David,

Can you send us the pf.conf and networks.conf files?

Thanks

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On Sep 18, 2014, at 16:25, David Martinez <[email protected]> wrote:

> Sorry, the image was in another format.
> 
> 2014-09-18 15:52 GMT-04:30 David Martinez <[email protected]>:
> Hi, 
> 
> I'm new to PacketFence. I'm trying to install PF ver 4.4.0 on a new server
> with the inline enforcement configuration.
>
> The server has 2 physical interfaces, eth0 and eth1.
>
> With eth0 I have 2 sub interfaces:
>
> eth0.90 by DHCP ---> direct to Internet ADSL modem.
>
> eth0.303 inline enforcement with the static IP 172.17.3.4 with DHCP and NAT
> configured.
>
> With eth1 I have 1 sub interface:
>
> eth1.99 with the static 172.16.XX.1 management interface.
>
> I make the deployment and everything is fine.
>
> I let PF take control of the DNS service with pfdns. So the DHCP
> service associated with VLAN 303.
>
> The infrastructure is with a WLC 5508, which is configured with a preshared
> key with WPA2 PSK, with which the devices attempt to connect to the network
> through a preshared key, and afterwards the WLC redirects to the PF server at
> the moment the user uses the browser.
> 
> The DHCP is working fine. 
> 
> The DNS works until the moment of registration on the captive portal. After
> that, the machine can't surf and can't resolve DNS any more either.
>
> My question is: is there any specific configuration for this kind of
> environment that you can recommend? I suspect the problem is with the
> iptables rules but I'm not sure yet. Or maybe with the NAT config that should
> be on the interface that goes direct to the Internet.
>
> I have the same configuration on PF version 4.2.1 in a production environment,
> and it works fine.
>
> Does anyone have a standard configuration for this type of environment?
>
> Thanks in advance. I am sending you the logs.
> 
> 
> 
> 
> packetfence.log
> 
> Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to 
> en_US.utf8. Is the locale generated on your system? 
> (captiveportal::PacketFence::Controller::Root::setupLanguage)
> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to 
> default 
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to 
> authentication page 
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to 
> en_US.utf8. Is the locale generated on your system? 
> (captiveportal::PacketFence::Controller::Root::setupLanguage)
> Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for test 
> in source local (SQL) (pf::authentication::authenticate)
> Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test 
> (pf::person::person_modify)
> Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33] re-evaluating 
> access (manage_register called) (pf::enforcement::reevaluate_access)
> Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables 
> modification method. pf::ipset (pf::inline::get_technique)
> Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new iptables 
> modification method. pf::ipset (pf::inline::get_technique)
> Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated 
> changed, adapting firewall rules for proper enforcement 
> (pf::inline::performInlineEnforcement)
> 
> httpd.portal.access 
> 
> 
> root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 302 
> 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET 
> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 302 
> 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET 
> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
> 172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate HTTP/1.1" 
> 200 3232 
> "http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&";
>  "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/37.0.2062.120 Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/images/unlock.png 
> HTTP/1.1" 200 1942 "http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 
> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 
> Safari/537.36"
> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js 
> HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 
> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 
> Safari/537.36"
> 
> 
>  httpd.portal.error
> 
> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) 
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) 
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) 
> `127.0.0.1' does NOT match server name!?
> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) 
> `127.0.0.1' does NOT match server name!?
> 
>  pfdns.log
> 
> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección 
> ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> 
> line 558.
>       Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 
> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 
> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>  (Carp::cluck)
> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección 
> ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> 
> line 558.
>       Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 
> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 
> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>  (Carp::cluck)
> Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object
>  (main::)
> Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object
>  (main::)
> 
> 
> root@packetfence:/usr/local/pf/logs# tail -f  pfdhcplistener.log
> Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added: 
> 00:18:de:bd:3d:33 (main::listen_dhcp)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4 
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
> (main::parse_dhcp_offer)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from 
> 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 
> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 
> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
> Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle 
> table:  (pf::ipset::get_mangle_mark_for_mac)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested an 
> IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)). 
> Modified node with last_dhcp = 2014-09-16 10:58:01,computername = 
> sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 
> (main::listen_dhcp)
> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4 
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400 seconds 
> (main::parse_dhcp_ack)
> Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
> (main::parse_dhcp_ack)
> Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 
> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
> (main::parse_dhcp_ack)
> 
> 
> pfmon.log
> 
> root@packetfence:/usr/local/pf/logs# tail -f   pfmon.log
> Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for expiration 
> (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration 
> (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for potential 
> bandwidth abuse (main::cleanup)
> Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for accounting 
> cleanup (pf::accounting::acct_maintenance)
> Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for expiration 
> (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration 
> (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for potential 
> bandwidth abuse (main::cleanup)
> Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for accounting 
> cleanup (pf::accounting::acct_maintenance)
> Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for expiration 
> (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration 
> (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for potential 
> bandwidth abuse (main::cleanup)
> Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for accounting 
> cleanup (pf::accounting::acct_maintenance)
> 
> <PACKETFENCE2.jpg>
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
