ippool excluded IP addresses

artur at jaroschek.net artur at jaroschek.net
Wed Jan 10 16:41:02 CET 2018


> Hi,
>
>> On 10/01/2018, at 10:05 PM, artur at jaroschek.net wrote:
>>
>>> Hi Artur,
>>>
>>>> Subject: ippool excluded IP addresses
>>>>
>>>> We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will
>>>> consider upgrading to min. 2.2.10 soon)
>>>>
>>>> We want to manage the IP pool for our ipsec client on radius side.
>>>> For this I have set
>>>>
>>>> start-ip: 10.150.0.0
>>>> end-ip: 10.150.255.255
>>>> netmask: 255.255.255.0
>>>
>>> start and end-ip don't match your netmask, for an IPv4 class B net it
>>> needs to be set to 255.255.0.0 (/16)
>>
>> Yes I know - this was totally intended, see below…
>
> Here is why this behaviour happens - if, based on the netmask, it is going
> to create an entry for the first or last address, it skips it. What
> you’re doing is certainly not the intended use for this code, but, it
> works I guess:
>
> /*
>  * Net and Broadcast addresses are excluded
>  */
> or_result = i | data->netmask;
> if (~data->netmask != 0 &&
>   (or_result == data->netmask ||
>     (~or_result == 0))) {
>   DEBUG("rlm_ippool: IP %s excluded",
>         ip_ntoa(str, ntohl(i)));
>   continue;
> }
>
>>>
>>>>
>>>> Will this automatically exclude all IPs ending with .0 and .255???
>>>> e.g.:
>>>>
>>>> 10.150.0.0
>>>> 10.150.0.255
>>>> 10.150.1.0
>>>> 10.150.1.255
>>>> .
>>>> .
>>>> .
>>>> 10.150.255.0
>>>> 10.150.255.255
>>>
>>> Excluding .0 and .255 is not necessary as they are valid and usable
>>> ip-addresses within that range.
>>>
>>> What are you trying to achieve by excluding them?
>>
>> We want to exclude all IPs ending with ".255" as our VPN client does not
>> like them, even though we set Netmask to be /32 or /16.
>
> How 1990s. What client and server is this?

Server is not relevant, but anyhow: it's a FortiGate (firewall). On client
side we are using NCP. I'm already in contact with NCP... but I like the
way freeradius handles it.

>
> --
> Nathan Ward
>
>



