[j-nsp] DHCP server recommendation for subscribers management

Nathan Ward juniper-nsp at daork.net
Tue Aug 10 20:53:25 EDT 2021 

> On 11/08/2021, at 8:44 AM, Andrey Kostin <ankost at podolsk.ru> wrote:
> 
> Nathan Ward via juniper-nsp писал 2021-08-10 08:00:
>>> On 10/08/2021, at 10:40 PM, Bjørn Mork via juniper-nsp <juniper-nsp at puck.nether.net> wrote:
> 
> Thank you Nathan and Bjorn for your explanations, they are very helpful!
> I'll definitely look at ip pool management in RADIUS. I'm struggling to find a good freeradius documentation source, could you give some links?

Yeah the FreeRADIUS docs are hard to navigate - but getting better.

You want to look in the example configs. Start from an understanding of what you want the RADIUS messages to have in them. You can do this with just a static Users file in your test environment with just one subscriber, and then look at moving that in to sqlippool or similar, with whatever logic you need to get those attributes in to the right place. Framed-IP-Address obviously, but maybe also Framed-IP-Netmask etc. - better to experiment with the attributes and get them right without the sqlippool complexity.

https://wiki.freeradius.org/modules/Rlm_sqlippool This is alright (it appears outdated on the surface, but is up to date I think)
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/sqlippool This is the example config and has some more detail than the above.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-config/sql/ippool/postgresql/queries.conf This is useful to understand some of the internals

>> Note that you also must have a unique address as the primary address
>> on the interface as the giaddr - which the the centralised dhcp server
>> talks to. If that giaddr is shared across BNGs, your replies will go
>> to the wrong place a large % of the time, and not get to the
>> subscriber.
>> The giaddr does not need to be an address in any of the subnets you
>> want to hand out addresses in - in isc dhcpd, you can configure the
>> giaddr in a subnet as part of the “shared network” you want to hand
>> out addresses from, which if you have a lot of BNGs saves you a
>> handful of addresses you can give to customers.
> 
> Good point, thanks. I find Juniper documentation on primary and preferred IP very confusing, for me it's always try and fail method to find a working combination. Even more confusing, few years ago I had a TAC case opened regarding the meaning of preferred address for IPv6 assignment to pppoe subscriber and I was told by TAC that it's not supported for IPv6 at all. I think it changed in recent releases.
> For example, there is unique IP on lo0 that is used as router-id etc., and also there should be one or more IPs that match subnets in address pools. In dynamic profile address is specified this way:
> unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address"
> Currently I don't have neither primary or preferred specified on lo0 and .225 is somehow selected.
> In my understanding preferred-source-address has to match subnet in address pool, otherwise it will fail to assign an address. And it also will be used as giaddr in this case. Which address should be primary and which preferred in this case?

I can see that being the case for IPv6 - IPv6 has a source address selection mechanism which will, in theory, choose the best address for the destination IP.

I’m not entirely sure re. your other question - but the giaddr must be unique within your network - or the DHCP server cannot route packets back to it.

A good setup for IPv4 DHCP relay is:

lo0 addresses on BNG-1
192.168.0.1/32 - use as giaddr
10.0.0.1/32
10.0.1.1/32
10.0.2.1/32
10.0.3.1/32

lo0 addresses on BNG-2
192.168.0.2/32 - use as giaddr
10.0.0.1/32
10.0.1.1/32
10.0.2.1/32
10.0.3.1/32

DHCP server:
Single shared network over all these subnets:
Subnet 192.168.0.0/24 - i.e. covering giaddrs
  No pool
Subnet 10.0.0.0/24
  pool 10.0.0.2-254
Subnet 10.0.1.0/24
  pool 10.0.1.2-254
Subnet 10.0.2.0/24
  pool 10.0.2.2-254
Subnet 10.0.3.0/24
  pool 10.0.3.2-254

This causes your giaddrs to be in the shared network with the subnets you want to assign addresses from (i.e. the ones with pools), so the DHCP server can match them up, but, with no pool in the 192.168.0.0/24 subnet you don’t assign addresses out of that network.

Otherwise you have to have a unique /32 for each BNG in each subnet and you burn lots of addresses that way.

I am sorry I can’t recall the configuration to make the above behave like that - but can probably dig something up if you are stuck.

--
Nathan Ward

More information about the juniper-nsp mailing list