Multiple Interfaces, Not Seeing Requests

Matthew West matthew.t.west at gmail.com
Tue Feb 7 01:30:42 CET 2017


Hi List,

It appears that the issue was indeed net.ipv4.conf.default.rp_filter.
I'm still not sure why this would block an incoming and outgoing
packet if the incoming and outgoing interface/ip address was the same,
but I'm glad the issue was confirmed.

Thanks for your insight, Adam.  It would have taken me a long time to
find that by digging through logs.

Take Care,

Matthew

On Mon, Feb 6, 2017 at 4:08 PM, Matthew West <matthew.t.west at gmail.com> wrote:
> Hi FR List,
>
>> look to verify the server is listening.
>
> Appears to be listening to all:
>     udp        0      0 0.0.0.0:1812            0.0.0.0:*               12779/radiusd
>     udp        0      0 0.0.0.0:1813            0.0.0.0:*               12779/radiusd
>
> Firewall off:
>     # systemctl status firewalld.service
>     ● firewalld.service - firewalld - dynamic firewall daemon
>        Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>        Active: inactive (dead)
>          Docs: man:firewalld(1)
>
>> RHEL/CentOS does not work well with multiple interfaces out of the box for some network configurations. You need to enable a few kernel settings to make it do the right thing.
>>
>> It sounds like you may have one of the affected configurations.
>>
>> The issue is detailed here:
>>   https://access.redhat.com/solutions/53031
>
> OK, that makes sense in this circumstance.  I checked the setting and
> it appears that the OS is running in strict mode for reverse path
> filtering.
>
> net.ipv4.conf.default.rp_filter = 1
>
> Since the requests are coming in the same interface that they would be
> going out (same interface/address) why is this required?  I'm going to
> do some troubleshooting and will let you know the results.
>
> Thank You,
>
> Matthew
>
> On Mon, Feb 6, 2017 at 3:16 PM, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
>> On 6 Feb 2017, at 22:38, Matthew West <matthew.t.west at gmail.com> wrote:
>>> I'm happy to do the legwork for this one.  Can someone point me in the
>>> right direction for further troubleshooting?
>>
>> RHEL/CentOS does not work well with multiple interfaces out of the box for some network configurations. You need to enable a few kernel settings to make it do the right thing.
>>
>> It sounds like you may have one of the affected configurations.
>>
>> The issue is detailed here:
>>   https://access.redhat.com/solutions/53031
>>
>> You can confirm this by enabling martian logging using sysctl:
>>   net.ipv4.conf.*.log_martians=1
>>
>> I wouldn't enable martian logging permanently; it's not necessary in normal operation and could cause your logging process (rsyslog/journald) to start discarding useful traffic.
>>
>> Note that in my experience, setting default/all is not sufficient; you need to apply it to each individual interface explicitly. This may have changed in 7.3, or may not be the case if you're using an interface naming scheme that doesn't start with 'eno'.
>>
>> If you're using firewalld, you also need to make sure that auxiliary interfaces are assigned to the correct zone.
>>
>> Regards,
>>
>> Adam Bishop
>>
>>   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
>>
>> jisc.ac.uk
>>
>> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>
>> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
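
Added example, not part of the original thread: a small audit script that reports the reverse path filtering mode the kernel actually applies on each interface, along with its martian logging state. It relies on the documented kernel behaviour that source validation uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter; the function names and the sample values (interfaces eno1/eno2) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): show the rp_filter mode the kernel
# applies on each interface. Source validation uses the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter; conf/default only seeds
# interfaces created later. Martian logging is on if all or <iface> is 1.

rp_mode_name() {
    case "$1" in
        0) echo off ;; 1) echo strict ;; 2) echo loose ;; *) echo unknown ;;
    esac
}

effective_rp_filter() {   # args: all-value iface-value
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

audit_rp_filter() {       # arg: conf directory (defaults to the live host)
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_rp=$(cat "$conf_dir/all/rp_filter")
    all_lm=$(cat "$conf_dir/all/log_martians")
    for d in "$conf_dir"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        rp=$(effective_rp_filter "$all_rp" "$(cat "${d}rp_filter")")
        if [ "$all_lm" = 1 ] || [ "$(cat "${d}log_martians")" = 1 ]; then
            lm=on
        else
            lm=off
        fi
        echo "$iface rp_filter=$(rp_mode_name "$rp") log_martians=$lm"
    done
}

# Constructed sample tree (hypothetical values) so the script runs anywhere.
make_sample_conf() {      # arg: directory to populate
    for spec in all:0:0 default:1:0 eno1:1:0 eno2:2:1; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$1/$name"
        echo "${rest%%:*}" > "$1/$name/rp_filter"
        echo "${rest#*:}"  > "$1/$name/log_martians"
    done
}

sample=$(mktemp -d)
make_sample_conf "$sample"
audit_rp_filter "$sample"
rm -rf "$sample"
```

On a live host, call audit_rp_filter with no argument to read /proc/sys/net/ipv4/conf directly.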


