Re: [RADIATOR] Radiator and Load Balancer
On 27/07/16 19:32, Robert Blayzor wrote:
> DSR load balancing assumes the real servers know about the load balanced VIP
> and is generally configured on a loopback.
>
> The problem with this I think is that Radiator responds with a source address
> of where the packet leaves. (at least that’s been my experience). Most
> clients will probably ignore the response as it’s coming from a different
> address.
>
> With Radiator being Perl, I don’t think you can force Radiator to answer from
> a specific source address on the server.

i've used radiator with dsr for some fairly large radius installs, works
fine as long as you set it up correctly. the loopback alias or firewall
packet mangling rules will make sure that the return packets are not
ignored ...

--
no name ... no slogan

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Radiator and Load Balancer
DSR load balancing assumes the real servers know about the load balanced VIP and is generally configured on a loopback.

The problem with this I think is that Radiator responds with a source address of where the packet leaves. (at least that’s been my experience). Most clients will probably ignore the response as it’s coming from a different address.

With Radiator being Perl, I don’t think you can force Radiator to answer from a specific source address on the server.

NAT will work via the F5, you just have to make sure that the response traffic goes back out to the load balancer it came in on.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

> On Jul 27, 2016, at 1:38 PM, shaun gibson wrote:
>
> i've used direct server return for radius and it seemed to work well :
>
> http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
> https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return
>
> using the f5 for inbound and outbound traffic nat will also work, just
> depends what your requirements are ...
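The failure mode described in the message above (a reply leaving from the real server's own address rather than the VIP) can be checked for in a packet capture. This is an added example, not part of the original thread and not Radiator code; it assumes the capture shows addresses as the RADIUS client sees them, and every address and packet in it is constructed.

```python
import struct
from collections import namedtuple

# One captured UDP datagram; src/dst are (ip, port), payload is the RADIUS packet.
Datagram = namedtuple("Datagram", "src dst payload")
REQUEST_CODES = {1, 4}       # Access-Request, Accounting-Request
REPLY_CODES = {2, 3, 5, 11}  # Access-Accept/-Reject, Accounting-Response, Access-Challenge

def radius_header(payload):
    """Return (code, identifier) from a RADIUS packet, or None if malformed."""
    if len(payload) < 20:  # code + identifier + length + 16-byte authenticator
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    return code, ident

def find_bad_replies(capture):
    """Flag replies whose source is not the address the request was sent to."""
    pending = {}  # (client address, identifier) -> address the client sent to
    findings = []
    for d in capture:
        hdr = radius_header(d.payload)
        if hdr is None:
            continue
        code, ident = hdr
        if code in REQUEST_CODES:
            pending[(d.src, ident)] = d.dst
        elif code in REPLY_CODES:
            expected = pending.pop((d.dst, ident), None)
            if expected is None:
                findings.append(("unsolicited", ident, d.src, None))
            elif d.src != expected:
                findings.append(("source-mismatch", ident, d.src, expected))
    return findings

def pkt(code, ident):
    """Constructed minimal RADIUS packet: header only, zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample capture (documentation addresses, not from the thread).
CLIENT, VIP, REAL = ("198.51.100.7", 40000), ("192.0.2.10", 1812), ("10.0.0.21", 1812)
SAMPLE = [
    Datagram(CLIENT, VIP, pkt(1, 17)), Datagram(VIP, CLIENT, pkt(2, 17)),
    Datagram(CLIENT, VIP, pkt(1, 18)), Datagram(REAL, CLIENT, pkt(2, 18)),
]

if __name__ == "__main__":
    print(find_bad_replies(SAMPLE))
```

A `source-mismatch` finding means the return path bypassed the VIP, which is what the loopback alias, packet mangling or NAT back through the load balancer is meant to prevent.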
Re: [RADIATOR] Radiator and Load Balancer
Thanks Shaun. This is good reading.

Barry

On Wed, Jul 27, 2016 at 11:38 AM, shaun gibson wrote:
> On 27/07/2016 18:14, Barry Ard wrote:
> > We are running into some challenges configuring a new environment for
> > Eduroam.
> >
> > Recently we have moved away from 2 servers running multiple radiator
> > processes to multiple VMs behind an F5 load balancer. This has been
> > working well for our wireless infrastructure but has been posing
> > challenges as we are trying to include our Eduroam config.
> >
> > The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a
> > private address facing the F5, eth1 is a public address and is the
> > default gateway.
> >
> > I have created a test environment with an external radius server to
> > simulate Eduroam.
> > Initially proxied requests would transit the VMs' default gateway which
> > I think is undesirable so I created a static route for the external
> > radius server to force it out the load balancer facing interface. Now
> > proxied requests have a private address which of course will not work.
> >
> > I think the desirable scenario would be for proxied requests to exit
> > through the F5 and be NAT’d to source from the F5 external address. My
> > colleague who admins the load balancer is hesitant to NAT externally
> > using an address that is currently listening on a service. He thinks
> > this is getting too complicated.
> >
> > I am sure others are using a load balancer in this scenario so please
> > tell me what you are doing.
>
> i've used direct server return for radius and it seemed to work well :
>
> http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
> https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return
>
> using the f5 for inbound and outbound traffic nat will also work, just
> depends what your requirements are ...

--
Barry Ard
barry@ualberta.ca
IST
University of Alberta
Edmonton, Alberta
Canada
Re: [RADIATOR] Radiator and Load Balancer
On 27/07/2016 18:14, Barry Ard wrote:
> We are running into some challenges configuring a new environment for
> Eduroam.
>
> Recently we have moved away from 2 servers running multiple radiator
> processes to multiple VMs behind an F5 load balancer. This has been
> working well for our wireless infrastructure but has been posing
> challenges as we are trying to include our Eduroam config.
>
> The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a
> private address facing the F5, eth1 is a public address and is the
> default gateway.
>
> I have created a test environment with an external radius server to
> simulate Eduroam.
> Initially proxied requests would transit the VMs' default gateway which
> I think is undesirable so I created a static route for the external
> radius server to force it out the load balancer facing interface. Now
> proxied requests have a private address which of course will not work.
>
> I think the desirable scenario would be for proxied requests to exit
> through the F5 and be NAT’d to source from the F5 external address. My
> colleague who admins the load balancer is hesitant to NAT externally
> using an address that is currently listening on a service. He thinks
> this is getting too complicated.
>
> I am sure others are using a load balancer in this scenario so please
> tell me what you are doing.

i've used direct server return for radius and it seemed to work well :

http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return

using the f5 for inbound and outbound traffic nat will also work, just
depends what your requirements are ...
[RADIATOR] Radiator and Load Balancer
We are running into some challenges configuring a new environment for Eduroam.

Recently we have moved away from 2 servers running multiple radiator processes to multiple VMs behind an F5 load balancer. This has been working well for our wireless infrastructure but has been posing challenges as we are trying to include our Eduroam config.

The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a private address facing the F5, eth1 is a public address and is the default gateway.

I have created a test environment with an external radius server to simulate Eduroam. Initially proxied requests would transit the VMs' default gateway which I think is undesirable so I created a static route for the external radius server to force it out the load balancer facing interface. Now proxied requests have a private address which of course will not work.

I think the desirable scenario would be for proxied requests to exit through the F5 and be NAT’d to source from the F5 external address. My colleague who admins the load balancer is hesitant to NAT externally using an address that is currently listening on a service. He thinks this is getting too complicated.

I am sure others are using a load balancer in this scenario so please tell me what you are doing.

Thanks,
Barry

--
Barry Ard
barry@ualberta.ca
IST
University of Alberta
Edmonton, Alberta
Canada