Quick summary: I have RADIUS servers that are performing authentication and accounting for various NAS devices. I recently set up a new accounting proxy, to put a copy of my accounting files on remote hosts via a private network. I've created an additional detail writer, and created a reader. With radclient, this works. With radiusd, it does not.

Problem: The detail reader, when sending the accounting packets, sends them out the *correct* interface, but with the *wrong* source IP address. (It will send out eth2, but have the source IP of eth0.) I proxy to other hosts as well, so I cannot simply force a single proxy IP address, since that will break other things. (As far as I can tell.) All my routing is good, no firewalls are in the way, etc. When I send a packet from the RADIUS servers to the new proxy hosts via radclient, it works perfectly. When radiusd tries, it doesn't work (and the new proxies show up as zombies, and then dead.)

I've dug through the mailing list, the release notes, and dug through Bugzilla, and about the closest thing I found was this bug: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=38

The mailing list shows some results, but not quite what I'm looking for. Is my problem a simple lack of 'udpfromto'? My RADIUS servers bind on specific IP addresses, and not '*', so they aren't listening on INADDR_ANY.

Attempting to get the server reading the detail files to also bind to an IP address and port doesn't fix it, nor does configuring the server to have an interface in addition to an ipaddr. Creating a 'middleman' - a local proxy, listening on the private IP address, which then proxies to the final accounting servers - doesn't work either. (I had hoped that if it were receiving packets on an interface, that it would know where they were accepted, and then proxy out that same interface, with the same source IP.)

The 'fix' I found was a mixture of arptables and iptables. It works, but I'm not happy with having to mangle any proxied packets.

I'm on FreeRADIUS 2.1.10, and I know there's a newer version. Should I simply build a new version, and make sure that I change my spec file to include '--with-udpfromto' (if the current one doesn't?)

--
Adam