New PacketFence user here. I am trying to configure PacketFence for
hybrid mode. I am trying to configure the inline side first. I have
successfully been able to get a client to get a dhcp address, redirect
to the registration page, login via LDAP, but then get stuck at: Unable
to detect network connectivity. Restarting the client or PacketFence
services does not help.
I think I have a networking issue on PacketFence. I have eth0 - where
all of my management, inline, and other vlans are defined. Eth1 is also
installed, and this is intended to be the outgoing/WAN interface for
Inline configuration. I never see a reference in the PF configs for
this interface though. I assigned it an IP via the PF GUI, and it's
pingable (outside the Inline L2 network). So, that part at least
worked. I had tried putting all interfaces on eth0 and SNATing with the
management IP address, but that did not work either. Currently all
VLANs are defined on eth0, with eth1 configured/intended to be the
outside/WAN/SNAT interface for inline enforcement. I will post the pf
and network conf here to see if that helps. I am ready to provide any
more information if there are any ideas. thanks.
So the flow of traffic should look like: VLAN400 (10.99.0.2) on eth0
------> VLAN1 (10.1.99.253) on eth1
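[general]
# Site identity plus the DNS/DHCP servers that even trapped nodes may reach.
#
# general.domain
#
# Domain name of PacketFence system.
domain=some.edu
#
# general.dnsservers
#
# Comma-delimited list of DNS servers. Passthroughs are created to
# allow queries to these servers from even "trapped" nodes.
dnsservers=10.1.1.19
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to
# allow DHCP transactions from even "trapped" nodes.
dhcpservers=10.1.1.19,10.1.1.29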
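[network]
#
# network.interfaceSNAT
# Choose interface(s) where you want to enable snat for passthrough (by
# default it's the management interface)
# NOTE(review): the comment asks for interface name(s) but the value is
# an IP address (the eth1 address from the post). If PacketFence expects
# a name here, no SNAT rule is built for eth1 -- confirm the expected
# format and try interfaceSNAT=eth1.
interfaceSNAT=10.1.99.253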
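[trapping]
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence
# will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
# NOTE(review): 10.0.0.0/16 covers 10.0.x.x only. The client networks
# in this config are 10.99.0.0/19, 10.99.128.0/19 and 10.99.224.0/19 and
# the management network is 10.1.0.0/16 -- none fall inside this range.
# Confirm what this version uses trapping.range for before relying on it.
range=10.0.0.0/16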
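[registration]
#
# registration.device_registration
#
# Enable or Disable the ability to register a gaming device using the
# specific portal page designed to do it
device_registration=enabled
#
# registration.device_registration_role
#
# The role to assign to gaming devices. If none is specified, the role
# of the registrant is used.
device_registration_role=default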
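[guests_self_registration]
#
# guests_self_registration.guest_pid
#
# What field should we assign to the pid of the guest? Defaults to
# email.
guest_pid=phone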
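[alerting]
# Where PacketFence mails its notifications (rogue DHCP, violations, ...).
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers,
# violations with an action of "email", or any other
# PacketFence-related message goes to.
# NOTE(review): the list archive replaced this line with
# "[email protected]", which an INI parser reads as a new section
# header; the real address must be restored here.
emailaddr=<ALERT-ADDRESS-REDACTED-BY-ARCHIVE>
#
# alerting.smtpserver
#
# Server through which to send messages to the above emailaddr. The
# default is localhost - be sure you're running an SMTP
# host locally if you don't change it!
# NOTE(review): presumably also mangled by the archive's address filter
# (posted as a second "[email protected]" header); restore the real host.
smtpserver=<SMTP-HOST-REDACTED-BY-ARCHIVE>
#
# alerting.subjectprefix
#
# Subject prefix for email notifications of rogue DHCP servers,
# violations with an action of "email", or any other
# PacketFence-related message.
subjectprefix=PF ALERT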
[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
# NOTE(review): this file was posted to a public mailing list. If
# secret_pass is the real value rather than a redaction, rotate it, and
# keep the config file readable only by the account PacketFence runs as.
pass=secret_pass
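[inline]
#
# inline.interfaceSNAT
# Choose the interface(s) you want to use to enable snat (by default
# it's the management interface)
# NOTE(review): same value as network.interfaceSNAT above -- an IP
# address where the comment asks for interface name(s). If a name is
# expected, inline clients get no SNAT towards eth1, which matches the
# "Unable to detect network connectivity" symptom; try interfaceSNAT=eth1.
interfaceSNAT=10.1.99.253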
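[servicewatch]
#
# servicewatch.restart
#
# Should pfcmd service pf watch restart PF if services are not running?
# You must make sure to call the watch command. Installing it in the
# cron is the
# recommended approach:
# */5 * * * * /usr/local/pf/bin/pfcmd service pf watch
restart=enabled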
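[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the
# common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or
# quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence
# server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy
# solution.
#
# NOTE(review): this is the eth0 management address. An inline client on
# 10.99.0.0/19 reaches it only through the PacketFence gateway 10.99.0.2,
# so the "Unable to detect network connectivity" message is this GIF
# fetch failing after registration -- verify a registered inline client
# can reach 10.1.144.45 over HTTP.
network_detection_ip=10.1.144.45
#
# captive_portal.secure_redirect
#
# If secure_redirect is enabled, the captive portal uses HTTPS when
# redirecting
# captured clients. This is the default behavior.
# NOTE(review): disabled means the redirect to the portal travels as
# plain HTTP, so the captured request and redirect target are visible on
# the wire; re-enable once the portal certificate is in place.
secure_redirect=disabled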
[interface eth0]
# Management interface, 10.1.144.45/16; captive_portal.network_detection_ip
# above points at this same address.
ip=10.1.144.45
type=management
mask=255.255.0.0
# NOTE(review): no [interface eth1] section appears in the posted config,
# although the post says eth1 (10.1.99.253) was addressed via the GUI and
# is meant to be the inline SNAT/WAN side. Without a section here
# PacketFence has no declared role for eth1 -- confirm whether the SNAT
# interface needs one.
[interface eth0.400]
# Inline L2 enforcement; PacketFence is the gateway (10.99.0.2) for
# 10.99.0.0/19, matching the [10.99.0.0] network definition.
enforcement=inlinel2
ip=10.99.0.2
type=internal
mask=255.255.224.0
[interface eth0.401]
# VLAN enforcement; gateway for the 10.99.128.0/19 registration network.
enforcement=vlan
ip=10.99.128.1
type=internal
mask=255.255.224.0
[interface eth0.402]
# VLAN enforcement; gateway for the 10.99.224.0/19 isolation network.
enforcement=vlan
ip=10.99.224.1
type=internal
mask=255.255.224.0
networks.conf:
[10.99.0.0]
# Inline L2 network behind eth0.400. PacketFence (10.99.0.2) is the
# gateway and serves DHCP (dhcpd=enabled) and DNS (named=enabled) here.
# NOTE(review): dns= hands clients the upstream resolver 10.1.1.19 rather
# than the gateway, unlike the two VLAN networks below which point at
# PacketFence itself. The captive_portal comment says DNS is blackholed
# during registration/quarantine -- presumably by PacketFence's named --
# so confirm 10.1.1.19 is intended for inline clients.
dns=10.1.1.19
dhcp_start=10.99.0.10
gateway=10.99.0.2
domain-name=inlinel2.some.edu
named=enabled
# lease times presumably in seconds (86400 = one day) -- confirm
dhcp_max_lease_time=86400
dhcpd=enabled
fake_mac_enabled=disabled
dhcp_end=10.99.31.246
type=inlinel2
netmask=255.255.224.0
dhcp_default_lease_time=86400
[10.99.128.0]
# Registration VLAN behind eth0.401. named is enabled but dhcpd is
# disabled, so DHCP for this VLAN must come from elsewhere (presumably
# the general.dhcpservers passthrough targets) -- confirm.
dns=10.99.128.1
dhcp_start=10.99.128.10
gateway=10.99.128.1
domain-name=vlan-registration.some.edu
named=enabled
# short 30-second leases so clients re-address quickly after a VLAN change
dhcp_max_lease_time=30
dhcpd=disabled
fake_mac_enabled=disabled
dhcp_end=10.99.159.246
type=vlan-registration
netmask=255.255.224.0
dhcp_default_lease_time=30
[10.99.224.0]
# Isolation VLAN behind eth0.402; same DNS-on/DHCP-off layout as the
# registration VLAN above.
dns=10.99.224.1
dhcp_start=10.99.224.10
gateway=10.99.224.1
domain-name=vlan-isolation.some.edu
named=enabled
dhcp_max_lease_time=30
dhcpd=disabled
fake_mac_enabled=disabled
dhcp_end=10.99.255.246
type=vlan-isolation
netmask=255.255.224.0
dhcp_default_lease_time=30