect all your NASes (Mikrotik) to the central PPtP server with PPtP connections.
The central PPtP server must have public, static IP (it must be visible for the remote
NASes).
3. PPtP server will assign static local IPs to NASes via PPtP tunnels.
4. All NASes will reach the RADIUS server via PPtP tunnels and vice versa (RADIUS
UDP protocol).
Using this method NASes can use any IP (public, local, static, dynamic) and RADIUS
server will see them on local, static IP addresses, via the PPtP tunnels. Tunnels are used
for RADIUS packets only (low traffic), while the heavy Internet traffic is going through
the main connection of NAS (ADSL etc.).
Reply
Thank you for your extremely quick reply. Now I will start implementing this project
soon. Keep up the good work brother! I will keep you updated on my progress.
is the above method will work for DMA so坨 radius manager along with mikrotik
server.
4 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
2. Nice post….i am working at something very similar to this…just that my expected user base
is 15000+, so i plan for 5000+ on each main mikrotik X3 and just a radius manager server…do
you think this can scale? also can you share the setup config you used for the
caching/transparent bridge firewall……
Reply
Radius Manager Pro and CTS versions have no limitation in a maximal number of users.
The performance of the entire Radius Manager system mainly depends on the speed of
the hard disks and the MySQL subsystem. Adding more RAM will drastically speed up
the MySQL system. Indexes must be fit in the RAM for optimal performance.
Add more RAM to the system. Adding 4-8 OR 8-16 GB of RAM doesn’t mean any
problem nowadays.
In real situations the capacity of NAS (Mikrotik) can have the problem. Use Multiple
Quad core CPU and you will be fine with that much load.
For Transparent Bridge which is also acting as Firewall +DNS + web + MAC to IP binding
DHCP server , I will write its guide as soon as I get free time.
Reply
3. Hi
I am trying to setup a Hotspot site to intergrate with the Radius Server. I have assigned
public ip addresses to the Radius Server and the Mikrotik Nas and from the Hotspot
Mikrotik I can ping both the nas and radius server. However, when I try to browse I am
being taken to the Mikrotik Hotspot logon, I am not sure howto link up the hotspot to the
the nas and finally the Radius server.
Can you please provide me with some guidelines.
Reply
You are redirecting to Mikrotik HOTSPOT login page because it is designed to do so. to
redirect every UN Authenticated session to Login page, so you can authenticate using
your valid id password, and then you can browse the internet. You have to integrate your
NAS (Mikrotik) with the RADIUS server.
5 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
h⬰p://aacable.wordpress.com/2011/08/09/mikrotik-pppoe-server-with-user-manager-
pre-paid-billing-system/
h⬰p://wiki.mikrotik.com/wiki/User_Manager/Hotspot_Example
Reply
4. Hi
On my Hotspot Mikrotik I have refined the Radius ip address as 196.15.xy.x but when I try
logging in to the Hotspot logon page with Radius users I get an error “Radius server not
responding” even I can ping the Radius Sever. The Hotspot Mikrotik logs gives this error
“hotspot info debug : user loging failed:RADIUS server is not responding”
Reply
5. HI,
I’ve just about given up on the Radius Manager, though I’ve had it in trial mode with my
MTik Hotspot/router for @ 3 weeks. And had it working fine. Now some Apache issues.
I just am not good with Linux but I have good network skills. It’s unfortunate because of all
the time I’ve spent ge⬰ing it up and running.
I cannot get consistent responses from DMASo坨labs.
I guess my question is where to find support.
Reply
The best support that you can get regarding RM is support@dmaso坨lab.com
There response time is very good. They usually answers to RM related issues only.
Usually, Once you have configured RM properly, it works fine without any hurdle. I have
configured many RM in my area and they are running from many months without any
issues. My personnel advise: Try not to mess up with the configuration files. What Linux
disto you are using?
RM works great with FEDORA 10 with all default configuration. I suggest you to install
Fedora 10, then follow on the guide I have published on my Blog. Its a step by step guide
with some my own added experiences.
h⬰p://aacable.wordpress.com/2011/07/19/mikrotik-dmaso坨lab-rm-squid-zph-linux-
bridgecomplete-guide/
Reply
6. Hello, plz i need help on detailed configuration of squid proxy server (Transparent proxy)
6 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
using redhat linux, so that it can help me improve my browsing speed for my lan users. My
email is obinna4god@yahoo.com.
I heard that there are ways to stop or block adbanners in redhat or linux, i equally need the
steps to achieve it.
Thanks
Reply
7. To configure SQUID in transparent mode. Please use the following guide.
h⬰p://aacable.wordpress.com/2011/08/08/linux-transparent-squid-proxy-server-guide/
h⬰p://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
To block internet advertisement via SQUID, Please use the following guide.
h⬰p://aacable.wordpress.com/2011/06/01/squid-howto-block-ads/
Reply
8. salaam i am aman sir maire passs mikrotik 5.7 ki key pardi hoi hai plz aap mujhe bata sake
hai os ko kese install karo only import key hai plz help me
Reply
First copy key at your desktop.
Then Open Winbox / Goto Files, Paste the KEY file here,
OR
h⬰p://wiki.mikrotik.com/wiki/Manual:Entering_a_RouterOS_License_key
Reply
salaam alikuam
sir aap maire baat amjh nahi main khara hoo ke maire pas mikrotik 5.7 hai main is ko
careke ke se karo maire pass asal ki hai wo yeh hai W5EY-LHT9 HAI AUR
MIKROTIK 5.7 KI KEY YEH ARAHI HAI BMD5-E77L MAIN YEH ASAL KEY
KESE YEH LIYE KAAR AOA SOFTWARE ID W5EY-LHT9
7 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Reply
Sorry I can’t help you in cracking Mikrotik. Its ILLEGAL.
I post an article on howto crack mikrotik 3.3 , but that was just for Educational and
learning purpose only.
Reply
10. great post!
Will come back later for some questioning session.
Reply
11. ok thank you ir
but aik aur soawal ka jowab ded ke mikrotik pcc load balacing se dual peed hoti hai yaa
naram main ne sona hai ke do dsl hoo 4mb aur 4mb pcc se 8 mb ate hai kia yeh sachha hai
Reply
Yes. its true in some extent that you get data from both lines, PCC do more then that if
you use it correctly
Reply
12. thank you sir
aik aur baat sir maire mikrotik 3.22 hai kia is main bhi pcc load balacing ho sakti hai
Reply
You need at least mikrotik 3.0+ for pcc support.
Reply
13. thank you sir
aur aik baat kia haam mikroik se clinet ke pc dekh ssakte hai i mean on ki web site
Reply
14. plz tell me
Reply
8 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Reply
15. dolaso坨 is free or commerical so坨ware…?
pls provide the download link
Reply
It’s Free.
h⬰p://daloradius.com/
However its complete Documentation and various additional modules are available for
some charges.
Reply
16. Im a local wisp for 100+ customers with for internet connection with shared and commerical
clients,
what kind of setup i need.?
Reply
Depends on your requirements.
For 100 clients, Following can help you for beginning (Network portion only)
Reply
17. i thing this is the best isp website that i’ve ever seen ur amazing
i’ve a small isp company with 250users at the moment . what do u thing is the best solutions
for me to work .
Max customers in one mikrotik are 60users connected with Rb435G routerboard 680mhz rb .
into the others are mostly 20-50users on 433 RB .
I’ve 7 routers and one RadiusMANAGER with a DELL COMPUTER 3.0GHZ 250GB HDD
and 2GB RAM
can i do the squid server just for webs like .php .html and not for musics and videos on the
radiusmanager server with this amount of users 200-250simulations users
what do u thing do i need to add on my base station now … ( whats the best solutions to
9 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Reply
SQUID is an highly customizable proxy server, You can configure it according to you
requirements and its possible to cache only certain content in cache.
If you add proxy, your users browsing experience will increase.
It’s not ma⬰er what flavor you use for building SQUID, I personally use UBUNTU 10.4,
which is quite lighter and ge⬰ing higher a⬰ention of administrators all over the globe.
Reply
18. yeah but is there a complete guide how to build a squid server
from the beginning cuz im newbie on linux and want to do a squid server
or do i need just to install ubuntu and then add the squid configuration file ?
and my quesiton was “Can i build squid server ( just for php/html pages/images) in the same
computer as radiusmanager or not (radius manager is working at the moment with CentOS 6
).
And can i connect the squid server with a public ip address like the radiusmanager and
mikrotiks and if i have a problem with squid server will it affect to the users or does it work
like this
thanks for ur reply , ur amazing good and sorry for my bad english
Reply
I am not much familiarized with the CENTOS commands, but squid configurations are
same for all flavors.
Try to start basic with following links.
h⬰p://aacable.wordpress.com/2011/08/08/linux-transparent-squid-proxy-server-guide/
h⬰p://aacable.wordpress.com/2011/06/01/working-squid-conf-example-fil/
Never Mix SQUID with Your BILLING RADIUS SERVER, It will gonna messup if any
thing goes wrong.
Billing is the most important service/server of your network, Don’t play with it.
Reply
19. thanks for ur reply’s .
i’m going to try to build a new server , and my another question was :
10 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Reply
Well you can do Fail-over via using the following trick.
Assuming the following scenario.
So in ip route you will set up routes with check-gateway that if your default gateway
(Squid) is down, then sends requests via WAN1 > DSL,
You need to Read a lot first in order to understand how fail over works in Mikrotik. Read
n Read.
Regarding SQUID Hardware, Get some good speed hardware, the more speedy
hardware you put in it, the be⬰er cache performance you will get. For example, following
hardware would be enough.
Reply
20. Hello !,
11 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
One more thing , there are Access Points & some switches which is also configured with
private IPs.
Problem :
- APs and Switches are configured with (192.168.22.0/24 ) and this ip is added in ether 2 as
secondary IP.
- When tried to access APs and switches , Mikrotik Login page displays.
and is only accessible when i manually enter username/password.
I want to access those APs and Switches without any authentication.
Thanx in advance.
- Shiva
Reply
21. Sir i have configured Radius Manager and i have four mikrotik routers with have 100 user’s
in them in one LAN could you please guide me through how to connect them with central
radius manager.
Reply
Wy FOUR mikrotik router for 100 users :s even single mikrotik rb450 is enough for you.
On all your NAS, point to your RM in RADIUS section. its very simple, Read the manual
of RM on howto connect to RM in Mikrotik.
Reply
22. Sir i have configured dmaso坨lab Radius manager and i have two mikrotik router that
userman is enabled with having 100 user’s each so i need to connect them with centralized
Radius manager i have searched alot about it but i didnot got the concept of any one of it
please provide me a configuration for it.
Thnx in Advance
Reply
12 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
On all your NAS, point to your RM in RADIUS section. its very simple, Read the manual
of RM on howto connect to RM in Mikrotik.
Reply
23. Sir for connecting mikrotik with RM i have read the manual of RM but that didnot worked
for me and if you can give the guide i would really appreciate it.
Thanks in Advance,
Reply
24. learn video plaes
Reply
25. I have A and B location and we are using cyberrom for authentication at A location , now i
have one question to u we are using mikrotik at B location if i have to authenticate B location
user to A location than what i have to configure at B and mikrotik
Reply
26. I dont know y you guys are messing around ……
your configuration is simple and already briefly explained by Mr. Syed
Reply
27. if do want to mess with your netowrk for experimenting which i suggest as your customers
will be in trouble i suggest u to get a good machine and run aware work station for
experiments and when u r done in that then just implement that on your real time network.
i have configured about 19 hotspot in different areas, with simple RBs as NASes and single
RM server. recently i was informed that we have reached 1000+ users.
Reply
28. Assalam-O-Alaikum jahanzaib bhai please h⬰p://freeradius.org/ ki koi guide dain k isko kese
install keren aur mikrotik k sath config kese kren
Reply
Such guide is already available at mikrotik wiki and its well wri⬰en
Reply
29. Dear Syed Jahanzaib
13 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Thanks a lot for you support for new biggners …. No word to explain.. ThanQ ..
Reply
30. We need support system as well SMS module and payment module agent module with
dmaso坨lab… can any one help me??
Reply
Yes. Send your complete requirements with your current scenario to aacable [at]
hotmail.com
Reply
31. does reset traffic counters work ? on add credit in additional mode ? I dont think so it works
on Radius manager
Reply
32. sir ma cable net ka kam karta ho aor ma na ek Data server share kaya ha jis ka path \\server
ha lakin jin users ko ma router lagha kar dataho aun ka pass server open nahi hota app pls is
ka liya bi kuch kare
Reply
IT would be much be⬰er if you use HTTP or FTP base sharing server, this way you will
have more control and features over your media server.
Reply
33. sir plz help me few command of radius make problem for
Reply
What exact error you are ge⬰ing ???
Don’t copy paste SQL code from blog to SQL console. Manually type all the commands
related to SQL. Pay specially a⬰ention to commas like ‘
when you copy paste the comma, it becomes another character which SQL doesn’t
understand?
14 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
Reply
34. Hello Syed Jahanzaib, How could I directly contact to you? I’ve few questions. Thanks.
Reply
Send me email at aacable [at] hotmail.com
Reply
35. hi syed
i get error when i user radtest user 1111 localhost
get no response frome server id socket 3
Reply
Make sure radius service is started in debug mode
Reply
i use raqdius -X and get
Ready to process requests.
36. HI,
have a big problem while restricting bandwidth in radius manager. Local/outside traffic both
gets restricted by doing this,As an alternative , just for authentication , it goes to RM , For
rest , bandwidth restriction , i have created a queue rule and applied bandwidth.
Also I have assigned static ip in RM , queue rule has been maintained for the same IP.
What went wrong is it gets different ip address than one assigned in radius manager.
Regards,
Shiva
Reply
Are you using HOTSPoT ?
Reply
yes
15 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
37. buenas tardes tengo un problema instale barias beses RM 4 y cuando entro al ACP la
primera vez va todo bien luego cierro el panel y reinicio la maquina y quiero ingresar
nuevamente al ACP me habre una pagina en blanco y en otra oportunidad me descargo un
archivo admin.php. ayuda desde ya muchas gracias
Reply
English Please
This problem o坨en happens due to incorrect version of ZEND installed in PHP. Usual
causes are php and .so conflict.
Try using Ubuntu 10.4 , it works very well and have been tested and deployed
successfully at many networks.
Reply
38. Sir,
What a wonderful post, nice, i configured it and working very fine, thanks again.
but here is small query with my hotspot login page.
my (Mikrotik) hotspot does not redirect login page if i someone tries the secure (h⬰ps://) site
like h⬰ps://www.google.com
eg if someone types h⬰p://www.google.com, he will redirected to login page, but if he tries
secure site like h⬰ps://youtube.com, than he will not get redirected to login page and
browser gives error loading page.
Can you please help me!!! i have tried to make tick mark in mikrotik ip/hotspot/server
profile/ login h⬰ps=yes
but nothing improved!!!
Reply
The hotspot only redirects port 80 requests. It won’t redirect SSL, email, FTP, or ssh
clients. It just blocks them until you are logged in on port 80.
There MIGHT be a solution for this but If you intercepted the HTTPS response, the users
browser would throw up SSL error messages which really scare the users off
Reply
wow, what a solution, shukriya.
Thank You
16 of 17 15-05-2013 12:27
A Success story with Mikrotik and DMASoftlab RADIUS MANA... http://aacable.wordpress.com/2011/07/05/a-network-design-glass-...
RSS (Really Simple Syndication) feed for comments on this post. TrackBack URI (Uniform
Resource Identifier)
17 of 17 15-05-2013 12:27