We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon) We want to manage the IP pool for our ipsec client on radius side. For this I have set start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0 Will this automatically exclude all IPs ending with .0 and .255??? e.g.: 10.150.0.0 10.150.0.255 10.150.1.0 10.150.1.255 . . . 10.150.255.0 10.150.255.255 Thank you.
On Jan 9, 2018, at 3:00 PM, Artur Jaroschek <artur@jaroschek.net> wrote:
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
That's good.
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
Will this automatically exclude all IPs ending with .0 and .255???
No. It will use the IPs you tell it to use. Alan DeKok.
On Jan 9, 2018, at 3:00 PM, Artur Jaroschek <artur@jaroschek.net> wrote:
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
That's good.
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
Will this automatically exclude all IPs ending with .0 and .255???
No. It will use the IPs you tell it to use.
Hi , because my first impression was that it will do and I was kind of supprised by your answer, I run some test with radclient and above network configuration. Result was that ANY .0/.255 were excluded. I hope this is not a bug but a feature because we need it exactly this way.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Artur,
Betreff: ippool excluded IP addresses
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
start and end-ip dont match your netmask, for a ipv4 class B net it needs to be set to 255.255.0.0 (/16)
Will this automatically exclude all IPs ending with .0 and .255??? e.g.:
10.150.0.0 10.150.0.255 10.150.1.0 10.150.1.255 . . . 10.150.255.0 10.150.255.255
Excluding .0 and .255 is not necessary as they are valid and usable ip-addresses within that range. What are you trying to achieve by exluding them? Chris
Thank you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Artur,
Betreff: ippool excluded IP addresses
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
start and end-ip dont match your netmask, for a ipv4 class B net it needs to be set to 255.255.0.0 (/16)
Yes I know - this was totaly intended, see below...
Will this automatically exclude all IPs ending with .0 and .255??? e.g.:
10.150.0.0 10.150.0.255 10.150.1.0 10.150.1.255 . . . 10.150.255.0 10.150.255.255
Excluding .0 and .255 is not necessary as they are valid and usable ip-addresses within that range.
What are you trying to achieve by exluding them?
We want to exclude all IPs ending with ".255" as out VPN client does not like them, even though we set Netmask to be /32 or /16.
Chris
Thank you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
On 10/01/2018, at 10:05 PM, artur@jaroschek.net wrote:
Hi Artur,
Betreff: ippool excluded IP addresses
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
start and end-ip dont match your netmask, for a ipv4 class B net it needs to be set to 255.255.0.0 (/16)
Yes I know - this was totaly intended, see below…
Here is why this behaviour happens - if, based on the netmask, it is going to create an entry for the first or last address, it skips it. What you’re doing is certainly not the intended use for this code, but, it works I guess: /* * Net and Broadcast addresses are excluded */ or_result = i | data->netmask; if (~data->netmask != 0 && (or_result == data->netmask || (~or_result == 0))) { DEBUG("rlm_ippool: IP %s excluded", ip_ntoa(str, ntohl(i))); continue; }
Will this automatically exclude all IPs ending with .0 and .255??? e.g.:
10.150.0.0 10.150.0.255 10.150.1.0 10.150.1.255 . . . 10.150.255.0 10.150.255.255
Excluding .0 and .255 is not necessary as they are valid and usable ip-addresses within that range.
What are you trying to achieve by exluding them?
We want to exclude all IPs ending with ".255" as out VPN client does not like them, even though we set Netmask to be /32 or /16.
How 1990s. What client and server is this? -- Nathan Ward
Hi,
On 10/01/2018, at 10:05 PM, artur@jaroschek.net wrote:
Hi Artur,
Betreff: ippool excluded IP addresses
We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will consider to upgrade to min. 2.2.10 soon)
We want to manage the IP pool for our ipsec client on radius side. For this I have set
start-ip: 10.150.0.0 end-ip: 10.150.255.255 netmask: 255.255.255.0
start and end-ip dont match your netmask, for a ipv4 class B net it needs to be set to 255.255.0.0 (/16)
Yes I know - this was totaly intended, see belowâ¦
Here is why this behaviour happens - if, based on the netmask, it is going to create an entry for the first or last address, it skips it. What youâre doing is certainly not the intended use for this code, but, it works I guess:
/* * Net and Broadcast addresses are excluded */ or_result = i | data->netmask; if (~data->netmask != 0 && (or_result == data->netmask || (~or_result == 0))) { DEBUG("rlm_ippool: IP %s excluded", ip_ntoa(str, ntohl(i))); continue; }
Will this automatically exclude all IPs ending with .0 and .255??? e.g.:
10.150.0.0 10.150.0.255 10.150.1.0 10.150.1.255 . . . 10.150.255.0 10.150.255.255
Excluding .0 and .255 is not necessary as they are valid and usable ip-addresses within that range.
What are you trying to achieve by exluding them?
We want to exclude all IPs ending with ".255" as out VPN client does not like them, even though we set Netmask to be /32 or /16.
How 1990s. What client and server is this?
Server is not relevant, but anyhow: its a Forigate (firewall). On client side we are using NCP. I'm already in contact with NCP... but I like the way freeradius handles it.
-- Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Artur Jaroschek -
artur@jaroschek.net -
Christian Kaufmann -
Nathan Ward