Proxy with two interfaces configuration

Alan DeKok aland at
Fri Feb 13 09:56:36 CET 2009

> All following ipv6 addresses are to be read with global scope (but as I
> said, if they were ipv4 it would be the same I think)
> Server address : 2001::400
> Proxy (interface to the server) 2001::300
> Proxy (interface to the client) 2000::300
> Client 2000:200
> Now when I try to run the test what it happens is that the client sends
> the auth request, the proxy correctly forwards it to the server, and the
> server correctly authenticate the client. The problem is that the proxy
> sends the proxied message with the address 2000::300, not 2001::300.
> When the server tries to reply to the proxy, it tries to send the packet
> to 2000::300 but since it is a different network there is no route for it.

  Then your routing tables are broken.  You have a route FROM 2000::300
to the server.  This is why that source IP is being chosen by the OS for
proxied packets.  You don't, however, have a route BACK, which is why
the packets never make it back.

> I have been searching for a while in the users / radiusd.conf /
> clients.conf / proxy.conf for a option to set the proxy ip address when
> proxying messages. It seemed to me that I saw something like that , but
> if I did I just can't find it again.

  You can't fix routing issues by editing FreeRADIUS configuration files.

> P.S: another quick question. It is possible with some logging option (or
> in other ways) to save  the attributes that the server adds to the auth
> accept message locally in a file in the proxy machine? I saw that there
> is some options to add/modify the attributes in the reply, but it is
> possible to save them in a file?

  See the "detail" module.

  Alan DeKok.

More information about the Freeradius-Users mailing list