Source IP address for proxy requests

Nicolas Baradakis nbk at sitadelle.com
Mon Sep 25 18:05:52 CEST 2006


Angel L. Mateo wrote:

> On Mon, 25-09-2006 at 14:46 +0200, Nicolas Baradakis wrote:
> > Angel L. Mateo wrote:
> > 
> > > 	Freeradius is working fine with this configuration, except the proxy
> > > module. The problem I have is that proxy requests are originated with
> > > the IP address of the member, not the IP of the cluster. And I haven't
> > > found any configuration option to configure this. Is there any way to do
> > > it?
> > 
> > Why is this a problem?
>
> 	This is a problem for the following reasons:
> 
> * I have to configure my firewall to accept radius connections to
> different addresses, not just the clustered IP.

You could accept a small IP range like 192.168.1.0/30 on the firewall.

> * The radius that receives the request has to define two different
> clients (to accept my request) and also my clustered radius (to send
> requests to me).

I think a realm server would reply to the same IP which it received
the packet from.

> 	I know it can be solved with configuration but I think this is not an
> elegant solution to the problem. If I have configured freeradius to
> listen on just one interface of the server, why does it have to use
> another, different interface?

That has nothing to do with FreeRADIUS. The source address of an
outgoing UDP packet is chosen by the kernel according to the local
network configuration.

I'd suggest looking at the network routes on the host, as suggested
in another reply to your mail.

> > I note RADIUS packets are using UDP, which means they're connectionless.
> > I think you don't want a machine from the cluster to send a proxy request,
> > and a different machine to get the proxy reply. This wouldn't work.
>
> 	This is an impossible situation, because I have an active/standby
> configuration of the cluster. Just one node is running the IP and the
> server. The other node is just a backup one (in a normal environment).

I was confused because you didn't mention it was an active/backup
setup. However, I note a virtual IP is usually used for incoming
traffic, not the requests originated from a node of the cluster.

-- 
Nicolas Baradakis
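
The point about kernel source-address selection, as an added example that is not part of the original message or of FreeRADIUS: an unbound UDP socket gets its source address from the kernel's route lookup, while an explicit bind() pins it, and the receiver (or a firewall in between) sees whichever applies. It assumes a Linux host where all of 127.0.0.0/8 is local; 127.0.0.2 is a constructed stand-in for the cluster's virtual IP.

```python
import socket

RADIUS_PORT = 1812  # standard RADIUS authentication port


def kernel_selected_source(dest_ip, dest_port=RADIUS_PORT):
    """Return the source IP the kernel picks for an unbound UDP socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # connect() on a UDP socket sends no packet; it only performs the
        # route lookup and fixes the local address for this socket.
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


def observed_source(bind_ip=None, listen_ip="127.0.0.1"):
    """Send one datagram and return the source IP the receiver sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((listen_ip, 0))      # ephemeral port on the receiving side
        rx.settimeout(2.0)           # never hang if the datagram is lost
        if bind_ip is not None:
            tx.bind((bind_ip, 0))    # application pins the source address
        tx.sendto(b"probe", rx.getsockname())
        _, (src_ip, _src_port) = rx.recvfrom(64)
        return src_ip


if __name__ == "__main__":
    # Constructed addresses: loopback stands in for the real network.
    print("kernel picks      :", kernel_selected_source("127.0.0.1"))
    print("receiver sees     :", observed_source())
    print("after bind() sees :", observed_source(bind_ip="127.0.0.2"))
```

Running kernel_selected_source() against the real home server address on each cluster node shows which source address a firewall rule or remote client definition has to match.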
