Source IP address for proxy requests

Peter Nixon listuser at peternixon.net
Tue Sep 26 11:26:05 CEST 2006


On Tue 26 Sep 2006 11:55, Nicolas Baradakis wrote:
> Peter Nixon wrote:
> > On Mon 25 Sep 2006 19:05, Nicolas Baradakis wrote:
> > > That has nothing to do with FreeRADIUS. The source address of an
> > > outgoing UDP packet is chosen by the kernel according to the local
> > > network configuration.
> >
> > I had this problem previously with FreeRADIUS where radius had to reply
> > from the inside interface of a multihomed server else the packets would
> > not match the IPSec tunnel ACLs bound to the external interface (A common
> > config) I solved it by telling freeradius to only bind to one IP. Does
> > this config no longer work??
>
> This example is different from the one we're discussing. FreeRADIUS
> replies indeed to the NAS from the same address as the request arrived
> at.
>
> However, a proxy request is different, because it's a new outgoing
> packet. In this case, we don't force the source IP in FreeRADIUS and
> we shouldn't do so because the NAS and the realm server are possibly
> on a different network. (it depends on the local network configuration)
>
> The network configuration of the host is outside the scope of
> FreeRADIUS. The correct way to solve the problem is to fix the
> network routes on the host, so the outgoing requests have the
> desired source IP.

Yes you are correct. Obviously I didn't read the thread in enough depth. It
does bring up the issue that we maybe should have an optional proxy_source_ip
config option..

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
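
The difference discussed in this thread, between a source address left to the kernel's route lookup and one fixed by binding the socket, shown as an added example that is not part of the original message and is not FreeRADIUS code. It assumes a Linux host, where all of 127.0.0.0/8 is local, so 127.0.0.2 stands in for a second interface address; the function names are hypothetical.

```python
import socket


def kernel_chosen_source(dest_ip, dest_port=1812):
    """Return the source IP the kernel would pick for a UDP packet to dest_ip.

    connect() on a UDP socket sends nothing; it only makes the kernel do the
    route lookup and fix the local address, which getsockname() then reports.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


def observed_source(listen_ip, bind_ip=None):
    """Send one datagram to a local receiver and return the source IP it sees.

    With bind_ip=None the sender is unbound and the kernel selects the source
    from its routing table. With bind_ip set, the application has pinned it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((listen_ip, 0))          # ephemeral port on the receiver
        rx.settimeout(2.0)               # fail instead of hanging
        if bind_ip is not None:
            tx.bind((bind_ip, 0))        # pin the source address
        tx.sendto(b"constructed test datagram", rx.getsockname())
        _data, (src_ip, _src_port) = rx.recvfrom(64)
        return src_ip


if __name__ == "__main__":
    # Constructed addresses: loopback only, nothing leaves the host.
    print("route lookup picks:", kernel_chosen_source("127.0.0.1"))
    print("unbound sender seen as:", observed_source("127.0.0.1"))
    print("bound sender seen as:",
          observed_source("127.0.0.1", bind_ip="127.0.0.2"))
```

Calling `kernel_chosen_source()` with the address of a remote peer shows which local address an unbound socket would use on that host, without sending a packet.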


More information about the Freeradius-Users mailing list