Multiple Interfaces, Not Seeing Requests

Matthew West matthew.t.west at gmail.com
Wed Feb 8 00:32:16 CET 2017


Hi List,

Thank you all for pointing me in the right direction. We had
asymmetric routing going on.

> I can't be certain it is the cause as you redacted your addresses and didn't mention your gateway/prefix lengths, but the root cause would be that strict mode requires that a packet arrives at the "best" source interface.

The sysadmin that built the system and I worked through the issue.
There was, in fact, a default route causing the packets to be returned
out of the management interface rather than the source interface.  He
implemented source-based routing and I returned the reverse packet
filter back to 'strict' and FreeRADIUS still works.

On to returning to configuration.

Thank you guys!  You're the best,

Matthew

On Mon, Feb 6, 2017 at 4:31 PM, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
> On 7 Feb 2017, at 00:08, Matthew West <matthew.t.west at gmail.com> wrote:
>> Since the requests are coming in the same interface that they would be
>> going out (same interface/address) why is this required?  I'm going to
>> do some troubleshooting and will let you know the results.
>
> I can't be certain it is the cause as you redacted your addresses and didn't mention your gateway/prefix lengths, but the root cause would be that strict mode requires that a packet arrives at the "best" source interface.
>
> e.g:
>
>   eth0 as 10.0.0.2/24
>   eth1 as 172.16.0.2/24
>   default gw as 10.0.0.1/24
>
>   A packet from 0.0.0.0/0         to eth0 will pass, as it's not from a directly connected subnet and is via the default routed interface
>   A packet from 172.16.0.0/12 to eth0 will pass, as it's not from a directly connected subnet and is via the default routed interface
>   A packet from 172.16.0.0/24 to eth1 will pass, as it's from the directly connected subnet for eth0
>   A packet from 10.0.0.0/24     to eth1 will be rejected, as it's from the directly connected subnet for eth0
>   A packet from 172.16.0.0/12 to eth1 will be rejected, as it's not from a directly connected subnet but is not via the default routed interface
>
> When you switch to loose filtering the "best" requirement is dropped; all that matters is that the packet's source is reachable via some interface.
>
> Regards,
>
> Adam Bishop
>
>   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
>
> jisc.ac.uk



More information about the Freeradius-Users mailing list
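
The strict and loose behaviour described in the quoted reply, as an added example that is not part of the original thread: a small Python model of the reverse-path check, using the interface layout from that reply. The function names and the sample source addresses are constructed for illustration; the real check is performed by the kernel, not by code like this.

```python
import ipaddress

# Routing table constructed from the layout in the quoted reply:
# eth0 10.0.0.2/24, eth1 172.16.0.2/24, default gateway 10.0.0.1 (via eth0).
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), "eth0"),
    (ipaddress.ip_network("172.16.0.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

def best_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def rp_filter(src, in_iface, mode, routes=ROUTES):
    """True if a packet from src arriving on in_iface passes the check.

    mode follows the Linux rp_filter values: 0 = off, 1 = strict, 2 = loose.
    """
    if mode == 0:
        return True
    best = best_interface(src, routes)
    if best is None:          # source not reachable via any interface
        return False
    if mode == 2:             # loose: any route back to the source is enough
        return True
    return best == in_iface   # strict: must arrive on the "best" interface

# Constructed sample packets: (source address, arrival interface)
SAMPLES = [
    ("198.51.100.7", "eth0"),  # remote source, arrives on default-route interface
    ("172.16.5.9", "eth0"),    # inside 172.16.0.0/12 but outside eth1's /24
    ("172.16.0.50", "eth1"),   # directly connected to eth1
    ("10.0.0.50", "eth1"),     # directly connected to eth0, arrives on eth1
    ("172.16.5.9", "eth1"),    # remote source arriving on the non-default interface
]

def evaluate(mode):
    """Return the accept/reject decision for every sample packet."""
    return [rp_filter(src, iface, mode) for src, iface in SAMPLES]

if __name__ == "__main__":
    for (src, iface), strict, loose in zip(SAMPLES, evaluate(1), evaluate(2)):
        print(f"{src:>14} on {iface}: strict={strict} loose={loose}")
```

The last sample is the asymmetric case from this thread: the request arrives on one interface while the route back to its source points out of another, so strict mode drops it until the return path matches.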