Nathan Ward via juniper-nsp wrote 2021-08-10 08:00:
On 10/08/2021, at 10:40 PM, Bjørn Mork via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

Thank you Nathan and Bjorn for your explanations, they are very helpful!
I'll definitely look at ip pool management in RADIUS. I'm struggling to find a good freeradius documentation source, could you give some links?

So far, I started to play with the KEA dhcp server and stumbled on the topic of a "shared subnet" with multiple pools. I have two clients connected. The first pool has only one IP available, to force the client who comes last to use the second pool. The first client successfully gets the .226 IP from the first pool, but the second client fails.

My config has this:

    "subnet4": [
        {
            "subnet": "X.X.X.224/28",
            "pools": [ { "pool": "X.X.X.226 - X.X.X.226" } ],
            "relay": {
                "ip-addresses": [ "X.X.X.225" ]
            },
            "option-data": [
                {
                    // For each IPv4 subnet you most likely need to specify at
                    // least one router.
                    "name": "routers",
                    "data": "X.X.X.225"
                }
            ]
        },
        {
            "subnet": "X.X.X.240/28",
            "pools": [ { "pool": "X.X.X.242 - X.X.X.245" } ],
            "relay": {
                "ip-addresses": [ "X.X.X.225" ]
            },
            "option-data": [
                {
                    // For each IPv4 subnet you most likely need to specify at
                    // least one router.
                    "name": "routers",
                    "data": "X.X.X.241"
                }
            ],

In the log I get this:

    Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 d0:76:8f:a7:43:ca], cid=[no info], tid=0x485c2228: failed to allocate an IPv4 address in the subnet X.X.X.224/28, subnet-id 1, shared network
    Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 d0:76:8f:a7:43:ca], cid=[no info], tid=0x485c2228: failed to allocate an IPv4 address after 1 attempt(s)
    Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 d0:76:8f:a7:43:ca], cid=[no info], tid=0x485c2228: Failed to allocate an IPv4 address for client with classes: ALL, VENDOR_CLASS_xxxxxxxx.dslforum.org, UNKNOWN

Looks like KEA doesn't consider the second subnet as belonging to the same shared network despite the matching giaddr. I followed the example in the Kea documentation and expect that a relay address matching the giaddr should do the trick, but I feel maybe the subnets have to be in the same bracket, however I don't know how to put them there. At one moment I saw addresses leased from both pools but later it returned back to this. Maybe it was a transient state when the previous lease hadn't expired yet, I'm not sure.


Note that you also must have a unique address as the primary address
on the interface as the giaddr - which the centralised dhcp server
talks to. If that giaddr is shared across BNGs, your replies will go
to the wrong place a large % of the time, and not get to the
subscriber.
The giaddr does not need to be an address in any of the subnets you
want to hand out addresses in - in isc dhcpd, you can configure the
giaddr in a subnet as part of the “shared network” you want to hand
out addresses from, which if you have a lot of BNGs saves you a
handful of addresses you can give to customers.

Good point, thanks. I find Juniper documentation on primary and preferred IP very confusing; for me it's always a try-and-fail method to find a working combination. Even more confusing, a few years ago I had a TAC case opened regarding the meaning of preferred address for IPv6 assignment to a pppoe subscriber, and I was told by TAC that it's not supported for IPv6 at all. I think it changed in recent releases.

For example, there is a unique IP on lo0 that is used as router-id etc., and also there should be one or more IPs that match subnets in address pools. In the dynamic profile the address is specified this way:

    unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address"

Currently I have neither primary nor preferred specified on lo0 and .225 is somehow selected. In my understanding preferred-source-address has to match a subnet in the address pool, otherwise it will fail to assign an address. And it will also be used as giaddr in this case. Which address should be primary and which preferred in this case?

Kind regards,
Andrey
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
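
Added example, not part of the original message or of the Kea project's own documentation: Kea treats subnets as sharing one link only when they are listed together under a `shared-networks` entry, so the two /28s from the posted config are shown here grouped that way. The 192.0.2.x addresses are constructed stand-ins for the redacted X.X.X prefix, and the network name and the second subnet id are assumptions.

```json
{
"Dhcp4": {
    // Added example: both /28s sit behind the same relay (giaddr), so they
    // are grouped in one shared network instead of top-level "subnet4".
    "shared-networks": [
        {
            // Hypothetical name; any unique string works.
            "name": "bng1-subscribers",
            // Relay address given once for the whole shared network.
            "relay": { "ip-addresses": [ "192.0.2.225" ] },
            "subnet4": [
                {
                    "id": 1,
                    "subnet": "192.0.2.224/28",
                    // Single-address pool, as in the posted test setup.
                    "pools": [ { "pool": "192.0.2.226 - 192.0.2.226" } ],
                    "option-data": [
                        { "name": "routers", "data": "192.0.2.225" }
                    ]
                },
                {
                    // Assumed id; it only has to be unique.
                    "id": 2,
                    "subnet": "192.0.2.240/28",
                    "pools": [ { "pool": "192.0.2.242 - 192.0.2.245" } ],
                    "option-data": [
                        { "name": "routers", "data": "192.0.2.241" }
                    ]
                }
            ]
        }
    ]
}
}
```

With this grouping, once the pool in the first subnet is exhausted the allocation engine continues with the next subnet of the same shared network.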
