Hi Fabrice and Derek,
To answer Derek's question: yes, I activated packet forwarding in the kernel:
[Fri May 16 - 18:14:37 on pf-zen] root ~ cat /proc/sys/net/ipv4/ip_forward
1
I'm sure it is simple, but I have issues finding some settings:
* In fact it's simple: define your production server in the DHCP scope of the inline network (networks.conf).
o But I want PF to be the production server for DNS.
Maybe I'll switch to the idea of using another piece of equipment, but for now, that is why I'd like to use (to install in different types of environments).
If I put this in networks.conf, it does not forward DNS:
[1.1.1.0]
dns=1.1.1.1
dhcp_start=1.1.1.10
gateway=1.1.1.1
domain-name=inline.mydomain.com
named=enabled
dhcp_max_lease_time=86400
dhcpd=enabled
type=inline
netmask=255.255.255.0
dhcp_end=1.1.1.246
dhcp_default_lease_time=86400
Also, I see in the 'inline' menu that "Redirecting 53/udp (DNS) seems to have issues and is also not recommended."
Is there some basic configuration I'm doing that I should not?
* When you are unreg then the DNS traffic is forwarded to 1.1.1.1 and you hit the captive portal.
o When I'm unregistered, I go on the registration VLAN (2470). Captive portal works.
When I'm registered through the portal, depending on which user I use to log in, I'm then put on either the prod LAN (no VLAN) or the guest VLAN (2471).
Well, the 2 previous lines used to work. Apparently, I broke something as it does not work anymore...
When I pass a node from "registered" back to "unregistered", it does not go back to the registration VLAN :(
But if I change its role, from guest to default or vice versa, the VLAN change still occurs. So the SNMP config is OK. Weird.
Maybe it has something to do with the inline type of the eth0.2471 VLAN for the guest interface? I need to investigate this more.
* and have to register, and when you are reg then packetfence allows you to pass through iptables (ipset -L) and the DNS traffic hits the production DNS server.
o Except for the problem above, when I have a registered user with the guest role, I do have the right to go through iptables. But the DNS from the guest client is 1.1.1.1, and this should be NATed to our 'no VLAN' DNS server. And here I have had no success making it work yet.
* For transparent proxy you can play with iptables.conf to add your own custom rules.
o I'd love to find some examples of the syntax to respect so as not to mess with PF's internal rule rewriting. I could not find examples yet.
Should I just add a 'regular' iptables line in conf/iptables.conf?
E.g., to allow guests to NAT only HTTP(S) requests to our main gateway:
iptables -A NAT -p tcp -m tcp -d 192.168.1.2 -i eth0.2471 -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A NAT -j DROP
Alex
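The DNS rewrite Alex is after (guest clients on eth0.2471 sending DNS to the inline address 1.1.1.1, redirected to the production server) written out as iptables rules, added here as an example that is not from this thread or from PacketFence itself. The production DNS address (PROD_DNS) and the function names are placeholders/assumptions; the inline menu's warning about redirecting 53/udp quoted above still applies.

```shell
#!/bin/sh
# Added example, not PacketFence code. Values from the thread: guest VLAN
# interface eth0.2471 and inline DNS address 1.1.1.1. PROD_DNS is a
# placeholder (TEST-NET-2); the real production DNS is not in the thread.
PROD_DNS="${PROD_DNS:-192.0.2.53}"
GUEST_IF="${GUEST_IF:-eth0.2471}"
INLINE_DNS="${INLINE_DNS:-1.1.1.1}"

# Emit the rules instead of applying them, so they can be reviewed before
# being pasted into conf/iptables.conf or run as root with: guest_dns_rules | sh
guest_dns_rules() {
    for proto in udp tcp; do
        # nat/PREROUTING: DNS from the guest VLAN addressed to the inline DNS
        # address is rewritten to the production DNS server (DNAT)
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport 53 -j DNAT --to-destination %s\n' \
            "$GUEST_IF" "$proto" "$INLINE_DNS" "$PROD_DNS"
        # filter/FORWARD sees the rewritten destination: allow only port 53
        # from the guest interface towards the production server
        printf 'iptables -A FORWARD -i %s -p %s -d %s --dport 53 -j ACCEPT\n' \
            "$GUEST_IF" "$proto" "$PROD_DNS"
    done
}

# Sanity check helper: number of emitted DNAT rules pointing at a given server
count_rules_to() {
    guest_dns_rules | grep -c -- "--to-destination $1"
}
```

Both UDP and TCP 53 are rewritten because resolvers fall back to TCP for large answers; without the matching FORWARD rule the DNATed packets are still dropped by the filter table.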
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users