diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix
index d58331d260..acb6040b2e 100644
--- a/ops/nixos/bvm-radius/default.nix
+++ b/ops/nixos/bvm-radius/default.nix
@@ -39,9 +39,12 @@ in {
 # roaming1.ja.net
 iptables -A nixos-fw -p udp --dport 1812 --src 194.83.56.233 -j nixos-fw-accept
 ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:12a::233 -j nixos-fw-accept
- # roaming2.ja.net
+ # roaming2.ja.net (old)
 iptables -A nixos-fw -p udp --dport 1812 --src 194.83.56.249 -j nixos-fw-accept
 ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:129::249 -j nixos-fw-accept
+ # roaming2.ja.net (new)
+ iptables -A nixos-fw -p udp --dport 1812 --src 193.63.195.50 -j nixos-fw-accept
+ ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:133::50 -j nixos-fw-accept
 # Allow inbound RADIUS from authenticators.
 ip6tables -A nixos-fw -p udp --dport 1812 --src 2a09:a443::/64 -j nixos-fw-accept
diff --git a/ops/nixos/bvm-radius/raddb/clients.conf b/ops/nixos/bvm-radius/raddb/clients.conf
index cc1207e48c..008e010ee0 100644
--- a/ops/nixos/bvm-radius/raddb/clients.conf
+++ b/ops/nixos/bvm-radius/raddb/clients.conf
@@ -27,6 +27,18 @@ client eduroam_flr_server_2_v6 {
 secret = {{JANET_ROAMING1_SECRET}}
 nastype = 'eduroam_flr'
 }
+client eduroam_flr_server_3_v4 {
+ # roaming2.ja.net
+ ipaddr = 193.63.195.50
+ secret = {{JANET_ROAMING2_SECRET}}
+ nastype = 'eduroam_flr'
+}
+client eduroam_flr_server_2_v6 {
+ # roaming2.ja.net
+ ipv6addr = 2001:630:1:133::50
+ secret = {{JANET_ROAMING2_SECRET}}
+ nastype = 'eduroam_flr'
+}
 client wireless_access_points_mgmt {
 ipaddr = 92.118.30.0/24
diff --git a/ops/nixos/bvm-radius/raddb/proxy.conf b/ops/nixos/bvm-radius/raddb/proxy.conf
index 6acc97594d..3250b062c3 100644
--- a/ops/nixos/bvm-radius/raddb/proxy.conf
+++ b/ops/nixos/bvm-radius/raddb/proxy.conf
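Review bot: In ops/nixos/bvm-radius/default.nix the `(old)` roaming2 accept rules for 194.83.56.249 and 2001:630:1:129::249 stay in place with nothing recording when they should be removed, so the allow-list can only grow. Source-address rules on UDP 1812 are a coarse filter, and an address that is no longer in service should not remain admitted indefinitely. I would extend the comment to `# roaming2.ja.net (old) - TODO: remove once the old address is confirmed retired` and drop the matching entries elsewhere in the same follow-up. The enclosing firewall block starts and ends outside the hunk.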
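Review bot: In ops/nixos/bvm-radius/raddb/clients.conf the second added block reuses the name `eduroam_flr_server_2_v6`, which the hunk header shows already belongs to the client defined just above (the one using JANET_ROAMING1_SECRET); this looks like a copy-paste slip and should probably read `client eduroam_flr_server_3_v6 {`. How FreeRADIUS resolves two client sections with the same name is not something to rely on, and both peers would likely show up under one short name in logs, which muddles attribution. Separately, neither new client sets `require_message_authenticator = yes`, although the matching home_server in proxy.conf does. Eduroam traffic is EAP and carries that attribute, so requiring it on the client side should be safe, provided the deployed FreeRADIUS version supports the option for clients (worth confirming).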
@@ -18,11 +18,22 @@ home_server eduroam_flr_server_2 {
 check_timeout = 5
 require_message_authenticator = yes
 }
+home_server eduroam_flr_server_3 {
+ # roaming2.ja.net
+ ipv6addr = 2001:630:1:133::50
+ secret = {{JANET_ROAMING2_SECRET}}
+ status_check = status-server
+ response_window = 5
+ check_interval = 10
+ check_timeout = 5
+ require_message_authenticator = yes
+}
 home_server_pool eduroam_flr_pool {
 type = keyed-balance
 home_server = eduroam_flr_server_1
 home_server = eduroam_flr_server_2
+ home_server = eduroam_flr_server_3
 }
 realm eduroam_flr {
 auth_pool = eduroam_flr_pool
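Review bot: `home_server eduroam_flr_server_3` is defined by `ipv6addr` only, so outbound proxying to the new roaming2 host has no IPv4 path even though the same commit admits 193.63.195.50 inbound in the firewall and clients.conf. The existing home servers are outside the hunk and may follow the same pattern, in which case this is consistent. If it is deliberate, a comment such as `# IPv6 only by design; the v4 address is accepted inbound only` inside the block would save the next reader the question. It is also worth confirming that the pool should keep `eduroam_flr_server_2` alongside the new entry, since the firewall change labels the previous roaming2 addresses as old but the pool carries no such marking.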