Got it working, had to add an interface on the same subnet as the Juniper, then OSPF would see it.

```
redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto
metric-other-ospf=auto in-filter=ospf-in
/routing ospf> ping 192.168.30.1
sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
```

I plan to work on the RADIUS authentication next, will publish the whole thing end-to-end once I get this working, since I feel sorry for a new guy trying to figure all this out without examples.

The reason you do not want an L2 VLAN across your network is Spanning Tree will shut down ports on you, and you definitely do not want to disable spanning tree!
By routing to the towers instead of passing a VLAN, you gain reliability and automatic fail-over. This is the whole point of using a routing protocol. To get DHCP to work across a routed network, use the DHCP helper option to point to the DHCP server for your SM management devices. It is a good practice to have your PTP radios and AP radios with static addressing and the SMs with dynamic addresses. If you assign a local DHCP server to each tower, then have each tower provide a separate address range per tower so you can figure out where things are quickly, and for internal management DNS this allows you to append the tower ID to each SM name via an automatic CNAME.

I am not a Mikrotik or Juniper guy, I am a Cisco and Linux guy (I also don't do the OSPF thing, IS-IS is our flavor, but that is a choice we made). The concepts are the same but how they get implemented is different. StubArea51 (google it) has a lot of information regarding this and they are Mikrotik guys!

Last thing, I know you're just bench testing (labbing) the configs and getting it ready, but you should use the CGN IP range instead of RFC1918 addresses. The difference is that the CGN range is routable without doing anything and it does not have problems with NAT and client networks. Just remember to add an ACL to your gateways and block it in BGP (if you're using BGP) so you don't advertise these shared addresses.
Best practice is to have the radios doing as little as possible.
AP should just be an AP, no additional services enabled. SM can be providing DHCP to your clients if you're using NAT mode. Management IPs should come from a management DHCP server or from your tower router. But also do what makes sense for your application. Use of the 100.64.x.x addresses now will save you from a renumber to them later. Do not use RFC1918 addresses on your network if at all possible. Your customers use these and you will have problems determining if you have a rogue DHCP server (by default all SOHO routers give RFC1918 addresses).
CG-NAT is something you move away from as you get IP space; if you are renting enough IP addresses then use 1:1 CG-NAT so you don't have to renumber your network (read: renumbering is costly in time and money).

Set up your router to be a PPPoE server with RADIUS auth. Point the router to the RADIUS server IP. Make the router authenticate RADIUS and local (this will save you from getting locked out should you not reach the RADIUS server). The router must have an IP that can ping the RADIUS server. Set up in Daloradius a new NAS with the IP of the router, using the same shared secret you set in the router. Set up an SM with the public RADIUS certificate and proper login credentials, and copy these to Daloradius when making a new user.

If sending VSAs make sure you use the +: operator for every VSA sent but the last one!

When the SM contacts the AP, it will authenticate the SM and let it join the wireless network; if you are using PPPoE on top, then it will search for a PPPoE server, and the first one to respond will handle the connection. OSPF should handle the rest automatically. The CG-NAT range is not actually restricted to CPE use. Use it to number your network devices too. This will keep you from having troubles with RFC 1918 addresses.
Every device that authenticates will receive an address as per the RADIUS config for that device. And yes, a 100.6x.x.x range should be given to customers' router WAN interfaces. We use MAC addresses for SMs but usernames for managed routers on the customers' network. If you are using DHCP, then you will need to have an ip-helper-address for the DHCP server on the MT in your diagram.
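The addressing advice in the thread (number infrastructure and CPE from 100.64.0.0/10, keep RFC 1918 off the network so that any RFC 1918 lease points at a rogue SOHO router, and filter both ranges out of what BGP exports) as an added Python example; this is not code from the thread or from any of the posters, and the DHCP relay log format and every address in it are constructed for the example.

```python
"""Checks for the thread's addressing advice: number the network from
100.64.0.0/10 (RFC 6598), keep RFC 1918 off it, and never let either
range leave via BGP. Sample data below is constructed, not captured."""
import ipaddress
import re

SHARED = ipaddress.ip_network("100.64.0.0/10")  # CGN / shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Return 'shared', 'rfc1918' or 'public' for one IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def leaked_prefixes(export: list[str]) -> list[str]:
    """Prefixes in an intended BGP export list that overlap CGN or RFC 1918
    space; each one needs an export filter / ACL entry before it leaks."""
    blocked = [SHARED, *RFC1918]
    return [p for p in export
            if any(ipaddress.ip_network(p, strict=False).overlaps(n) for n in blocked)]


# Constructed syslog-style relay lines (the format itself is an assumption).
SAMPLE_LOG = [
    "Jan 10 10:00:01 tower1 dhcp-relay: DHCPOFFER on 100.64.12.34 to aa:bb:cc:dd:ee:01 from server 100.64.0.2",
    "Jan 10 10:00:05 tower1 dhcp-relay: DHCPOFFER on 192.168.1.100 to aa:bb:cc:dd:ee:02 from server 192.168.1.1",
    "Jan 10 10:00:07 tower1 dhcp-relay: DHCPDISCOVER from aa:bb:cc:dd:ee:03",
]
OFFER_RE = re.compile(r"DHCPOFFER on (\S+) .* from server (\S+)")


def suspect_offers(lines: list[str]) -> list[tuple[str, str]]:
    """(server, offered address) pairs where either side is RFC 1918. On a
    network numbered from 100.64/10 only a rogue SOHO router produces these."""
    hits = []
    for line in lines:
        m = OFFER_RE.search(line)
        if m and "rfc1918" in (classify(m[1]), classify(m[2])):
            hits.append((m[2], m[1]))
    return hits


if __name__ == "__main__":
    print(leaked_prefixes(["203.0.113.0/24", "100.64.8.0/22", "192.168.30.0/24"]))
    print(suspect_offers(SAMPLE_LOG))
```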