How to accept RADIUS traffic on multiple interfaces?

McNutt, Justin M. McNuttJ at
Wed Aug 14 22:25:05 CEST 2013

One other thing with multiple interfaces:  RHEL 6 comes with some anti-spoofing features in the kernel enabled by default.  I'm afraid I forget exactly what they are, but the idea is this:  If the kernel gets a packet from HostA on eth1, but the routing table says that the return path to HostA is via eth0, the kernel will drop the packet.

If you have this case, you have two choices:
	1)  Make sure that requests come IN the same interface that will send the replies.
	2)  Turn off the anti-spoofing features in the kernel.

There's also the third option in which you create separate routing tables for each interface (plus the "master" routing table for sessions initiated outbound).  It's a pretty big hammer, but has other advantages for multi-homed systems.  Write back to me off-list if you want to go that route (pardon the pun).


-----Original Message-----
From: at [ at] On Behalf Of Matteo Vocale
Sent: Wednesday, August 14, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: How to accept RADIUS traffic on multiple interfaces?

Before running radius in debug mode, try iptables -F with root privileges; it disables iptables default rules.

Phil Mayers <p.mayers at> wrote:

>On 14/08/13 15:07, Kurt Hillig wrote:
>> But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 - 
>> tcpdump shows it coming in, but "radiusd -X" shows no indication of 
>> this traffic (but is reporting all of the traffic on eth0).
>If "radiusd -X" isn't reporting *anything*, then it's not reaching 
>FreeRADIUS, which means some part of the network stack is dropping it.
>If you're sure your iptables are correct, google "linux log martians" 
>and "linux rp filter". RHEL6 has different defaults to previous RHEL 
>versions in this regard.
>List info/subscribe/unsubscribe? See 

More information about the Freeradius-Users mailing list
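
The drop described in this thread (a request arrives on eth1 while the route back to the sender points at eth0) is what the kernel's rp_filter sysctl controls. The following is an added example, not part of any message in the thread: it reads the rp_filter and log_martians settings and predicts whether a packet would be accepted. The function names and the SYSCTL_ROOT override are assumptions made for this example, and the second argument to verdict is expected to be the "dev" reported by `ip route get <client-ip>`.

```shell
#!/bin/sh
# Added example: predict whether reverse-path filtering drops a packet.
# SYSCTL_ROOT is an assumed override so the script can read a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print net/ipv4/conf/<scope>/<key>, or 0 when the file is not readable.
read_conf() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# The kernel validates sources with max(conf/all, conf/<iface>) rp_filter.
effective_rp_filter() {
    all=$(read_conf all rp_filter)
    ifv=$(read_conf "$1" rp_filter)
    if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

# Martians are logged if either conf/all or conf/<iface> log_martians is set.
martians_logged() {
    echo $(( $(read_conf all log_martians) | $(read_conf "$1" log_martians) ))
}

# verdict <arrival_iface> <return_iface>
# return_iface is the "dev" that `ip route get <client-ip>` prints; pass ""
# when there is no route back to the client at all.
verdict() {
    mode=$(effective_rp_filter "$1")
    case "$mode" in
        0) echo accept ;;                                               # off
        1) if [ "$1" = "$2" ]; then echo accept; else echo drop; fi ;;  # strict
        2) if [ -n "$2" ]; then echo accept; else echo drop; fi ;;      # loose
        *) echo unknown ;;
    esac
}

# One line per interface: effective mode and whether drops would be logged.
report() {
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*; do
        i=${d##*/}
        case "$i" in all|default) continue ;; esac
        echo "$i rp_filter=$(effective_rp_filter "$i") log_martians=$(martians_logged "$i")"
    done
}

# Run against the live system only when asked: sh rpcheck.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

A "drop" verdict with log_martians at 0 matches the symptom in the thread: tcpdump shows the request, the daemon never sees it, and nothing is logged.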