Hi Andrew, Are you sure the networking side is fine? VLANs are created on the switch, trunks are OK, etc.
On 12-03-21 7:21 AM, Adrian Mulgrew wrote:
> Ok so still haven't made any progress.
> My theory is that something on the PacketFence server is blocking the
> traffic from my client or it's configured not to respond. I know this
> because if I ping the PF server from my client on the 192.168.2.0
> network the request times out. But if I stop the packetfence service
> then I immediately get ping replies from the server.
> So I thought the most likely thing to be blocking would be iptables. So I
> started packetfence service then did a 'sudo service iptables stop' but
> I still don't get any ping responses from the server. So I guess it's
> something other than iptables blocking. Anybody have some idea?
>
> Thanks
>
> On Tue, Mar 20, 2012 at 1:10 PM, Adrian Mulgrew <[email protected]> wrote:
>
> > Hi Jake,
> >
> > I don't think this will work either as even if I try to open
> > http://192.168.2.1 or https://192.168.2.1 (that's the PF server
> > registration interface) I get no response.
> > So as far as I can tell the only traffic this port responds to is DHCP.
> >
> > On Mon, Mar 19, 2012 at 8:05 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
> >
> > > I tried configuring the external dns manually on the client
> > > but I don't think this will work as there is no routing between
> > > the registration vlan and the normal vlan
> >
> > Try editing the host file on your client to contain an entry
> > that should direct you to your PF box. IE: <IP of PF Server> google.com
> >
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > 900 College St.
> > Belton TX. 76513
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> >
> > From: Adrian Mulgrew [mailto:[email protected]]
> > Sent: Monday, March 19, 2012 12:20 PM
> > To: [email protected]
> > Subject: Re: [Packetfence-users] Unable to access captive portal from registration vlan
> >
> > Hi,
> >
> > Wireshark on the client sees the DNS request packets going out
> > but no reply. On the PF server I can see the requests coming in
> > but no reply from the PF server. In fact pretty much the only
> > traffic coming out of the PF server is DHCP and SNMP traffic.
> >
> > I tried configuring the external dns manually on the client but
> > I don't think this will work as there is no routing between the
> > registration vlan and the normal vlan
> >
> > Nslookup from the packetfence server works fine.
> >
> > Anything else I can check?
> >
> > On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
> >
> > What does a wireshark capture on the client show? If you can
> > capture the traffic on the server as well, that would help.
> >
> > Also, try manually setting your DNS to one of your other DNS
> > servers (NOT PF) and while on the registration vlan see if you
> > can go anywhere.
> >
> > You can also try doing a DNS lookup on the PF server using
> > either dig or nslookup.
> >
> > Jake Sallee
> >
> > From: Adrian Mulgrew [mailto:[email protected]]
> > Sent: Monday, March 19, 2012 10:58 AM
> > To: [email protected]
> > Subject: Re: [Packetfence-users] Unable to access captive portal from registration vlan
> >
> > Hi Jake,
> >
> > The only firewall is iptables but that's configured by PF so
> > would expect it to allow DNS traffic?
> >
> > I've checked and named is running and configured to run from the
> > webui.
> >
> > Below is my iptables.conf if that's any help?
> >
> > Thanks
> >
> > Adrian
> >
> > *filter
> >
> > ### INPUT ###
> > :INPUT DROP [0:0]
> > # accept loopback stuff
> > -A INPUT --in-interface lo --jump ACCEPT
> > # accept anything related
> > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> > # Accept Ping (easier troubleshooting)
> > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
> >
> > :input-management-if - [0:0]
> > # SSH
> > -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> > # Web Admin
> > -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> > # HTTPS for email confirmation on the captive portal
> > -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> > # RADIUS
> > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> > -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> > -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> > # SNMP Traps
> > -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
> > # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> > -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # OpenVAS Administration Interface
> > -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
> >
> > :input-internal-vlan-if - [0:0]
> > # DNS
> > -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> > # DHCP
> > -A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # HTTP (captive-portal)
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> >
> > :input-internal-inline-if - [0:0]
> > # DHCP
> > -A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # HTTP (captive-portal)
> > # prevent registered users from reaching it
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> > # allow everyone else behind inline interface (not registered, isolated, etc.)
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> >
> > On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
> >
> > Sorry if it sounds silly, but have you made sure that:
> >
> > 1) There are no firewalls blocking you and
> > 2) Named is running on the PF box
> >
> > Also, make sure that the config is set to run DNS, it is in the
> > config tab -> services in the webUI.
> >
> > Jake Sallee
> >
> > From: Adrian Mulgrew [mailto:[email protected]]
> > Sent: Friday, March 16, 2012 11:42 AM
> > To: [email protected]
> > Subject: [Packetfence-users] Unable to access captive portal from registration vlan
> >
> > Hi,
> >
> > I am stuck in the registration vlan 2. When my client connects
> > it gets moved to registration network and obtains a DHCP IP
> > 192.168.2.10 with DNS server 192.168.2.1 (PF Server).
> > I then open a Chrome browser and type in www.google.com.
> > As I understand it, PF should be running its own DNS server
> > on this VLAN which will intercept the request and redirect to a
> > registration page. But for me, all that happens is the page times
> > out saying unable to resolve the URL.
> >
> > Does the PF installation automatically setup a DNS server or do
> > I have to do this manually? Also what is the URL it should be
> > redirecting clients to for the registration page?
> >
> > Thanks
> >
> > Adrian
> >
> > ------------------------------------------------------------------------------
> > This SF email is sponsored by:
> > Try Windows Azure free for 90 days Click Here
> > http://p.sf.net/sfu/sfd2d-msazure
> > _______________________________________________
> > Packetfence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
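
A check that can be run against an iptables.conf like the one quoted in this thread, as an added example that is not part of the original messages or of PacketFence's own code: it parses iptables-restore text, lists user-defined chains that no built-in chain ever jumps to, and lists the protocol/port pairs that are actually accepted. The sample is a constructed, shortened copy of the quoted rules, and the `eth0.2` dispatch rule is a hypothetical addition for comparison.

```python
# Constructed sample: shortened copy of the rules quoted in the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-management-if - [0:0]
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
:input-internal-vlan-if - [0:0]
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
"""
# Hypothetical dispatch rule; eth0.2 is an assumed registration-VLAN interface.
DISPATCH = "-A INPUT --in-interface eth0.2 --jump input-internal-vlan-if\n"


def audit(ruleset):
    """Parse iptables-restore text; return (orphaned_chains, accepted_ports)."""
    policies, rules = {}, {}
    for line in ruleset.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0].startswith(":"):
            policies[tok[0][1:]] = tok[1]
            rules.setdefault(tok[0][1:], [])
        elif len(tok) >= 2 and tok[0] == "-A":
            opt = lambda *names: next(
                (tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names), None)
            rules.setdefault(tok[1], []).append(
                (opt("--jump", "-j"), opt("--protocol", "-p"), opt("--dport")))
    # Built-in chains carry a policy (ACCEPT/DROP); user-defined chains show "-".
    todo = [c for c, p in policies.items() if p != "-"]
    reachable = set()
    while todo:
        chain = todo.pop()
        if chain not in reachable:
            reachable.add(chain)
            # Follow jumps whose target is another chain in this table.
            todo += [t for t, _, _ in rules[chain] if t in rules]
    orphaned = sorted(c for c in rules if c not in reachable)
    accepts = sorted({(pr, po) for c in reachable
                      for t, pr, po in rules[c] if t == "ACCEPT" and po})
    return orphaned, accepts


if __name__ == "__main__":
    print(audit(SAMPLE))             # per-interface chains are never evaluated
    print(audit(SAMPLE + DISPATCH))  # DNS and HTTP become reachable
```

In the rules as quoted, nothing in INPUT jumps to the per-interface chains, so the checker reports them as orphaned; the thread does not say whether the quoted file is the complete ruleset that was loaded.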
