On 2012-09-21 5:41 AM, Brian Candler wrote:
> On Thu, Sep 20, 2012 at 11:33:33PM +0000, Brian Candler wrote:
>> (2) I need to restart dhcpd, and indeed it is running, but the
>> administration->services page shows
>>
>> dhcpd (expected status) stopped (actual status) running
>>
>> with no action buttons next to it. Clearly I cannot use the usual initscript
>> because, for example, DHCPDARGS is set to empty string in
>> /etc/sysconfig/dhcpd
>
> So I went through the code to work out why "Expected Status" is Stopped.
>
> # /usr/local/pf/bin/pfcmd config get services.dhcpd
> services.dhcpd=|enabled|enabled;disabled|toggle
>
> # /usr/local/pf/bin/pfcmd service pf status
> service|shouldBeStarted|pid
> named|0|7310
> dhcpd|0|7319
> snort|0|0
> suricata|0|0
> radiusd|0|7328
> httpd|1|8890 8889 8888 8887 8880 8879 8873 8048 7426 7335 7079 6800 6264 6263 6261
> snmptrapd|1|7337
> pfdetect|0|0
> pfredirect|0|0
> pfsetvlan|1|7351
> pfdhcplistener|1|7350
> pfmon|1|7352
>
> Tracing this back through
>   html/admin/administration/services.php
>   bin/pfcmd # service()
>   lib/pf/services.pm # pf::services::service_list() for services_which_should_be_started
>
>     } elsif ( $service eq "dhcpd" ) {
>         push @finalServiceList, $service
>             if ( (is_inline_enforcement_enabled() || is_vlan_enforcement_enabled())
>             && isenabled($Config{'services'}{'dhcpd'}) );
>
>   lib/pf/config.pm # is_vlan_enforcement_enabled()
>
>     # cache hit
>     return $cache_vlan_enforcement_enabled if (defined($cache_vlan_enforcement_enabled));
>
> Hmm.. we don't like caches, so I did /etc/init.d/packetfence restart but
> that didn't help.
>
>     foreach my $interface (@internal_nets) {
>         my $device = "interface " . $interface->tag("int");
>
>         if (defined($Config{$device}{'enforcement'}) &&
>             $Config{$device}{'enforcement'} eq $IF_ENFORCEMENT_VLAN) {
>             # cache the answer for future access
>             $cache_vlan_enforcement_enabled = $TRUE;
>             return $TRUE;
>         }
>     }
>
> Oh right, here's the problem:
>
> # /usr/local/pf/bin/pfcmd config get interface.eth0.enforcement
> interface.eth0.enforcement=||vlan;inline|toggle
>
> # cat conf/pf.conf
> [interface eth0]
> ip=X.X.X.14
> type=internal,management
> mask=255.255.255.224
> enforcement=
> ...

Why is your eth0 internal? You should set it to management only.
Do you have other interfaces tagged internal with enforcement set to VLAN?

> I am left wondering if (a) I am being extremely dense, or (b) PacketFence is
> not really expected to be used out-of-the-box for enforcement on routed
> subnets.

I think you should have a look at how routed reg/isol vlans work in
the admin guide. PF needs to have an interface on a LOCAL
registration/isolation vlan, and the infra needs to ROUTE remote
reg/isol vlans to those interfaces. You cannot simply use the
management interface (eth0) for that.

In other words, you need:
- eth0 : Management
- eth0.2 : Reg LOCAL (VLAN2) - say 192.168.2.10 (L3 gateway 192.168.2.1)
- eth0.3 : Isol LOCAL (VLAN3) - say 192.168.3.10 (L3 gateway 192.168.3.1)

Then you have:
- VLAN 20 : Remote REG (VLAN 20) routed to 192.168.2.10 VIA 192.168.20.1 (L3 gateway of VLAN 20)
- VLAN 30 : Remote ISOL (VLAN 30) routed to 192.168.3.10 VIA 192.168.30.1 (L3 gateway of VLAN 30)

You also need to use ip helper addresses on the VLAN20/30 L3 interfaces
to relay DHCP to 192.168.2.10 or 192.168.3.10.

So in networks.conf you will have something like:

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.1
domain-name=remote-reg.patate.org
dns=192.168.2.10
dhcp_start=192.168.20.11
dhcp_end=192.168.20.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
next_hop=192.168.2.1

Is it more clear now?

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
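
Added example, not part of the original messages and not PacketFence code: a small Python check that reproduces the "expected status" decision traced in the thread and tests whether a networks.conf next_hop lies on a subnet of an internal interface. The sample pf.conf texts, the 192.0.2.14 address, the /24 mask on eth0.2, and the helper names are constructed assumptions; the enforcement values "vlan" and "inline" are taken from the pfcmd output quoted above.

```python
import configparser
import ipaddress

# Constructed pf.conf samples modelled on the thread (addresses and masks are assumptions).
BROKEN = """[services]
dhcpd=enabled
[interface eth0]
ip=192.0.2.14
mask=255.255.255.224
type=internal,management
enforcement=
"""
FIXED = """[services]
dhcpd=enabled
[interface eth0]
ip=192.0.2.14
mask=255.255.255.224
type=management
[interface eth0.2]
ip=192.168.2.10
mask=255.255.255.0
type=internal
enforcement=vlan
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def internal_interfaces(cp):
    """Yield (name, section) for every interface whose type list includes 'internal'."""
    for name in cp.sections():
        if name.startswith("interface ") and "internal" in cp[name].get("type", "").split(","):
            yield name, cp[name]

def dhcpd_should_start(cp):
    """Simplified mirror of the quoted test: enforcement on an internal interface AND dhcpd enabled."""
    enforced = any(s.get("enforcement", "") in ("vlan", "inline") for _, s in internal_interfaces(cp))
    return enforced and cp.get("services", "dhcpd", fallback="") == "enabled"

def next_hop_reachable(cp, next_hop):
    """True if next_hop sits in the directly connected subnet of some internal interface."""
    hop = ipaddress.ip_address(next_hop)
    return any(hop in ipaddress.ip_interface(f"{s['ip']}/{s['mask']}").network
               for _, s in internal_interfaces(cp))

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        cp = load(text)
        print(label, dhcpd_should_start(cp), next_hop_reachable(cp, "192.168.2.1"))
```

With the empty enforcement= on eth0 both checks fail, which matches the shouldBeStarted value of 0 reported for dhcpd; with a dedicated internal interface on the local registration VLAN both pass.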