> but I want PF to be the production server for DNS.
Currently, it is not really possible. Here's the actual workflow for inline 
clients:
- Users receive a production DNS server (a server past PacketFence, either on 
your upstream network or on the Internet) in the DHCP reply from the server.
- If the user is unregistered in PacketFence, iptables will DNAT DNS queries 
to the pfdns daemon, which blackholes DNS and replies with the PacketFence IP 
address on that network.
- If the user is registered in PacketFence, DNS queries go to the DNS server 
that the user received…

To do what you want to do, we'd need to adjust a couple of things:
- Make sure a valid DNS server is configured on the PacketFence server itself 
(/etc/resolv.conf)
- Make pfdns forward DNS queries to that server

Derek

--
Derek Wuelfrath
[email protected] :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
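To make the inline workflow above concrete, here is a simplified stand-in for what pfdns does, added as an illustration and not PacketFence's own code: unregistered clients get every A question answered with the portal address, registered clients (the set iptables consults) are forwarded to the production resolver. The portal address 1.1.1.1 and the TTL of 0 are assumptions; the DNS query is constructed inline.

```python
import struct

PORTAL_IP = "1.1.1.1"  # assumed PacketFence address on the inline network (constructed)

def build_query(txid, name, qtype=1):
    """Construct a minimal DNS query (sample input for this example)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off]:                       # the name ends with a zero-length label
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack("!H", pkt[off + 1:off + 3])[0]
    return txid, ".".join(labels), qtype, off + 5   # skip terminator, qtype, qclass

def blackhole_reply(query, portal_ip=PORTAL_IP, ttl=0):
    """Answer every A question with the portal address, as pfdns does for unregistered
    clients. A TTL of 0 (assumed) keeps clients from caching that answer once registered."""
    txid, _, qtype, qend = parse_question(query)
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR+RD+RA, NOERROR
    answer = b""
    if ancount:
        # 0xC00C = pointer to the question name at offset 12; type A, class IN, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in portal_ip.split("."))
    return header + query[12:qend] + answer

def answered_address(reply):
    """IPv4 address in the first A answer of a reply built above, or None if it has none."""
    _, _, _, qend = parse_question(reply)
    if struct.unpack("!H", reply[6:8])[0] == 0:
        return None
    return ".".join(str(b) for b in reply[qend + 12:qend + 16])

def handle(query, client_ip, registered, forward):
    """Mirror the inline dispatch: registered clients go to the production resolver
    through `forward`; everyone else gets the blackhole reply."""
    return forward(query) if client_ip in registered else blackhole_reply(query)
```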

On May 16, 2014, at 12:29 PM, Alex <[email protected]> wrote:

> Hi Fabrice, and Derek
> 
> To answer Derek's question, yes I activated forwarding packets in the kernel:
>     [Fri May 16 - 18:14:37 on pf-zen] root  ~ cat /proc/sys/net/ipv4/ip_forward
>     1
> 
> 
> I'm sure it is simple, but I have issues finding some settings:
> in fact it's simple, define your production server in the dhcp scope of the 
> inline network (networks.conf)
> but I want PF to be the production server for DNS.
> Maybe I'll switch to the idea of using other equipment, but for now, that 
> is why I'd like to use it (to install in different types of environments).
> 
> If I put this in networks.conf, it does not forward DNS
> [1.1.1.0]
> dns=1.1.1.1
> dhcp_start=1.1.1.10
> gateway=1.1.1.1
> domain-name=inline.mydomain.com
> named=enabled
> dhcp_max_lease_time=86400
> dhcpd=enabled
> type=inline
> netmask=255.255.255.0
> dhcp_end=1.1.1.246
> dhcp_default_lease_time=86400
> 
> Also, I see in the 'inline' menu, that "Redirecting 53/udp (DNS) seems to 
> have issues and is also not recommended."
> Is there some basic configuration I'm doing that I should not?
> 
> When you are unreg then the dns traffic is forwarded to 1.1.1.1 and you hit 
> the captive portal 
> When I'm unregistered, I go on the registration VLAN (2470) . Captive portal 
> works.
> When I'm registered through the portal, depending on which user I use to log 
> in, I'm then put on either prod LAN (no VLAN) or guest VLAN (2471).
> 
> Well, the 2 previous lines used to work. Apparently, I broke something as it 
> does not work anymore...
> When I pass a node from "registered" back to "unregistered", it does not go 
> back to registration VLAN :(
> But if I change its role, from/to guest to/from default, VLAN change still 
> occurs. So SNMP config is ok.  Weird.
> Maybe it has something to do with the inline type of eth0.2471 VLAN for guest 
> interface ??  I need to investigate this more.
> 
> and have to register, and when you are reg then packetfence allows you to pass 
> through iptables (ipset -L) and the dns traffic hits the production dns server.
> Except problem above, when I have a registered user with guest role, I do 
> have the right to go through iptables. But the DNS from the guest client is 
> 1.1.1.1, and this should be nated to our 'no vlan' DNS server. And here I had 
> no success making it work yet.
> For transparent proxy you can play with iptables.conf to add your own custom 
> rules.
> I'd love to find an example of the syntax to respect so as not to mess with 
> internal PF rule rewriting. Could not find examples yet.
> Should I just add a 'regular' iptables line in the conf/iptables.conf?
> EG: to allow guests to nat only http(s) requests to our main gateway: 
> iptables -A NAT -p tcp -d 192.168.1.2 -i eth0.2471 -m multiport --dports 80,443 -m 
> state --state NEW -j ACCEPT
> iptables -A NAT -j DROP
> 
> 
> 
> 
> Alex
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
