ippool excluded IP addresses

Nathan Ward lists+freeradius at daork.net
Wed Jan 10 12:45:51 CET 2018


Hi,

> On 10/01/2018, at 10:05 PM, artur at jaroschek.net wrote:
> 
>> Hi Artur,
>> 
>>> Subject: ippool excluded IP addresses
>>> 
>>> We are using freeradius version (debian) 2.1.12+dfsg-1.2 (we will
>>> consider to upgrade to min. 2.2.10 soon)
>>> 
>>> We want to manage the IP pool for our ipsec client on radius side. For
>>> this I have set
>>> 
>>> start-ip: 10.150.0.0
>>> end-ip: 10.150.255.255
>>> netmask: 255.255.255.0
>> 
>> start and end-ip don't match your netmask, for an IPv4 class B net it needs
>> to be set to 255.255.0.0 (/16)
> 
> Yes I know - this was totally intended, see below…

Here is why this behaviour happens - if, based on the netmask, it is going to create an entry for the first or last address, it skips it. What you’re doing is certainly not the intended use for this code, but, it works I guess:

/*
 * Net and Broadcast addresses are excluded
 */
or_result = i | data->netmask;
if (~data->netmask != 0 &&
  (or_result == data->netmask ||
    (~or_result == 0))) {
  DEBUG("rlm_ippool: IP %s excluded",
        ip_ntoa(str, ntohl(i)));
  continue;
}

>> 
>>> 
>>> Will this automatically exclude all IPs ending with .0 and .255???
>>> e.g.:
>>> 
>>> 10.150.0.0
>>> 10.150.0.255
>>> 10.150.1.0
>>> 10.150.1.255
>>> .
>>> .
>>> .
>>> 10.150.255.0
>>> 10.150.255.255
>> 
>> Excluding .0 and .255 is not necessary as they are valid and usable
>> ip-addresses within that range.
>> 
>> What are you trying to achieve by excluding them?
> 
> We want to exclude all IPs ending with ".255" as our VPN client does not
> like them, even though we set Netmask to be /32 or /16.

How 1990s. What client and server is this?

--
Nathan Ward
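
The exclusion test quoted in the message above, as an added stand-alone example (not part of the original message and not FreeRADIUS code): it applies the same check to the 10.150.0.0 - 10.150.255.255 range from the thread and counts how many addresses would be skipped under each netmask. The helper names ipv4(), ippool_excluded() and count_excluded() are hypothetical, and addresses are assumed to be in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from its four octets. */
static uint32_t ipv4(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/*
 * Same test as the quoted excerpt (host byte order assumed):
 * skip an address whose host bits are all zero or all one.
 */
static int ippool_excluded(uint32_t ip, uint32_t netmask)
{
	uint32_t or_result = ip | netmask;

	if ((uint32_t)~netmask == 0)	/* /32 mask: no host bits, nothing skipped */
		return 0;
	return or_result == netmask || (uint32_t)~or_result == 0;
}

/* Count the addresses in [start, stop] that the check would skip. */
static uint32_t count_excluded(uint32_t start, uint32_t stop, uint32_t netmask)
{
	uint32_t n = 0;

	/* 64-bit counter so the loop terminates even if stop is 255.255.255.255 */
	for (uint64_t i = start; i <= stop; i++)
		if (ippool_excluded((uint32_t)i, netmask))
			n++;
	return n;
}

int main(void)
{
	uint32_t start = ipv4(10, 150, 0, 0);
	uint32_t stop = ipv4(10, 150, 255, 255);

	printf("255.255.255.0:   %u skipped\n",
	       count_excluded(start, stop, ipv4(255, 255, 255, 0)));
	printf("255.255.0.0:     %u skipped\n",
	       count_excluded(start, stop, ipv4(255, 255, 0, 0)));
	printf("255.255.255.255: %u skipped\n",
	       count_excluded(start, stop, ipv4(255, 255, 255, 255)));
	return 0;
}
```

With the /24 netmask every .0 and .255 address in the range is skipped, so the pool holds 512 fewer addresses than the range suggests.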



