Sorry the image was in another format
2014-09-18 15:52 GMT-04:30 David Martinez <[email protected]>:
> Hi,
>
> I'm new to PacketFence. I'm trying to install PF version 4.4.0 on a new server
> with the inline enforcement configuration.
>
> The server has 2 physical interfaces, eth0 and eth1.
>
> On eth0 I have 2 sub-interfaces:
>
> eth0.90, by DHCP ---> direct to the internet ADSL modem.
>
> eth0.303, inline enforcement with the static IP 172.17.3.4, with DHCP and
> NAT configured.
>
> On eth1 I have 1 sub-interface:
>
> eth1.99, the management interface with the static IP 172.16.XX.1.
>
> I did the deployment and everything is fine.
>
> I let PF take control of the DNS service with pfdns, and so of the DHCP
> service associated with VLAN 303.
>
> The infrastructure is a WLC 5508 which is configured with a pre-shared key
> (WPA2-PSK). The devices connect to the network through the pre-shared key,
> and afterwards the WLC redirects them to the PF server when they use the
> browser.
>
> The DHCP is working fine.
>
> DNS works until the moment of registration on the captive portal. After
> that, the machine can't surf and can't resolve DNS any more either.
>
> My question is: is there any specific configuration for this kind of
> environment that you can recommend to me? I suspect the problem is with the
> iptables rules, but I'm not sure yet. Or maybe with the NAT config, which
> should be on the interface that goes directly to the internet.
>
> I have the same configuration on PF version 4.2.1 in a production
> environment, and it works fine.
>
> Does anyone have any standard configuration for this type of environment?
>
> Thanks in advance. I'm sending you the logs.
>
> packetfence.log
>
> Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to
> en_US.utf8. Is the locale generated on your system?
> (captiveportal::PacketFence::Controller::Root::setupLanguage)
> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected
> to default
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected
> to authentication page
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to
> en_US.utf8. Is the locale generated on your system?
> (captiveportal::PacketFence::Controller::Root::setupLanguage)
> Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for
> test in source local (SQL) (pf::authentication::authenticate)
> Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test
> (pf::person::person_modify)
> Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33]
> re-evaluating access (manage_register called)
> (pf::enforcement::reevaluate_access)
> Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables
> modification method. pf::ipset (pf::inline::get_technique)
> Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new iptables
> modification method. pf::ipset (pf::inline::get_technique)
> Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated
> changed, adapting firewall rules for proper enforcement
> (pf::inline::performInlineEnforcement)
>
> httpd.portal.access
>
>
> root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1"
> 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
> /captive-portal?destination_url=http://www.gstatic.com/generate_204&
> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1"
> 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
> /captive-portal?destination_url=http://www.gstatic.com/generate_204&
> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate HTTP/1.1"
> 200 3232 "
> http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&"
> "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET
> /content/images/unlock.png HTTP/1.1" 200 1942 "
> http://portal.sudeban.gob.ve/authenticate" "Mozilla/5.0 (Windows NT 5.1)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js
> HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate"
> "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/37.0.2062.120 Safari/537.36"
>
>
> httpd.portal.error
>
> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
> `127.0.0.1' does NOT match server name!?
>
> pfdns.log
>
> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: Address
> already in use (La dirección ya se está usando) at
> /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> line 558.
> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
> (Carp::cluck)
> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: Address
> already in use (La dirección ya se está usando) at
> /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> line 558.
> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
> (Carp::cluck)
> Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object
> (main::)
> Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object
> (main::)
>
>
> root@packetfence:/usr/local/pf/logs# tail -f pfdhcplistener.log
> Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added:
> 00:18:de:bd:3d:33 (main::listen_dhcp)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
> (main::parse_dhcp_offer)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from
> 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
> Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables
> mangle table: (pf::ipset::get_mangle_mark_for_mac)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested an
> IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)).
> Modified node with last_dhcp = 2014-09-16 10:58:01,computername =
> sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
> (main::listen_dhcp)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400
> seconds (main::parse_dhcp_ack)
> Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
> (main::parse_dhcp_ack)
> Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
> (main::parse_dhcp_ack)
>
>
> pfmon.log
>
> root@packetfence:/usr/local/pf/logs# tail -f pfmon.log
> Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for
> expiration (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration
> (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for potential
> bandwidth abuse (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for
> accounting cleanup (pf::accounting::acct_maintenance)
> Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for
> expiration (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration
> (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for potential
> bandwidth abuse (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for
> accounting cleanup (pf::accounting::acct_maintenance)
> Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for
> expiration (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration
> (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for potential
> bandwidth abuse (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for
> accounting cleanup (pf::accounting::acct_maintenance)
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
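One check a practitioner would want for the pfdns.log excerpt in the quoted message, as an added example that is not code from the original thread or from the PacketFence project: a small shell helper that reads a pfdns.log, reports whether pfdns died because port 53 was already bound, and lists what owns port 53 on the server. The /usr/local/pf/logs location and the log line format are taken from the thread; the sample logs the script writes are constructed for a dry run, and the "INFO: ready" line in the clean sample is made up.

```shell
#!/bin/sh
# Added example (not PacketFence's own tooling): triage the pfdns.log shown
# in the thread. Log lines are modelled on /usr/local/pf/logs/pfdns.log as
# the poster quoted it; the sample logs written below are constructed.

# pfdns_bind_failures FILE
# Count pfdns socket-creation failures caused by EADDRINUSE. The libc error
# text follows the server locale, so both the English string and the Spanish
# one from the poster's log are matched.
pfdns_bind_failures() {
    grep -c -E "Couldn't create (TCP|UDP) socket: (Address already in use|La direcci.*n ya se est.* usando)" "$1" || true
}

# pfdns_state FILE
# One word on stdout:
#   bind-conflict  pfdns died because another process already owns port 53
#   fatal          pfdns died for some other reason
#   ok             no FATAL line in the log
pfdns_state() {
    if grep -q "FATAL: couldn't create nameserver object" "$1"; then
        if [ "$(pfdns_bind_failures "$1")" -gt 0 ]; then
            echo bind-conflict
        else
            echo fatal
        fi
    else
        echo ok
    fi
}

# port53_listeners
# Run as root on the PacketFence server itself: lists the sockets bound to
# port 53 (ss on newer systems, netstat on older ones) so you can see which
# daemon took the port before pfdns started. Not exercised by the dry run.
port53_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -lnup 2>/dev/null | grep ':53 '
    else
        netstat -lnup 2>/dev/null | grep ':53 '
    fi
}

# Constructed sample modelled on the poster's pfdns.log (localized strerror).
BROKEN_LOG=$(mktemp)
cat > "$BROKEN_LOG" <<'EOF'
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> line 558.
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> line 558.
Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object (main::)
EOF

# Constructed sample of a log with no fatal error (this line is made up).
CLEAN_LOG=$(mktemp)
printf 'Sep 16 10:43:27 pfdns(27411) INFO: ready (main::)\n' > "$CLEAN_LOG"

trap 'rm -f "$BROKEN_LOG" "$CLEAN_LOG"' EXIT

echo "broken log: $(pfdns_state "$BROKEN_LOG")"   # bind-conflict
echo "clean log:  $(pfdns_state "$CLEAN_LOG")"    # ok
```

If pfdns_state reports bind-conflict, run port53_listeners as root on the PacketFence box: whatever it shows bound to :53 other than pfdns must be stopped or moved to another address before pfdns can answer queries on the inline VLAN, because the quoted log shows pfdns exiting with FATAL immediately after both the TCP and UDP bind attempts fail.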