Hello,

Open the /etc/sysctl.conf file and set the net.ipv4.ip_forward parameter to 1.
On Fri, Jun 7, 2013 at 5:54 AM, Alastair Ferguson <[email protected]> wrote:
> Hi there,
>
> I am trying to set up Packetfence 4 to do Inline enforcement (as I have some unmanaged switches) and so I went to work on Saturday to try and set it up, so this is the setup:
>
> Cisco ASA Firewall internal IP address 192.168.10.1
> Packetfence ETH1 will be routed to the firewall, through which all traffic will go from my wired and wireless subnets (192.168.16.0/24 and 192.168.15.0/24) - IP address 192.168.10.254
> ETH0 Management is 192.168.16.254
>
> I set on my core switch the default gateway to be 192.168.16.254.
>
> My issue is that I can't ping 192.168.10.254 from the core switch.
>
> From the firewall I can ping 192.168.16.254, so it is routing that way, but it can't seem to get further.
>
> From the Packetfence I can ping 8.8.8.8 (so I get to the internet), but DNS works but probably I just need to add the DNS server to ifcfg-eth1 or whatever.
>
> Here are my conf files:
>
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=cmcrc.com
> #
> # general.dnsservers
> #
> # Comma-delimited list of DNS servers. Passthroughs are created to allow queries to these servers from even "trapped" nodes.
> dnsservers=192.168.16.77,192.168.16.40,172.16.16.98
> #
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
> dhcpservers=192.168.16.77,192.168.15.250
> #
> # general.timezone
> #
> # System's timezone in string format. Supported list:
> # http://www.php.net/manual/en/timezones.php
> timezone=Australia/Sydney
>
> #[registration]
> #auth=ldap
> [trapping]
> #
> # trapping.range
> #
> # Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
> # broadcast addresses are ignored.
> range=192.168.15.0/24,192.168.16.0/24,172.16.0.0/22
> #
> # trapping.whitelist
> #
> # Comma-delimited list of MAC addresses that are immune to isolation. In
> # inline enforcement, the firewall is opened for them as if they were
> # registered. This "feature" will probably be reworked in the future.
> whitelist=192.168.16.40,192.168.16.77,192.168.16.98
> #
> # trapping.detection
> #
> #
> # Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do,
> # you'll most definitely want this on.
> detection=enabled
> #
> # trapping.detection_engine
> #
> # Let you choose from our supported IDS: snort or suricata
> #
> detection_engine=suricata
> #
> # trapping.wireless_ips
> #
> # Enable wids trapping detection
> wireless_ips=enabled
>
> [registration]
> #
> # registration.range
> #
> #
> range=192.168.15.0/24,192.168.16.0/24,172.16.0.0/22
> #
> # registration.nbregpages
> #
> # The number of registration pages to show to the user
> nbregpages=1
>
> #[guests_self_registration]
> #modes=email,sms,sponsor
> [alerting]
> #
> # alerting.emailaddr
> #
> # Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
> # PacketFence-related message goes to.
> [email protected]
> #
> # alerting.fromaddr
> #
> # Source email address for email notifications. Empty means root@<server-domain-name>.
> # Source email address for email notifications. Empty means root@<server-domain-name>.
> [email protected]
>
> [scan]
> #
> # scan.engine
> #
> # Which scan engine to use to perform client-side policy compliance.
> engine=openvas
> #
> # scan.registration
> #
> # If this option is enabled, the PF system will scan each host after
> # registration is complete.
> registration=enabled
> #
> # scan.user
> #
> # Username to log into scanning engine with.
> user=sysadmin
> #
> # scan.pass
> #
> # Password to log into scanning engine with.
> pass=C@p1t@lsys!
> #
> # scan.openvas_configid
> #
> # ID of the scanning configuration on the OpenVAS server
> openvas_configid=daba56c8-73ec-11df-a475-002264764cea
> #
> # scan.openvas_reportformatid
> #
> # ID of the .NBE report format on the OpenVAS server
> openvas_reportformatid=9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
>
> [database]
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence.
> pass=5Zs4LecTxvkXhp
>
> [inline]
> #
> # inline.should_reauth_on_vlan_change
> # Should have to reauthenticate the node if it change vlan
> should_reauth_on_vlan_change=enabled
> #
> # inline.interfaceSNAT
> # Choose the interface(s) you want to use to enable snat (by default it's the management interface)
> interfaceSNAT=eth1
>
> [captive_portal]
> #
> # captive_portal.network_detection_ip
> #
> # This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
> # access was enabled.
> # It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
> # It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
> # By default we will make this reach PacketFence's website as an easy solution.
> #
> network_detection_ip=192.168.16.254
>
> [provisioning]
> #
> # provisioning.autoconfig
> #
> # Enable or disable the XML mobile config generation for wireless on iPhones, iPods, and iPads
> autoconfig=enabled
>
> [interface eth1]
> enforcement=inline
> ip=192.168.10.254
> type=internal
> mask=255.255.255.0
>
> [interface eth2]
> type=monitor
>
> [interface eth0]
> ip=192.168.16.254
> type=management
> mask=255.255.255.0
> enforcement=
>
> [interface eth0.3]
> mask=255.255.255.0
> type=dhcp-listener
> gateway=192.168.15.250
> ip=192.168.15.252
> snmptrapd_binary=/usr/sbin/snmptrapd
> # services.radiusd
> #
> # Should radiusd be managed by PacketFence?
> radiusd=enabled
> #
> # services.snort_binary
> #
> # Location of the snort binary. Only necessary to change if you are not running the RPMed version.
> snort_binary=/usr/sbin/snort
> #
> # services.suricata_binary
> #
> # Location of the suricata binary.
> suricata_binary=/usr/bin/suricata
> #
> # services.httpd_binary
> #
> # Location of the apache binary. Only necessary to change if you are not running the RPMed version.
> httpd_binary=/usr/sbin/httpd
> #
> # services.dhcpd_binary
> #
> # Location of the dhcpd binary. Only necessary to change if you are not running the RPMed version.
> dhcpd_binary=/usr/sbin/dhcpd
> #
> # services.named_binary
> #
> # Location of the named binary. Only necessary to change if you are not running the RPMed version.
> named_binary=/usr/sbin/named
>
> Networks.conf
>
> [172.16.0.0]
> dns=192.168.16.77
> dhcp_start=172.16.0.10
> gateway=172.16.0.254
> named=enabled
> dhcp_max_lease_time=86400
> dhcpd=enabled
> type=vlan_registration
> netmask=255.255.252.0
> dhcp_end=172.16.0.246
> dhcp_default_lease_time=86400
> domain-name=vlan_registration.cmcrc.com
>
> [192.168.30.0]
> dns=192.168.16.77
> dhcp_start=192.168.30.10
> gateway=192.168.30.254
> named=enabled
> dhcp_max_lease_time=86400
> dhcpd=enabled
> type=vlan_isolation
> netmask=255.255.255.0
> dhcp_end=192.168.30.246
> dhcp_default_lease_time=86400
> domain-name=vlan_isolation.cmcrc.com
>
> [192.168.10.0]
> dns=192.168.16.77
> dhcp_start=192.168.10.10
> gateway=192.168.10.254
> domain-name=inline.cmcrc.com
> named=enabled
> dhcp_max_lease_time=86400
> dhcpd=enabled
> type=inline
> netmask=255.255.255.0
> dhcp_end=192.168.10.246
> dhcp_default_lease_time=86400
>
> Switches.conf, which I understand in my situation is not required.
>
> #
> # Copyright 2006-2008 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
>
> [default]
> vlans = 1,2,3,4,5
> normalVlan = 1
> registrationVlan = 2
> isolationVlan = 3
> macDetectionVlan = 4
> voiceVlan = 5
> inlineVlan = 6
> inlineTrigger =
> normalRole = normal
> registrationRole = registration
> isolationRole = isolation
> macDetectionRole = macDetection
> voiceRole = voice
> inlineRole = inline
> VoIPEnabled = no
>
> mode = testing
> macSearchesMaxNb = 30
> macSearchesSleepInterval = 2
> uplink = dynamic
>
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport = Telnet
> cliUser =
> cliPwd =
> cliEnablePwd =
>
> #
> # SNMP section
> #
>
> # PacketFence -> Switch
> SNMPVersion = 1
> SNMPCommunityRead = public
> SNMPCommunityWrite = private
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
>
> # Switch -> PacketFence
> SNMPVersionTrap = 1
> SNMPCommunityTrap = public
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport = http
> wsUser =
> wsPwd =
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=
>
> [192.168.0.1]
> type = Cisco::Catalyst_2900XL
> mode = production
> uplink = 23,24
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
>
> Any help gratefully received!
>
>
> Alastair Ferguson
> IT Manager
> Capital Markets CRC Limited (CMCRC)
> Telephone: +61 2 8088 4222
> Mobile: +61 424 235 159
> Fax: +61 2 8088 4201
> www.cmcrc.com
>
>
> Capital Markets CRC Ltd - Confidential Communication
> The information contained in this e-mail is confidential. It is intended for the addressee only. If you receive this e-mail by mistake please promptly inform us by reply e-mail and then delete the e-mail and destroy any printed copy. You must not disclose or use in any way the information in the e-mail. There is no warranty that this e-mail is error or virus free. It may be a private communication, and if so, does not represent the views of the CMCRC and its associates. If it is a private communication, care should be taken in opening it to ensure that undue offence is not given.
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
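An added example, not part of the thread or of PacketFence: a small POSIX shell helper that checks whether the setting the reply points at (net.ipv4.ip_forward=1, which the PacketFence box needs in order to route between its interfaces for inline enforcement) is both persisted in a sysctl.conf-style file and live in the kernel. The sample file contents are constructed; `enable_ip_forward` is assumed to run as root on a Linux box with GNU sed.

```shell
# Added example, not from the thread: verify that the setting the reply points
# at (net.ipv4.ip_forward=1) is both persisted and live on the PacketFence box.

# Effective value of KEY in a sysctl.conf-style FILE: '#'/';' comment lines are
# skipped and the last uncommented assignment wins, as sysctl -p applies the
# file top to bottom.
sysctl_conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$1"
}

# Report persisted and live values; succeed only when both are 1 ("unknown"
# live value means no /proc, i.e. not running on Linux).
check_ip_forward() {
    conf=${1:-/etc/sysctl.conf}
    persisted=$(sysctl_conf_value "$conf" net.ipv4.ip_forward)
    live=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    echo "net.ipv4.ip_forward: persisted=${persisted:-unset} (${conf}) live=${live}"
    [ "$persisted" = "1" ] && [ "$live" = "1" ]
}

# Persist and apply (needs root; assumes GNU sed -i). Rewrites an existing
# assignment instead of appending a duplicate, then reloads the file.
enable_ip_forward() {
    conf=${1:-/etc/sysctl.conf}
    if grep -q '^[ \t]*net\.ipv4\.ip_forward[ \t]*=' "$conf"; then
        sed -i 's/^[ \t]*net\.ipv4\.ip_forward[ \t]*=.*/net.ipv4.ip_forward = 1/' "$conf"
    else
        printf '\nnet.ipv4.ip_forward = 1\n' >> "$conf"
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null && sysctl -p "$conf" >/dev/null
}

# Constructed sample: the stock "= 0" line left in place, a commented-out
# "= 1" that must not count, and a real override added at the end.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
EOF
if check_ip_forward "$SAMPLE_CONF"; then echo "forwarding OK"; else echo "not fully enabled"; fi
```

Run it as `sh check_ip_forward.sh` on the PacketFence host (replacing the sample path with /etc/sysctl.conf) to see whether the change survived a reboot as well as having been applied live.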
