Article by Syed Jahanzaib !
Recently I was contacted by a friend who was really passionate in starting a mini-ISP type network setup for about 3000 users in the interior area of city. (soon it may expand up to 5000+ users). He asked my help to setup a scratch card base fully automatic system where user purchase scratch card, & using User self care portal web site, user may create his new ID or refresh his previous ID or change the service package according to the card package offers. I had previously setup this kind of scenario in a cable.net environment using Mikrotik built-in radius server called ‘User Manager’, but it have very limited basic features and all it can offer was a pre-paid type option and it doesn’t have many accounting features. So I thought I should give a try to more rich feature radius server and after a lot of googling i decided to go with (FREERADIUS base ) DMASOFTLAB RADIUS MANAGER. A very famous radius server with all the option that a mini-ISP would required at unbelievably low price.
The hardware that I have used for this setup.
*Main Mikrotik = v4.17 x86 / Xeon 3.6Ghz Dual / 2 GB Ram / WD 500 GB Sata Hdd , This MT is serving as a PPPoE Server + NAT + bandwidth shaping. It also redirects HTTP traffic to Proxy server.
* Mikrotik RB750 = Just for HOTSPOT to redirect users to self care portal.
(This can be done on Main MT also, but I prefer it this way)
* Radius Server = DMASoftlab RM v3.9 installed on Fedora v10 / Xeon 3.6Ghz Dual / 4 GB Ram / WD 500 GB x2 Sata Hdd
* SQUID PROXY GW = SQUID v2.7 on UBUNTU Karmic Koala v9.10 / Xeon 3.6Ghz Dual / 8 GB Ram / WD 500 GB x3 SATA HDD (2 HDD reserved for Cache), This server acts as a proxy + Gateway machine for the Mikrotik, It also do URL Filtering blocking ads, it also have ZPH enabled so content available in squid cache should be downloaded at full speed (without package limitation) at user end. It also cache youtube videos using VIDEOCACHE.
* Linux Transparent BRIDGE firewall + DHCP + DNS + MRTG + WEB Server on FEDORA V10 / Xeon 3.6Ghz Dual / 4 GB Ram / WD 500 GB SATA HDD, This server sits between Mikrotik and Users , filtering unwanted traffic, ports and do some other stuff like lightweight DNSMASQ DNS Server, DHCP server providing ips to users , Web Site with MRTG , Psychostats ranking system for Counter Strike Game, Server Monitoring Scripts and Alerts, PHPBB Forums for Users, and some other cool stuff. DNS+DHCP is hosted on this server to minimize load on main mikrotik machine, alos this machine filters unwanted traffic from passing by to main mikrotik.
In this setup , I have configured HOTSPOT on extra RB750 only to redirect user to my advertisement page, where he is informed that he is not logged in via dialer, either create / refresh his ID from RM User Self Care Portal, or if he already have an id, connect it via dialer. I don’t prefer HotSpot authentication due to various security reasons, mainly due to I had a very bad experience having HOTSPOT hit by ARP-POISONING and many virus flooder that requires default gateway.
When user first login , his PC MAC address is binded with his ID to prevent accessing it from different pcs. Multiple session of same ID is NOT allowed , I provide user with scratch card (with refill code) , which he can use to refill his account according to card amount/package from RM User self care portal. RM demo can be viewed at http://www.dmasoftlab.com/cont/radman
When users with pppoe dialer tries to connect to main Mikrotik, MT verifies its credentials by asking Radius Server for the account validity, if the ID is valid, user connects okay and can use internet , otherwise he gets disconnected. When the User account is expired, he still can login via dialer, but then he is redirect to my local web server page where he is informed that his account is expired and he should visit billing.local page to renew his account using the card.
Please find along with attachment is my Network Diagram (This was initially designed, I made few changes afterward, I removed FTP from MT DMZ to user subnet lan to avoid load on MT , I moved ftp OS from windows to Linux and integrate it with radius authentication using APACHE.
Some other entertainment services that I setup here were:
2 FTP Media Sharing Servers ( 4 TB of data )
2 Live TV Channel streaming over LAN using VLC Media Player Broadcasting
1 Counter Strike 1.6 Dedicated Server with Psychostats Ranking System and adminmod/amxmod
1 Web Server (Ubunut) hosting site u-dear . com , an entertainment portal and hosting other features. It also features monitoring system with MRTG / SMS Alerts via attached Mobile.
About RM: Radius Manager uses a nice web interface for administering the users and the whole system (traffic accounting, tracking of online users, display statistics, maintenance ,account management etc.).
and to add that DMASoftlab customer support guys (specially Mr. Viktor.K) have excellent support and respond instantly even to the dumbest of questions. It is real value for money especially for those who do not have big wallet$.
Network Diagram Layout : (Complete setup guide can found at