Syed Jahanzaib Personal Blog to Share Knowledge !

August 24, 2016

Radius Manager Connection Tracking System for Mikrotik

Filed under: Mikrotik Related, Radius Manager — Syed Jahanzaib / Pinochio~:) @ 10:35 AM


As requested by a few OPs, the following is a short technical reference guide on how to have the TCP/UDP connections seen by Mikrotik stored in the Radius Manager connection tracking database, so that you can view a per-user connection tracking report. In my personal view, it's not very useful, and on low-end hardware it creates a bottleneck, but if you have good resources with some fast storage (like SSD or RAID-10) it is better to set it up.

CTS is best described in the dmasoftlab manual, as quoted below:

Radius Manager has a special feature: the Connection Tracking System. It is available only in Radius Manager CTS version or higher. With the help of it the system can track and log all the TCP and UDP connections for all registered (online) users.

By default when you install the CTS enabled version of Radius Manager, it will use the default CTS database (CONNTRACK). It is strongly recommended to use a separate database host for the CONNTRACK database, due to the enormous amount of data stored daily. It can be even a 100-500 MegaBytes (and in my personal experience it can grow as much as 3-5 GB on busy network, ZAIB) per day. Fast disks (like SSD in RAID 10 mode, zaib) are also recommended to be able to seek and store the data in real time. Radius Manager periodically stores the traffic data to CONNTRACK database (typically in every 5–60 seconds).

Mikrotik (6.x) Configuration to enable Firewall Logging to remote server (RM)

If you have already configured Radius Manager, then the conntrack database has also been configured by the installation script. The next step is to enable firewall logging on the Mikrotik router so that it can send the categorized TCP/UDP data to the Radius Manager conntrack database.

On the Mikrotik, open a terminal and issue the following commands …

The example below uses the following IP scheme.

PPPoE users ip pool =
Radius Manager IP  =

/ip firewall filter add chain=forward src-address= protocol=tcp connection-state=new action=log

/ip firewall filter add chain=forward src-address= protocol=udp connection-state=new action=log

/system logging action add name=rmctszaib remote= target=remote remote-port=4950

/system logging add topics=firewall action=rmctszaib

If you don’t see any errors, you are good to go.
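As an added illustration (not from the original post and not Radius Manager's own code), the sketch below parses the kind of line the two action=log rules send to the remote target and counts new connections per subscriber address. It assumes the RouterOS 6.x firewall log layout shown in the comment; the sample lines and the 10.0.0.0/24 pool are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed RouterOS 6.x firewall log layout (an assumption, not taken from the article):
#   firewall,info forward: in:<if> out:<if>, [src-mac ..,] proto TCP (SYN), a:p->b:q, len N
LINE_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]{17}), )?"
    r"proto (?P<proto>TCP|UDP)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)

# Constructed sample payloads; 10.0.0.0/24 stands in for the PPPoE pool.
SAMPLE = [
    "firewall,info forward: in:<pppoe-user1> out:ether1, proto TCP (SYN), 10.0.0.5:51514->203.0.113.10:443, len 52",
    "firewall,info forward: in:<pppoe-user1> out:ether1, proto UDP, 10.0.0.5:40000->198.51.100.53:53, len 60",
    "firewall,info forward: in:<pppoe-user2> out:ether1, proto TCP (SYN), 10.0.0.9:50122->203.0.113.10:80, len 52",
    "firewall,info forward: in:ether1 out:ether2, proto TCP (SYN), 192.0.2.77:4444->10.0.0.5:22, len 52",
    "system,info,account user admin logged in from 192.0.2.1 via winbox",
]

def parse_line(line, pool):
    """Return a connection record, or None for non-firewall or out-of-pool lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        src = ipaddress.ip_address(rec["src_ip"])
        ipaddress.ip_address(rec["dst_ip"])
    except ValueError:
        return None  # e.g. 999.1.1.1 passes the regex but is not a valid address
    if src not in pool:
        return None  # the rules only log pool sources; ignore anything else
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def connections_per_source(lines, pool_cidr):
    """Count new connections per (source IP, protocol) for addresses in the pool."""
    pool = ipaddress.ip_network(pool_cidr)
    counts = Counter()
    for line in lines:
        rec = parse_line(line, pool)
        if rec:
            counts[(rec["src_ip"], rec["proto"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(connections_per_source(SAMPLE, "10.0.0.0/24").items()):
        print(key, n)
```

Because the router delivers these lines as unauthenticated UDP datagrams, a collector should accept them only from the router's address.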


1. Radius Manager should be licensed at the CTS level. A Basic license won't work.

2. Make sure that the RMCONNTRACK service is up and running. To check, look for its process with

ps aux |grep rmconntrack

and you should get a result something like the following

root@radius:/# ps aux |grep rmconntrack
root xxxx 0.0 0.0 xxxxxx xxx ? Ssl 13:22 0:00 /usr/local/bin/rmconntrack

If you see it's running, proceed further; otherwise you may start it manually with

rmconntrack -x

Now log in to RM ACP > Reports > Connection Report

Here you can get a report for all users or for an individual user.

As shown in the image below …





Syed Jahanzaib





  1. Asalam O Alaikum Bhai, I am a big fan of your posts; I always read them even when I don't need them. I recently got a Radius Manager project after a long time, and CTS was the main requirement as the govt does not allow open internet in public. I wasted 2 days but the above configuration was not working for me. It was all my mistake that I tried to send logs without even a little research: I didn't start the rmconntrack service on the RM side, and didn't know that the rmconntrack service needs to be started manually ..
    Please add the recommendations below for careless guys like me ..

    1. Radius Manager should be licensed with CTS .. basic license won't work ..
    2. rmconntrack -x on server to start the service
    4. ps -aux | grep 4950 to check if it's listening on port or not.

    Comment by Malik — August 24, 2016 @ 12:41 PM

    • The RM CONNTRACK service does get started automatically; there is no need to start it manually as you mentioned.
      However, yes, it's a good point that one must ensure that the rmconntrack service is UP and running.
      I have updated the article accordingly.

      Comment by Syed Jahanzaib / Pinochio~:) — August 24, 2016 @ 1:18 PM

      • Thank you sir, I thought the same, but mine was not started automatically; maybe during the setup I selected something else. After trying for 2 days I went back to the RM user manual, checked CTS and got it started manually.
        Thank you sir for your guidance, you are our inspiration…. Please check if we can achieve the same task with linux syslog-ng or rsyslog..

        Comment by Malik — August 25, 2016 @ 12:05 AM

  2. Sir, one question: what if somewhere we don't have Radius Manager, can we do the same setup with a linux machine installed with syslog-ng, with mikrotik sending all connection logs to it? And would the syslog server give us all the usage logs the same way as RM?

    Comment by Malik — August 24, 2016 @ 12:51 PM

  3. Hi Syed,

    Great article. But one thing is still missing, the one I need most. On my Radius Manager I configured CTS and it's working well. The issue is that on my server there is very little space, and as per the Radius Manager setup we need to configure a separate database server if there are more clients.

    So can you please do some research and help us to make a separate database server for CTS.

    Comment by Anupam Pradhan — August 24, 2016 @ 2:24 PM

    • When you install Radius Manager, it asks for the conntrack database host; you can configure it there.
      Or, if Radius is already installed, change the conntrack database name, password and host in the Radius Manager CFG file, and then on the remote host create the conntrack DB and table and assign proper rights. You need to read the manual in depth.

      Comment by Syed Jahanzaib / Pinochio~:) — August 24, 2016 @ 3:24 PM

  4. How does it work for cable DOCSIS users? Do we see these logs correctly, and is there a way that we can set it up without Radius Manager, something with linux?

    Comment by Blead Demt — August 24, 2016 @ 10:39 PM

  5. Sir, it’s working on Mikrotik 5.20v also

    Comment by ramanji neyuluk — August 29, 2016 @ 9:02 PM

  6. Dear Sir,

    Please share configuration for Authentication Log in radius manager in tools menu.


    Comment by Dilip Saini — September 1, 2016 @ 8:20 AM

  7. Sir, a simple question, do you know if there is a way to run a hotspot without internet?
    Best regards.

    Comment by int21 — September 8, 2016 @ 3:19 AM

    • Hotspot requires DNS resolving in order to display the login page to the user,
      so you should have at least DNS resolving access on the mikrotik.

      Comment by Syed Jahanzaib / Pinochio~:) — September 18, 2016 @ 4:11 PM

  8. Good day Sir. Can Mikrotik Local Auth be done with Radius Manager as it can be done with Free Radius? If so, how do I go about it? I don't particularly want to run a separate Free Radius for this. Your help will be much appreciated…

    Comment by Riaan Griesel — September 26, 2016 @ 10:55 PM

  9. Hello Sir.. Following your steps I have successfully installed Radius Manager and Connection Tracking…. When a user logs in, connection tracking stores data in the database properly, but I am not able to retrieve it in the Admin Panel… it gives me a System error… When I check my DB, the entries are there… Please help me

    Comment by Dev — October 14, 2016 @ 3:39 PM
