> I tried configuring the external dns manually on the client but I don't think
> this will work as there is no routing between the registration vlan and the
> normal vlan
Try editing the host file on your client to contain an entry that should direct
you to your PF box. IE: <IP of PF Server> google.com
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
From: Adrian Mulgrew [mailto:[email protected]]
Sent: Monday, March 19, 2012 12:20 PM
To: [email protected]
Subject: Re: [Packetfence-users] Unable to access captive portal from
registration vlan
Hi,
Wireshark on the client sees the DNS request packets going out but no reply. On
the PF server I can see the requests coming in but no reply from the PF server.
In fact pretty much the only traffic coming out of the PF server is DHCP and
SNMP traffic.
I tried configuring the external dns manually on the client but I don't think
this will work as there is no routing between the registration vlan and the
normal vlan
Nslookup from the packetfence server works fine.
Anything else I can check?
On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake)
<[email protected]> wrote:
What does a wireshark capture on the client show? If you can capture the
traffic on the server as well, that would help.
Also, try manually setting your DNS to one of your other DNS servers (NOT PF)
and while on the registration vlan see if you can go anywhere.
You can also try doing a DNS lookup on the PF server using either dig or
nslookup.
Jake Sallee
From: Adrian Mulgrew [mailto:[email protected]]
Sent: Monday, March 19, 2012 10:58 AM
To: [email protected]
Subject: Re: [Packetfence-users] Unable to access captive portal from
registration vlan
Hi Jake,
The only firewall is iptables but that's configured by PF so would expect it to
allow DNS traffic?
I've checked and named is running and configured to run from the webui.
Below is my iptables.conf if that's any help?
Thanks
Adrian
*filter
### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
# HTTPS for email confirmation on the captive portal
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# HTTP (captive-portal)
# prevent registered users from reaching it
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
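An added example, not part of the original thread and not PacketFence code: with an INPUT policy of DROP, a per-interface chain only takes effect if some rule jumps into it, so one check on the live ruleset (for instance `iptables-save` output from the PF server) is to list the chains nothing jumps to and whether UDP/53 is accepted anywhere reachable. The sample text is constructed from the rules quoted above, and the interface name eth0.2 is an assumption.

```python
import shlex

# Constructed sample in iptables-save format, reduced from the rules quoted in the thread.
POSTED = """\
*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
:input-internal-vlan-if - [0:0]
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
"""
# Hypothetical jump rule; eth0.2 is an assumed name for the registration VLAN interface.
WITH_JUMP = POSTED + "-A INPUT --in-interface eth0.2 --jump input-internal-vlan-if\n"

def parse(ruleset):
    """Return (policies, rules): chain -> policy, chain -> list of {option: value}."""
    policies, rules = {}, {}
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {t.lstrip("-"): tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            rules.setdefault(tok[1], []).append(opts)
    return policies, rules

def target(rule):
    """Jump or goto target of a rule, long or short option form."""
    return rule.get("jump") or rule.get("j") or rule.get("goto") or rule.get("g")

def reachable(rules, start="INPUT"):
    """Chains a packet can enter from `start` (match conditions on jumps are ignored)."""
    seen, todo = set(), [start]
    while todo:
        chain = todo.pop()
        if chain not in seen:
            seen.add(chain)
            todo += [target(r) for r in rules.get(chain, []) if target(r) in rules]
    return seen

def audit(ruleset, proto="udp", dport="53"):
    """Report INPUT policy, chains nothing jumps to, and whether proto/dport is accepted."""
    policies, rules = parse(ruleset)
    live = reachable(rules)
    accepted = any((r.get("protocol") or r.get("p")) == proto and r.get("dport") == dport
                   and target(r) == "ACCEPT" for c in live for r in rules.get(c, []))
    return {"policy": policies.get("INPUT"),
            "orphans": sorted(c for c in rules if c not in live),
            "dns_accepted": accepted}
```

The reachability walk ignores the interface match on the jump rule, so a chain reported as reachable still needs its `--in-interface` checked against the interface the registration VLAN actually arrives on.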
On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake)
<[email protected]> wrote:
Sorry if it sounds silly, but have you made sure that:
1) There are no firewalls blocking you and
2) Named is running on the PF box
Also, make sure that the config is set to run DNS, it is in the config tab ->
services in the webUI.
Jake Sallee
From: Adrian Mulgrew [mailto:[email protected]]
Sent: Friday, March 16, 2012 11:42 AM
To: [email protected]
Subject: [Packetfence-users] Unable to access captive portal from registration
vlan
Hi,
I am stuck in the registration vlan 2. When my client connects it gets moved to
registration network and obtains a DHCP IP 192.168.2.10 with DNS server
192.168.2.1 (PF Server).
I then open a Chrome browser and type in www.google.com.
As I understand it, PF should be running its own DNS server on this VLAN which
will intercept the request and redirect to a registration page. But for me, all
that happens is the page times out saying unable to resolve the URL.
Does the PF installation automatically set up a DNS server or do I have to do
this manually? Also what is the URL it should be redirecting clients to for the
registration page?
Thanks
Adrian
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users