[RADIATOR] Radiator and Load Balancer

[shaun gibson]

On 27/07/2016 18:14, Barry Ard wrote:

> We are running into some challenges configuring a new environment for
> Eduroam. 
>
> Recently we have moved away from 2 servers running multiple radiator
> processes to a multiple VMs behind an F5 load balancer. This has been
> working well for our wireless infrastructure but has been posing
> challenges as we are trying to include our Eduroam config. 
>
> The F5 is NATing to the VMs. The VMs have 2 interfaces: eth0 is a
> private address facing the F5, eth1 is a public address and is the
> default gateway.
>
> I have created a test enviroment with an external radius server to
> simulate Eduroam.
> Initially proxied requests would transit the VMs default gateway which
> I think is undesriable so I created a static route for the external
> radius server to force it out the load balancer facing interface. Now
> proxied requests have a private address which of course will not work.
>
> I think the desirable scenario would be for proxied requests to exit
> through the F5 and be NAT’d to source from the F5 external address. My
> colleague who admins the load balancer is hesitant to NAT externally
> using an address that is currently listening on a service. He thinks
> this is getting too complicated.
>
> I am sure others are using a load balancer in this scenario so please
> tell me what you are doing.
>
i've used direct server return for radius and it seemed to work well :

http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return

using the f5 for inbound and outbound traffic nat will also work, just
depends what your requirements are ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: OpenPGP digital signature
Url : http://www.open.com.au/pipermail/radiator/attachments/20160727/92f363b7/attachment.bin