Daloapi setting
-
install freeradius (with mysql) and daloradius
daloradius needs php-pear and php-db:
```
sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db
sudo pear install db
```
-
deploy daloapi from git, using the same database settings as freeradius; make sure the daloapi database migration has been set up.
-
after git deployment:
- copy `.env.example` to `.env`
- configure the db credentials in `.env`
- then run:
```
composer install
chown $USER:www-data storage
php artisan key:generate
```
-
enable mod rewrite in the apache2 config
```
sudo nano /etc/apache2/apache2.conf
```
search for something like:
```
<Directory /var/www/html>
    # Configuration for enabling .htaccess
    AllowOverride None
    Require all granted
</Directory>
```
and change `AllowOverride None` to `AllowOverride All`
-
make a symlink from the daloapi installation folder to www/html
```
sudo ln -s /var/www/webapps/daloapi.javalatte.xyz/ /var/www/html/daloapi/
```
-
change `daloapi_url` in the iBilling config to `http://localhost/daloapi/api/`
-
register/login to daloapi to get an api token:
`https://daloapi.javalatte.xyz/api/login?email=[email/username]&password=[password]`
(the password travels in the query string here, so it ends up in the web server access log)
register url to be added, see the route in the source code
-
Mikrotik Setting
Radius setting
- Set the Radius client to use your radius server
- Set Radius Incoming to accept commands from the radius server
- Radius > click the "Incoming" button > tick the "accept" checkmark field
Hotspot
Mikrotik-Group
If daloradius is using `Mikrotik-Group`, make sure the Mikrotik has a `hotspot user profile` with the same name as the dalo `Mikrotik-Group` value.
Example:
```
/ip hotspot user profile
add incoming-packet-mark=hotspot-UP-GeneralUsers name=GeneralUsers outgoing-packet-mark=hotspot-DOWN-GeneralUsers shared-users=2
add incoming-packet-mark=hotspot-UP-AdminProfile name=AdminProfile outgoing-packet-mark=hotspot-DOWN-AdminProfile shared-users=20
add incoming-packet-mark=hotspot-UP-High1Users name=High1Users outgoing-packet-mark=hotspot-DOWN-High1Users shared-users=2
add incoming-packet-mark=hotspot-UP-High2Users name=High2Users outgoing-packet-mark=hotspot-DOWN-High2Users shared-users=2
add incoming-packet-mark=hotspot-UP-High3Users name=High3MultiUsers outgoing-packet-mark=hotspot-DOWN-High3Users shared-users=10
add incoming-packet-mark=hotspot-UP-High3Users name=High3Users outgoing-packet-mark=hotspot-DOWN-High3Users shared-users=2
```
Route
- If the Radius server is behind docker openvpn and the Radius IP is not on the same subnet as the VPN, you need to add a route to the radius server IP.
Optional
Bandwidth Management
In this example we use a Queue Tree with the packet marks created automatically by the Hotspot User Profile.
The packet marking done by the User Profile does not happen in the built-in Mangle chains but in the auto-generated chain=hotspot, so for this method to work you need a Mangle rule with action=jump from a built-in chain to chain=hotspot.
Hotspot User Profile
We use the script from the `Mikrotik-Group` section above.
Mangle Hotspot Jump
make sure to position this mangle rule above the dynamic mangle rules created by the hotspot user profile
```
/ip firewall mangle
add action=jump chain=forward jump-target=hotspot
```
Queue tree
```
/queue tree
add name="DOWNLOAD GLOBAL" parent=global
add name="UPLOAD GLOBAL" parent=global
add name="Admin Up" packet-mark=hotspot-UP-AdminProfile parent="UPLOAD GLOBAL"
# download queues use the profile's outgoing (DOWN) mark
add name="Admin Down" packet-mark=hotspot-DOWN-AdminProfile parent="DOWNLOAD GLOBAL"
add name="General Down" packet-mark=hotspot-DOWN-GeneralUsers parent="DOWNLOAD GLOBAL"
add name="General Up" packet-mark=hotspot-UP-GeneralUsers parent="UPLOAD GLOBAL"
add name="H1 Up" packet-mark=hotspot-UP-High1Users parent="UPLOAD GLOBAL"
add name="H2 Up" packet-mark=hotspot-UP-High2Users parent="UPLOAD GLOBAL"
add name="H3 Up" packet-mark=hotspot-UP-High3Users parent="UPLOAD GLOBAL"
add name="H1 Down" packet-mark=hotspot-DOWN-High1Users parent="DOWNLOAD GLOBAL"
add name="H2 Down" packet-mark=hotspot-DOWN-High2Users parent="DOWNLOAD GLOBAL"
add name="H3 Down" packet-mark=hotspot-DOWN-High3Users parent="DOWNLOAD GLOBAL"
```
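The whole chain only works when three things line up: every `Mikrotik-Group` value sent by daloradius names an existing hotspot user profile, and every queue-tree entry uses a packet mark that some profile actually produces, in the right direction. The following checker is an added example (not part of these notes or of RouterOS) that reads a `/export`-style dump and reports the mismatches; the dump and the group list are constructed, and the "DOWNLOAD GLOBAL"/"UPLOAD GLOBAL" parent naming is taken as the convention used above.

```python
import re
from collections import defaultdict

# Constructed RouterOS export in the shape used on this page, not a real device
# dump; "Admin Down" deliberately carries the UP mark so the check reports it.
ROUTEROS_EXPORT = """
/ip hotspot user profile
add incoming-packet-mark=hotspot-UP-GeneralUsers name=GeneralUsers outgoing-packet-mark=hotspot-DOWN-GeneralUsers shared-users=2
add incoming-packet-mark=hotspot-UP-AdminProfile name=AdminProfile outgoing-packet-mark=hotspot-DOWN-AdminProfile shared-users=20
/queue tree
add name="DOWNLOAD GLOBAL" parent=global
add name="UPLOAD GLOBAL" parent=global
add name="Admin Up" packet-mark=hotspot-UP-AdminProfile parent="UPLOAD GLOBAL"
add name="Admin Down" packet-mark=hotspot-UP-AdminProfile parent="DOWNLOAD GLOBAL"
add name="General Down" packet-mark=hotspot-DOWN-GeneralUsers parent="DOWNLOAD GLOBAL"
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Map each menu path ('/queue tree', ...) to the dicts of its 'add' lines."""
    menus, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            menus[current].append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return menus

def check_marks(text, radius_groups):
    """Cross-check Mikrotik-Group values, profiles and queue-tree marks; return mismatches by kind."""
    menus = parse_export(text)
    profiles = menus["/ip hotspot user profile"]
    produced = {}  # packet mark -> direction the profile assigns it to
    for p in profiles:
        produced[p["incoming-packet-mark"]] = "UP"
        produced[p["outgoing-packet-mark"]] = "DOWN"
    report = {"missing_profile": sorted(set(radius_groups) - {p["name"] for p in profiles}),
              "unknown_mark": [], "direction_mismatch": []}
    used = set()
    for q in menus["/queue tree"]:
        mark = q.get("packet-mark")
        if mark is None:  # the GLOBAL parent queues carry no mark
            continue
        used.add(mark)
        if mark not in produced:
            report["unknown_mark"].append(q["name"])
        elif produced[mark] != ("DOWN" if "DOWNLOAD" in q["parent"] else "UP"):
            report["direction_mismatch"].append(q["name"])  # page convention: DOWN under "DOWNLOAD GLOBAL"
    report["unqueued_mark"] = sorted(set(produced) - used)  # marks that are never shaped
    return report
```

Feed it the real `/export` output and the distinct `Mikrotik-Group` values from dalo's `radgroupreply` table; a non-empty `missing_profile` list is the usual reason hotspot logins fail with a correct password.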
Login by MAC
Set the hotspot to log in by MAC if you want
Scheduler: remove unauthorized clients
Scheduler to remove unauthorized clients from the hotspot hosts (so a newly added MAC can log in)
```
/ip hotspot host remove [find authorized=no ]
```
VPS & Freeradius config
alter table radpostauth add mac
https://aacable.wordpress.com/2017/08/15/playing-with-the-radpostauth-table-in-freeradius/
The updated query below also writes `reply_message` and `nasipaddress`, so those columns must exist in `radpostauth` as well.
"post-auth" section to edit in
`/etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf`
```
#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query - Insert some info after authentication
#######################################################################
post-auth {
    # original query
    query = "\
        INSERT INTO ${..postauth_table} \
            (username, pass, reply, authdate, mac) \
        VALUES ( \
            '%{SQL-User-Name}', \
            '%{%{User-Password}:-%{Chap-Password}}', \
            '%{reply:Packet-Type}', \
            '%S', \
            '%{Calling-Station-Id}')"
}
```
updated query: when the reply is `Access-Reject`, only the first 3 occurrences per user per day are saved (non-reject replies are always saved)
```
    query = "\
        INSERT INTO ${..postauth_table} \
            (username, pass, reply, reply_message, authdate, mac, nasipaddress) \
        SELECT \
            '%{SQL-User-Name}', \
            '%{%{User-Password}:-%{Chap-Password}}', \
            '%{reply:Packet-Type}', \
            '%{Module-Failure-Message}', \
            '%S', \
            '%{Calling-Station-Id}', \
            '%{NAS-IP-Address}' \
        FROM ${..postauth_table} \
        HAVING (SELECT COUNT(username) FROM ${..postauth_table} \
                WHERE username = '%{SQL-User-Name}' \
                AND DATE(authdate)=CURDATE()) < 3 \
            OR '%{reply:Packet-Type}' <> 'Access-Reject' \
        LIMIT 1"
```
As in the stock FreeRADIUS query, the `pass` column stores the PAP password in clear text; drop it from the column and value lists if you do not need it.
full file gist https://gist.github.com/akzn/4174d256bb49a0ab20600582fca92f3c
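To see the reject cap behave before touching a live server, here is an added example (not from these notes or the gist) that replays a sequence of authentication results against a constructed `radpostauth` table with the same rule as the updated query. SQLite is used so it runs offline, and the condition is written as a FROM-less `SELECT ... WHERE` (add `FROM DUAL` for MySQL) rather than `FROM table ... HAVING ... LIMIT 1`, which also lets it insert into an empty table.

```python
import sqlite3

# Constructed stand-in for the radpostauth table with the columns the modified
# queries.conf on this page writes. SQLite is used only so this runs offline.
SCHEMA = """CREATE TABLE radpostauth (
    id INTEGER PRIMARY KEY, username TEXT, pass TEXT, reply TEXT,
    reply_message TEXT, authdate TEXT, mac TEXT, nasipaddress TEXT)"""

# Same rule as the page's updated post-auth query: a non-reject is always
# stored, a reject only while the user has fewer than 3 rows logged today.
# Written as a FROM-less SELECT ... WHERE (add FROM DUAL for MySQL) instead of
# FROM table ... HAVING ... LIMIT 1, so it also inserts into an empty table.
POSTAUTH_QUERY = """
INSERT INTO radpostauth
    (username, pass, reply, reply_message, authdate, mac, nasipaddress)
SELECT :user, :pw, :reply, :msg, :authdate, :mac, :nas
WHERE (SELECT COUNT(username) FROM radpostauth
       WHERE username = :user AND date(authdate) = date(:authdate)) < 3
   OR :reply <> 'Access-Reject'
"""

def log_postauth(conn, user, reply, authdate, mac="AA:BB:CC:DD:EE:FF",
                 nas="10.0.0.1", msg=""):
    """Run the conditional insert; True if the attempt was stored."""
    cur = conn.execute(POSTAUTH_QUERY, {
        "user": user, "pw": "", "reply": reply, "msg": msg,  # password not kept
        "authdate": authdate, "mac": mac, "nas": nas})
    conn.commit()
    return cur.rowcount == 1

def simulate(events):
    """Replay (username, reply, authdate) events on a fresh table and return,
    per event, whether it ended up in radpostauth."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return [log_postauth(conn, u, r, d) for u, r, d in events]
```

Four rejects in a row give `[True, True, True, False]`; an accept after the cap is still stored, and the count starts again the next day.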
Docker VPN Setting
This part applies if we tunnel through docker using either OpenVPN or Wireguard
- Iptables port forwarding
Port forward ports 1812 and 1813 from container to host. I don't know why, but besides ports 1812 and 1813 we also need to forward port 80 to make it work.
route
- read https://notes.javalatte.xyz/docker-wireguard-mikrotik/#Host_route_to_container to add a route from the host to the vpn client behind the docker container