In this article, I will give an example of balancing users across several accel-ppp servers, which can also be described as making accel-ppp servers redundant.
All accel-ppp servers will serve users in the same VLANs, but each server will have a different gateway, and whichever server answers the client faster is the one whose gateway the client receives via DHCP. For example, on one server the gateway is 10.0.0.1/24, on the second 10.0.0.2/24, etc. There is no need to transfer the gateway through Radius, so we will remove it in advance in the billing settings. The required networks and gateway must be specified in the accel-ppp configuration. I transfer user routes between servers via iBGP. In billing, it is also necessary to prohibit issuing gateway IP addresses to users; in ABillS, for example, you can exclude IP addresses from the user IP Pool. If an IP address that is a gateway on Accel-ppp is nevertheless issued to a user, there will be an error in the logs and the session will not start:
    info: ipoe2071: f8:0d:ac:00:26:00: authentication succeeded
    error: ipoe2071: can't determine Server-ID
    info: ipoe2071: ipoe: session finished
In ABillS, the dynamic guest IP Pool must be linked to all access servers; the same pool can be assigned to different servers.
You can use the weight or offer-delay parameter to make accel-ppp servers redundant.
With offer-delay, both accel-ppp servers will send a DHCPOFFER to the client; with weight, only one will, which reduces the load on Radius and the database, although if the database is on a good RAID array this does not matter. When using offer-delay, inactive sessions that are still in the process of starting end when offer-timeout expires (if it is not specified, the default value is 10 seconds), so the session will start on only one server and there will also be only one in billing.
I set up offer-delay because, in addition to the accel-ppp servers, I also used a Juniper MX, on which you can also add an artificial DHCPOFFER delay, but most likely this will not even be needed, since the servers have a more powerful CPU and will issue IP addresses to clients faster, so offer-delay needs to be configured only on the servers with Accel-ppp. For example, when I took 10,000 users and ran an HP DL380 G10 server with two Xeon5120 CPUs alongside a Juniper MX204 in the same VLANs, the Juniper managed to authorize only 30 users and all the rest were authorized on the server with accel-ppp; only when I specified an offer-delay of about 500 ms on the server with accel-ppp did user sessions begin to be evenly distributed.
offer-delay is specified in the ipoe section (not used by default), I will give an example of specifying:
In the example I have given, users 1 to 999 will receive DHCPOFFER without delay, users 1000 to 2999 will receive DHCPOFFER with a delay of 100ms, from 3000 to 9999 with a delay of 200ms, after 10000 for everyone else there will be a delay of 500ms (half a second).
You can specify -1 to stop the server from accepting new connections, for example when 12000 connected devices are reached:
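The tier selection described above, as an added example (not code from the article or from accel-ppp): it parses an offer-delay value and shows which of two servers sharing a VLAN would send its DHCPOFFER first. The string DESCRIBED is reconstructed from the article's description, and the server names, function names and validation rules are assumptions.

```python
"""Added example: map an offer-delay tier list and a session count to a delay."""
from typing import Dict, List, Optional, Tuple

Tier = Tuple[int, int]  # (delay in ms, active-session threshold)

# Constructed from the article's description (0 ms below 1000 sessions, then
# 100 ms, 200 ms, 500 ms); the exact string is an assumption.
DESCRIBED = "0,100:1000,200:3000,500:10000"
# Constructed variant: stop answering once 12000 sessions are reached.
REFUSING = "0,100:1000,200:3000,-1:12000"


def parse_offer_delay(spec: str) -> List[Tier]:
    """Parse 'delay[,delay:count...]'; a bare delay applies from 0 sessions."""
    tiers: List[Tier] = []
    for item in spec.split(","):
        delay_s, _, count_s = item.strip().partition(":")
        delay, count = int(delay_s), int(count_s) if count_s else 0
        # Sanity checks chosen for this example, not taken from accel-ppp.
        if delay < -1 or count < 0 or (tiers and count <= tiers[-1][1]):
            raise ValueError(f"bad or out-of-order tier: {item!r}")
        tiers.append((delay, count))
    return tiers


def offer_delay_ms(tiers: List[Tier], sessions: int) -> Optional[int]:
    """Delay for the current session count; None means no DHCPOFFER is sent."""
    chosen = tiers[0][0]
    for delay, count in tiers:
        if sessions >= count:  # highest threshold already reached wins
            chosen = delay
    return None if chosen == -1 else chosen


def first_to_offer(servers: Dict[str, Tuple[str, int]]) -> List[str]:
    """Names of the servers whose DHCPOFFER would leave first (ties included)."""
    delays = {}
    for name, (spec, sessions) in servers.items():
        delay = offer_delay_ms(parse_offer_delay(spec), sessions)
        if delay is not None:
            delays[name] = delay
    best = min(delays.values(), default=None)
    return sorted(n for n, d in delays.items() if d == best)


if __name__ == "__main__":
    # Hypothetical servers bras1/bras2 with constructed session counts.
    print(first_to_offer({"bras1": (DESCRIBED, 1500), "bras2": (DESCRIBED, 200)}))
    print(offer_delay_ms(parse_offer_delay(REFUSING), 12000))
```
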
You can apply the offer-delay change by executing reload:
    telnet 127.0.0.1 2000
    reload
To terminate sessions gracefully on one of the Accel-ppp servers, do the following (the soft-terminate=1 parameter must be specified in the ipoe section in advance):
    telnet 127.0.0.1 2000
    shutdown soft
After that, the server will not accept new connections, and existing ones will end when users disconnect themselves. This process can take a long time, so you can, for example at night, mark user sessions as finished; when they renew the lease of their IP address, Accel-ppp will respond with a DHCPNAK, which in essence should provoke the client to send a DHCPDISCOVER and log in to another server.
Mark the sessions as finished:
    terminate all soft
If necessary, you can cancel the shutdown of Accel-ppp:
It is also desirable that each server issues a different first DNS server. When it is the same, I have seen some routers from TP-Link and Tenda on older firmware versions receive a new gateway after authorization on the new server while the default route in their routing table still pointed to the old gateway. This bug is of course fixed in new firmware versions, but then you will have to update the firmware on users’ routers, or users will have to constantly reboot their routers.
Sessions can also be terminated using a script:
Accel-ppp session termination script
The second balancing/redundancy mechanism is weight=n (not specified by default). It can be specified in the ipoe section for each interface or globally for all of them at once; it is desirable to run a pair of servers with Accel-ppp.
If you specify weight=0, then Accel-ppp will be considered a standby and will only hold sessions if there is no response from other Accel-ppp servers.
You can specify the same weight for both servers, for example weight=1.
How “weight” works is described in the official documentation:
On reception of DHCPDISCOVER accel-ppp sends broadcast DHCP message to port 67 with same xid and add special vendor-specific option where encodes its current session count multiplied by weight. On reception of such message accel-ppp searches session with same xid and compares weight. If received weight is less than session’s weight then it terminates this session.
I will give another example of the radius section of one of my servers with Accel-ppp:
    [radius]
    dictionary=/usr/share/accel-ppp/radius/dictionary
    nas-identifier=accel-ipoe2
    nas-ip-address=192.168.5.11
    server=192.168.5.5,pass,auth-port=1812,acct-port=0,req-limit=110,fail-timeout=0,max-fail=0,weight=1
    server=192.168.5.5,pass,acct-port=1813,auth-port=0,req-limit=0,fail-timeout=0,max-fail=0,weight=1
    dae-server=192.168.5.11:3799,pass
    acct-timeout=0
    verbose=0
    timeout=10
    max-try=9
    acct-interim-jitter=60
Another example of the ipoe section of one of my servers:
    [ipoe]
    verbose=0
    unit-cache=0
    offer-delay=0,300:999,500:2500,700:14999
    interface=re:(?!(^vlan500$))(?!(^vlan501$))(^vlan[2-9][0-9][0-9]+$),mode=L2,start=dhcpv4,shared=1,ifcfg=1,ip-unnumbered=1,proxy-arp=1
    interface=re:^vlan1[0-2][0-9][0-9]$,mode=L2,start=dhcpv4,shared=1,ifcfg=1,ip-unnumbered=1,proxy-arp=1
    gw-ip-address=172.18.0.2/19
    gw-ip-address=172.16.0.2/19
    gw-ip-address=172.19.0.2/20
    gw-ip-address=172.17.0.2/21
    gw-ip-address=10.10.0.2/20
    lease-time=600
    max-lease-time=660
    renew-time=300
    username=lua:username
    lua-file=/etc/accel-ppp.lua
    nas-identifier=ixnfo.com
    soft-terminate=1