Hi,

I'm new to PacketFence. I'm trying to install PF version 4.4.0 on a new server
with the inline enforcement configuration.

The server has 2 physical interfaces, eth0 and eth1.

With eth0 I have 2 sub-interfaces:

eth0.90 by DHCP ---> direct to the internet ADSL modem.

eth0.303 inline enforcement with the static IP 172.17.3.4, with DHCP and NAT
configured.

With eth1 I have 1 sub-interface:

eth1.99 with the static IP 172.16.XX.1, the management interface.

I did the deployment and everything is fine.

I let PF take control of the DNS service with pfdns, as well as the DHCP
service associated with VLAN 303.

The infrastructure is a WLC 5508, which is configured with a pre-shared key
(WPA2 PSK). The devices attempting to connect to the network go through the
pre-shared key, and afterwards the WLC redirects them to the PF server the
moment they use the browser.

The DHCP is working fine.

The DNS works until the moment of registration on the captive portal. After
that, the machine can't surf and can't resolve DNS any more either.

My question is: is there any specific configuration for this kind of environment
that you can recommend to me? I suspect the problem is with the iptables rules,
but I'm not sure yet. Or maybe with the NAT config, which should be over the
interface that goes directly to the internet.

I have the same configuration on PF version 4.2.1 in a production environment,
and it works fine.

Does anyone have any standard configuration for this type of environment?

Thanks in advance. I'm sending you the logs.

packetfence.log

Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to
en_US.utf8. Is the locale generated on your system?
(captiveportal::PacketFence::Controller::Root::setupLanguage)
Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to
default
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to
authentication page
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to
en_US.utf8. Is the locale generated on your system?
(captiveportal::PacketFence::Controller::Root::setupLanguage)
Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for
test in source local (SQL) (pf::authentication::authenticate)
Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test
(pf::person::person_modify)
Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new iptables
modification method. pf::ipset (pf::inline::get_technique)
Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated
changed, adapting firewall rules for proper enforcement
(pf::inline::performInlineEnforcement)

httpd.portal.access


root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1"
302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
/captive-portal?destination_url=http://www.gstatic.com/generate_204&;
HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1"
302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
/captive-portal?destination_url=http://www.gstatic.com/generate_204&;
HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate HTTP/1.1"
200 3232 "
http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&";
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET
/content/images/unlock.png HTTP/1.1" 200 1942 "
http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 (Windows NT 5.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js
HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0
(Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/37.0.2062.120 Safari/537.36"


httpd.portal.error

[Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
`127.0.0.1' does NOT match server name!?
[Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
`127.0.0.1' does NOT match server name!?
[Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
`127.0.0.1' does NOT match server name!?
[Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
`127.0.0.1' does NOT match server name!?

pfdns.log

Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La
dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line
90, <DATA> line 558.
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
 (Carp::cluck)
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La
dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line
109, <DATA> line 558.
Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
 (Carp::cluck)
Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object
 (main::)
Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object
 (main::)


root@packetfence:/usr/local/pf/logs# tail -f  pfdhcplistener.log
Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added:
00:18:de:bd:3d:33 (main::listen_dhcp)
Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4
(00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
(main::parse_dhcp_offer)
Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from
00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle
table:  (pf::ipset::get_mangle_mark_for_mac)
Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested an
IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)).
Modified node with last_dhcp = 2014-09-16 10:58:01,computername =
sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4
(00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400
seconds (main::parse_dhcp_ack)
Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4
(00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
(main::parse_dhcp_ack)
Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4
(00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
(main::parse_dhcp_ack)


pfmon.log

root@packetfence:/usr/local/pf/logs# tail -f   pfmon.log
Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for expiration
(main::cleanup)
Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration
(main::cleanup)
Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for potential
bandwidth abuse (main::cleanup)
Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for
accounting cleanup (pf::accounting::acct_maintenance)
Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for expiration
(main::cleanup)
Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration
(main::cleanup)
Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for potential
bandwidth abuse (main::cleanup)
Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for
accounting cleanup (pf::accounting::acct_maintenance)
Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for expiration
(main::cleanup)
Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration
(main::cleanup)
Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for potential
bandwidth abuse (main::cleanup)
Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for
accounting cleanup (pf::accounting::acct_maintenance)


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
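A small log-triage script for the failure signatures visible in the logs above (pfdns unable to bind port 53, pfdhcplistener unable to list the mangle table). This is an added example, not code from the post or from PacketFence; the sample lines are constructed from the quoted excerpts and the follow-up check commands are our suggestions.

```python
import re

# Constructed sample, modelled on the pfdns, pfdhcplistener and httpd.webservices
# lines quoted in the post above (same timestamps, PIDs and MAC address).
SAMPLE_LOG = """\
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> line 558.
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> line 558.
Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object (main::)
Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle table:  (pf::ipset::get_mangle_mark_for_mac)
Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated changed, adapting firewall rules for proper enforcement (pf::inline::performInlineEnforcement)
"""

# PacketFence daemon log line: "<Mon> <day> <hh:mm:ss> <daemon>(<pid>) <LEVEL>: <message> (<caller>)"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<daemon>[\w.]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): (?P<msg>.*)$")

# Failure signatures taken verbatim from the post, each with the next check a
# defender would run. The hints are our suggestions, not PacketFence's own text.
SIGNATURES = (
    ("port53_in_use", re.compile(r"Couldn't create (TCP|UDP) socket"),
     "another process owns port 53; run `ss -lntup 'sport = :53'` and stop or rebind it before restarting pfdns"),
    ("mangle_table_unreadable", re.compile(r"Unable to list iptables mangle table"),
     "the listener cannot read the mangle table; run `iptables -t mangle -L -n` as root to confirm it is readable and the marks are present"),
)

def triage(log_text):
    """Return (timestamp, daemon, signature, hint) for every ERROR/FATAL line that matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] not in ("ERROR", "FATAL"):
            continue
        for name, pattern, hint in SIGNATURES:
            if pattern.search(m["msg"]):
                findings.append((m["ts"], m["daemon"], name, hint))
                break
    return findings

def summarize(findings):
    """Collapse repeated findings into a {(daemon, signature): count} table for a quick read."""
    counts = {}
    for _ts, daemon, name, _hint in findings:
        counts[(daemon, name)] = counts.get((daemon, name), 0) + 1
    return counts

if __name__ == "__main__":
    for (daemon, name), n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        hint = next(h for s, _p, h in SIGNATURES if s == name)
        print(f"{daemon}: {name} x{n} -> {hint}")
```

Point it at the real files (for example `triage(open("/usr/local/pf/logs/pfdns.log").read())`) to get the same table over a full log instead of the sample.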
