Interesting....

First make sure PF logging is set to debug, then monitor the packetfence.log 
file; if PF is blocking your requests it should show up there. Otherwise it 
could be a misconfigured service, and tshark would help find that out.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221

From: Adrian Mulgrew [mailto:[email protected]]
Sent: Wednesday, March 21, 2012 6:22 AM
To: [email protected]
Subject: Re: [Packetfence-users] Unable to access captive portal from registration vlan

OK, so I still haven't made any progress.
My theory is that something on the PacketFence server is blocking the traffic 
from my client, or it's configured not to respond. I know this because if I ping 
the PF server from my client on the 192.168.2.0 network, the request times out. 
But if I stop the packetfence service, then I immediately get ping replies from 
the server.
So I thought the most likely thing to be blocking would be iptables. So I 
started the packetfence service, then did a 'sudo service iptables stop', but I still 
don't get any ping responses from the server. So I guess it's something other 
than iptables blocking. Does anybody have any ideas?

Thanks



On Tue, Mar 20, 2012 at 1:10 PM, Adrian Mulgrew <[email protected]> wrote:
Hi Jake,

I don't think this will work either, as even if I try to open http://192.168.2.1 
or https://192.168.2.1 (that's the PF server registration interface) I get no 
response.
So as far as I can tell the only traffic this port responds to is DHCP.


On Mon, Mar 19, 2012 at 8:05 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
> I tried configuring the external dns manually on the client but I don't think 
> this will work as there is no routing between the registration vlan and the 
> normal vlan

Try editing the hosts file on your client to contain an entry that should direct 
you to your PF box, i.e.: <IP of PF Server>      google.com




From: Adrian Mulgrew [mailto:[email protected]]
Sent: Monday, March 19, 2012 12:20 PM
To: [email protected]
Subject: Re: [Packetfence-users] Unable to access captive portal from registration vlan

Hi,

Wireshark on the client sees the DNS request packets going out but no reply. On 
the PF server I can see the requests coming in but no reply from the PF server. 
In fact pretty much the only traffic coming out of the PF server is DHCP and 
SNMP traffic.

I tried configuring the external DNS manually on the client, but I don't think 
this will work as there is no routing between the registration vlan and the 
normal vlan.

Nslookup from the packetfence server works fine.

Anything else I can check?

On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
What does a wireshark capture on the client show?  If you can capture the 
traffic on the server as well, that would help.

Also, try manually setting your DNS to one of your other DNS servers (NOT PF) 
and while on the registration vlan see if you can go anywhere.

You can also try doing a DNS lookup on the PF server using either dig or 
nslookup.


From: Adrian Mulgrew [mailto:[email protected]]
Sent: Monday, March 19, 2012 10:58 AM
To: [email protected]
Subject: Re: [Packetfence-users] Unable to access captive portal from registration vlan

Hi Jake,

The only firewall is iptables, but that's configured by PF, so I would expect it to 
allow DNS traffic?

I've checked and named is running and configured to run from the webui.

Below is my iptables.conf if that's any help?

Thanks

Adrian


*filter

### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
# HTTPS for email confirmation on the captive portal
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT

:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
# prevent registered users from reaching it
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT




On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake) <[email protected]> wrote:
Sorry if it sounds silly, but have you made sure that:

1) There are no firewalls blocking you, and

2) Named is running on the PF box.

Also, make sure that the config is set to run DNS; it is in the config tab -> 
services in the webUI.


From: Adrian Mulgrew [mailto:[email protected]]
Sent: Friday, March 16, 2012 11:42 AM
To: [email protected]
Subject: [Packetfence-users] Unable to access captive portal from registration vlan

Hi,

I am stuck in the registration vlan 2. When my client connects it gets moved to 
the registration network and obtains a DHCP IP 192.168.2.10 with DNS server 
192.168.2.1 (PF Server).
I then open a Chrome browser and type in www.google.com. 
As I understand it, PF should be running its own DNS server on this VLAN which 
will intercept the request and redirect to a registration page. But for me, all 
that happens is the page times out saying it is unable to resolve the URL.

Does the PF installation automatically set up a DNS server or do I have to do 
this manually? Also, what is the URL it should be redirecting clients to for the 
registration page?

Thanks

Adrian


------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

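As an added example (not code from the thread or from PacketFence), the ruleset below is a constructed excerpt of the iptables.conf posted above, and the script traces a packet through it the way iptables would, following --jump into the per-interface chain. It assumes eth1 is the registration interface and that the INPUT-to-chain jump line is the kind PF generates at start-up, since the posted file contains no such line.

```python
# Added example (not PacketFence code): trace a packet through an iptables-save
# style filter ruleset.  RULESET is a constructed excerpt of the posted iptables.conf.
RULESET = """*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-internal-vlan-if - [0:0]
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
"""
# Assumption: the per-interface jump PF adds at start-up (absent from the posted file).
JUMP = "-A INPUT --in-interface eth1 --jump input-internal-vlan-if\n"
FIELDS = {"in-interface": "iface", "protocol": "proto", "dport": "dport",
          "state": "state", "icmp-type": "icmp_type", "mark": "mark"}

def parse(text):
    # returns ({chain: policy}, {chain: [rule dicts]}); policy '-' marks a user chain
    policies, chains = {}, {}
    for toks in map(str.split, text.splitlines()):
        if toks and toks[0].startswith(":"):
            policies[toks[0][1:]] = toks[1]
            chains[toks[0][1:]] = []
        elif toks and toks[0] == "-A":
            rule, opts = {}, toks[2:]
            for i in range(0, len(opts), 2):
                if opts[i] != "--match":  # --match only loads a match module
                    rule[opts[i].lstrip("-")] = opts[i + 1]
            chains[toks[1]].append(rule)
    return policies, chains

def matches(rule, pkt):
    return all(str(pkt.get(f)) in rule[o].split(",")
               for o, f in FIELDS.items() if o in rule)

def verdict(policies, chains, pkt, chain="INPUT"):
    # first terminating target wins; a user chain with no hit RETURNs to its caller
    for rule in chains[chain]:
        if matches(rule, pkt):
            target = rule["jump"]
            if target not in chains:
                return target
            sub = verdict(policies, chains, pkt, target)
            if sub != "RETURN":
                return sub
    return "RETURN" if policies[chain] == "-" else policies[chain]

def registration_dns(ruleset, iface="eth1"):
    # fate of a new DNS query from the registration VLAN on the given interface
    pkt = {"iface": iface, "proto": "udp", "dport": 53, "state": "NEW"}
    return verdict(*parse(ruleset), pkt)
```

Feeding the output of `iptables-save` from the running box through the same parser shows whether the interface jumps were actually installed; if the loaded rules accept echo-request yet pings still time out, the difference lies outside iptables, which is the conclusion the thread reaches.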