By default we do not allow DHCP on the management interface. You will
see it in tcpdump, but it won't reach the listener. I believe eth0 is
your management interface?
Chain input-management-if (1 references)
 pkts bytes target  prot opt in  out  source     destination
    3   192 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
   35  2240 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:1443
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:443
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:1812
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:1812
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:1813
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:1813
    3   534 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:162
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    udp dpt:53
What you need to do is, in iptables.conf, add the following line at the
end of the management chain:
-A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
Restart httpd after (bin/pfcmd service httpd restart) to reload iptables.
On 11-11-01 11:18 AM, Dan Nelson wrote:
Do you have a pfdhcplistener running on that interface? Can you check
if the port 67 is allowed in the iptables.conf for that interface?
I have these lines in the Iptables.conf.
:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
Checking the status of packetfence I have this
[root@fennel conf]# service packetfence status
service|shouldBeStarted|pid
named|1|24274
dhcpd|1|24282
snort|0|0
radiusd|1|24284
httpd|1|24338 24334 24332 24331 24325 24315 24314 24291 6356 5574 1764
snmptrapd|1|24293
pfdetect|0|0
pfredirect|0|0
pfsetvlan|1|24424
pfdhcplistener|1|24430 24381 24372
pfmon|1|24393
It appears to be running normally. I have restarted packetfence as well.
Thanks
Dan Nelson
*Nutraceutical Corporation*
Network Administrator
801-334-3702
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
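
The thread's situation, where the DHCP rule exists in input-internal-inline-if but not in input-management-if, can be checked per chain before restarting. This is an added example, not part of the original messages and not PacketFence code; the sample config is constructed from the rules quoted in the thread, and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-restore syntax. Chain names and the DHCP
# rules come from the thread; the remaining lines are illustrative.
SAMPLE_CONF = """\
*filter
:input-management-if - [0:0]
:input-internal-inline-if - [0:0]
-A input-management-if --match state --state NEW --protocol tcp --dport 22 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 53 --jump ACCEPT
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
COMMIT
"""

ALIASES = {"-A": "--append", "-p": "--protocol", "-j": "--jump",
           "--destination-port": "--dport"}

def parse_rules(conf_text):
    """Yield (chain, options) for each append rule; comments are skipped."""
    for line in conf_text.splitlines():
        tokens = [ALIASES.get(t, t) for t in shlex.split(line, comments=True)]
        if len(tokens) < 2 or tokens[0] != "--append":
            continue
        opts = {}
        for i, tok in enumerate(tokens[2:-1], start=2):
            if tok.startswith("--"):
                opts.setdefault(tok, tokens[i + 1])
        yield tokens[1], opts

def chains_accepting(conf_text, proto, dport):
    """Chains with an ACCEPT rule for proto/dport (single ports only, no ranges)."""
    return {chain for chain, o in parse_rules(conf_text)
            if o.get("--protocol") == proto and o.get("--dport") == str(dport)
            and o.get("--jump") == "ACCEPT"}

def missing_dhcp(conf_text, chains):
    """Return the chains from `chains` that do not accept UDP port 67."""
    ok = chains_accepting(conf_text, "udp", 67)
    return [c for c in chains if c not in ok]

if __name__ == "__main__":
    print(missing_dhcp(SAMPLE_CONF, ["input-management-if", "input-internal-inline-if"]))
```

The TCP port 67 rule in the inline chain does not count toward the check, since DHCP requests arrive over UDP.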