Hi,

Wireshark on the client sees the DNS request packets going out but no
reply. On the PF server I can see the requests coming in but no reply from
the PF server. In fact pretty much the only traffic coming out of the PF
server is DHCP and SNMP traffic.

I tried configuring the external dns manually on the client but I don't
think this will work as there is no routing between the registration vlan
and the normal vlan

Nslookup from the packetfence server works fine.

Anything else I can check?

On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake) <
[email protected]> wrote:

>  What does a wireshark capture on the client show?  If you can capture
> the traffic on the server as well, that would help.
>
> Also, try manually setting your DNS to one of your other DNS servers (NOT
> PF) and while on the registration vlan see if you can go anywhere.
>
> You can also try doing a DNS lookup on the PF server using either dig or
> nslookup.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> *From:* Adrian Mulgrew [mailto:[email protected]]
> *Sent:* Monday, March 19, 2012 10:58 AM
> *To:* [email protected]
> *Subject:* Re: [Packetfence-users] Unable to access captive portal from
> registration vlan
>
> Hi Jake,
>
> The only firewall is iptables but that's configured by PF so would expect
> it to allow DNS traffic?
>
> I've checked and named is running and configured to run from the webui.
>
> Below is my iptables.conf if that's any help?
>
> Thanks
>
> Adrian
>
>
> *filter
>
> ### INPUT ###
> :INPUT DROP [0:0]
> # accept loopback stuff
> -A INPUT --in-interface lo --jump ACCEPT
> # accept anything related
> -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> # Accept Ping (easier troubleshooting)
> -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
>
> :input-management-if - [0:0]
> # SSH
> -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> # Web Admin
> -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> # HTTPS for email confirmation on the captive portal
> -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> # RADIUS
> -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> # SNMP Traps
> -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
> # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # OpenVAS Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
>
> :input-internal-vlan-if - [0:0]
> # DNS
> -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> # DHCP
> -A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>
> :input-internal-inline-if - [0:0]
> # DHCP
> -A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # HTTP (captive-portal)
> # prevent registered users from reaching it
> -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
> -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> # allow everyone else behind inline interface (not registered, isolated, etc.)
> -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>
> On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake) <
> [email protected]> wrote:
>
> Sorry if it sounds silly, but have you made sure that:
>
> 1) There are no firewalls blocking you and
> 2) Named is running on the PF box
>
> Also, make sure that the config is set to run DNS, it is in the config tab
> -> services in the webUI.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> *From:* Adrian Mulgrew [mailto:[email protected]]
> *Sent:* Friday, March 16, 2012 11:42 AM
> *To:* [email protected]
> *Subject:* [Packetfence-users] Unable to access captive portal from
> registration vlan
>
> Hi,
>
> I am stuck in the registration vlan 2. When my client connects it gets
> moved to registration network and obtains a DHCP IP 192.168.2.10 with DNS
> server 192.168.2.1 (PF Server).
>
> I then open a Chrome browser and type in www.google.com. As I understand
> it, PF should be running its own DNS server on this VLAN which will
> intercept the request and redirect to a registration page. But for me, all
> that happens is the page times out saying unable to resolve the URL.
>
> Does the PF installation automatically set up a DNS server or do I have to
> do this manually? Also what is the URL it should be redirecting clients to
> for the registration page?
>
> Thanks
>
> Adrian
>
>
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsored by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
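As an added example (not code from this thread or from PacketFence itself): a small Python checker that parses an iptables-restore ruleset of the kind Adrian pasted and asks the question the thread circles around, namely whether a fresh UDP/53 query entering on the registration VLAN interface reaches an ACCEPT rule before the INPUT chain's DROP policy, and which user chains nothing jumps to at all. The interface names eth0/eth0.2 and the two `-A INPUT ... --jump input-*-if` rules in the embedded sample are assumptions; the pasted iptables.conf is a template (note the `%%web_admin_port%%` placeholder) that does not contain them, so the check is meant to be run against live `iptables-save -t filter` output from the PF box, where the per-interface jumps should be present.

```python
"""Static check of an iptables-restore ruleset: the verdict the first packet of a
new, unmarked flow gets for an interface/protocol/port, plus user chains nothing
jumps to. Added example for this thread, not PacketFence code. Run it on live
`iptables-save -t filter` output: the iptables.conf pasted above is a template
(see %%web_admin_port%%) and lacks the per-interface INPUT jumps PacketFence adds
when it generates the live ruleset, so those have to be checked on the running box."""
import re, shlex, sys

# Constructed sample: trimmed copy of the posted template plus two hypothetical
# per-interface jumps (eth0 = management, eth0.2 = registration VLAN); the inline
# chain is deliberately left without a jump so the report has something to flag.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:input-management-if - [0:0]
:input-internal-vlan-if - [0:0]
:input-internal-inline-if - [0:0]
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
-A INPUT --in-interface eth0 --jump input-management-if
-A INPUT --in-interface eth0.2 --jump input-internal-vlan-if
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
COMMIT
"""
CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")
BUILTIN, TERMINAL = {"INPUT", "OUTPUT", "FORWARD"}, {"ACCEPT", "DROP", "REJECT"}
# option -> rule field; every option listed here takes exactly one value
OPTS = {"-A": "chain", "--append": "chain", "-p": "protocol", "--protocol": "protocol",
        "-i": "in_interface", "--in-interface": "in_interface", "-j": "target",
        "--jump": "target", "-m": "match", "--match": "match", "--dport": "dport",
        "--sport": "sport", "--state": "state", "--mark": "mark", "--icmp-type": "icmp_type",
        "-s": "source", "--source": "source", "-d": "destination", "--destination": "destination"}

def parse_rule(line):
    """Turn one `-A chain ...` line into the fields the evaluator needs."""
    rule = {"chain": None, "protocol": "all", "dport": None, "in_interface": None,
            "target": None, "state": None, "mark": None}
    tokens, i = shlex.split(line), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            raise ValueError(f"negated match not modelled: {line}")
        if tok not in OPTS:                   # value-less flag such as --syn
            i += 1
            continue
        if OPTS[tok] != "match":              # -m only loads an extension
            rule[OPTS[tok]] = tokens[i + 1]
        i += 2
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError(f"rule without chain or target: {line}")
    return rule

def parse_ruleset(text):
    """Return {chain: {"policy": str, "rules": [...]}} preserving rule order."""
    chains = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        decl = CHAIN_DECL.match(line)
        if decl:
            chains.setdefault(decl.group(1), {"policy": decl.group(2), "rules": []})
            continue
        rule = parse_rule(line)
        chains.setdefault(rule["chain"], {"policy": "-", "rules": []})["rules"].append(rule)
    return chains

def matches_fresh_packet(rule, interface, proto, port):
    """First packet of a new, unmarked flow: state!=NEW or mark rules cannot match it."""
    if rule["in_interface"] not in (None, interface) or rule["mark"] is not None:
        return False
    if rule["protocol"] not in ("all", proto) or rule["dport"] not in (None, str(port)):
        return False
    return rule["state"] is None or "NEW" in rule["state"].split(",")

def verdict(chains, interface, proto, port, chain="INPUT"):
    """Walk `chain` as netfilter would: ACCEPT/DROP/REJECT from a rule, the policy
    when a built-in chain runs out, RETURN when a user chain does."""
    entry = chains[chain]
    for rule in entry["rules"]:
        if not matches_fresh_packet(rule, interface, proto, port):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                  # user chain: descend, resume on RETURN
            result = verdict(chains, interface, proto, port, target)
            if result != "RETURN":
                return result
    return entry["policy"] if chain in BUILTIN else "RETURN"

def unreferenced_chains(chains):
    """User chains nothing jumps to: their ACCEPT rules can never apply."""
    referenced = {r["target"] for c in chains.values() for r in c["rules"]}
    return sorted(c for c in chains if c not in BUILTIN and c not in referenced)

if __name__ == "__main__":
    chains = parse_ruleset(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET)
    for iface in ("eth0", "eth0.2"):
        print(f"{iface:7} udp/53 -> {verdict(chains, iface, 'udp', 53)}")
    print("chains nothing jumps to:", unreferenced_chains(chains) or "none")
```

Run it with a saved ruleset as the only argument (`python3 check_rules.py filter.rules`, where the file is `iptables-save -t filter` output) or with no argument to evaluate the embedded sample. On the sample, UDP/53 arriving on eth0.2 is accepted through `input-internal-vlan-if`, the same query arriving on eth0 falls through to the INPUT policy and is dropped, and `input-internal-inline-if` is reported as unreferenced. The evaluator deliberately models only the first packet of a new, unmarked flow, which is exactly the client's DNS query in this thread; rules keyed on `--state ESTABLISHED,RELATED` or on a packet mark are treated as non-matching, and negated matches are rejected rather than guessed at.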