kosteek

Muggles
  • Total posts

    38
  • Joined

  • Last visit

Everything written by kosteek

  1. Maybe I put it badly. The NAS is local. It needs to work with several subnets. RADIUS complains:

     Tue Apr 18 19:18:28 2017 : Error: /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
     Tue Apr 18 19:18:28 2017 : Error: /usr/local/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
     Tue Apr 18 19:18:28 2017 : Error: /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
     Tue Apr 18 19:18:28 2017 : Error: Failed to load virtual server <default>
  2. Then a question about RADIUS + PPPoE + NAS. There is a private ("grey") network for subscribers behind NAT. The connection is PPPoE. I add a subnet with public IPs and bind it to RADIUS. Do I need to create a second NAS for the subnet with public addresses?
  3. I got how it should be done, but in my case it won't work that way. There is no way to push a VLAN down to the client. I'll leave these clients on PPPoE.
  4. I understand; for now I have done it with my own subnets on separate VLANs plus additional subnets for UHW, and it works. But the snag is in organising the hand-out of public IPs per VLAN when I only have one subnet of them. Right now my config is:

     option domain-name "ourisp";
     option domain-name-servers 8.8.8.8;
     default-lease-time 3600;
     max-lease-time 43200;
     authoritative;
     ddns-update-style none;
     log-facility local7;
     one-lease-per-client true;
     deny duplicates;

     shared-network ourisp {
         subnet 172.16.54.0 netmask 255.255.255.0 {
             default-lease-time 3600;
             option domain-name "ourisp";
             option subnet-mask 255.255.255.0;
             option routers 172.16.54.1;
             include "/usr/local/etc/multinet/user54.conf";
         }
         subnet 172.32.54.0 netmask 255.255.255.0 {
             default-lease-time 30;
             option domain-name "ourisp";
             option subnet-mask 255.255.255.0;
             option routers 172.32.54.1;
             option domain-name-servers 172.32.54.1;
             range 172.32.54.2 172.32.54.254;
         }
     }

     shared-network ourisp {
         subnet 172.16.50.0 netmask 255.255.255.0 {
             default-lease-time 3600;
             option domain-name "ourisp";
             option subnet-mask 255.255.255.0;
             option routers 172.16.50.1;
             include "/usr/local/etc/multinet/user50.conf";
         }
         subnet 172.32.50.0 netmask 255.255.255.0 {
             default-lease-time 30;
             option domain-name "ourisp";
             option subnet-mask 255.255.255.0;
             option routers 172.32.50.1;
             option domain-name-servers 172.32.50.1;
             range 172.32.50.2 172.32.50.254;
         }
     }
  5. l1ght, can you show your DHCP server settings? How are public IPs handed out on the VLANs?
  6. kosteek

    nas mikrotik

    I didn't know the rb751 Gr3 existed. If there is a link to a description, please share it and I'll read up. If a dumb switch coped with the load, then the edgecore can be replaced with an RB260G.
  7. kosteek

    nas mikrotik

    Your topology is strange. Why is the edge-core there? The dumb switch: throw it out, it's a weak spot. You could have connected the two bridges directly through the UBNT power supplies. And why put in two extra NASes, when for that price you can buy an RB2011.
  8. kosteek

    nas mikrotik

    What device is where the question mark is?
  9. kosteek

    nas mikrotik

    Is the network split into segments by VLANs, with a management VLAN? The attached image is small, hard to make out.
  10. Figured it out. My own blunder; RADIUS and mpd had nothing to do with it. Only the first three RADIUS attributes are needed.
  11. Need help. FreeBSD NAS + FreeRADIUS + mpd. PPPoE connects, but the shapers don't work. RADIUS attributes: RADIUS debug:

     rad_recv: Access-Request packet from host 127.0.0.1 port 10669, id=44, length=268
         NAS-Identifier = "beta.skystar.com.ua"
         NAS-IP-Address = 127.0.0.1
         Message-Authenticator = 0x56d629105099fa7e741a1d59864b2ed9
         Acct-Session-Id = "595972-vlan50-3"
         NAS-Port = 3
         NAS-Port-Type = Ethernet
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = "6466b3e81b0d"
         NAS-Port-Id = "vlan50"
         mpd-link = "vlan50-3"
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Client-Endpoint:0 = "64:66:b3:e8:1b:0d"
         User-Name = "00002"
         MS-CHAP-Challenge = 0xbb1e68dd1189bf802a669b7609ee0c72
         MS-CHAP2-Response = 0x0100df097885d16cb8733c681dacfd15e9590000000000000000ab30640ad5bd267e099b540b81b1b2d9d01514148a9bb643
     # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
     +group authorize {
     ++[preprocess] = ok
     ++[chap] = noop
     [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
     ++[mschap] = ok
     ++[digest] = noop
     [eap] No EAP-Message, not doing EAP
     ++[eap] = noop
     [sql] expand: %{User-Name} -> 00002
     [sql] sql_set_user escaped user --> '00002'
     rlm_sql (sql): Reserving sql socket id: 3
     [sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '00002' ORDER BY `id`
     [sql] User found in radcheck table
     [sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '00002' ORDER BY `id`
     [sql] expand: SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `priority` -> SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '00002' ORDER BY `priority`
     [sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '3:2130706433' ORDER BY `id`
     [sql] User found in group 3:2130706433
     [sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '3:2130706433' ORDER BY `id`
     rlm_sql (sql): Released sql socket id: 3
     ++[sql] = ok
     ++[expiration] = noop
     ++[logintime] = noop
     [pap] WARNING: Auth-Type already set. Not setting to PAP
     ++[pap] = noop
     +} # group authorize = ok
     Found Auth-Type = MSCHAP
     # Executing group from file /usr/local/etc/raddb/sites-enabled/default
     +group MS-CHAP {
     [mschap] Creating challenge hash with username: 00002
     [mschap] Client is using MS-CHAPv2 for 00002, we need NT-Password
     [mschap] adding MS-CHAPv2 MPPE keys
     ++[mschap] = ok
     +} # group MS-CHAP = ok
     Login OK: [00002] (from client NAS 2 port 3 cli 6466b3e81b0d)
     # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
     +group post-auth {
     ++[exec] = noop
     +} # group post-auth = noop
     Sending Access-Accept of id 44 to 127.0.0.1 port 10669
         Framed-IP-Address = 172.16.50.2
         Framed-IP-Netmask = 255.255.255.255
         mpd-pipe += "1=bw 32240Kbyte/s"
         mpd-pipe += "5=bw 32240Kbyte/s"
         mpd-table-static += "3=172.16.50.2"
         mpd-table-static += "4=172.16.50.2"
         MS-CHAP2-Success = 0x01533d45424330313138393943374334363243354534303938314635373537464333414433434335464535
         MS-MPPE-Recv-Key = 0x074632e9fe738cb34b6a1482b5e0c062
         MS-MPPE-Send-Key = 0x357e3f8c2f1f0e3b2fb7950d05db3955
         MS-MPPE-Encryption-Policy = 0x00000001
         MS-MPPE-Encryption-Types = 0x00000006
     Finished request 0.
     Going to the next request
     Waking up in 4.9 seconds.
     rad_recv: Accounting-Request packet from host 127.0.0.1 port 10670, id=38, length=270
         NAS-Identifier = "beta.skystar.com.ua"
         NAS-IP-Address = 127.0.0.1
         Acct-Session-Id = "595972-vlan50-3"
         NAS-Port = 3
         NAS-Port-Type = Ethernet
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = "6466b3e81b0d"
         NAS-Port-Id = "vlan50"
         mpd-link = "vlan50-3"
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Client-Endpoint:0 = "64:66:b3:e8:1b:0d"
         Acct-Status-Type = Start
         Framed-IP-Address = 172.16.50.2
         Framed-IP-Netmask = 255.255.255.255
         Framed-IPv6-Address = ::
         User-Name = "00002"
         Acct-Multi-Session-Id = "595972-B-1"
         mpd-bundle = "B-1"
         mpd-iface = "ng0"
         mpd-iface-index = 7
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
     # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
     +group preacct {
     ++[preprocess] = ok
     [acct_unique] Hashing 'NAS-Port = 3,NAS-Identifier = "beta.skystar.com.ua",NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "595972-vlan50-3",User-Name = "00002"'
     [acct_unique] Acct-Unique-Session-ID = "050d416d1eec652d".
     ++[acct_unique] = ok
     +} # group preacct = ok
     # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
     +group accounting {
     ++[exec] = noop
     [attr_filter.accounting_response] expand: %{User-Name} -> 00002
     attr_filter: Matched entry DEFAULT at line 12
     ++[attr_filter.accounting_response] = updated
     +} # group accounting = updated
     Sending Accounting-Response of id 38 to 127.0.0.1 port 10670
     Finished request 1.
     Cleaning up request 1 ID 38 with timestamp +14
     Going to the next request
     Waking up in 4.9 seconds.
     Cleaning up request 0 ID 44 with timestamp +14
     Ready to process requests.
     rad_recv: Accounting-Request packet from host 127.0.0.1 port 10671, id=95, length=318
         NAS-Identifier = "beta.skystar.com.ua"
         NAS-IP-Address = 127.0.0.1
         Acct-Session-Id = "595895-vlan50-4"
         NAS-Port = 4
         NAS-Port-Type = Ethernet
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = "6466b3e81b0d"
         NAS-Port-Id = "vlan50"
         mpd-link = "vlan50-4"
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Client-Endpoint:0 = "64:66:b3:e8:1b:0d"
         Framed-IP-Address = 172.16.50.2
         Framed-IP-Netmask = 255.255.255.255
         Framed-IPv6-Address = ::
         User-Name = "00002"
         Acct-Multi-Session-Id = "595895-B-2"
         mpd-bundle = "B-2"
         mpd-iface = "ng1"
         mpd-iface-index = 8
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
         Acct-Status-Type = Stop
         Acct-Terminate-Cause = Lost-Service
         Acct-Session-Time = 130
         Acct-Input-Octets = 78
         Acct-Input-Packets = 6
         Acct-Input-Gigawords = 0
         Acct-Output-Octets = 2845
         Acct-Output-Packets = 37
         Acct-Output-Gigawords = 0
     # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
     +group preacct {
     ++[preprocess] = ok
     [acct_unique] Hashing 'NAS-Port = 4,NAS-Identifier = "beta.skystar.com.ua",NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "595895-vlan50-4",User-Name = "00002"'
     [acct_unique] Acct-Unique-Session-ID = "9aef731b53a7fa26".
     ++[acct_unique] = ok
     +} # group preacct = ok
     # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
     +group accounting {
     ++[exec] = noop
     [attr_filter.accounting_response] expand: %{User-Name} -> 00002
     attr_filter: Matched entry DEFAULT at line 12
     ++[attr_filter.accounting_response] = updated
     +} # group accounting = updated
     Sending Accounting-Response of id 95 to 127.0.0.1 port 10671
     Finished request 2.
     Cleaning up request 2 ID 95 with timestamp +67

     IPFW:

     ipfw pipe show
     08101: 5.240 Mbit/s 0 ms burst 0
     q139173 32 KB 0 flows (1 buckets) sched 73637 weight 0 lmax 0 pri 0 droptail
      sched 73637 type FIFO flags 0x0 0 buckets 0 active
     10000: 257.920 Mbit/s 0 ms burst 0
     q141072 50 sl. 0 flows (1 buckets) sched 75536 weight 0 lmax 0 pri 0 droptail
      sched 75536 type FIFO flags 0x0 0 buckets 0 active
     10001: 257.920 Mbit/s 0 ms burst 0
     q141073 50 sl. 0 flows (1 buckets) sched 75537 weight 0 lmax 0 pri 0 droptail
      sched 75537 type FIFO flags 0x0 0 buckets 0 active
     00101: 5.240 Mbit/s 0 ms burst 0
     q131173 32 KB 0 flows (1 buckets) sched 65637 weight 0 lmax 0 pri 0 droptail
      sched 65637 type FIFO flags 0x0 0 buckets 0 active

     ipfw list
     00004 allow ip from table(2) to 8.8.8.8 dst-port 53 via vlan50
     00004 allow ip from 8.8.8.8 to table(2) src-port 53 via vlan50
     00004 allow ip from table(2) to me dst-port 80 via vlan50
     00004 allow ip from me to table(2) src-port 80 via vlan50
     00004 allow ip from table(2) to 8.8.8.8 dst-port 53 via vlan54
     00004 allow ip from 8.8.8.8 to table(2) src-port 53 via vlan54
     00004 allow ip from table(2) to me dst-port 80 via vlan54
     00004 allow ip from me to table(2) src-port 80 via vlan54
     00005 fwd 127.0.0.1,80 ip from 172.32.0.0/16 to not me dst-port 80
     00005 fwd 127.0.0.1,443 ip from 172.32.0.0/16 to not me dst-port 443
     00006 fwd 127.0.0.1,80 ip from table(47) to not me dst-port 80
     06000 nat 1 ip from table(2) to not table(9) out xmit em0
     06001 nat 1 ip from any to me in recv em0
     12000 pipe tablearg ip from table(3) to any via vlan50 in
     12000 pipe tablearg ip from table(3) to any via vlan54 in
     12001 pipe tablearg ip from any to table(4) via vlan50 out
     12001 pipe tablearg ip from any to table(4) via vlan54 out
     65533 deny ip from table(2) to any via vlan54
     65533 deny ip from table(2) to any via vlan50
     65535 allow ip from any to any

     ipfw table all list
     --- table(2), set(0) ---
     172.16.0.0/16 0
     --- table(3), set(0) ---
     172.16.50.2/32 0
     172.16.54.3/32 101
     --- table(4), set(0) ---
     172.16.50.2/32 0
     172.16.54.3/32 8101
     --- table(9), set(0) ---
     --- table(32), set(0) ---
     --- table(47), set(0) ---
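The post above pastes everything needed to check the shaping path end to end: the Access-Accept (which pipes and tables mpd was told to program), `ipfw pipe show` (which pipes actually exist), `ipfw list` (which tables the `pipe tablearg` rules read) and `ipfw table all list` (what value each address carries). In that output the two `mpd-pipe` rates of 32240 Kbyte/s correspond to the 257.920 Mbit/s pipes 10000 and 10001, while the table(3) and table(4) entries for 172.16.50.2 carry the value 0, and no pipe 0 is listed; the entries for 172.16.54.3 point at pipes 101 and 8101, which do exist. The script below is an added example, not code from the post or from mpd/FreeRADIUS: it parses those four outputs (sample inputs are constructed from the post, trimmed to the relevant lines) and reports every tablearg entry that does not resolve to a live pipe, which is the check a NAS admin wants before suspecting RADIUS or mpd.

```python
"""Cross-check mpd/RADIUS shaping attributes against live ipfw state.

Inputs are the texts of 'radiusd -X' (Access-Accept part), 'ipfw pipe show',
'ipfw list' and 'ipfw table all list'.  The samples below are constructed
from the forum post and trimmed; replace them with real captures.
"""
import re

ACCESS_ACCEPT = """\
Sending Access-Accept of id 44 to 127.0.0.1 port 10669
    Framed-IP-Address = 172.16.50.2
    Framed-IP-Netmask = 255.255.255.255
    mpd-pipe += "1=bw 32240Kbyte/s"
    mpd-pipe += "5=bw 32240Kbyte/s"
    mpd-table-static += "3=172.16.50.2"
    mpd-table-static += "4=172.16.50.2"
"""

PIPE_SHOW = """\
08101: 5.240 Mbit/s 0 ms burst 0
q139173 32 KB 0 flows (1 buckets) sched 73637 weight 0 lmax 0 pri 0 droptail
 sched 73637 type FIFO flags 0x0 0 buckets 0 active
10000: 257.920 Mbit/s 0 ms burst 0
q141072 50 sl. 0 flows (1 buckets) sched 75536 weight 0 lmax 0 pri 0 droptail
 sched 75536 type FIFO flags 0x0 0 buckets 0 active
10001: 257.920 Mbit/s 0 ms burst 0
q141073 50 sl. 0 flows (1 buckets) sched 75537 weight 0 lmax 0 pri 0 droptail
 sched 75537 type FIFO flags 0x0 0 buckets 0 active
00101: 5.240 Mbit/s 0 ms burst 0
q131173 32 KB 0 flows (1 buckets) sched 65637 weight 0 lmax 0 pri 0 droptail
 sched 65637 type FIFO flags 0x0 0 buckets 0 active
"""

RULES = """\
06000 nat 1 ip from table(2) to not table(9) out xmit em0
12000 pipe tablearg ip from table(3) to any via vlan50 in
12000 pipe tablearg ip from table(3) to any via vlan54 in
12001 pipe tablearg ip from any to table(4) via vlan50 out
12001 pipe tablearg ip from any to table(4) via vlan54 out
65535 allow ip from any to any
"""

TABLES = """\
--- table(2), set(0) ---
172.16.0.0/16 0
--- table(3), set(0) ---
172.16.50.2/32 0
172.16.54.3/32 101
--- table(4), set(0) ---
172.16.50.2/32 0
172.16.54.3/32 8101
--- table(9), set(0) ---
"""


def parse_pipes(text):
    """'ipfw pipe show' -> {pipe_number: rate in Mbit/s}."""
    pipes = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+):\s+([\d.]+)\s+Mbit/s", line)
        if m:
            pipes[int(m.group(1))] = round(float(m.group(2)), 3)
    return pipes


def parse_mpd_pipes(text):
    """Access-Accept 'mpd-pipe += "N=bw XKbyte/s"' -> {N: rate in Mbit/s}."""
    out = {}
    for n, kbyte in re.findall(r'mpd-pipe \+= "(\d+)=bw (\d+)Kbyte/s"', text):
        out[int(n)] = round(int(kbyte) * 8 / 1000.0, 3)  # Kbyte/s -> Mbit/s
    return out


def parse_tablearg_tables(text):
    """'ipfw list' -> set of table numbers consumed by 'pipe tablearg' rules."""
    return {int(n) for n in re.findall(r"\bpipe tablearg .*?table\((\d+)\)", text)}


def parse_tables(text):
    """'ipfw table all list' -> {table_number: {prefix: value}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^--- table\((\d+)\)", line)
        if m:
            cur = int(m.group(1))
            tables[cur] = {}
            continue
        m = re.match(r"^(\S+)\s+(\d+)$", line)
        if m and cur is not None:
            tables[cur][m.group(1)] = int(m.group(2))
    return tables


def find_unshaped(pipe_text, rules_text, table_text):
    """Entries of tablearg-fed tables whose value is not an existing pipe."""
    pipes = parse_pipes(pipe_text)
    tables = parse_tables(table_text)
    bad = []
    for tnum in sorted(parse_tablearg_tables(rules_text)):
        for prefix, value in sorted(tables.get(tnum, {}).items()):
            if value not in pipes:
                bad.append((tnum, prefix, value))
    return bad


def pipes_matching_rate(pipe_text, accept_text):
    """Live pipes whose rate equals one requested by mpd-pipe in the Accept."""
    wanted = set(parse_mpd_pipes(accept_text).values())
    return sorted(n for n, rate in parse_pipes(pipe_text).items() if rate in wanted)


if __name__ == "__main__":
    print("pipes created for this Accept:", pipes_matching_rate(PIPE_SHOW, ACCESS_ACCEPT))
    for tnum, prefix, value in find_unshaped(PIPE_SHOW, RULES, TABLES):
        print("table(%d) %s -> tablearg %d: no such pipe" % (tnum, prefix, value))
```

On the pasted data the report names table(3) and table(4) for 172.16.50.2 with tablearg 0, and shows that pipes 10000 and 10001 are the ones carrying the requested 257.920 Mbit/s; run it against fresh captures after each change to the RADIUS reply attributes to confirm the table values now land on real pipe numbers.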
  12. kosteek

    Ubilling releases 2017

    Then a drop-down list would be better.
  13. I bolted on the login from this project https://github.com/ZekMan/simple_auth_v2 and edited index.php:

     <?php include_once 'conf.php'; ?>
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
     <head>
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
     <title></title>
     </head>
     <body>
     <?php
     $r = '';
     $auth = new auth(); //~ create a new object of the class

     //~ Login
     if (isset($_POST['send'])) {
         if (!$auth->authorization()) {
             $error = $_SESSION['error'];
             unset($_SESSION['error']);
         }
     }

     //~ Logout
     if (isset($_GET['exit'])) $auth->exit_user();

     //~ Check whether the user is logged in
     if ($auth->check()) {
         //~ escape the session value before echoing it into HTML
         $r .= 'Welcome ' . htmlspecialchars($_SESSION['login_user'], ENT_QUOTES, 'UTF-8') . '<br/><a href="?exit">Log out</a>';
         print $r;
         //~ page -> file whitelist: the request parameter is never handed to include() directly
         $pages = array('onu' => 'main2.php', 'onu2' => 'main2.php', 'location' => 'main.php');
         $page = isset($_GET['page']) ? $_GET['page'] : '';
         include isset($pages[$page]) ? $pages[$page] : 'main.php';
     } else {
         //~ if there are errors, show them and offer password recovery
         if (isset($error)) $r .= $error . '<a href="recovery.php">Recover password</a><br/>';
         //~ the previously typed login is echoed back into the form, so it has to be escaped
         $login = isset($_POST['login']) ? htmlspecialchars($_POST['login'], ENT_QUOTES, 'UTF-8') : '';
         $r .= '
         <a href="join.php">Register</a>
         <form action="" method="post">
         login <input type="text" name="login" value="' . $login . '" /><br />
         passwd <input type="password" name="passwd" id="" /><br />
         <input type="submit" value="send" name="send" />
         </form>
         ';
         print $r;
     }
     ?>
     </body>
     </html>
  14. kosteek

    BDCOM P3310C

    I have a MikroTik with these settings:

     /interface bridge
     add name=bridge68 protocol-mode=none
     add name=bridge165 protocol-mode=none
     /interface bridge port
     add bridge=bridge165 interface=vlan165-ether2
     add bridge=bridge165 interface=vlan165-ether3
     add bridge=bridge68 interface=vlan68-ether2
     add bridge=bridge68 interface=vlan68-ether3
     add bridge=bridge68 interface=ether9
     /interface vlan
     add interface=ether2 name=vlan68-ether2 vlan-id=68
     add interface=ether3 name=vlan68-ether3 vlan-id=68
     add interface=ether2 name=vlan165-ether2 vlan-id=165
     add interface=ether3 name=vlan165-ether3 vlan-id=165
     /ip address
     add address=192.168.165.1/24 interface=bridge165 network=192.168.165.0
     add address=192.168.68.1/24 interface=bridge68 network=192.168.68.0

    And a BDCOM P3310C OLT:

     BDCOM(tm) P3310C Software, Version 10.1.0E Build 36039
     Copyright by Shanghai Baud Data Communication CO. LTD.
     Compiled: 2016-6-22 15:11:12 by SYS, Image text-base: 0x80008000
     ROM: System Bootstrap, Version 0.4.1, Serial num:00316002292
     System image file is "Switch.bin"
     dware version:V1.0
     (RISC) processor with 131072K bytes of memory, 16384K bytes of flash

    The problem is with VLANs: packets do not pass between the MikroTik and the BDCOM on this firmware. If a managed switch with tagged ports is put between them, everything works fine. If the MikroTik settings are changed to these:

     /interface ethernet
     set [ find default-name=ether3 ] master-port=ether2
     set [ find default-name=ether4 ] master-port=ether2
     set [ find default-name=ether5 ] master-port=ether2
     /interface vlan
     add interface=ether2 name=vlan68-ether2 vlan-id=68
     add interface=ether2 name=vlan165-ether2 vlan-id=165
     /ip address
     add address=192.168.165.1/24 interface=vlan165-ether2 network=192.168.165.0
     add address=192.168.68.1/24 interface=vlan68-ether2 network=192.168.68.0

    then traffic runs over the VLANs. And on firmware BDCOM P3310C Software, Version 10.1.0D Build 33463 there is no such problem. Has anyone run into this problem? And who can I turn to?