MikroTik DHCP Server Configuration with Radius Server

The Dynamic Host Configuration Protocol (DHCP) is a client-server protocol that is used to assign an IP address and other network configuration parameters dynamically to each device on a network so that they can communicate with other IP networks. DHCP Server is popularly used in an Enterprise Office Network because in an office network various types of IP devices such as Laptop, Desktop, Tablet, Smartphone, IP Phone and so on are maintained and almost all IP devices support DHCP. An ISP Network can also be maintained with DHCP Server.

MikroTik Router has a built-in DHCP Service that can easily be used to manage DHCP enabled devices. Along with MikroTik DHCP Server, MikroTik User Manager Radius Server can also be used to manage DHCP clients and their bandwidth so efficiently. So, if you design your network with MikroTik DHCP Server and User Manager Radius Server, your network will be an easily manageable and smart network. In this article, I will discuss how to configure a static DHCP Server in MikroTik Router with User Manager Radius Server and manage DHCP clients/users so easily and efficiently.

Article Purpose

The purpose of this article is to design a smart and easily manageable network with

• MikroTik DHCP Service and
• MikroTik User Manager Radius Server.

Network Diagram

For the configuration of this article I am going to establish a network like below network diagram.

This is a simple and basic network diagram. In real situation, your network might be larger than this network but the basic diagram will remain same. In this network, the WAN Distribution Switch is connected to internet gateway. MikroTik Router’s (NAS) WAN interface and MikroTik User Manager Radius Server are also connected to this WAN Distribution Switch. DHCP users will be connected to NAS Router through LAN Switch and will get internet access and MikroTik Router will communicate to Radius Server through WAN interface.

Core Devices and IP Information

To setup a Hotspot network according to above network diagram, I have installed and completed initial configuration of MikroTik User Manager Radius Server Package in a dedicated physical server where MikroTik RouterOS is running. I have also a physical MikroTik RouterOS (MikroTik RouterBOARD 1100AHX2) which is the NAS (Network Access Server) RouterOS of this network. IP information that I am using for this network configuration are given below.

• Radius Server IP: 192.168.110.10/28
• MikroTik RouterOS (NAS) WAN IP: 192.168.110.2/28
• LAN IP Block: 192.168.10.0/24
• LAN Gateway: 192.168.10.1/24

This IP information is just for my RND purpose. So, change this information according to your network requirements.

MikroTik static DHCP Server Configuration with User Manager Radius Server

We are now going to start our DHCP network configuration with User Manager Radius Server according to the above network diagram. The complete configuration can be divided into two parts.

• Part 1: MikroTik RouterOS Configuration (NAS Router)
• Part 2: MikroTik User Manager Radius Server Configuration

Part 1: MikroTik RouterOS Configuration (NAS Router)

In the first part, we will configure our MikroTik RouterOS (NAS) so that it can turn into a static DHCP Server and can communicate with Radius Server to authenticate DHCP clients. Complete RouterOS configuration can be divided into below topics.

• Basic MikroTik RouterOS Configuration
• DHCP Configuration in MikroTik RouterOS
• Creating Firewall Rule to Block or Allow DHCP Clients
• Radius Client Configuration in MikroTik RouterOS

Basic MikroTik RouterOS Configuration

MikroTik Router basic configuration includes WAN IP, LAN IP and DNS IP assigning and NAT and Default Gateway Configuration. The following steps will show how to perform these topics in your MikroTik RouterOS.

• Login to your MikroTik Router using Winbox with full permission user such as admin user.
• Go to IP > Addresses menu item. Address List window will appear. Click on PLUS SIGN (+). New Address window will appear.
• Put RouterOS WAN IP (RouterOS WAN IP: 192.168.110.2/28) in Address input field and choose WAN interface from Interface dropdown menu and then click Apply and OK button.
• Again click on PLUS SIGN and put LAN Gateway IP (LAN Gateway IP: 192.168.10.1/24 for this article) in Address input field and choose LAN interface (ether2 for this article) from Interface dropdown menu and click Apply and OK button.
• Now go to IP > DNS. DNS Settings window will appear. Put your DNS server IP (Public DNS IP: 8.8.8.8 or 8.8.4.4) in Servers input field and then click Apply and OK button.
• Go to IP > Routes. Route List window will appear. Click on PLUS SIGN (+). New Route window will appear. Click on Gateway input box and put your internet gateway IP (in this network: 192.168.110.1) in this input field. Click on Apply and OK button.
• Go to IP > Firewall menu item and click on NAT tab and then click on PLUS SIGN. New NAT Rule window will appear.
• In General tab, choose srcnat from Chain dropdown menu and click Action tab and then choose masquerade from Action dropdown menu. 
• Click on Apply and OK button.

MikroTik Router basic configuration has been completed. Now we will configure DHCP Server in our NAS RouterOS.

DHCP Configuration in MikroTik RouterOS

Now we will configure DHCP Server in our NAS RouterOS. The following steps will show you how to configure a DHCP Server in your MikroTik RouterOS.

• Go to IP > DHCP Server menu item from your winbox. DHCP Server window will appear.
• In DHCP Server window, click on DHCP Setup button and choose the interface (in this article: ether2) on which you want to setup DHCP server from DHCP Server Interface dropdown menu and then click on Next button.
• Now put your LAN IP block (192.168.10.0/24 for this article) in DHCP Address Space input box and click Next button.
• Put LAN gateway address (192.168.10.1 for this article) in Gateway for DHCP Network input box and then click Next button.
• Provide IP range from which your DHCP client/LAN user will get IP in Address to Give Out input box and click Next button.
• Provide preferred DNS server IP and click Next button.
• Now provide IP lease time and click Next button. Default lease time is 3 days.
• DHCP setup has been completed and a successful message will be shown. Your DHCP Server will be shown in DHCP Server List.
• Click on your DHCP Server twice and you will find DHCP Server window. From Address Pool dropdown menu, choose static-only so that your DHCP Server turns into a static DHCP Server. In a static DHCP Server, IP address will not be provided until client MAC address is supplied and obviously an enterprise network will want it.
• Go to IP > Pool and remove the automatic created pool from Pools list because in static DHCP server no need to have a pool. IP will be provided manually when any user will supply his device MAC address.

DHCP Server configuration has been completed. Now we will create two firewall rules so that only our permitted users can access internet via our MikroTik Router.

Creating Firewall Rule to Block or Allow DHCP Clients

We will now create two firewall rules so that only our permitted user can get internet access via our MikroTik Router. If any expert user wants to do any unfair connection, he will be rejected by these following rules.

• Go to IP > Firewall and click on Filter Rules tab and then click on PLUS SIGN (+). New Firewall Rule window will appear.
• In General tab, choose forward from Chain dropdown menu and choose your LAN interface from Interface dropdown menu.
• Click on Action tab and choose drop from Action dropdown menu.
• Click Apply and OK button.
• Similarly, click on PLUS SIGN (+) and choose forward from Chain dropdown menu and choose LAN interface from Interface dropdown menu.
• Click on Advanced tab and write permitted_users in Address List input box.
• Click on Action tab and choose accept from Action dropdown menu.
• Now click on Apply and OK button.

What we have done is that we have blocked all the users coming from LAN interface with the first firewall rule and then we have allowed all the users who have in permitted_users address list or group with the second firewall rule. Obviously, the second rule must place before the first rule otherwise permitted_users will not get internet access because they will go under first blocked rule. The permitted_users group will be supplied from Radius Server.

Radius Client Configuration in MikroTik RouterOS

The following steps will show you how to configure Radius client in MikroTik RouterOS.

• Click on Radius menu item from left menu bar. Radius window will appear now.
• Click on PLUS SIGN (+). New Radius Server window will appear now.
• Click on dhcp checkbox from Service panel.
• Put Radius Server IP address (in this article: 192.168.110.10) in Address input field.
• Provide a password in Shared Secret input field. This password is important and has to provide when NAS router will be configured in User Manager Radius Server.
• Click on Apply and OK button.
• Now click on Incoming button and Radius Incoming window will appear.
• Click on Accept checkbox and put 1700 in Port input box and then click on Apply and OK button.

Radius client configuration has been completed. Now MikroTik RouterOS is able to communicate with Radius Server to authenticate DHCP users.

Part 2: MikroTik User Manager Radius Server Configuration

MikroTik User Manager Radius Server installation and initial configuration has been discussed in my previous article. If you don’t have enough introduction with User Manager Radius Server installation and initial configuration, first spend some time to study that article and complete your Radius Server installation and initial configuration and then continue my below section. In this section, I will cover below topics in our Radius Server for DHCP user authentication, authorization and accounting.

• Adding Client Router (NAS) in Radius Server
• Profile Configuration for User Bandwidth Limitation and Permission
• Adding User in Radius Server

Adding Client Router (NAS) in Radius Server

The following steps will show you how to add client router in User Manager Radius Server.

• Login to User Manager Radius Server web interface with customer or subscriber credentials using https://radius-server-ip-address/userman (for this configuration: https://192.168.110.10/userman) URL.
• Click on Routers button from left button panel and then click on Add > New menu item from top menu bar. Router Details window will appear now.
• In Main panel, put a meaningful name for your client router in Name input field. Also choose owner from Owner dropdown menu.
• Put your client router IP address (RouterOS IP: 192.168.110.2) in IP address input field.
• Now put shared secret password that you have provided at Radius client configuration in MikroTik RouterOS Shared secret input field.
• In Radius incoming panel, click on CoA support check box and put 1700 in CoA port input box.
• Click on Add button to add this router in Radius Server Router list.

MikroTik RouterOS has been added in User Manager Radius Server as a client router. Now User Manager will reply any query that will be asked by our MikroTik RouterOS.

Profile Configuration for User Bandwidth Limitation and Permission

Now we will create user profile so that we can manage our DHCP user’s bandwidth and permission. The following will show how to create user bandwidth limitation and maintain user permission with User Manager Radius Server.

• Click on Profiles button and then click on Limitations
• Now click on Add > New menu item. Limitation details window will appear.
• Put your limitation package name in Name input box. I am providing Executive Package in Name field because I want to create a limitation package for Executives. Also choose owner from Owner dropdown menu.
• In Rate limits panel, put your bandwidth limitation parameter. For a 512kbps bandwidth limitation, I am providing below information.
  

  Parameter name	Rx	Tx
  Rate limit	512k	512k
  Burst rate	1M	1M
  Burst threshold	512k	512k
  Burst time	60	60
  Min rate	32k	32k

  Also choose priority from Priority dropdown menu. For my configuration I am choosing 8 that mean lowest priority.

• In Constraints panel, put your permitted users address list name (in this article: permitted_users) in Address list input box.
• Click Save button to save this limitation package.
• Similarly, you can create as many limitation packages as you want.
• Now click on Profiles tab and then click on PLUS SIGN (+). Create profile window will appear.
• Put profile name what you want in Name input field. For my executive package, I am providing Executive as name. Click on Create Your created profile will be available in Profiles dropdown menu.
• From Profiles dropdown menu, select your profile created profile. At the bottom of this profile, you will find Unlimited profile that mean there is no limitation for this profile. So, click on Add new limitation Profile part window will appear now.
• You will find your limitation packages that you have created before in Limits Click on your desired Package’s checkbox and then click on Add button to add this limitation for this profile.
• Similarly, you can create as many profiles as you want and can assign limitation for those profiles.

Profile configuration in User Manager Radius Server has been completed. Now we will create users who will be permitted to get internet access.

Adding User in Radius Server

Now we will add our DHCP clients in User Manager Radius Server. The following steps will show you how to add users/DHCP clients in your Radius Server.

• Click on Users button and then click on Add > One menu item. User details window will appear.
• In Main panel, put MAC address of your user’s device in Username input field.
• In Constraints panel, put IP address that you want to assign for this user in IP address input field.
• Now choose your desired profile for this user from Assign profile dropdown menu and then click on Add

First DHCP user has been created. Similarly, you can create as many users as you want following the above steps properly.

Our static DHCP server is ready. Now it is time to test our DHCP server. Connect the device that you added here in your network. If everything is OK, the device will be able to get internet access via your NAS Router.

Assigning IP Dynamically via Static DHCP Server

Normally, there is no option in MikroTik static DHCP Server to authenticate DHCP users by providing MAC address and then assign IP address dynamically. For example, a guest user comes to your office and provides his smartphone MAC address. Now you will add this MAC address and assign available IP address manually and then he will be connected to your network. But in this process, finding an available IP address may be a boring task. Using Radius Server, you can avoid this boring task if you want. The following steps will show how to provide IP dynamically via static DHCP Server using MikroTik User Manager Radius Server.

• Login to MikroTik Router and go to IP > Addresses and then click on PLUS SIGN. Put a new IP block’s gateway IP (such as: 192.168.11.1/24) in Address input field and choose the interface where DHCP Server is enabled from Interface dropdown menu. Click on Apply and OK button.
• Go to IP > Pool and click on PLUS SIGN. Put pool name (such as: guest_users_ip) in Name input field. In addresses input filed, put IP ranges from where IP will be assigned dynamically (such as: 192.168.11.2-192.168.11.254).
• Go to IP > DHCP Server and click on Networks tab and then click on PLUS SIGN. Put your IP block (such as: 192.168.11.0/24) in Address input field and gateway IP (such as: 192.168.11.1) Gateway input field. You can also assign DNS server for this IP block from DNS Servers input field. Click Apply and OK button.
• Now login to User Manager Web interface with customer credentials and click on Profiles button and then click on Limitation tab. Go to Add > New menu item and put name of this limitation package (such as: Guest Package) in Name input field and choose owner from Owner dropdown menu.
• If you want to apply rate limit for this package, you can do that from Rate limit panel according to your requirements.
• In Constraints panel, put IP Pool name (in this article: guest_users_ip) in IP pool input filed. Also put permitted user’s address list (in this article: permitted_users) in Address list window. Click Add button to add this new limitation package.
• Click on Profiles tab and click on PLUS SIGN. Put profile name in Name input field and click on Create button. Your newly created profile will be available in Profiles dropdown menu. Select your newly created profile and from bottom click on Add new limitation You will find your newly created limitation package in Limits panel. Click on newly created package checkbox and then click on Add button.
• Click on Users button from left button panel and click on Add > One menu item. Put MAC address of your user’s device in Username input field and then just select your newly created profile from Assign profile dropdown menu. Click add button to add this user. Similarly, you can create as many users for this profile as you want.

Now our static DHCP with Radius Server is ready to provide IP address dynamically to our desired users.  Connect your desired device to your network. If everything is OK, your user will get IP address dynamically from your defined IP ranges.

I hope, it will be so easy to configure a static DHCP network with MikroTik User Manager Radius Server if follow the above steps properly. However, if you face any confusion to follow the above steps, feel free to watch my video tutorial about MikroTik static DHCP Server Configuration with User Manager Radius Server. I hope, it will reduce your any confusion.

MikroTik Static DHCP Server Configuration with User Manager Radius Server has been discussed in this article. I hope you will be able to configure your network with MikroTik DHCP Server and User Manager Radius Server so easily. However, if you face any confusion to design your DHCP network with User Manager Radius Server, feel free to contact with me from Contact page. I will try my best to stay with you.