So if I have PF set up for VLAN enforcement and inline mode, and I set the VLAN to be the same as the inline interface so it handles the NAT, would it still know that the connection is authorized? Or can I not have the VLAN that the registered users fall on be the same as the inline interface?
On May 13, 2014, at 9:16 AM, Patrick Okui <[email protected]> wrote:

> On 13-May-2014 15:25:18 (+0300), Alan Jones wrote:
>> I currently have PF setup using VLAN enforcement. Is there a way in
>> packet fence to track the “allowed” or “normal” vlan and NAT the
>> connections? I’m basically looking to track connections for DMCA
>> reasons, but don’t want to use Inline mode.
>
> If PF is NATing the connections then by definition it's inline. There's
> no other way to NAT for something where the packets don't go via the NAT
> device.
>
> If you mean the trapping function say by snort or suricata then that's
> done by having a span port on a switch close to your egress/NAT device
> (some vendors call it port mirror) and plugging into it another
> interface on your PF box and setting that as 'monitor' in the interface
> type.
>
> In this case it's best if the PF box sees the un-NATted connections so
> it can trace it back to actual registrations.
>
> Beyond that you'd need to describe what exactly you want to track - you
> may find you need other tools like netflow and friends.
>
> --
> patrick
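Why the monitor interface should see un-NATted traffic, and what a DMCA lookup actually needs, illustrated with an added example that is not part of the thread or of the PacketFence project. The script attributes a flow to a registration two ways: from an inside (pre-NAT) source address, which is a direct lookup, and from a public (post-NAT) address, which is only unambiguous when the complaint also carries the translated port and a timestamp and you have kept the NAT translation log. The registration table, the NAT log format and all addresses are constructed for illustration; they are not PacketFence's database schema and not conntrack's real output format.

```python
"""Attributing a connection to a registered node, before and after NAT.

Added example, not PacketFence code. REGISTRATIONS, NAT_LOG and the log
format are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed registration records: node IP -> (MAC, owner). In a real
# deployment this comes from the NAC's node/IP-assignment tables.
REGISTRATIONS = {
    "10.10.20.15": ("00:11:22:33:44:55", "ajones"),
    "10.10.20.16": ("66:77:88:99:aa:bb", "pokui"),
    "10.10.20.17": ("cc:dd:ee:ff:00:11", "guest042"),
}

# Constructed NAT translation log, one line per new connection:
#   <time> <proto> <inside src:port> -> <outside src:port> -> <dst:port>
# Note the last line: the NAT device reuses public port 40001 hours later
# for a different inside host, so port alone does not identify a node.
NAT_LOG = """\
2014-05-13T09:10:01Z tcp 10.10.20.15:51000 -> 203.0.113.5:40001 -> 198.51.100.9:6881
2014-05-13T09:10:03Z tcp 10.10.20.16:51002 -> 203.0.113.5:40002 -> 198.51.100.9:6881
2014-05-13T09:10:07Z tcp 10.10.20.17:51003 -> 203.0.113.5:40003 -> 192.0.2.44:443
2014-05-13T11:30:00Z tcp 10.10.20.17:51010 -> 203.0.113.5:40001 -> 198.51.100.9:6881
"""

INSIDE = ip_network("10.10.20.0/24")  # constructed registered-user VLAN


@dataclass(frozen=True)
class NatEntry:
    ts: datetime
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    dst_ip: str
    dst_port: int


def _parse_ts(s):
    """ISO-8601 with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _split_hostport(s):
    host, port = s.rsplit(":", 1)
    return host, int(port)


def parse_nat_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, inside, _, outside, _, dst = line.split()
        i_ip, i_port = _split_hostport(inside)
        o_ip, o_port = _split_hostport(outside)
        d_ip, d_port = _split_hostport(dst)
        entries.append(NatEntry(_parse_ts(ts), proto, i_ip, i_port,
                                o_ip, o_port, d_ip, d_port))
    return entries


def attribute_pre_nat(src_ip):
    """A monitor port upstream of the NAT sees the inside address directly,
    so the IDS alert maps straight to a registration."""
    if ip_address(src_ip) not in INSIDE:
        return None
    return REGISTRATIONS.get(src_ip)


def candidates_post_nat(public_ip, entries):
    """With only the public IP (what a DMCA notice often quotes), every
    inside host that has used that address is a candidate."""
    return sorted({e.inside_ip for e in entries if e.outside_ip == public_ip})


def attribute_post_nat(public_ip, public_port, when_iso, entries, window_s=60):
    """Resolve a post-NAT observation via the translation log. Requires the
    translated port and a timestamp; returns None if there is no unique match
    within the time window."""
    when = _parse_ts(when_iso)
    hits = [e for e in entries
            if e.outside_ip == public_ip and e.outside_port == public_port
            and abs((e.ts - when).total_seconds()) <= window_s]
    if len(hits) != 1:
        return None
    return REGISTRATIONS.get(hits[0].inside_ip)


if __name__ == "__main__":
    entries = parse_nat_log(NAT_LOG)
    print("pre-NAT 10.10.20.15  ->", attribute_pre_nat("10.10.20.15"))
    print("post-NAT 203.0.113.5 ->", candidates_post_nat("203.0.113.5", entries))
    print("post-NAT :40001 @09:10 ->",
          attribute_post_nat("203.0.113.5", 40001, "2014-05-13T09:10:00Z", entries))
    print("post-NAT :40001 @11:30 ->",
          attribute_post_nat("203.0.113.5", 40001, "2014-05-13T11:30:05Z", entries))
```

The pre-NAT path needs nothing but the registration table, which is why the span port belongs between the access layer and the NAT device. The post-NAT path only works if the NAT device logs every translation with timestamps and you keep those logs for as long as complaints can arrive, and even then a notice that quotes only the public IP cannot be attributed.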
