Actually, never mind. I see that iptables is doing NAT on my management
interface and not the interface I'm sending all of my traffic out. That
doesn't really seem to make any sense to me. Shouldn't the management
interface be the interface you manage PacketFence by and not necessarily the
interface that your client traffic goes out of?

Russ

---
Russel Ingram
Associate Systems Administrator
Institute for Systems Biology
401 Terry Ave N
+1 206 732 2140



On Tue, Dec 11, 2012 at 12:28 PM, Russel Ingram <
[email protected]> wrote:

> There hasn't been any response on this for a few weeks, I realize, but I
> thought I'd update anyway. I was able to get past the memory allocation
> errors in the logs by adding more swap. I'm not really sure why it needs so
> much swap just for ipset to do its thing, but adding more seems to have
> made the error go away and ipset is able to make its changes.
>
> Unfortunately, my system still isn't working because even though traffic
> is allowed through, it needs to be NAT'ed and isn't. Seems like this is
> something that should probably be a simple fix. Does anyone know how I can
> fix that?
>
> Thanks,
> Russ
>
>
>
>
> On Mon, Nov 5, 2012 at 8:50 AM, Russel Ingram <
> [email protected]> wrote:
>
>> I have 1GB of memory and 512MB of swap on this machine. I forgot to
>> mention in my original message that we had this working on 3.5.1, but we're
>> trying to use 3.6.0 now and we've also added a third network interface. I'm
>> not sure which change broke things. We were running with just the inline
>> interface and a management interface and the network traffic going out
>> would go out the management interface. The end goal, however, is to not
>> have that traffic going over our internal network so we needed to have a
>> third separate interface for that traffic to get to the Internet by.
>> Anyway, I hope the extra information helps. Let me know if there's any more
>> information that might be helpful.
>>
>> Thanks,
>> Russ
>>
>>
>> On Fri, Nov 2, 2012 at 5:29 PM, Fabrice Durand <[email protected]> wrote:
>>
>>> Hello Russel,
>>> I don't have an answer right now.
>>> In all my tests there is no problem about that.
>>> How much memory and swap do you have on your server?
>>>
>>> I think that a system command isn't the right way to configure ipset, but
>>> there is no Perl module that interacts with ipset.
>>> I have a look about perlxs but I have to understand how it works.
>>>
>>> Let me know if after ipset -F the problem disappears or if after you
>>> restart PacketFence the problem persists.
>>>
>>> Regards
>>>
>>> On Thursday, November 1, 2012 17:50:51, Russel Ingram wrote:
>>>
>>>> I'm having trouble getting my packetfence server to allow registered
>>>> clients through. From looking at the logs, it looks like the ipset
>>>> command is failing when it tries to add the newly registered node to
>>>> the registered set. Here's what I'm seeing in the log:
>>>>
>>>> Nov 01 14:24:44 register.cgi(0) INFO: 172.16.0.11 - 00:19:d2:7b:e4:2c
>>>> on registration page
>>>> (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
>>>> Nov 01 14:24:45 register.cgi(0) INFO: performing node registration
>>>> MAC: 00:19:d2:7b:e4:2c pid: guest (pf::web::_sanitize_and_register)
>>>> Nov 01 14:24:45 register.cgi(0) INFO: re-evaluating access for node
>>>> 00:19:d2:7b:e4:2c (manage_register called)
>>>> (pf::enforcement::reevaluate_access)
>>>> Nov 01 14:24:45 register.cgi(0) INFO: Instantiate a new iptables
>>>> modification method. pf::ipset (pf::inline::get_technique)
>>>> Nov 01 14:24:45 register.cgi(0) INFO: 172.16.0.11 - 00:19:d2:7b:e4:2c
>>>> on registration page
>>>> (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
>>>> Nov 01 14:24:48 pfsetvlan(22) INFO: local (127.0.0.1) trap for switch
>>>> 127.0.0.1 (main::parseTrap)
>>>> Nov 01 14:24:48 pfsetvlan(3) INFO: nb of items in queue: 1; nb of
>>>> threads running: 0 (main::startTrapHandlers)
>>>> Nov 01 14:24:48 pfsetvlan(3) INFO: firewallRequest trap received for
>>>> inline client: 00:19:d2:7b:e4:2c. Modifying firewall. (main::handleTrap)
>>>> Nov 01 14:24:48 pfsetvlan(3) INFO: Instantiate a new iptables
>>>> modification method. pf::ipset (pf::inline::get_technique)
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --test pfsession_Unreg_172.16.0.0
>>>> 172.16.0.11,00:19:d2:7b:e4:2c 2>&1 called from
>>>> get_mangle_mark_for_mac. OS Error: Cannot allocate memory
>>>> (pf::util::pf_run)
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --test pfsession_Reg_172.16.0.0
>>>> 172.16.0.11,00:19:d2:7b:e4:2c 2>&1 called from
>>>> get_mangle_mark_for_mac. OS Error: Cannot allocate memory
>>>> (pf::util::pf_run)
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --test pfsession_Isol_172.16.0.0
>>>> 172.16.0.11,00:19:d2:7b:e4:2c 2>&1 called from
>>>> get_mangle_mark_for_mac. OS Error: Cannot allocate memory
>>>> (pf::util::pf_run)
>>>> Nov 01 14:24:48 pfsetvlan(3) INFO: MAC: 00:19:d2:7b:e4:2c stated
>>>> changed, adapting firewall rules for proper enforcement
>>>> (pf::inline::performInlineEnforcement)
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --list pfsession_Unreg_172.16.0.0 2>&1 called from
>>>> get_ip_from_ipset_by_mac. OS Error: Cannot allocate memory
>>>> (pf::util::pf_run)
>>>> Use of uninitialized value $out in split at
>>>> /usr/local/pf/lib/pf/ipset.pm line 304.
>>>>
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --list pfsession_Reg_172.16.0.0 2>&1 called from
>>>> ipset_remove_ip. OS Error: Cannot allocate memory (pf::util::pf_run)
>>>> Use of uninitialized value $out in split at
>>>> /usr/local/pf/lib/pf/ipset.pm line 266.
>>>>
>>>> Nov 01 14:24:48 pfsetvlan(3) WARN: Problem trying to run command:
>>>> LANG=C sudo ipset --add pfsession_Reg_172.16.0.0
>>>> 172.16.0.11,00:19:d2:7b:e4:2c 2>&1 called from iptables_mark_node. OS
>>>> Error: Cannot allocate memory (pf::util::pf_run)
>>>> Nov 01 14:24:48 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
>>>>
>>>> You can see there that it's logging a memory allocation problem. When
>>>> I run those same commands as the pf user, with sudo, just like it
>>>> shows in the log, they run without any errors. Has anyone seen this
>>>> before? Anyone have any ideas on how to troubleshoot it?
>>>>
>>>> I'm running PacketFence 3.6.0 installed from the PacketFence Red Hat
>>>> repository on CentOS 6.3 x86_64. The full log is attached.
>>>>
>>>> Thanks,
>>>> Russ
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
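
The check described in the top message (which interface carries the source-NAT rule versus which interface the default route leaves by), as an added example that is not part of the original thread or of PacketFence. The interface names eth0/eth2, the /24 mask, the gateway address and the sample rule and route text are constructed assumptions.

```shell
#!/bin/sh
# Added example: compare the interface(s) that carry a source-NAT rule with
# the interface the default route uses. All sample data below is constructed.

# Print the -o interface of every MASQUERADE/SNAT rule, in any chain.
# Input on stdin: text in `iptables -t nat -S` format.
nat_ifaces() {
    awk '$1 == "-A" {
        out = ""; nat = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-o" && i < NF) out = $(i + 1)
            if ($i == "-j" && ($(i + 1) == "MASQUERADE" || $(i + 1) == "SNAT")) nat = 1
        }
        # A NAT rule without -o applies to every outgoing interface.
        if (nat) print (out == "" ? "any" : out)
    }' | sort -u
}

# Print the interface of the default route.
# Input on stdin: text in `ip route show default` format.
default_iface() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_nat RULES ROUTES: returns 0 when source NAT covers the egress interface.
check_nat() {
    egress=$(printf '%s\n' "$2" | default_iface)
    nat=$(printf '%s\n' "$1" | nat_ifaces | paste -s -d ' ' -)
    if [ -z "$egress" ]; then echo "no default route found"; return 2; fi
    for ifc in $nat; do
        if [ "$ifc" = "$egress" ] || [ "$ifc" = "any" ]; then
            echo "OK: source NAT on $ifc covers egress interface $egress"; return 0
        fi
    done
    echo "MISMATCH: default route uses $egress, source NAT is on: ${nat:-none}"
    return 1
}

# Constructed sample: NAT rule on eth0 (management), default route via eth2.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth2'

check_nat "$SAMPLE_RULES" "$SAMPLE_ROUTES" || true
```

On a live host the same comparison is `check_nat "$(iptables -t nat -S)" "$(ip route show default)"`, run as root.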