Hi - I'm completely stuck at this point. Yesterday I built a new server
from scratch but have the exact same problem so not really sure where to go
from here.
Any suggestions would be greatly appreciated.
Thanks
Adrian
On Wed, Mar 21, 2012 at 2:09 PM, Adrian Mulgrew <[email protected]> wrote:
> Sorry, can you let me know how to switch logging to debug?
>
> On Wed, Mar 21, 2012 at 1:50 PM, Adrian Mulgrew <[email protected]> wrote:
>
>> Yes I believe all is fine as I can ping from the client (192.168.2.10) to
>> the PacketFence server registration interface (192.168.2.1) when the
>> packetfence service is *stopped* but as soon as I start the service I can
>> no longer ping.
>>
>>
>> On Wed, Mar 21, 2012 at 1:24 PM, Francois Gaudreault <
>> [email protected]> wrote:
>>
>>> Hi Andrew,
>>>
>>> Are you sure the networking side is fine? VLANs are created on the
>>> switch, trunks are OK, etc.
>>>
>>> On 12-03-21 7:21 AM, Adrian Mulgrew wrote:
>>> > Ok so still haven't made any progress.
>>> > My theory is that something on the PacketFence server is blocking the
>>> > traffic from my client or it's configured not to respond. I know this
>>> > because if I ping the PF server from my client on the 192.168.2.0
>>> > network the request times out. But if I stop the packetfence service
>>> > then I immediately get ping replies from the server.
>>> > So I thought the most likely thing to be blocking would be iptables. So I
>>> > started packetfence service then did a 'sudo service iptables stop' but
>>> > I still don't get any ping responses from the server. So I guess it's
>>> > something other than iptables blocking. Anybody have some idea?
>>> >
>>> > Thanks
>>> >
>>> >
>>> >
>>> > On Tue, Mar 20, 2012 at 1:10 PM, Adrian Mulgrew
>>> > <[email protected]> wrote:
>>> >
>>> > Hi Jake,
>>> >
>>> > I don't think this will work either as even if I try to open
>>> > http://192.168.2.1 or https://192.168.2.1 (that's the PF server
>>> > registration interface) I get no response.
>>> > So as far as I can tell the only traffic this port responds to is DHCP.
>>> >
>>> > On Mon, Mar 19, 2012 at 8:05 PM, Sallee, Stephen (Jake)
>>> > <[email protected]> wrote:
>>> >
>>> > > I tried configuring the external dns manually on the client
>>> > > but I don't think this will work as there is no routing between
>>> > > the registration vlan and the normal vlan
>>> >
>>> > Try editing the host file on your client to contain an entry
>>> > that should direct you to your PF box. IE: <IP of PF Server> google.com
>>> >
>>> > Jake Sallee
>>> > Godfather of Bandwidth
>>> > System Engineer
>>> > University of Mary Hardin-Baylor
>>> > 900 College St.
>>> > Belton TX. 76513
>>> > Fone: 254-295-4658
>>> > Phax: 254-295-4221
>>> >
>>> > From: Adrian Mulgrew [mailto:[email protected]]
>>> > Sent: Monday, March 19, 2012 12:20 PM
>>> > To: [email protected]
>>> > Subject: Re: [Packetfence-users] Unable to access captive portal
>>> > from registration vlan
>>> >
>>> > Hi,
>>> >
>>> > Wireshark on the client sees the DNS request packets going out
>>> > but no reply. On the PF server I can see the requests coming in
>>> > but no reply from the PF server. In fact pretty much the only
>>> > traffic coming out of the PF server is DHCP and SNMP traffic.
>>> >
>>> > I tried configuring the external dns manually on the client but
>>> > I don't think this will work as there is no routing between the
>>> > registration vlan and the normal vlan
>>> >
>>> > Nslookup from the packetfence server works fine.
>>> >
>>> > Anything else I can check?
>>> >
>>> > On Mon, Mar 19, 2012 at 4:07 PM, Sallee, Stephen (Jake)
>>> > <[email protected]> wrote:
>>> >
>>> > What does a wireshark capture on the client show? If you can
>>> > capture the traffic on the server as well, that would help.
>>> >
>>> > Also, try manually setting your DNS to one of your other DNS
>>> > servers (NOT PF) and while on the registration vlan see if you
>>> > can go anywhere.
>>> >
>>> > You can also try doing a DNS lookup on the PF server using
>>> > either dig or nslookup.
>>> >
>>> > Jake Sallee
>>> > Godfather of Bandwidth
>>> > System Engineer
>>> > University of Mary Hardin-Baylor
>>> > 900 College St.
>>> > Belton TX. 76513
>>> > Fone: 254-295-4658
>>> > Phax: 254-295-4221
>>> >
>>> > From: Adrian Mulgrew [mailto:[email protected]]
>>> > Sent: Monday, March 19, 2012 10:58 AM
>>> > To: [email protected]
>>> > Subject: Re: [Packetfence-users] Unable to access captive portal
>>> > from registration vlan
>>> >
>>> > Hi Jake,
>>> >
>>> > The only firewall is iptables but that's configured by PF so
>>> > would expect it to allow DNS traffic?
>>> >
>>> > I've checked and named is running and configured to run from the
>>> > webui.
>>> >
>>> > Below is my iptables.conf if that's any help?
>>> >
>>> > Thanks
>>> >
>>> > Adrian
>>> >
>>> > *filter
>>> >
>>> > ### INPUT ###
>>> > :INPUT DROP [0:0]
>>> > # accept loopback stuff
>>> > -A INPUT --in-interface lo --jump ACCEPT
>>> > # accept anything related
>>> > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
>>> > # Accept Ping (easier troubleshooting)
>>> > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
>>> >
>>> > :input-management-if - [0:0]
>>> > # SSH
>>> > -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
>>> > # Web Admin
>>> > -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
>>> > # HTTPS for email confirmation on the captive portal
>>> > -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>>> > # RADIUS
>>> > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
>>> > -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
>>> > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
>>> > -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
>>> > # SNMP Traps
>>> > -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
>>> > # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
>>> > -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
>>> > -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>>> > # OpenVAS Administration Interface
>>> > -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
>>> >
>>> > :input-internal-vlan-if - [0:0]
>>> > # DNS
>>> > -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
>>> > # DHCP
>>> > -A input-internal-vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
>>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>>> > # HTTP (captive-portal)
>>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
>>> > -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>>> >
>>> > :input-internal-inline-if - [0:0]
>>> > # DHCP
>>> > -A input-internal-inline-if --protocol udp --match udp --dport 67 --jump ACCEPT
>>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>>> > # HTTP (captive-portal)
>>> > # prevent registered users from reaching it
>>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
>>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
>>> > # allow everyone else behind inline interface (not registered, isolated, etc.)
>>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
>>> > -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>>> >
>>> > On Mon, Mar 19, 2012 at 1:23 PM, Sallee, Stephen (Jake)
>>> > <[email protected]> wrote:
>>> >
>>> > Sorry if it sounds silly, but have you made sure that:
>>> >
>>> > 1) There are no firewalls blocking you and
>>> > 2) Named is running on the PF box
>>> >
>>> > Also, make sure that the config is set to run DNS, it is in the
>>> > config tab -> services in the webUI.
>>> >
>>> > Jake Sallee
>>> > Godfather of Bandwidth
>>> > System Engineer
>>> > University of Mary Hardin-Baylor
>>> > 900 College St.
>>> > Belton TX. 76513
>>> > Fone: 254-295-4658
>>> > Phax: 254-295-4221
>>> >
>>> > From: Adrian Mulgrew [mailto:[email protected]]
>>> > Sent: Friday, March 16, 2012 11:42 AM
>>> > To: [email protected]
>>> > Subject: [Packetfence-users] Unable to access captive portal
>>> > from registration vlan
>>> >
>>> > Hi,
>>> >
>>> > I am stuck in the registration vlan 2. When my client connects
>>> > it gets moved to registration network and obtains a DHCP IP
>>> > 192.168.2.10 with DNS server 192.168.2.1 (PF Server).
>>> >
>>> > I then open a Chrome browser and type in www.google.com. As I
>>> > understand it, PF should be running its own DNS server on this
>>> > VLAN which will intercept the request and redirect to a
>>> > registration page. But for me, all that happens is the page
>>> > times out saying unable to resolve the URL.
>>> >
>>> > Does the PF installation automatically set up a DNS server or do
>>> > I have to do this manually? Also what is the URL it should be
>>> > redirecting clients to for the registration page?
>>> >
>>> > Thanks
>>> >
>>> > Adrian
>>> >
>>> > ------------------------------------------------------------------------------
>>> > This SF email is sponsored by:
>>> > Try Windows Azure free for 90 days Click Here
>>> > http://p.sf.net/sfu/sfd2d-msazure
>>> > _______________________________________________
>>> > Packetfence-users mailing list
>>> > [email protected]
>>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Francois Gaudreault, ing. jr
>>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>>> (www.packetfence.org)
>>>
>>
>>
>
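An offline check of the iptables.conf quoted in this thread, added here as an example (it is not part of any message above and is not PacketFence code): it parses the rules, lists user-defined chains that no rule jumps to, and gives the verdict for a new inbound packet. The rule text is a constructed, trimmed copy of the quoted excerpt; the interface name eth0.2 and the DISPATCH rule are assumptions used only for comparison.

```python
import shlex

# Constructed sample: a trimmed copy of the rules quoted in the thread.
QUOTED = """*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-internal-vlan-if - [0:0]
-A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
"""
# Assumption, for comparison only: a dispatch rule for a hypothetical
# registration interface "eth0.2"; no such rule appears in the quoted excerpt.
DISPATCH = "-A INPUT --in-interface eth0.2 --jump input-internal-vlan-if\n"

def parse(text):
    """Return (policies, chains) from iptables-restore style text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0].startswith(":"):
            policies[tok[0][1:]] = tok[1]
            chains.setdefault(tok[0][1:], [])
        elif tok and tok[0] == "-A":
            opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("--")}
            chains.setdefault(tok[1], []).append(opts)
    return policies, chains

def unreferenced(policies, chains):
    """User-defined chains that no rule jumps to, so their rules never run."""
    targets = {r.get("--jump") for rules in chains.values() for r in rules}
    return sorted(c for c, p in policies.items() if p == "-" and c not in targets)

def verdict(policies, chains, iface, proto, dport=None, chain="INPUT"):
    """Fate of a NEW, unmarked inbound packet; an icmp probe is an echo-request.
    Simplification: every non-chain target is treated as terminating."""
    for r in chains.get(chain, []):
        if "NEW" not in r.get("--state", "NEW").split(",") or "--mark" in r:
            continue
        want = {"--in-interface": iface, "--protocol": proto,
                "--dport": str(dport), "--icmp-type": "echo-request"}
        if any(r.get(k, v) != v for k, v in want.items()):
            continue
        target = r.get("--jump")
        hit = verdict(policies, chains, iface, proto, dport, target) if target in chains else target
        if hit:
            return hit
    return policies[chain] if policies.get(chain, "-") != "-" else None
```

On the excerpt as quoted, `unreferenced` reports `input-internal-vlan-if`, so a UDP/53 query falls through to the INPUT DROP policy while an echo-request is accepted; with the assumed dispatch rule added, the same query is accepted.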