I am in the testing phase right now of PF using exactly what you
requested. Here is what I have successfully setup in our lab:
1) PF server setup
2) DHCP provided by PF
3) DNS black hole (captive portal) provided by PF.
4) Remote registration and isolation configuration
Network:
128.252.71.0/25 - production network PF is in (PF server is 128.252.71.90)
172.21.39.0/24 - remote reg network
172.21.40.0/24 - remote isolation vlan
Here are the snippets of the configuration files I had to modify to
get this working. It took me a while to figure this out, so I
figured I would help you with actual configuration files (not all
configs are included, just stuff I had to modify to make this work - I
may have forgotten to add something, so let me know if it does not work
out for you):
pf.conf
=======
[trapping]
testing=disabled
range=128.252.71.0/25,172.21.39.0/24,172.21.40.0/24
registration=enabled
[vlan]
dhcpd=enabled
named=enabled
# increase bounce time because our switches were not holding down long enough.
bounce_duration=8s
[registration]
auth=radius
[interface eth0]
ip=128.252.71.90
mask=255.255.255.128
type=internal,managed
gateway=128.252.71.126
authorizedips=
dhcpd_vlan.conf
=================
# NOTE: I had to modify this file because we want to use DHCP on the
public interface of our PF server. DHCP WON'T listen on this
interface unless there is a subnet configured. However, I don't want
it to return anything for the local subnet, just the remote
registration subnets.
subnet 128.252.71.0 netmask 255.255.255.128 {
max-lease-time 300;
}
networks.conf
====================
[172.21.39.0]
type=registration
netmask=255.255.255.0
gateway=172.21.39.254
pf_gateway=
named=enabled
domain-name=registration.nts.wustl.edu
dns=128.252.71.90
dhcpd=enabled
dhcp_start=172.21.39.1
dhcp_end=172.21.39.250
dhcp_default_lease_time=300
dhcp_max_lease_time=300
[172.21.40.0]
type=isolation
netmask=255.255.255.0
gateway=172.21.40.254
pf_gateway=
named=enabled
domain-name=isolation.nts.wustl.edu
dns=128.252.71.90
dhcpd=enabled
dhcp_start=172.21.40.1
dhcp_end=172.21.40.250
dhcp_default_lease_time=300
dhcp_max_lease_time=300
switches.conf
============================
[default]
## You can override this in a specific switch config.
vlans = 4,555,556,900
normalVlan = 900
registrationVlan = 555
isolationVlan = 556
macDetectionVlan = 4
SNMPCommunityTrap = NOT_FOR_EMAIL
named-registration.ca
=============================
; Registration network DNS configuration
; This file is manipulated on PacketFence's startup before being given to named
$TTL 3600
. IN SOA %%hostname%%. %%incharge%% (
2009020901 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
86400 ; default_ttl
)
IN NS %%hostname%%.
*. IN A 128.252.71.90
IN MX 5 %%hostname%%.
90.71.252.128.in-addr.arpa. IN PTR %%hostname%%
named-isolation.ca
================================
; Isolation network DNS configuration
; This file is manipulated on PacketFence's startup before being given to named
$TTL 3600
. IN SOA %%hostname%%. %%incharge%% (
2009020901 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
86400 ; default_ttl
)
IN NS %%hostname%%.
*. IN A 128.252.71.90
IN MX 5 %%hostname%%.
90.71.252.128.in-addr.arpa. IN PTR %%hostname%%
Cisco Switch Configuration
=====================================
On switch:
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 128.252.71.90 trap version 2c NOT_FOR_EMAIL
snmp mac-notification
mac address-table notification change interval 0
mac address-table notification change
mac address-table aging-time 3600
All ports:
switchport mode access
switchport access vlan 900
snmp trap mac-notification change added
Router configuration (remote isolation / registration)
==============================================
### NOTE: There is one MAJOR piece missing here. You MUST block all
outbound traffic on your isolation vlan. You should ONLY allow outbound
traffic to your PF server. Otherwise your clients will change their
DNS settings and bypass your reg vlan if it is routed out. This is
just my lab, so I don't do it yet.
interface Vlan555
 description packetfence-lab-registration
 ip address 172.21.39.254 255.255.255.0
 ip helper-address 128.252.71.90
 no ip redirects
 no ip unreachables
end
interface Vlan556
 description packetfence-lab-isolation
 ip address 172.21.40.254 255.255.255.0
 ip helper-address 128.252.71.90
 no ip redirects
 no ip unreachables
end
This should be everything you need to get a basic PF server up and
running with captive portal for remote registration/isolation. So
far it has worked for me.
On Thu, Jun 30, 2011 at 7:17 PM, Mark Duling <[email protected]> wrote:
> Hello all,
> I'm new to PF and planning a test setup. I've read as much as I can of the
> docs and mailing lists, but I still have a few questions about how I need to
> set up PF.
> My planned setup is for all registration and isolation vlans to be routed
> --none will be local--since our campus uses routed links between buildings
> and all vlans are local to a given building's L2 domain.
> Q1) My assumption therefore is that I don't do trunking on the PF server's
> NIC. No problem with all routed vlans, correct?
> Q2) What will be the pf_gateway for each routed registration and isolation
> vlan?
> In the Guide_To_Deploy_PF_In_Routed_Network, in section "Routed Registration
> and Isolation Vlans," it says:
> "For a remote routed network, this has to be set to the PacketFence local
> network gateway in this Vlan. PacketFence uses it to create local static
> routes to the remote routed network."
> In the example, it uses an ip for pf_gateway that is in the ip range of a
> local vlan defined in networks.conf. Does there need to be a local vlan for
> each routed one just to have a gateway? If not, how are the vlans related
> to each other, and why would there need to be a dhcp range for both a local
> and a routed registration vlan?
> Or, to put it another way, what is the simplest and best way to set up PF to
> have all registration and isolation vlans routed?
> Best regards,
> Mark
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Jason E. Murray
[email protected]
http://www.zweck.net/
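As an added example that is not part of Jason's post: one way to implement the "MAJOR piece missing" from the router section above, locking the remote registration and isolation SVIs down so clients in those VLANs can only talk to the PacketFence server. The addresses, VLAN numbers and interface names come from the post; the ACL name PF-QUARANTINE-IN and the assumption that the captive portal listens on TCP 80 and 443 on 128.252.71.90 are mine.

```cisco
! Constructed example (not from the original post). Applied inbound on the
! registration and isolation SVIs so traffic *from* those VLANs can only
! reach the PacketFence server 128.252.71.90 (addresses from the post).
! The ACL name and the portal ports (80/443) are assumptions.
ip access-list extended PF-QUARANTINE-IN
 remark DHCP: client broadcasts (relayed by ip helper-address) and unicast
 remark renewals straight to PF must both pass
 permit udp any eq bootpc any eq bootps
 remark DNS black hole: only PF's named may answer, so a client that
 remark switches its resolver to some public DNS server gets nothing
 permit udp any host 128.252.71.90 eq domain
 permit tcp any host 128.252.71.90 eq domain
 remark Captive portal on PF
 permit tcp any host 128.252.71.90 eq www
 permit tcp any host 128.252.71.90 eq 443
 remark Everything else (other DNS servers, direct Internet, other VLANs)
 remark is dropped and logged
 deny ip any any log
!
interface Vlan555
 description packetfence-lab-registration
 ip access-group PF-QUARANTINE-IN in
!
interface Vlan556
 description packetfence-lab-isolation
 ip access-group PF-QUARANTINE-IN in
```

The ACL does not replace anything PacketFence does; it only closes the bypass the note describes. A client that changes its DNS server or tries to reach the Internet directly now hits `deny ip any any log`, which also gives you a syslog line per attempt to alert on. On some platforms logged ACEs are processed in software, so if a large isolation VLAN produces a lot of hits, consider dropping the `log` keyword from the final deny.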