DHCP server failing to add ARP entry?

Toby Walsh walshtj at gmail.com
Sun Nov 6 14:47:01 CET 2016


Sorry, I wasn't clear - the hardware is a small server running as an ESXi
box. I have one VM running pfSense and one VM running Ubuntu Server.
Freeradius is running on the Linux VM. So when I've switched off pfSense's
DHCP and switched on FR's, the ARP update should be on the Linux VM, right?

They're communicating through a virtual switch, so I want them on the same
subnet but different hosts/IPs (with everything on my network
served/configured hopefully by FR/mysql and routed by pfSense).

Thanks,
Toby

On Sun, 6 Nov 2016 21:28 Alan DeKok, <aland at deployingradius.com> wrote:

> > On Nov 6, 2016, at 7:02 AM, Toby Walsh <walshtj at gmail.com> wrote:
> >
> > I have a box running Freeradius as a backend to pfSense. I'd like to use FR
> > as a DHCP server. With Alan's help I set up DHCP and EAP on separate sql
> > modules. It works OK when pfSense is serving IPs (FR fails to add an ARP
> > entry but pfSense's DHCP server overrides/ignores FR's anyway). When I turn
> > off the DHCP server on pfSense and try to run exclusively FR's, I get the
> > following key message in my debug:
> >
> > "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
> > permitted (1)"
> >
> > I read the doco for FR's DHCP server and used the command:
> >
> > "sudo setcap cap_net_admin=ei /usr/sbin/freeradius"
>
>   As the docs say, that's a Linux command.  pfSense is FreeBSD.  The
> command might do something for Linux compatibility, but it's most likely
> that it won't work.
>
> > I'm running:
> >
> > "sudo freeradius -X"
> >
> > as well, just to make sure the privileges are OK. Here is the debug output
> > from a sample connection attempt - http://pastebin.com/raw/acNazHPA .
>
>   If it runs as root, it should have permission to update the ARP table
> entry.
>
> > One thing I did not do is obey the comments at the top of that file
> > instructing to call setfib because I thought the comments implied it was
> > unnecessary when a config doesn't have multiple interfaces.
>
>   It isn't necessary for ARP.
>
> > So that's a pretty big clue corresponding to my debug output. However when
> > I run it as sudo it works, obviously. And I run freeradius as sudo so I
> > presumed along with the set capabilities it _should_ work, right?
>
>   On FreeBSD, you should just run it as root.  It should be able to
> update the ARP table entries.
>
>   There is code in the server to create raw DHCP packets, which should
> mean that it isn't necessary to update the ARP tables.  But that code is
> Linux only.  The code for FreeBSD is more complex, and no one has gotten
> around to implementing it yet.
>
>   Alan DeKok.
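
An added example, not part of the thread and not FreeRADIUS code: on a Linux host, a way to confirm whether a process actually holds CAP_NET_ADMIN (the capability the quoted `setcap` command refers to) by decoding the capability masks in `/proc/<pid>/status`. The function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN_BIT=12

# cap_set_has_net_admin STATUS_FILE FIELD
# FIELD is CapInh, CapPrm, CapEff or CapBnd as printed in /proc/<pid>/status.
# Returns 0 if the CAP_NET_ADMIN bit is set in that mask, 1 if it is clear,
# 2 if the field is not present in the file.
cap_set_has_net_admin() {
    mask=$(awk -v f="$2:" '$1 == f { print $2 }' "$1")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Print one line per capability set for the given status file.
report_net_admin() {
    for field in CapInh CapPrm CapEff CapBnd; do
        if cap_set_has_net_admin "$1" "$field"; then
            printf '%s: CAP_NET_ADMIN set\n' "$field"
        else
            printf '%s: CAP_NET_ADMIN clear\n' "$field"
        fi
    done
}

# Constructed sample data (not taken from the thread's debug output):
# a process running as root, and an unprivileged process with no capabilities.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ROOT="$SAMPLE_DIR/root.status"
SAMPLE_UNPRIV="$SAMPLE_DIR/unpriv.status"
printf 'Name:\tfreeradius\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n' > "$SAMPLE_ROOT"
printf 'Name:\tfreeradius\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n' > "$SAMPLE_UNPRIV"

echo "root sample:";         report_net_admin "$SAMPLE_ROOT"
echo "unprivileged sample:"; report_net_admin "$SAMPLE_UNPRIV"

# Against a live daemon on Linux:
#   report_net_admin "/proc/$(pidof freeradius)/status"
# File capabilities on the binary can be listed with: getcap /usr/sbin/freeradius
```

CapEff is the set the kernel checks when the ARP cache is modified; a clear bit there matches the "Operation not permitted" error quoted above.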
