Yes I believe all is fine as I can ping from the client (192.168.2.10) to
the PacketFence server registration interface (192.168.2.1) when the
packetfence service is *stopped* but as soon as I start the service I can
no longer ping.
On Wed, Mar 21, 2012 at 1:24 PM, Francois Gaudreault <[email protected]> wrote:
> Hi Andrew,
>
> Are you sure the networking side is fine? VLANs are created on the
> switch, trunks are OK, etc.
>
> On 12-03-21 7:21 AM, Adrian Mulgrew wrote:
> > Ok so still haven't made any progress.
> > My theory is that something on the PacketFence server is blocking the
> > traffic from my client or it's configured not to respond. I know this
> > because if I ping the PF server from my client on the 192.168.2.0
> > network the request times out. But if I stop the packetfence service
> > then I immediately get ping replies from the server.
> > So I thought the most likely thing to be blocking would be iptables. So I
> > started packetfence service then did a 'sudo service iptables stop' but
> > I still don't get any ping responses from the server. So I guess it's
> > something other than iptables blocking. Anybody have some idea?
> >
> > Thanks
> >
> >
> >
> > On Tue, Mar 20, 2012 at 1:10 PM, Adrian Mulgrew
> > <[email protected]> wrote:
> >
> > Hi Jake,
> >
> > I don't think this will work either as even if I try to open
> > http://192.168.2.1 or https://192.168.2.1 (that's the PF server
> > registration interface) I get no response.
> > So as far as I can tell the only traffic this port responds to is
> > DHCP.
> >
> >
> >
> > On Mon, Mar 19, 2012 at 8:05 PM, Sallee, Stephen (Jake)
> > <[email protected]> wrote:
> >
> > > I tried configuring the external dns manually on the client
> > > but I don't think this will work as there is no routing between
> > > the registration vlan and the normal vlan
> >
> > Try editing the host file on your client to contain an entry
> > that should direct you to your PF box. IE: <IP of PF Server>
> > google.com
> >
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > 900 College St.
> > Belton TX. 76513
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> >
> > *From:* Adrian Mulgrew [mailto:[email protected]]
> > *Sent:* Monday, March 19, 2012 12:20 PM
> > *To:* [email protected]
> > *Subject:* Re: [Packetfence-users] Unable to access captive
> > portal from registration vlan
> >
> > Hi,
> >
> > Wireshark on the client sees the DNS request packets going out
> > but no reply. On the PF server I can see the requests coming in
> > but no reply from the PF server. In fact pretty much the only
> > traffic coming out of the PF server is DHCP and SNMP traffic.
> >
> > I tried configuring the external dns manually on the client but
> > I don't think this will work as there is no routing between the
> > registration vlan and the normal vlan
> >
> > Nslookup from the packetfence server works fine.
> >
> > Anything else I can check?
> >
> > On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake)
> > <[email protected]> wrote:
> >
> > What does a wireshark capture on the client show? If you can
> > capture the traffic on the server as well, that would help.
> >
> > Also, try manually setting your DNS to one of your other DNS
> > servers (NOT PF) and while on the registration vlan see if you
> > can go anywhere.
> >
> > You can also try doing a DNS lookup on the PF server using
> > either dig or nslookup.
> >
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > 900 College St.
> > Belton TX. 76513
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> >
> > *From:* Adrian Mulgrew [mailto:[email protected]]
> > *Sent:* Monday, March 19, 2012 10:58 AM
> > *To:* [email protected]
> > *Subject:* Re: [Packetfence-users] Unable to access captive
> > portal from registration vlan
> >
> > Hi Jake,
> >
> > The only firewall is iptables but that's configured by PF so
> > would expect it to allow DNS traffic?
> >
> > I've checked and named is running and configured to run from the
> > webui.
> >
> > Below is my iptables.conf if that's any help?
> >
> > Thanks
> >
> > Adrian
> >
> > *filter
> >
> > ### INPUT ###
> > :INPUT DROP [0:0]
> > # accept loopback stuff
> > -A INPUT --in-interface lo --jump ACCEPT
> > # accept anything related
> > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> > # Accept Ping (easier troubleshooting)
> > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
> >
> > :input-management-if - [0:0]
> > # SSH
> > -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> > # Web Admin
> > -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> > # HTTPS for email confirmation on the captive portal
> > -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> > # RADIUS
> > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> > -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> > -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> > # SNMP Traps
> > -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
> > # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> > -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # OpenVAS Administration Interface
> > -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
> >
> > :input-internal-vlan-if - [0:0]
> > # DNS
> > -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> > # DHCP
> > -A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # HTTP (captive-portal)
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> >
> > :input-internal-inline-if - [0:0]
> > # DHCP
> > -A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> > # HTTP (captive-portal)
> > # prevent registered users from reaching it
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> > # allow everyone else behind inline interface (not registered, isolated, etc.)
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> >
> > On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake)
> > <[email protected]> wrote:
> >
> > Sorry if it sounds silly, but have you made sure that:
> >
> > 1) There are no firewalls blocking you and
> > 2) Named is running on the PF box
> >
> > Also, make sure that the config is set to run DNS, it is in the
> > config tab -> services in the webUI.
> >
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > 900 College St.
> > Belton TX. 76513
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> >
> > *From:* Adrian Mulgrew [mailto:[email protected]]
> > *Sent:* Friday, March 16, 2012 11:42 AM
> > *To:* [email protected]
> > *Subject:* [Packetfence-users] Unable to access captive portal
> > from registration vlan
> >
> > Hi,
> >
> > I am stuck in the registration vlan 2. When my client connects
> > it gets moved to registration network and obtains a DHCP IP
> > 192.168.2.10 with DNS server 192.168.2.1 (PF Server).
> >
> > I then open a Chrome browser and type in www.google.com.
> > As I understand it, PF should be
> > running its own DNS server on this VLAN which will intercept
> > the request and redirect to a registration page. But for me, all
> > that happens is the page times out saying unable to resolve the
> > URL.
> >
> > Does the PF installation automatically setup a DNS server or do
> > I have to do this manually? Also what is the URL it should be
> > redirecting clients to for the registration page?
> >
> > Thanks
> >
> > Adrian
> >
> >
> >
> ------------------------------------------------------------------------------
> > This SF email is sponsosred by:
> > Try Windows Azure free for 90 days Click Here
> > http://p.sf.net/sfu/sfd2d-msazure
> > _______________________________________________
> > Packetfence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Francois Gaudreault, ing. jr
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
>
>
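The iptables.conf quoted in this thread can be read mechanically to see which services the registration VLAN chain accepts, whether any rule in the excerpt jumps to that chain, and whether INPUT accepts ping. This is an added example, not part of the original messages or PacketFence's code; the function names are assumptions, and the sample is a constructed excerpt of the quoted template, which may differ from the ruleset actually loaded on the server.

```python
import shlex

# Constructed sample: lines copied from the iptables.conf quoted in the thread
# (part of INPUT and the registration VLAN chain), with the mail wraps rejoined.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-internal-vlan-if - [0:0]
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
"""

def parse_rules(text):
    """Yield (chain, options) per '-A' line; handles the long-option form only."""
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # table header, chain declaration, comment or blank line
        opts, values = {}, None
        for tok in tokens[2:]:
            if tok.startswith("--"):
                values = opts.setdefault(tok[2:], [])
            elif values is not None:
                values.append(tok)
        yield tokens[1], opts

def accepted_services(text, chain):
    """Set of (protocol, dport) pairs that have an ACCEPT rule in `chain`."""
    return {(opts.get("protocol", ["?"])[0], opts["dport"][0])
            for name, opts in parse_rules(text)
            if name == chain and opts.get("jump") == ["ACCEPT"] and "dport" in opts}

def chains_jumping_to(text, target):
    """Chains containing a rule that jumps to `target` (a chain or a verdict)."""
    return sorted({name for name, opts in parse_rules(text)
                   if target in opts.get("jump", [])})

def input_accepts_ping(text):
    """True if INPUT itself accepts ICMP echo-request on any interface."""
    want = {"protocol": ["icmp"], "icmp-type": ["echo-request"], "jump": ["ACCEPT"]}
    return any(name == "INPUT" and opts == want for name, opts in parse_rules(text))

if __name__ == "__main__":
    print(sorted(accepted_services(SAMPLE, "input-internal-vlan-if")), input_accepts_ping(SAMPLE))
```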