This is the User-Manager setup for static DHCP addresses; it uses the configuration that was generated automatically in the first part of the series.
I want static IP addresses in my home network so I know which device is where and why. This could easily be done by configuring each device manually and assigning the address, DNS server and default gateway by hand. Since that is clumsy, I prefer a centrally managed DHCP server that hands all of this to the clients but binds each IP address to the device's MAC address.
To get this working on RouterOS I use the built-in User-Manager, with one user per MAC/IP pair, and the router's RADIUS client to authenticate DHCP requests against it.
Step by Step
These are the parts of the series that together make this setup work:
- Generate Configuration for Syslog, User-Manager and DNS Servers
- Replace MAC Addresses With Labels Using Syslog-NG
- User-Manager Setup For Static DHCP (this part)
- DNS Names For Static DHCP Leases
Radius Configuration
The RADIUS setup is quite easy. The command line looks like this, where the address is the IP address of your router on your home network, the same address the DHCP server will listen on. The secret is the RADIUS shared secret; the User-Manager router entry created below must use exactly the same value, otherwise every request is silently rejected. The service list limits which router services may consult this RADIUS server; only dhcp is strictly needed here, wireless is included for a later part.
/radius add address=xx.xx.xx.xx secret="<<RADIUS PASSWORD>>" service=wireless,dhcp
Basic User-Manager Configuration
Unfortunately, the User-Manager is a little tricky to administer. It has to be set up partly from the command line and partly in the User-Manager web frontend, and it cannot be managed from within Winbox. Here is the command-line part:
/tool user-manager customer
add backup-allowed=yes disabled=no login="<<LOGINNAME>>" password="<<RADIUS GUI USER PASSWORD>>" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=+00:00
/tool user-manager profile
add name="dhcp default" name-for-users="DHCP Profile" override-shared-users=off owner="<<LOGINNAME>>" price=0 starts-at=logon validity=0s
/tool user-manager router
add coa-port=1700 customer="<<LOGINNAME>>" disabled=no ip-address=xx.xx.xx.xx log=auth-fail name="dhcp router" shared-secret="<<RADIUS PASSWORD>>" use-coa=no
/tool user-manager user
add comment=client-1 customer="<<LOGINNAME>>" disabled=no ip-address=192.168.100.100 name=00:11:22:AA:BB:CC password="" shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add comment=client-2 customer="<<LOGINNAME>>" disabled=no ip-address=192.168.100.101 name=33:44:55:AA:BB:CC password="" shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
Note: The lines in the "/tool user-manager user" section are generated automatically by my shell script that produces the MAC/IP/DNS configuration (see the first part of the series). The user name is the MAC address, exactly as the DHCP server presents it to RADIUS, and the password stays empty.
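As an added example (this is not the author's generator script, only a stand-in for it), the following POSIX shell script turns a small hosts table into the "/tool user-manager user" section shown above. It normalises the MAC addresses to the upper-case, colon-separated form the router uses as the user name, and it refuses to emit anything if a line is malformed or if a MAC or IP address appears twice, since a duplicate IP would hand two devices the same address. The hosts table and the <<LOGINNAME>> customer placeholder are constructed for the example.

```shell
#!/bin/sh
# Added example, not the author's script: generate the RouterOS
# "/tool user-manager user" entries from a hosts table of
# "MAC IP label" rows, with validation before anything is pasted
# into the router.

# Assumption: same placeholder as the article; substitute the real customer login.
CUSTOMER='<<LOGINNAME>>'

# Constructed sample table, one device per line. Mixed separators and
# case are deliberate: hand-typed inventories look like this.
HOSTS='00:11:22:aa:bb:cc 192.168.100.100 client-1
33-44-55-AA-BB-CC 192.168.100.101 client-2'

# normalize_mac MAC: print the address upper-case and colon-separated
# (the form RouterOS shows in its leases), or return 1 if it is not a MAC.
normalize_mac() {
    m=$(printf '%s' "$1" | sed 's/-/:/g' | tr 'a-f' 'A-F')
    case "$m" in
        [0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F])
            printf '%s\n' "$m" ;;
        *)  return 1 ;;
    esac
}

# user_line MAC IP LABEL: one "add" line in the export format used in the article.
# The MAC becomes the user name, the password is empty, as the DHCP server sends it.
user_line() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    printf 'add comment="%s" customer="%s" disabled=no ip-address=%s name=%s password="" shared-users=1 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""\n' \
        "$3" "$CUSTOMER" "$2" "$mac"
}

# gen_users: emit the whole section. Abort on a malformed MAC, a duplicate
# MAC (two users would share one name) or a duplicate IP (two devices
# would be offered the same address). The loop runs in the pipeline's
# subshell, so "exit 1" there becomes the function's return status.
gen_users() {
    printf '/tool user-manager user\n'
    printf '%s\n' "$HOSTS" | {
        seen_mac=' '; seen_ip=' '
        while read -r mac ip label; do
            [ -n "$mac" ] || continue
            norm=$(normalize_mac "$mac") || { echo "bad MAC: $mac" >&2; exit 1; }
            case "$seen_mac" in *" $norm "*) echo "duplicate MAC: $norm" >&2; exit 1 ;; esac
            case "$seen_ip"  in *" $ip "*)   echo "duplicate IP: $ip" >&2;    exit 1 ;; esac
            seen_mac="$seen_mac$norm "; seen_ip="$seen_ip$ip "
            user_line "$norm" "$ip" "$label" || exit 1
        done
    }
}

gen_users
```

Run it and paste the output into the router's terminal, or feed it to `/import` after saving it as a .rsc file; because validation happens before any output for the failing line, a broken table never produces a half-applied configuration.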
User-Manager Configuration
After you have set up the basic configuration, you have to log in to the User-Manager web frontend, which is available on your RouterOS device on port 80 at /userman, using the <<LOGINNAME>> and <<RADIUS GUI USER PASSWORD>> you just configured. This is plain HTTP, so only reach it from the trusted LAN side of the router, or enable the www-ssl service under /ip service and use https instead.
In the frontend you will have to verify the user profile; at one time I had to edit and save it there before I could actually assign it to any user. After that is done you have to assign this profile to every single user you created.
Unfortunately, this must be done in the GUI and cannot be handled on the command line (as of RouterOS version 6.7). It seems that the API of the User-Manager is missing some parts here.
DHCP Setup
Now that RADIUS and the User-Manager are ready, only the DHCP server is needed to complete the setup.
/ip dhcp-server
add add-arp=yes authoritative=yes disabled=no interface=home lease-time=1d name="homenetwork" src-address=xx.xx.xx.xx use-radius=yes
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=xx.xx.xx.0/24 comment=homenetwork dns-server=xx.xx.xx.1 domain=mydomain gateway=xx.xx.xx.1 netmask=24 ntp-server=xx.xx.xx.1
Now your DHCP server should be up and running. Because the server has no address pool and use-radius=yes, a client is only offered an address when the User-Manager has a user whose name matches its MAC address; unknown devices get no lease at all. Keep in mind that this is inventory management, not access control: a MAC address is trivially spoofed, so a device that wants one of the pre-defined addresses can still take it.
There is only one part missing – now that we have static IP addresses, we want to be able to resolve addresses by DNS which will be the last part of this series. Stay tuned!