IPv4 *and* IPv6 addresses for home_servers and failover

Bob Franklin rcf34 at cam.ac.uk
Thu Jun 14 15:54:01 CEST 2012


On Wed, 13 Jun 2012, alan buxey wrote:

>>   server_pool ja-net_pool {
>>     type = client-balance
>>     home_server = ja-net-roaming0_server
>>     home_server = ja-net-roaming0_server6
>>     home_server = ja-net-roaming1_server
>>     home_server = ja-net-roaming1_server6
>>     ...
>>   }
>
> yes - but I wouldn't advise to do it that way - as all you are doing 
> there is using one client balance - with the alternates being the same 
> server.... ie roaming0 or roaming-ipv6
>
> - if roaming0 was down/dead then the ipv6 one is too.
>
> so, better with eg
>
> ja-net-roaming0_server6
> ja-net-roaming1_server6
> ja-net-roaming2_server6
> ja-net-roaming0_server
> ja-net-roaming2_server
> ja-net-roaming3_server

Reading the proxy.conf information, it says that if a particular home 
server is unavailable, the next one up in the list is used.

Working that through with what happens in each case, your way does a 
better job of coping with a server going down; I think my way is better at 
coping with one of an IPv4 or IPv6 failure.  The network connectivity 
should be more reliable than the servers themselves (not that I'm 
slighting the people running the NRPS, here ;-]) - as such, I think your 
way is better, so I'll do that.


> ..or actually, why bother with IPv4 - just go native...
>
> ja-net-roaming0_server6
> ja-net-roaming1_server6
> ja-net-roaming2_server6

Maybe when things have been running on v6 for a while and I'm happy with 
all the other aspects of that.  ;)


> you might want to look at client-port-balance or the hashed balance 
> method as you get more spread through the remote proxies then.
>
> also, keep the name in the config but add the IPv6/IP address in 
> /etc/hosts

I'll look at those - we certainly have the majority of our access from our 
two main wireless controllers - I haven't checked if those hash to 
different home servers.


> (also, don't forget that you'll need to add a listener to your 
> virtual-server or radiusd.conf too - you cannot have ipv4 and ipv6 
> listener in the same statement - you just add a second listener)

Yup -- I have the client side going (although just on the EUI-64 address 
so far - not on the service address; getting that set up was something 
slightly lateral in the distribution we use).

We have a large number of internal proxies/clients so work needs to be 
done on our configuration script to auto-generate the v4 and v6 client and 
home server entries.


Thanks for yours and other Alan's help -- we should have this going in a 
couple of weeks, when we renumber the other of our two servers.

   - Bob


-- 
  Bob Franklin <rcf34 at cam.ac.uk>              +44 1223 748479
  Network Division, University of Cambridge Computing Service


More information about the Freeradius-Users mailing list
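
Added example, not part of the original message and not FreeRADIUS code: a small model of the trade-off discussed above, comparing the pool order with each server's IPv4 and IPv6 entries adjacent against the order with all IPv6 entries first. It assumes the client hash picks a starting slot and that a dead home server is skipped by moving to the next entry in the list, wrapping at the end; the pools are reduced to two servers and the function names are illustrative.

```python
# Added illustration, not FreeRADIUS code. Assumed model: the client's hash picks
# a starting slot in the pool and dead entries are skipped by walking to the
# next entry in the list, wrapping at the end.

# Pool orderings (home_server names from the thread, reduced to two servers).
PAIRED = ["ja-net-roaming0_server", "ja-net-roaming0_server6",
          "ja-net-roaming1_server", "ja-net-roaming1_server6"]
GROUPED = ["ja-net-roaming0_server6", "ja-net-roaming1_server6",
           "ja-net-roaming0_server", "ja-net-roaming1_server"]


def host_down(pool, host):
    """Entries lost when one machine dies: its IPv4 and IPv6 entries together."""
    return {name for name in pool if host in name}


def family_down(pool, suffix="_server6"):
    """Entries lost when one address family (IPv6 by default) stops working."""
    return {name for name in pool if name.endswith(suffix)}


def walk(pool, start, dead):
    """Return (entry finally used, dead entries tried first) for one start slot."""
    for skipped in range(len(pool)):
        candidate = pool[(start + skipped) % len(pool)]
        if candidate not in dead:
            return candidate, skipped
    return None, len(pool)  # every entry is dead


def worst_case(pool, dead):
    """Largest number of dead entries any client must try before a live one."""
    return max(walk(pool, start, dead)[1] for start in range(len(pool)))


def report():
    """One row per ordering: (label, worst case host down, worst case IPv6 down)."""
    rows = []
    for label, pool in (("paired", PAIRED), ("grouped", GROUPED)):
        rows.append((label,
                     worst_case(pool, host_down(pool, "roaming0")),
                     worst_case(pool, family_down(pool))))
    return rows


if __name__ == "__main__":
    for label, host, family in report():
        print(f"{label:8} host down: {host} dead tries   IPv6 down: {family} dead tries")
```

Each dead entry tried costs the proxy a timeout before it moves on, so the ordering that keeps the worst case at one for the more likely failure is the one to prefer.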