Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread xcorpse
On 27/07/16 19:32, Robert Blayzor wrote:
> DSR load balancing assumes the real servers know about the load balanced VIP 
> and is generally configured on a loopback.
>
> The problem with this I think is that Radiator responds with a source address 
> of where the packet leaves. (at least that’s been my experience). Most 
> clients will probably ignore the response as it’s coming from a different 
> address.
>
> With Radiator being Perl, I don’t think you can force Radiator to answer from 
> a specific source address on the server.

i've used radiator with dsr for some fairly large radius installs, works 
fine as long as you set it up correctly. the loopback alias or firewall 
packet mangling rules will make sure that the return packets are not 
ignored ...

-- 
no name ... no slogan
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
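
The client-side behaviour discussed in the message above (a reply arriving from an address other than the one the request was sent to is ignored), as an added example that is not part of the thread and is not Radiator code: a sketch of the checks a RADIUS client typically applies to a reply, including the RFC 2865 Response Authenticator. The addresses, shared secret, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread).
VIP = ("192.0.2.10", 1812)        # load-balanced address the client sent to
REAL = ("10.0.0.21", 1812)        # real server's own address behind the balancer
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))       # Request Authenticator of the outstanding request
REQ_ID = 7                        # Identifier of the outstanding request

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply whose Response Authenticator follows RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def check_reply(reply, src, expected_server, ident, request_auth, secret):
    """Return 'accept' or the reason a client would drop the reply."""
    if src != expected_server:
        # This is the DSR failure mode: the packet is cryptographically
        # valid but sourced from the real server instead of the VIP.
        return "drop: source is not the server the request was sent to"
    if len(reply) < 20:
        return "drop: short packet"
    _code, r_ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "drop: bad length"
    if r_ident != ident:
        return "drop: identifier mismatch"
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "drop: bad authenticator"
    return "accept"

# Access-Accept (code 2) with a Reply-Message attribute (type 18).
REPLY = build_reply(2, REQ_ID, REQ_AUTH, b"\x12\x04ok", SECRET)

if __name__ == "__main__":
    print("from VIP :", check_reply(REPLY, VIP, VIP, REQ_ID, REQ_AUTH, SECRET))
    print("from real:", check_reply(REPLY, REAL, VIP, REQ_ID, REQ_AUTH, SECRET))
```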


Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Robert Blayzor
DSR load balancing assumes the real servers know about the load balanced VIP 
and is generally configured on a loopback.

The problem with this I think is that Radiator responds with a source address 
of where the packet leaves. (at least that’s been my experience). Most clients 
will probably ignore the response as it’s coming from a different address.

With Radiator being Perl, I don’t think you can force Radiator to answer from a 
specific source address on the server.


NAT will work via the F5, you just have to make sure that the response traffic 
goes back out to the load balancer it came in on.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu




> On Jul 27, 2016, at 1:38 PM, shaun gibson  wrote:
> 
> i've used direct server return for radius and it seemed to work well :
> 
> http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
> https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return
> 
> using the f5 for inbound and outbound traffic nat will also work, just
> depends what your requirements are ...



Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Barry Ard
Thanks Shaun. This is good reading.

Barry

On Wed, Jul 27, 2016 at 11:38 AM, shaun gibson  wrote:

> On 27/07/2016 18:14, Barry Ard wrote:
>
> > We are running into some challenges configuring a new environment for
> > Eduroam.
> >
> > Recently we have moved away from 2 servers running multiple radiator
> > processes to multiple VMs behind an F5 load balancer. This has been
> > working well for our wireless infrastructure but has been posing
> > challenges as we are trying to include our Eduroam config.
> >
> > The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a
> > private address facing the F5, eth1 is a public address and is the
> > default gateway.
> >
> > I have created a test environment with an external radius server to
> > simulate Eduroam.
> > Initially proxied requests would transit the VMs' default gateway which
> > I think is undesirable so I created a static route for the external
> > radius server to force it out the load balancer facing interface. Now
> > proxied requests have a private address which of course will not work.
> >
> > I think the desirable scenario would be for proxied requests to exit
> > through the F5 and be NAT’d to source from the F5 external address. My
> > colleague who admins the load balancer is hesitant to NAT externally
> > using an address that is currently listening on a service. He thinks
> > this is getting too complicated.
> >
> > I am sure others are using a load balancer in this scenario so please
> > tell me what you are doing.
> >
> i've used direct server return for radius and it seemed to work well :
>
>
> http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
>
> https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return
>
> using the f5 for inbound and outbound traffic nat will also work, just
> depends what your requirements are ...



-- 

Barry Ard   barry@ualberta.ca
IST
University of Alberta
Edmonton, Alberta   Canada

Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread shaun gibson
On 27/07/2016 18:14, Barry Ard wrote:

> We are running into some challenges configuring a new environment for
> Eduroam. 
>
> Recently we have moved away from 2 servers running multiple radiator
> processes to multiple VMs behind an F5 load balancer. This has been
> working well for our wireless infrastructure but has been posing
> challenges as we are trying to include our Eduroam config. 
>
> The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a
> private address facing the F5, eth1 is a public address and is the
> default gateway.
>
> I have created a test environment with an external radius server to
> simulate Eduroam.
> Initially proxied requests would transit the VMs' default gateway which
> I think is undesirable so I created a static route for the external
> radius server to force it out the load balancer facing interface. Now
> proxied requests have a private address which of course will not work.
>
> I think the desirable scenario would be for proxied requests to exit
> through the F5 and be NAT’d to source from the F5 external address. My
> colleague who admins the load balancer is hesitant to NAT externally
> using an address that is currently listening on a service. He thinks
> this is getting too complicated.
>
> I am sure others are using a load balancer in this scenario so please
> tell me what you are doing.
>
i've used direct server return for radius and it seemed to work well :

http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return

using the f5 for inbound and outbound traffic nat will also work, just
depends what your requirements are ...




[RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Barry Ard
We are running into some challenges configuring a new environment for
Eduroam.

Recently we have moved away from 2 servers running multiple radiator
processes to multiple VMs behind an F5 load balancer. This has been
working well for our wireless infrastructure but has been posing challenges
as we are trying to include our Eduroam config.

The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a private
address facing the F5, eth1 is a public address and is the default gateway.

I have created a test environment with an external radius server to simulate
Eduroam.
Initially proxied requests would transit the VMs' default gateway which I
think is undesirable so I created a static route for the external radius
server to force it out the load balancer facing interface. Now proxied
requests have a private address which of course will not work.

I think the desirable scenario would be for proxied requests to exit
through the F5 and be NAT’d to source from the F5 external address. My
colleague who admins the load balancer is hesitant to NAT externally using
an address that is currently listening on a service. He thinks this is
getting too complicated.

I am sure others are using a load balancer in this scenario so please tell
me what you are doing.

Thanks,
Barry


-- 

Barry Ard   barry@ualberta.ca
IST
University of Alberta
Edmonton, Alberta   Canada