Netgate Discussion Forum

CARP/HA Source IP for Authentication is interface IP instead of CARP IP.

sthames42
last edited by Apr 6, 2017, 5:27 PM

On my LAN side:

Primary  = .63.98
Backup   = .63.126
CARP VIP = .63.1

I have a RADIUS server at .63.230. I can't set the interface to use for calls to the Authentication server so when the authentication request goes out to my RADIUS server, the source IP is the device IP (.98 or .126) instead of the VIP .63.1. I solve this problem by adding an outbound NAT rule on the LAN interface to map the device IP to the VIP without port translation (static port).

Is there a more appropriate way to do this? Are there any problems it might create?
dotdash
last edited by Apr 6, 2017, 5:52 PM

I usually just authorize the interface addresses for each firewall on the RADIUS side. This means you can't sync the auth server from the primary to the backup, as the keys will be different.
sthames42
last edited by Apr 6, 2017, 9:14 PM

Thanks for responding.

That's a solution, sure. And the sync isn't a problem since the server authenticates the client by Shared Secret. The ideal solution is to be able to set the interface to use but that isn't an option.

My question is if anyone can think of any problems my solution will cause given all requests to the LAN from the routers will have the source IP of the CARP VIP.
sthames42
last edited by Apr 7, 2017, 12:14 AM

Ok, here I go answering my own question. Bad idea!

Using the outbound NAT for anything from the router broke dhcpd failover. The lease sync failed because the requests were blocked at the firewall by the default deny rule.

So I guess I'll have to go with setting up two interfaces on the RADIUS server.
One more thing to have to remember.
Derelict (Netgate)
posted Apr 7, 2017, 12:45 AM, last edited Apr 7, 2017, 12:49 AM

If you properly limit the scope of the outbound NAT to just RADIUS ports, it shouldn't touch DHCP. Limit the Destination to .63.230 ports udp/1812-1813 for instance.

But I would tend to be in the "add the LAN interfaces for both nodes as RADIUS clients on the server" camp.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
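As an added illustration (not from the thread or from pfSense's own config), here is the difference between the two outbound NAT rules in pf syntax, the rule language pfSense compiles its NAT settings into. The interface name and the first two octets of the addresses are placeholders, since the thread only gives the last two octets.

```pf
# Added example; the macro values are placeholders, not addresses from the thread.
lan_if   = "em1"
node_ip  = "192.0.2.98"    # this node's LAN address (.63.126 on the backup node)
carp_vip = "192.0.2.1"     # CARP VIP shared by the pair
radius   = "192.0.2.230"   # RADIUS server

# Original rule: rewrites the source of everything this node itself sends out
# the LAN, so the dhcpd failover connection to the peer also leaves from the VIP
# and the peer's default deny rule drops it.
# nat on $lan_if inet from $node_ip to any -> $carp_vip static-port

# Scoped rule: only RADIUS authentication/accounting (udp/1812-1813) to the
# server is rewritten; DHCP failover and everything else keep the node address.
nat on $lan_if inet proto udp from $node_ip to $radius port 1812:1813 -> $carp_vip static-port

# With the scoped rule, the RADIUS server needs a client entry for the VIP only,
# and that entry is valid whichever node is currently master.
```

The same rule is needed on both nodes with their own node_ip; in the pfSense GUI this corresponds to a manual outbound NAT entry with Destination set to the server and the port range, and "static port" enabled.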
sthames42
last edited by Apr 7, 2017, 4:37 PM

I agree, Derelict. I tend to be in that camp also.

What I like about the NAT solution is it allows me to interchange a single router with an HA cluster without making changes to the rest of my network.

Thank you for the answer on NAT.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.