On Fri, Sep 21, 2012 at 09:22:28AM -0400, Francois Gaudreault wrote:
> > # cat conf/pf.conf
> > [interface eth0]
> > ip=X.X.X.14
> > type=internal,management
> > mask=255.255.255.224
> > enforcement=
> > ...
> Why is your eth0 internal?

Only a lack of understanding/definition of what the flags "internal" and "management" are intended to signify and how they affect the configuration.

> You should set it to management only.
>
> Do you have other interfaces tagged internal with enforcement set to VLAN?

Nope, just eth0 with a real IP on the server network.

> > I am left wondering if (a) I am being extremely dense, or (b) PacketFence is
> > not really expected to be used out-of-the-box for enforcement on routed
> > subnets.
> I think you should have a look at how routed reg/isol vlans work in
> the admin guide.

Believe me, I have read this several times :-) As a user it's not at all clear to me. The diagram on page 24 has very little info about actual routing. It doesn't say that the red and blue networks are VRFs, but neither does it say that these are part of the same L3 domain and there are ACLs at the edge router. It doesn't show the PF interfaces config, only the networks config.

> PF needs to have an interface on a LOCAL
> registration/isolation vlan, and the infra needs to ROUTE remote
> reg/isol vlans to those interfaces. You cannot simply use the
> management interface (eth0) for that.

Why does PF need three different local IP addresses and subnets, if they are all routed together by the infrastructure anyway? As far as I can see:

- DNS views are handled by looking at the client source IP only
- DHCP doesn't care which interface a forwarded request arrives on

So why not use the same IP for both?

Having said that, I'm not 100% sure about how dhcplistener and dhcpd interact. At the moment I am getting messages like this:

Sep 21 15:31:28 pfdhcplistener(13981) WARN: X.X.X.14 (unknown) was detected offering 10.21.255.12 to 00:21:9b:XX:XX:XX on eth0 (main::rogue_dhcp_handling)

where X.X.X.14 is the PF box itself. So perhaps the listener and the DHCP server need to be on different interfaces?

Looking at page 22, it says "Add PacketFence’s management IP address as the last ip helper-address statement in your network equipment." I haven't done this, and yet I do seem to have PF working now.

> So in networks.conf you will have something like:
> [192.168.20.0]
> netmask=255.255.255.0
> gateway=192.168.20.1
> domain-name=remote-reg.patate.org
> dns=192.168.2.10
> dhcp_start=192.168.20.11
> dhcp_end=192.168.20.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=600
> type=vlan-registration
> named=enabled
> dhcpd=enabled
> next_hop=192.168.2.1
>
> Is it more clear now?

Not really. The networks.conf info is in the documentation on p25, and from looking at the generated config files it's clear that PF sets up ACLs for named and apache based on these IPs, and configures its DHCP server. What's not clear to me (yet) is why any VLANs are needed at the PF server at all.

Regards,

Brian.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
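Two points in this exchange can be checked mechanically: that a routed registration/isolation network is identified from the client's source IP alone (the behaviour Brian describes for the DNS views), and that a pfdhcplistener "rogue DHCP" warning naming the PF box's own address is the listener seeing PF's own dhcpd rather than a foreign server. The script below is an added illustration, not PacketFence code and not from either poster: it parses a networks.conf-style file using only the keys quoted in the thread, classifies client addresses against it, and triages warnings in the pfdhcplistener format shown above. The networks, the authorized-server set (192.168.2.20 standing in for the redacted X.X.X.14) and the log lines are all constructed for the example; the verdict names (`expected`, `out-of-pool`, `rogue`) are this example's own, not PacketFence terminology.

```python
import ipaddress
import re
from configparser import ConfigParser

# Constructed networks.conf in the style quoted in the thread. The section
# name is the network address and the keys are the ones shown in the email;
# the second (isolation) network is invented for the example.
NETWORKS_CONF = """
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.1
domain-name=remote-reg.patate.org
dns=192.168.2.10
dhcp_start=192.168.20.11
dhcp_end=192.168.20.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
next_hop=192.168.2.1

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.1
domain-name=remote-isol.patate.org
dns=192.168.2.10
dhcp_start=192.168.30.11
dhcp_end=192.168.30.254
type=vlan-isolation
named=enabled
dhcpd=enabled
next_hop=192.168.2.1
"""

# Constructed log lines in the format of the warning quoted in the thread.
# 192.168.2.20 plays the role of the PF box's own (redacted X.X.X.14) address;
# the MAC addresses are made up.
SAMPLE_LOG = """
Sep 21 15:31:28 pfdhcplistener(13981) WARN: 192.168.2.20 (unknown) was detected offering 192.168.20.12 to 00:21:9b:aa:bb:cc on eth0 (main::rogue_dhcp_handling)
Sep 21 15:32:02 pfdhcplistener(13981) WARN: 192.168.20.99 (unknown) was detected offering 192.168.20.50 to 00:21:9b:aa:bb:dd on eth0 (main::rogue_dhcp_handling)
Sep 21 15:33:10 pfdhcplistener(13981) WARN: 192.168.2.20 (unknown) was detected offering 10.99.0.7 to 00:21:9b:aa:bb:ee on eth0 (main::rogue_dhcp_handling)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) pfdhcplistener\(\d+\) WARN: "
    r"(?P<server>[\d.]+) \((?P<name>[^)]*)\) was detected offering "
    r"(?P<offered>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17}) on (?P<iface>\S+)"
)


def load_networks(text):
    """Parse a networks.conf-style string into a list of network records."""
    cp = ConfigParser()
    cp.read_string(text)
    nets = []
    for name in cp.sections():
        s = cp[name]
        # strict=False tolerates a section name that is a host address
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=False)
        pool = (ipaddress.ip_address(s["dhcp_start"]),
                ipaddress.ip_address(s["dhcp_end"]))
        nets.append({"network": net, "type": s["type"], "pool": pool})
    return nets


def classify_client(ip, nets):
    """Pick the network type from the client's source address alone,
    regardless of which PF interface the packet arrived on."""
    addr = ipaddress.ip_address(ip)
    for n in nets:
        if addr in n["network"]:
            return n["type"]
    return "unknown"


def triage(log_lines, nets, authorized_servers):
    """Triage pfdhcplistener rogue-DHCP warnings.

    expected     : an authorized server (e.g. PF's own dhcpd) offering an
                   address inside one of the configured pools
    out-of-pool  : an authorized server offering an address no pool covers
    rogue        : any server not in the authorized set
    """
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a rogue-DHCP warning; ignore
        offered = ipaddress.ip_address(m["offered"])
        in_pool = any(n["pool"][0] <= offered <= n["pool"][1] for n in nets)
        if m["server"] not in authorized_servers:
            verdict = "rogue"
        elif in_pool:
            verdict = "expected"
        else:
            verdict = "out-of-pool"
        results.append({"server": m["server"], "offered": str(offered),
                        "mac": m["mac"], "iface": m["iface"], "verdict": verdict})
    return results


if __name__ == "__main__":
    networks = load_networks(NETWORKS_CONF)
    for r in triage(SAMPLE_LOG.strip().splitlines(), networks, {"192.168.2.20"}):
        print(r)
```

The first log line is the thread's own situation: the listener reports PF's address because PF's dhcpd answers on the same interface the listener watches, and the verdict is "expected" rather than "rogue". The second line, an unauthorized server handing out registration-pool addresses, is what the warning is actually for.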
