Hi Joel,

J.T. Langill wrote:
> I have been working with PacketFence a lot recently, and am very
> impressed with the inherent functionality it provides. Having used the
> rather "expensive" Enterasys solution in the past, I have been showing
> customers that you can get the security needed without the enormous
> capital investment!

I'm very glad to hear that! That's exactly what we are aiming to do: providing a dramatically cheaper yet feature-complete alternative.

[...]

> A key aspect of the virtual environment is that in addition to the ESX
> virtual switches, I will also connect these virtual switches to Vyatta
> Core and use Vyatta as a router, firewall and VPN gateway.

We have never had access to, or experimented with, Vyatta products or ESX virtual switches.

> I have tried
> numerous configuration permutations with VLAN, DHCP and ARP isolation,
> but cannot seem to get the VPN clients connecting through Vyatta using
> either OpenVPN or PPTP to isolate, register, etc. with PacketFence. I
> do see traps being sent to PacketFence, and the nodes show up as
> "unregistered" upon connection to the Vyatta VPN gateway, however, the
> network it resides on is not isolated from the other nodes.
>
> I have searched endlessly for some information on proper configuration
> of PacketFence using DHCP and ARP isolation techniques, but there just
> is not much detail posted on how to get this working.

I don't think DHCP or ARP is what I would be looking for. Can't these devices do RADIUS AAA? If so, I would recommend that approach.

As for ESX, how sophisticated are these switches? Manageable (through SNMP or an API)?

Back to ARP/DHCP. For both modes remember that configurator.pl can help you.

ARP mode

Forcing device registration through ARP is covered by a US patent and so the functionality is not available for legal reasons (my opinion: fear of patent threatening). There is a patch wandering around. I couldn't find config for ARP mode but it's fairly easy if I remember correctly (configurator.pl).

DHCP mode

DHCP mode is easy to bypass. If you hardcode the proper router and an IP allowed to route (which could be sniffed?) you are good to go.

But, in any case, here's what I was able to find by grepping the Internet ;) It's for PacketFence 1.6.x and it's probably an invalid config now but it can help you.

==== Basic DHCP Configuration ====

Change /usr/local/pf/conf/pf.conf

  [network]
  mode=dhcp

  [service]
  dhcp=path/to/dhcp

Add your dhcp networks to pf.conf (example below)

  [dhcp studentnet]
  isolation_scopes=iso
  registered_scopes=reg
  unregistered_scopes=unreg
  device=eth0

  [scope iso]
  network=192.168.10.0/24
  gateway=192.168.10.1
  range=192.168.10.10-192.168.10.50

  [scope reg]
  network=192.168.0.0/24
  gateway=192.168.0.1
  range=192.168.0.100-192.168.0.200

  [scope unreg]
  network=192.168.1.0/24
  gateway=192.168.1.1
  range=192.168.1.150-192.168.1.160

Start packetfence

  /usr/local/pf/bin/start

=====

All that said, I would be really interested in experimenting with virtual ESX switches and Vyatta products. I'm adding this to my R&D task list.

Meanwhile, I hope that with the pointers I provided, you will be able to move forward!

Have a good one!

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
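As an added example (not code from PacketFence or from anyone in this thread), a small Python checker for a pf.conf DHCP scope layout like the 1.6.x excerpt above: it reads the [dhcp ...] and [scope ...] sections with configparser, verifies that each gateway and lease range lies inside its scope's network, that every scope a [dhcp] section refers to is defined, and that the isolation, registered and unregistered scopes are distinct, non-overlapping networks, which is what DHCP-mode isolation depends on. SAMPLE_PF_CONF is constructed sample input copied from the excerpt; check_dhcp_scopes is an assumed name, not a PacketFence tool.

```python
import configparser
import ipaddress

# Constructed sample: the pf.conf DHCP excerpt from the message above.
SAMPLE_PF_CONF = """
[dhcp studentnet]
isolation_scopes=iso
registered_scopes=reg
unregistered_scopes=unreg
[scope iso]
network=192.168.10.0/24
gateway=192.168.10.1
range=192.168.10.10-192.168.10.50
[scope reg]
network=192.168.0.0/24
gateway=192.168.0.1
range=192.168.0.100-192.168.0.200
[scope unreg]
network=192.168.1.0/24
gateway=192.168.1.1
range=192.168.1.150-192.168.1.160
"""

def check_dhcp_scopes(text):
    """Return a list of problems in the DHCP scope layout; an empty list means it is consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems, nets = [], {}
    for name in cfg.sections():
        if name.startswith("scope "):
            sc = cfg[name]
            net = ipaddress.ip_network(sc["network"], strict=True)
            gw = ipaddress.ip_address(sc["gateway"])
            lo, hi = (ipaddress.ip_address(x) for x in sc["range"].split("-", 1))
            # the gateway and the whole lease range must live inside the scope's network
            if gw not in net or lo not in net or hi not in net or lo > hi:
                problems.append(f"{name}: gateway/range inconsistent with {net}")
            nets[name.split(" ", 1)[1]] = net
    for name in cfg.sections():
        if name.startswith("dhcp "):
            used = [r.strip() for k in ("isolation_scopes", "registered_scopes", "unregistered_scopes")
                    for r in cfg[name].get(k, "").split(",") if r.strip()]
            problems += [f"{name}: undefined scope '{r}'" for r in used if r not in nets]
            used = [r for r in used if r in nets]
            # isolation, registered and unregistered scopes must be distinct L3 networks
            for i, a in enumerate(used):
                for b in used[i + 1:]:
                    if nets[a].overlaps(nets[b]):
                        problems.append(f"{name}: scopes {a} and {b} overlap")
    return problems
```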
