source ip check

Phil Frost phil at postmates.com
Fri Apr 6 19:34:40 CEST 2018


On Fri, Apr 6, 2018 at 4:50 PM Bassem Mettichi <mettichi at gmail.com> wrote:

> Thanks a lot Alan for this response, this is really my problem. Because when
> I send the packet from the client side the destination IP is the VIP (ported
> by keepalived).
>
> However, when I receive the response I get the source IP of the freeradius server
> instead of the VIP (normally the source IP of the response packet should
> be the VIP).
>
> But I don't know why keepalived and LVS are changing the source IP
> of the packet.
>

I'm no expert with freeradius, but it sounds like it's sending its
responses from 0.0.0.0 which means "let the kernel pick", regardless of
where it received the request. Searching GitHub and mailing list archives
for "multihoming" will find some people who have been down this road before.

Possibly there's some configuration you can make to freeradius to
explicitly bind it to the VIP address. Again I'm very much not an expert
here.

But I'll offer an alternate direction of research in case adjusting the
freeradius configuration turns out to be a dead end. If the sending socket
isn't explicitly bound to an address, the kernel will consult the routing
tables to decide on a source address. For example, on my Linux desktop
packets destined for 8.8.8.8 will use the source address 192.168.1.102:

$ ip route get 8.8.8.8
8.8.8.8 via 192.168.1.1 dev em1 src 192.168.1.102

You can view the entire routing table with "ip route". You might be able to
tweak your keepalived configuration so when it installs the VIP address, it
also inserts a route with a lower metric than the existing ones such that
the VIP is used as the default source address. You can also play games with
ip-rule(8) if you want this to happen for only some ports or hosts in a way
that you can't express with just one routing table.

Hope that gives you some possible solutions to research.
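
The behaviour discussed in this thread can be reproduced on a single Linux host. The following is an added example, not code from the thread or from FreeRADIUS: 127.0.0.2 is a constructed stand-in for the VIP (Linux treats all of 127.0.0.0/8 as local), and the function names are hypothetical. It shows a wildcard-bound UDP server answering from the kernel-chosen address, and the same server answering from the VIP once it is bound to it.

```python
import socket
import threading

# Constructed stand-in for the keepalived VIP; assumes Linux, where every
# address in 127.0.0.0/8 is local but 127.0.0.1 is the preferred source.
VIP = "127.0.0.2"


def kernel_source_for(dest_ip):
    """Source IP the kernel picks for an unbound UDP socket (cf. `ip route get`)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, 1812))  # UDP connect sends nothing, it only does the route lookup
        return s.getsockname()[0]
    finally:
        s.close()


def reply_source(server_bind_addr, timeout=2.0):
    """Send one request to the VIP; return the source IP of the reply the client sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((server_bind_addr, 0))  # port 0: let the kernel pick a free port
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            data, peer = srv.recvfrom(4096)
            srv.sendto(b"reply:" + data, peer)  # source address comes from the bind
        except socket.timeout:
            pass
        finally:
            srv.close()

    worker = threading.Thread(target=serve_once)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    try:
        cli.sendto(b"request", (VIP, port))
        _, (src_ip, _) = cli.recvfrom(4096)
        return src_ip
    finally:
        cli.close()
        worker.join()


if __name__ == "__main__":
    print("kernel source for VIP:", kernel_source_for(VIP))
    print("server on 0.0.0.0 replies from:", reply_source("0.0.0.0"))
    print("server on VIP replies from:", reply_source(VIP))
```

A client that checks the reply's source address against the address it sent to accepts only the second case.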

