jkroon

radius proxy requests

Thu Dec 02, 2010 12:17 pm

Hi All,

Simplistic case: I've got two MT router boards that connect to each other using some link (/30 subnet), say 10.1 (nodeA) and 10.2 (nodeB). On nodeA I've got a link to the internet; this link is (unfortunately) a NATed link (i.e. the IP assigned to my pppoe connection is the only one I've got available).

Both nodes also act as pppoe servers, authenticating against a radius server that's sitting off-site on a public IP. This radius server logs the last known public IP for each NAS-Identifier on each and every packet, enabling me to track the public IPs of each of the nodes (there are obviously more nodes in the full network than just the two, and in some cases multiple internet uplinks in the same cluster of nodes; routing is done with dynamic routing, so the uplink a node uses can change at relatively short notice).

In the example, then, nodeA and nodeB would have the same public IP. At times I need to be able to send disconnect packets to the nodes; currently I can think of some nasty kludges that might work.

1. For each node, set a dedicated port number, and on ALL border routers, forward that UDP port to the correct loopback address for each internal router (a border router may turn into an internal router should its internet link fail). This has very high administrative overhead; seriously doubting I'll see 10k+ nodes per cluster, so this is potentially feasible.

2. For each border router, set up a VPN link that is forced to go out over its public internet link (possible using some nasty routing hacks) to the radius server and then route all radius traffic onto the VPN (each VPN link would need to form part of the dynamic routing setup, or some really nasty DNAT + policy routing hacks would be required and may not even work due to the way sending of udp packets works). This would mean that none of my clusters can share IP space, which, seeing that I'm restricted to using the private IP ranges, can potentially become a problem.

Of the above I think I prefer option 1 - will just implement some scripted update of the UDP port numbers mapped to the internal NAS IP addresses for sending disconnect packets.

What I'd prefer over both of these, if it is possible, is to just send to the lastip value, always on the same port, give it the NAS-Identifier values and have the MT cluster route it internally. I'm not even sure what would be required for this. I'm guessing if I could write a custom app to run on the border gateways I'd be able to intercept radius packets destined to the main radius server, keep an in-memory cache of NAS-Identifier + cluster IP, and then on receiving disconnect packets use this cache to route them correctly on the cluster. This feels like a more scalable solution for me, least admin, but requires me to write some of my own code to run on the border routers. Unless ROS has something similar built in?
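One way to build the cache-and-steer idea from the last paragraph, as an added example that is neither from the original post nor RouterOS code: a border relay that learns NAS-Identifier to internal NAS address from outbound RADIUS auth/accounting packets and then picks the internal destination for inbound Disconnect/CoA requests. It assumes the NAS listens for Disconnect-Request on UDP 3799 (the RFC 5176 default), hands the bytes on unmodified so the NAS still verifies the Request Authenticator against the shared secret, and leaves the actual socket forwarding to the caller.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS packet codes and attribute types (RFC 2865 / RFC 5176)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
ATTR_NAS_IDENTIFIER = 32
HEADER_LEN = 20          # code, id, length, 16-byte authenticator
COA_PORT = 3799          # assumed Disconnect/CoA listener port on the NAS


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {type: value} for one RADIUS packet; rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


class BorderRadiusRelay:
    """Maps NAS-Identifier -> (internal NAS IP, CoA port) on a border router."""

    def __init__(self) -> None:
        self.nas_by_id: Dict[bytes, Tuple[str, int]] = {}

    def learn_outbound(self, packet: bytes, src_ip: str) -> Optional[bytes]:
        """Called for packets leaving towards the radius server (pre-NAT source)."""
        if packet[0] not in (ACCESS_REQUEST, ACCOUNTING_REQUEST):
            return None
        nas_id = parse_attributes(packet).get(ATTR_NAS_IDENTIFIER)
        if nas_id:
            self.nas_by_id[nas_id] = (src_ip, COA_PORT)
        return nas_id

    def route_inbound(self, packet: bytes) -> Optional[Tuple[str, int]]:
        """Called for Disconnect/CoA requests arriving from the radius server."""
        if packet[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
            return None
        nas_id = parse_attributes(packet).get(ATTR_NAS_IDENTIFIER)
        return self.nas_by_id.get(nas_id) if nas_id else None  # None -> drop


def build_packet(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test packet; authenticator left zero (real ones are keyed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body
```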
