AKZN Notes

Archives for My Lazy and Forgetful Mind

Freeradius + Daloapi + mikrotik


Daloapi setting

  1. install freeradius (with mysql) and daloradius

    daloradius needs php-pear and php-db:

    sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db
    sudo pear install db
  2. deploy daloapi from git, point it at the same database that freeradius uses, and make sure the daloapi database migration has been run.

    • after git deployment

      copy .env.example to .env

      configure the db credentials in .env

      composer install
      chown $USER:www-data storage
      php artisan key:generate
    • enable mod_rewrite (.htaccess overrides) in the apache2 config

      sudo nano /etc/apache2/apache2.conf

      search for something like:

      <Directory /var/www/html>
      # Configuration for enabling .htaccess
      AllowOverride None
      Require all granted
      </Directory>

      change AllowOverride None to AllowOverride All

    • make a symlink from the daloapi installation folder into /var/www/html

      sudo ln -s /var/www/webapps/daloapi.javalatte.xyz/ /var/www/html/daloapi/
    • change `daloapi_url` in the iBilling config to http://localhost/daloapi/api/

    • register/login to daloapi to get an API token
      https://daloapi.javalatte.xyz/api/login?email=[email/username]&password=[password]
      (the password travels in the URL query string here, so it ends up in the Apache access log; use HTTPS and rotate the token if that log is shared)
      register URL to be added, see the route in the source code

Mikrotik Setting

Radius setting

  • Set RADIUS to use your RADIUS server
  • Set RADIUS Incoming to accept commands from the RADIUS server
    • Radius > click the "Incoming" button > tick the "accept" checkbox

Hotspot

Mikrotik-Group

If daloradius is using a `Mikrotik-Group` profile, make sure the MikroTik has a `hotspot user profile` with the same name as the dalo `Mikrotik-Group` value.
Example:
```
/ip hotspot user profile
add incoming-packet-mark=hotspot-UP-GeneralUsers name=GeneralUsers outgoing-packet-mark=hotspot-DOWN-GeneralUsers shared-users=2
add incoming-packet-mark=hotspot-UP-AdminProfile name=AdminProfile outgoing-packet-mark=hotspot-DOWN-AdminProfile shared-users=20
add incoming-packet-mark=hotspot-UP-High1Users name=High1Users outgoing-packet-mark=hotspot-DOWN-High1Users shared-users=2
add incoming-packet-mark=hotspot-UP-High2Users name=High2Users outgoing-packet-mark=hotspot-DOWN-High2Users shared-users=2
add incoming-packet-mark=hotspot-UP-High3Users name=High3MultiUsers outgoing-packet-mark=hotspot-DOWN-High3Users shared-users=10
add incoming-packet-mark=hotspot-UP-High3Users name=High3Users outgoing-packet-mark=hotspot-DOWN-High3Users shared-users=2
```

Route

  • If the RADIUS server is behind a Docker OpenVPN and its IP is not on the same subnet as the VPN, you need to add a route to the RADIUS server IP.

Optional

Bandwidth Management

In this example, we will use a Queue Tree with Packet-Mark markings created automatically by the Hotspot-User Profile.

The packet marking performed by the user profile is not placed in a built-in chain in Mangle but in the auto-generated chain=hotspot. Therefore, for this method to work, you need to create a mangle rule with action=jump from a built-in chain to chain=hotspot.

Hotspot User Profile

We use the script from the `Mikrotik-Group` section above.

Mangle Hotspot Jump

Make sure to position this mangle rule above the dynamic mangle rules created by the hotspot user profile.

```
/ip firewall mangle
add action=jump chain=forward jump-target=hotspot
```

Queue tree

```
/queue tree
add name="DOWNLOAD GLOBAL" parent=global
add name="UPLOAD GLOBAL" parent=global
add name="Admin Up" packet-mark=hotspot-UP-AdminProfile parent="UPLOAD GLOBAL"
add name="Admin Down" packet-mark=hotspot-DOWN-AdminProfile parent="DOWNLOAD GLOBAL"
add name="General Down" packet-mark=hotspot-DOWN-GeneralUsers parent="DOWNLOAD GLOBAL"
add name="General Up" packet-mark=hotspot-UP-GeneralUsers parent="UPLOAD GLOBAL"
add name="H1 Up" packet-mark=hotspot-UP-High1Users parent="UPLOAD GLOBAL"
add name="H2 Up" packet-mark=hotspot-UP-High2Users parent="UPLOAD GLOBAL"
add name="H3 Up" packet-mark=hotspot-UP-High3Users parent="UPLOAD GLOBAL"
add name="H1 Down" packet-mark=hotspot-DOWN-High1Users parent="DOWNLOAD GLOBAL"
add name="H2 Down" packet-mark=hotspot-DOWN-High2Users parent="DOWNLOAD GLOBAL"
add name="H3 Down" packet-mark=hotspot-DOWN-High3Users parent="DOWNLOAD GLOBAL"
```

Login by Mac

Set the hotspot to log in by MAC address if you want.

Scheduler remove unauth client

Scheduler that removes unauthorized clients from the hotspot hosts (so that a newly added MAC can log in):
```
/ip hotspot host remove [find authorized=no ]
```

VPS & Freeradius config

Alter the `radpostauth` table to add a `mac` column (see the post below):

https://aacable.wordpress.com/2017/08/15/playing-with-the-radpostauth-table-in-freeradius/

File to edit for the "post-auth" query:
`/etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf`

Original query (already extended with the `mac` column from the step above):

```
#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query        - Insert some info after authentication
#######################################################################

post-auth {
        query = "\
                INSERT INTO ${..postauth_table} \
                        (username, pass, reply, authdate, mac) \
                VALUES ( \
                        '%{SQL-User-Name}', \
                        '%{%{User-Password}:-%{Chap-Password}}', \
                        '%{reply:Packet-Type}', \
                        '%S', \
                        '%{Calling-Station-Id}')"
}
```

Updated query that saves only the first 3 occurrences per user per day when the reply is a reject (this version also writes `reply_message` and `nasipaddress`, so those columns must exist in `radpostauth` as well):

```
post-auth {
        query = "\
                INSERT INTO ${..postauth_table} \
                        (username, pass, reply, reply_message, authdate, mac, nasipaddress) \
                SELECT \
                        '%{SQL-User-Name}', \
                        '%{%{User-Password}:-%{Chap-Password}}', \
                        '%{reply:Packet-Type}', \
                        '%{Module-Failure-Message}', \
                        '%S', \
                        '%{Calling-Station-Id}', \
                        '%{NAS-IP-Address}' \
                FROM ${..postauth_table} \
                HAVING (SELECT COUNT(username) FROM ${..postauth_table} \
                        WHERE username = '%{SQL-User-Name}' \
                        AND DATE(authdate) = CURDATE()) < 3 \
                OR '%{reply:Packet-Type}' <> 'Access-Reject' \
                LIMIT 1"
}
```

full file gist https://gist.github.com/akzn/4174d256bb49a0ab20600582fca92f3c
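The capped post-auth insert modelled in Python on SQLite, as an added example that is not from the page or the gist: it restates the MySQL query's condition as INSERT ... SELECT ... WHERE with bound parameters standing in for the `%{...}` expansions, and a constructed event sequence shows two things the query text does not make obvious: `COUNT(username)` counts accepts as well as rejects toward the daily cap, and the `pass` column receives the attempted password in clear text (the model stores a placeholder instead).

```python
import sqlite3

MAX_ROWS_PER_DAY = 3  # the page's "< 3" threshold

SCHEMA = """CREATE TABLE radpostauth (
    id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, pass TEXT,
    reply TEXT, reply_message TEXT, authdate TEXT DEFAULT (datetime('now')),
    mac TEXT, nasipaddress TEXT)"""

# Same condition as the page's HAVING clause: write the row if the user has
# fewer than 3 rows today (accepts are counted too) OR the reply is not a
# reject. SQLite form: INSERT ... SELECT ... WHERE instead of FROM/HAVING.
INSERT_CAPPED = """INSERT INTO radpostauth
    (username, pass, reply, reply_message, mac, nasipaddress)
SELECT :user, :pw, :reply, :msg, :mac, :nas
WHERE (SELECT COUNT(username) FROM radpostauth
       WHERE username = :user AND date(authdate) = date('now')) < :cap
   OR :reply <> 'Access-Reject'"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def rows_for(conn, user):
    return conn.execute("SELECT COUNT(*) FROM radpostauth WHERE username = ?",
                        (user,)).fetchone()[0]

def log_postauth(conn, user, reply, msg="", mac="", nas=""):
    """Apply the capped insert; return True if a row was written (the page's
    query stores the clear-text password in `pass`; here a placeholder)."""
    before = rows_for(conn, user)
    conn.execute(INSERT_CAPPED, {"user": user, "pw": "*", "reply": reply,
                                 "msg": msg, "mac": mac, "nas": nas,
                                 "cap": MAX_ROWS_PER_DAY})
    conn.commit()
    return rows_for(conn, user) > before

def demo():
    """Constructed event sequence; returns per-event outcomes and row counts."""
    conn = open_db()
    alice = [log_postauth(conn, "alice", "Access-Reject", "rlm_pap: Bad password",
                          "AA:BB:CC:00:00:01", "10.0.0.1") for _ in range(5)]
    alice.append(log_postauth(conn, "alice", "Access-Accept"))  # accepts always log
    alice.append(log_postauth(conn, "alice", "Access-Reject"))  # cap already reached
    bob = [log_postauth(conn, "bob", "Access-Accept") for _ in range(2)]
    bob += [log_postauth(conn, "bob", "Access-Reject") for _ in range(3)]
    return {"alice": alice, "bob": bob,
            "rows": {"alice": rows_for(conn, "alice"), "bob": rows_for(conn, "bob")}}
```

Bob's two successful logins use up two of his three daily slots, so only one of his three rejects is recorded; if you want the cap to apply to rejects only, add `AND reply = 'Access-Reject'` to the counting subquery.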

Docker VPN Setting

This part applies if the RADIUS server is reached through a Docker tunnel, either OpenVPN or WireGuard.

  • Iptables port forwarding
    Forward ports 1812 and 1813 from the container to the host. I don't know why, but besides 1812 and 1813, port 80 also has to be forwarded for this to work.

route
