> -----Original Message-----
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 26, 2000 6:39 PM
> To: Andrew Pollock; [EMAIL PROTECTED]
> Subject: RE: (RADIATOR) Radiator proxying and NAT
>
>
>
> Hello Andrew -
>
> On Tue, 26 Sep 2000, Andrew Pollock wrote:
> > > -----Original Message-----
> > > From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, September 25, 2000 12:17 PM
> > > To: Andrew Pollock; [EMAIL PROTECTED]
> > > Subject: Re: (RADIATOR) Radiator proxying and NAT
> > >
> > >
> > >
> > > Hello Andrew -
> > >
> > > On Mon, 25 Sep 2000, Andrew Pollock wrote:
> > > > Hi,
> > > >
> > > > I'm currently troubleshooting a curious problem with Radiator proxying
> > > > to a second Radiator server that is behind a firewall and is having
> > > > address translation performed on it.
> > > >
> > > > The Radiator server doing the proxying is on the Internet, and the
> > > > Radiator server being proxied to has a private IP address and a fixed
> > > > public address is translated to that private IP address.
> > > >
> > > > Translation is occurring some of the time, but not consistently, and
> > > > it's naturally causing all sorts of problems. The problem is going to
> > > > have to be the firewall, but I'm wondering if anything Radiator is doing
> > > > isn't helping either. One thing I noticed is Radiator is proxying on the
> > > > packets with a high source port (not 1645). I'm pretty sure that
> > > > previously I've seen RADIUS servers do all the talking in all directions
> > > > on port 1645, is this the case?
> > > >
> > >
> > > As far as I know, radius clients (which is what Radiator is when acting
> > > as a proxy) use high source port numbers when sending requests. The only
> > > time we have seen something different (i.e. broken) is with some versions
> > > of GRIC on NT, which don't reply to the source port as sent in the request.
> > >
> > > Someone else on the list may have other comments.
> >
> > Hi again,
> >
> > I've done a little bit more research and noticed the following:
> >
> > NAS (outside firewall) talking to RADIUS (Radiator) server (inside firewall)
> > The NAS will change its source port (the high port) with each new request.
> > Retransmitted requests all use the same source port as the original
> > request. Everything works fine with the firewall and the NATing.
> >
> > Radiator server (outside firewall) talking to Radiator server (inside
> > firewall)
> > The Radiator server outside the firewall changes its source port every
> > minute or so. Multiple different requests are sent to the other Radiator
> > server on the same source port. The first request is NATed correctly, the
> > subsequent requests are not. Once the Radiator server outside the firewall
> > changes its source port again, that first request is also NATed
> > successfully, the rest are not.
> >
> > How hard is it going to be to change Radiator to use a new source port for
> > each request that it proxies?
> >
>
> Your description is most curious, as Radiator opens a socket and then keeps
> using it forever. How are you starting radiusd? And what hardware/software
> platform are you running on?
>
> In any case, it sounds like you should fix the firewall.

Hi Hugh,

We're running Radiator under Solaris 7 on a Sun Ultra 5.

I'm pushing for the firewall to be fixed; it would help if Radiator behaved
exactly the same way as a NAS did, so the firewall people can't point the
finger at it. (Note, NASes talking through the firewall in exactly the same
manner Radiator is are not experiencing any problems whatsoever).

We're starting Radiator like so, on bootup:

PATH=/usr/bin:/bin:/usr/local/bin

case $1 in
'start')
        /usr/local/bin/radiusd
        rc=$?
        ;;
'stop')
        kill `cat /var/run/radiusd.pid`
        rc=$?
        ;;
*)
        echo "usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit ${rc}

I can provide a packet dump of the typical behaviour if you like...

Andrew


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
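
Added example (not part of the original thread, and not Radiator code): a Python script that labels captured RADIUS requests by source-port behaviour, so the two patterns described in the thread (a NAS using a new port per request with retransmits on the same port, versus a proxy sending different requests from one port) can be told apart in a capture. The function names are hypothetical, and the addresses, ports and packets are constructed sample data.

```python
import struct
from collections import defaultdict

def parse_radius_header(payload: bytes):
    """Return (code, identifier, authenticator) from the 20-byte RADIUS header."""
    if len(payload) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    return code, ident, payload[4:20]

def classify(packets):
    """packets: iterable of (src_ip, src_port, udp_payload) in capture order.
    Labels each request:
      new-port   - first request seen from this source ip/port
      retransmit - same identifier and authenticator seen again on that port
      port-reuse - a different request sent from an already-used port
    Assumption: a retransmit repeats identifier and authenticator unchanged."""
    seen = defaultdict(set)  # (ip, port) -> {(identifier, authenticator)}
    labels = []
    for ip, port, payload in packets:
        _, ident, auth = parse_radius_header(payload)
        flow, req = (ip, port), (ident, auth)
        if not seen[flow]:
            labels.append("new-port")
        elif req in seen[flow]:
            labels.append("retransmit")
        else:
            labels.append("port-reuse")
        seen[flow].add(req)
    return labels

def make_request(ident: int, auth_byte: int) -> bytes:
    """Constructed Access-Request (code 1) with no attributes, for the samples."""
    return struct.pack("!BBH", 1, ident, 20) + bytes([auth_byte]) * 16

# Constructed captures: documentation addresses and made-up ports.
NAS_CAPTURE = [("192.0.2.10", 40001, make_request(1, 0xA1)),
               ("192.0.2.10", 40001, make_request(1, 0xA1)),  # retransmit
               ("192.0.2.10", 40002, make_request(2, 0xB2))]
PROXY_CAPTURE = [("192.0.2.20", 41000, make_request(1, 0xC1)),
                 ("192.0.2.20", 41000, make_request(2, 0xC2)),
                 ("192.0.2.20", 41000, make_request(3, 0xC3))]

if __name__ == "__main__":
    print("NAS:  ", classify(NAS_CAPTURE))
    print("proxy:", classify(PROXY_CAPTURE))
```

The `port-reuse` label marks the requests that share a source port with an earlier, different request, which is the pattern the thread reports for the proxying server.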
