I wonder if someone can help clarify isolation with routed networks. The diagram on page 24 of http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Administration_Guide-3.5.1.pdf shows a network where the "registration" and "isolation" networks are routed. However it is not clear how PF expects the network to be configured such that user traffic is contained and redirected to the captive portal.

I can think of two possible ways how it could work:

(1) PF DNS returns the correct IP address for the page requested, but the outbound traffic on the registration VLAN is forced via the PF server itself and is captured via iptables rules. Then PF returns a HTTP redirect to the PF registration page. AFAICS, to do this on a routed network would require VRFs deployed across the network (or policy routing or IP-IP tunnels), so that traffic from the remote registration network would be forced via the PF box but normal data traffic follows a normal default route without putting PF inline.

(2) PF DNS returns a fake IP address for all hostnames. In this case, applying ACLs would be sufficient to block traffic from the registration VLAN to all IPs apart from the PF server itself. But there is a risk the client will cache this fake IP once it is granted access.

Can someone tell me which of these models PF follows, or have I completely misunderstood something here?

I'm afraid the diagram on page 4 is even more confusing. It shows a "WAN" but no external Internet link. Does "WAN" actually mean "The Internet"? Or are these four branch offices linked by a private WAN, in which case, where is the egress?

Thanks in advance,

Brian.
