Issue with DHCP with Wireless card
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Mar 13 12:34:02 CET 2014
On 13 Mar 2014, at 01:08, Hugh McLenaghan <hughmcl at hotmail.com> wrote:
> I think i've got it.
>
> Ok, I now know what the problem is.
>
> When i set this up before I didn't have an IPSEC VPN set up and I got it working.
> When I came back to work on it, I had set up an IPSEC VPN in the meantime. Now freeradius wasn't working for DHCP, however ISC DHCPD WAS working. So i was assuming it was completely an issue with freeradius. It does have an issue causing the problem, however it has at least identified WHY things are broken for me!
>
> Here's what I've got.
>
> The Pi is set up with an IPSEC VPN to a remote server. A client connects to the Pi's wireless network (getting an IP Address). ALL traffic from that client needs to go across the VPN (since the network at the other side will control internet access for the clients).
>
> So i have 2 rules in my ipsec-tools.conf file:-
>
> spdadd 10.199.100.0/28 0.0.0.0/0 any -P out ipsec
> esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
> spdadd 0.0.0.0/0 10.199.100.0/28 any -P in ipsec
> esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;
>
> So all traffic from the WLAN (10.199.100.0/28) needs to go across the VPN, hence the above rules.
>
>
> NOW, what's happening is that the freeradius DHCP server is sending the reply packets FROM 0.0.0.0 to the 10.199.100.x network. Now since 0.0.0.0 -> 10.199.100.x fits in the 2nd rule above, what is happening is that it's trying to process the packet as an encrypted esp packet and dropping it. So the packets NEVER reach the interface.
>
> Ok, the reason that the ISC DHCP server works is that the reply packets are being sent from the IP address of the WLAN0 interface: 10.199.100.1, so the reply would be: 10.199.100.1 -> 10.199.100.x. since it's the same network, the above rules aren't being implemented.
>
> So I guess to fully fix the freeradius DHCP we need to try to get the SRC address of the reply packets coming from the Interface IP and not from 0.0.0.0
>
>
> If I can help in any way, PLEASE let me know. I'd like to get this resolved, since the features in freeradius are worth it :) Well done on all the features, it's a great product.
>
Out of interest have you tried setting:
listen {
type = dhcp
broadcast = no
}
?
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140313/e149c830/attachment.pgp>
More information about the Freeradius-Users
mailing list