FreeRADIUS sends proxy packets out the proper interface, but with the wrong source IP (simple udpfromto problem?)

Adam Bultman abultman at mtasolutions.com
Tue Oct 18 23:25:31 CEST 2011


Quick summary:  I have RADIUS servers that are performing authentication
and accounting for various NAS devices.  I recently set up a new
accounting proxy, to put a copy of my accounting files on remote hosts
via a private network.  I've created an additional detail writer, and
created a reader.  With radclient, this works. With radiusd, it does not.

Problem: The detail reader, when sending the accounting packets, sends
them out the *correct* interface, but with the *wrong* source IP
address. (It will send out eth2, but have the source IP of eth0.)  I
proxy to other hosts as well, so I cannot simply force a single proxy ip
address, since that will break other things. (As far as I can tell.) All
my routing is good, no firewalls are in the way, etc.

When I send a packet from the RADIUS servers to the new proxy hosts via
radclient, it works perfectly.  When radiusd tries, it doesn't work (and
the new proxies show up as zombies, and then dead.)

I've dug through the mailing list, the release notes, and dug through
bugzilla, and about the closest thing I found was this bug:
https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=38

The mailing list shows some results, but not quite what I'm looking for.
Is my problem a simple lack of 'udpfromto'?  My RADIUS servers bind on
specific IP addresses, and not '*', so they aren't listening on
INADDR_ANY.  Attempting to get the server reading the detail files to
also bind to an IP address and port doesn't fix it, nor does configuring
the server to have an interface in addition to an ipaddr.  Creating a
'middleman' - a local proxy, listening on the private IP address, which
then proxies to the final accounting servers - doesn't work either.  (I
had hoped that if it were receiving packets on an interface, that it
would know where they were accepted, and then proxy out that same
interface, with the same source IP.)

The 'fix' I found was a mixture of arptables and iptables.  It works but
I'm not happy with having to mangle any proxied packets.

I'm on FreeRADIUS 2.1.10, and I know there's a newer version.  Should I
simply build a new version, and make sure that I change my spec file to
include '--with-udpfromto' (the current one doesn't?)




-- 
Adam
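
A configuration sketch, added here by the editor and not taken from Adam's post or from the FreeRADIUS shipped files, showing the two places where FreeRADIUS 2.x can pin the source address of proxied packets, which is the question the post raises. The interface names, addresses, home server name, pool, realm, detail path and shared secret are constructed placeholders (RFC 5737 documentation ranges). The 'listen { type = proxy }' block and the 'listen { type = detail }' reader are standard 2.x syntax. The per-home-server 'src_ipaddr' directive is an assumption about the installed version: it is documented in later proxy.conf files and requires the server to be built with '--with-udpfromto', the option mentioned above, so check the proxy.conf that ships with your build before relying on it.

```conf
# Constructed example; not the original poster's configuration.
# Assumed layout (RFC 5737 documentation addresses):
#   eth0  192.0.2.10      public side, where the NAS devices talk to radiusd
#   eth2  198.51.100.10   private side, towards the new accounting proxies
#   accounting proxy host 198.51.100.20

# The detail reader that replays the extra accounting copy
# (normally placed in its own virtual server, as copy-acct-to-home-server does).
listen {
	type        = detail
	filename    = ${radacctdir}/detail-copy/detail-*   # constructed path
	load_factor = 10
}

# Option A (radiusd.conf): bind the proxy socket to one explicit address.
# This applies to every home server radiusd proxies to, not just one.
listen {
	type   = proxy
	ipaddr = 198.51.100.10
	port   = 0            # 0 = let the kernel pick an ephemeral port
}

# Option B (proxy.conf): choose the source address per home server.
# 'src_ipaddr' is assumed to be available in the installed version and
# requires a build with --with-udpfromto; packets to this home server then
# leave from eth2's address while other home servers keep the default.
home_server acct_proxy_private {
	type            = acct
	ipaddr          = 198.51.100.20
	port            = 1813
	secret          = ChangeMeExampleSecret   # placeholder, not a real secret
	src_ipaddr      = 198.51.100.10           # assumed directive, see lead-in
	response_window = 20
	zombie_period   = 40
	status_check    = status-server
}

home_server_pool acct_proxy_private_pool {
	type        = fail-over
	home_server = acct_proxy_private
}

# Only accounting is proxied through this realm; no auth_pool is set.
realm acct_copy {
	acct_pool = acct_proxy_private_pool
	nostrip
}
```

After changing either option, confirm the source address with a packet capture on eth2 (for example tcpdump filtering on UDP port 1813) rather than relying on the home server's zombie state, since a zombie only tells you that no reply arrived, not why.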