...
The MikroTik RouterOS provides scalable Authentication, Authorization, and Accounting (AAA) functionality.
Local authentication is performed using the User Database and the Profile Database. The actual configuration for the given user is composed using the respective user record from the User Database, the associated item from the Profile Database, and the item in the Profile database which is set as default for a given service the user is authenticating to. Default profile settings from the Profile database have the lowest priority while the user access record settings from the User Database have the highest priority with the only exception being particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which are described later on.
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which that can authenticate for PPP, PPPoE, PPTP, L2TP, OPVN, and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
...
PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override overrides corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.
Properties
| Property | Description |
|---|
| address-list (string; Default: ) | Address list name to which ppp assigned (on server) or received (on client) address will be added. |
| bridge (string; Default: ) | Name of the bridge |
interface | interface to which ppp interface will be added as a slave port. Both tunnel endpoints (server and client) must be in the bridge |
in order | to make this work, see more details |
on | in the BCP bridging manual. |
| bridge-horizon (integer 0..429496729; Default: ) | Used split-horizon value for the dynamically created bridge port. Can be used to prevent bridging loops and isolate traffic. Set the same value for a group of ports, to prevent them from sending data to ports with the same horizon value. |
| bridge-learning (default | no | yes; Default: default) | Changes MAC learning behavior on the dynamically created bridge port:- yes - enables MAC learning
- no - disables MAC learning
- default - derive this value from the interface default profile; same as yes if this is the interface default profile
|
| bridge-path-cost (integer |
0429496729| 200000000; Default: ) | Used path cost for the dynamically created bridge port, used by STP/RSTP to determine the best path, used by MSTP to determine the best path between regions. This property has no effect when a bridge protocol-mode is set to none. |
| bridge-port-priority (integer 0..240; Default: ) | Used priority for the dynamically created bridge port, used by STP/RSTP to determine the root port, used by MSTP to determine the root port between regions. This property has no effect when a bridge protocol-mode is set to none. |
| change-tcp-mss (yes | no | default; Default: default) | Modifies connection MSS settings (applies only for IPv4):- yes - adjust connection MSS value
- no - do not adjust connection MSS value
- default - derive this value from the interface default profile; same as no if this is the interface default profile
|
| comment (string; Default: ) | Profile comment |
| dhcpv6-pd-pool (string; Default: ) | Name of the IPv6 pool which will be used by dynamically created DHCPv6 |
-PD server when client connects. Read more >> |
| dns-server (IP; Default: ) | IP address of the DNS server that is supplied to |
ppp | PPP clients |
| idle-timeout (time; Default: ) | Specifies the amount of time after which the link will be terminated if there |
are | is no activity present. Timeout is not set by default |
| incoming-filter (string; Default: ) | Firewall chain name for incoming packets. |
Specified | The specified chain gets control |
for | of each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains |
in order | for this feature to work. For more information look at the examples section |
localaddressIP address | pool| bottom | first | queue name ; Default: ) | Inserts new queue as the last, first, or before a specified queue |
| interface-list (interface list name; Default: ) | Specifies interface list to which profile interfaces will be added |
| local-address (IP address | pool; Default: ) | Tunnel address or name of the pool from which the address is assigned to ppp interface locally |
. |
| name (string; Default: ) | PPP profile name |
onlyone (yes | no | default defaultDefines whether a user is allowed to have more than one ppp session at a timeyes - a user is not allowed to have more than one ppp session at a timeno - the Execute script on user login-event. These are available variables that are accessible for the event script:- user
- local-address
- remote-address
- caller-id
- called-id
- interface
|
| on-down (script; Default: ) | Execute script on the user logging off. See on-up for more details |
| only-one (yes | no | default; Default: default) | Defines whether a user is allowed to have more than one ppp session at a time |
default - - yes - a user is not allowed to have more than one ppp session at a time
- no - the user is allowed to have more than one ppp session at a time
- default - derive this value from the interface default profile; same as no if this is the interface default profile
|
| outgoing-filter (string; Default: ) | Firewall chain name for outgoing packets. The specified chain gets control for each packet going to the client. The PPP chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains |
in order | for this feature to work. For more information look at the Examples section. |
ratelimit (string| queue (none | queue name; Default: ) |
Rate limitation in form of | Specifies parent queue |
queue-type (default | ethernet-default | wireless-default | synchronous-default | hotspot-default | pcq-upload-default | pcq-download-default | only-hardware-queue | multi-queue-ethernet-default | default-small | custom queue type name ; Default: ) | Specifies queue type |
| rate-limit (string; Default: ) | Rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx- |
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-| rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by an optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies |
for | to tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values. |
| remote-address (IP; Default: ) | Tunnel address or name of the pool from which address is assigned to remote ppp interface. |
| remote-ipv6-prefix-pool (string | none; Default: none) | Assign a prefix from the IPv6 pool to the client and install the corresponding IPv6 route. |
| session-timeout (time; Default: ) | Maximum time the connection can stay up. By default, no time limit is set. |
| use-compression (yes | no | default; Default: default) | Specifies whether to use data compression or not.- yes - enable data compression
- no - disable data compression
- default - derive this value from the interface default profile; same as no if this is the interface default profile
This setting does not affect OVPN tunnels. |
| use-encryption (yes | no | default | require; Default: default) | Specifies whether to use data encryption or not.- yes - enable data encryption
- no - disable data encryption
- default - derive this value from the interface default profile; same as no if this is the interface default profile
- require - explicitly requires encryption
This setting does not work on OVPN and SSTP tunnels. |
| use-ipv6 (yes | no | default | require; Default: default) | Specifies whether to allow IPv6. By default is enabled if IPv6 package is installed.- yes - enable IPv6 support
- no - disable IPv6 support
- default - derive this value from the interface default profile; same as no if this is the interface default profile
- require - explicitly requires IPv6 support
|
| use-mpls (yes | no | default | require; Default: default) | Specifies whether to allow MPLS over PPP.- yes - enable MPLS support
- no - disable MPLS support
- default - derive this value from the interface default profile; same as no if this is the interface default profile
- require - explicitly requires MPLS support
|
onup (script| upnp (yes | no | default ; Default: |
)Execute script on user login-event. These are available variables that are accessible for the event script:- user
- local-address
- remote-address
- caller-id
- called-id
- interface
| | default) | Specifies whether to allow UPnP - yes - enable UPnP
- no - disable UPnP
- default - derive this value from the interface default profile; same as no if this is the interface default profile
|
| wins-server (IP |
| on-down (script; Default: ) | Execute script on user logging off. See on-up for more details |
wins-server (IP | address; Default: ) | IP address of the WINS server to supply to Windows clients |
Notes
There are The two default profiles that cannot be removed:
| Code Block |
|---|
|
[admin@rb13] ppp profile> print
Flags: * - default
0 * name="default" use-compression=no use-encryption=no only-one=no
change-tcp-mss=yes
1 * name="default-encryption" use-compression=default use-encryption=yes
only-one=default change-tcp-mss=default
[admin@rb13] ppp profile> |
...
PPP User Database stores PPP user access records with PPP user profile assigned to each user.
Properties
| Property | Description |
|---|
| caller-id (string; Default: ) | For PPTP and L2TP it is the IP address a client must connect from. For PPPoE it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it is the caller's number (that may or may not be provided by the operator) the client may dial-in from |
| comment (string; Default: ) | Short description of the user. |
| disabled (yes | no; Default: no) | Whether secret will be used. |
| limit-bytes-in (integer; Default: 0) |
Maximal | The maximum amount of bytes for a session that the client can upload. |
| limit-bytes-out (integer; Default: 0) |
Maximal | The maximum amount of bytes for a session that the client can download. |
| local-address (IP address; Default: ) | IP address that will be set locally on ppp interface. |
| name (string; Default: ) | Name used for authentication |
| password (string; Default: ) | Password used for authentication |
| profile (string; Default: default) | Which user profile to use |
. |
| remote-address (IP; Default: ) | IP address that will be assigned to the remote ppp interface. |
| remote-ipv6-prefix (IPv6 prefix; Default: ) | IPv6 prefix assigned to ppp client. Prefix is added to ND prefix list enabling stateless address auto-configuration on ppp interface |
.Available starting from v5.0| . |
| routes (string; Default: ) | Routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/ 24 10.0.0.1 1). Other syntax is not acceptable since it can be represented |
in incorrect way| incorrectly. Several routes may be specified and separated with commas. This parameter will be ignored for OpenVPN. |
| service (any | async | isdn | l2tp | pppoe | pptp | ovpn | sstp; Default: any) | Specifies the services that a particular user will be able to use. |
Active Users
Sub-menu: /ppp active
This submenu allows to monitor monitoring active (connected) users.
...
/ppp active print stats command will show received/sent bytes and packets
Properties
| Property | Description |
|---|
| address (IP address) | The IP address the client got from the server |
| bytes (integer) | Amount of bytes |
transfered tis First | The first figure represents the amount of transmitted traffic from the router's point of view, while the second one shows the amount of received traffic. |
| caller-id (string) | For PPTP and L2TP it is the IP address the client connected from. For PPPoE, it is the MAC address the client connected from. |
| encoding (string) | Shows encryption and encoding (separated with '/' if asymmetric) being used in this connection |
| limit-bytes-in (integer) |
Maximal | The maximum amount of bytes the user is allowed to send to the router. |
| limit-bytes-out (integer) |
Maximal | The maximum amount of bytes the user is allowed to send to the client. |
| name (string) | User name supplied at authentication stage |
| packets (integer/integer) | Amount of packets |
transfered tis First | The first figure represents the amount of transmitted traffic from the router's point of view, while the second one shows the amount of received traffic |
| service (async | isdn | l2tp | pppoe | pptp | ovpn | sstp) | Type of service the user is using. |
| session-id (string) | Shows unique client identifier. |
| uptime (time) | User's uptime |
Remote AAA
Sub-menu: /ppp aaa
Settings in this submenu allows to set RADIUS accounting and authentication. Note that the RADIUS user database is consulted only if the required username is not found in the local user database.
Properties
| Property | Description |
|---|
| accounting (yes | no; Default: yes) | Enable RADIUS accounting |
| interim-update (time; Default: 0s) | Interim-Update time interval |
| use-radius (yes | no; Default: no) | Enable user authentication via RADIUS. If an entry in the local secret database is not found, then the client will be authenticated via RADIUS. |
| enable-ipv6-accounting (yes | no; Default: no) | Enable IPv6 separate accounting. PPP service counts Layer2, IPv4 and IPv6 data all together when reporting network usage statistics to the RADIUS server by default. If it is required to differ IPv4 and IPv6 traffic, then this option can be enabled. Prerequisites for it to work are that the prefix must be assigned to the client through PPP service and also rate-limit must be provided. Dynamically created queue statistics will be used as counters for IPv6 data, which then will be included in accounting packets as separate IPv6 statistics attributes. This will not work for prefixes assigned by dynamically created DHCPv6 server due to provided prefix pool or PPP/Profile configuration. Then prefix assignment is handled by DHCP service, not PPP, thus accounting can not be managed by PPP service. |
Examples
Add new profile
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients, filtering traffic coming from clients through mypppclients chain:
...