Hi, thanks for your help.

Here is the pf.conf and the network.conf, and here is my architecture too.
Thanks in advance!

2014-09-19 8:09 GMT-04:30 Derek Wuelfrath <[email protected]>:

> David,
>
> Can you send us the pf.conf and networks.conf files.
>
> Thanks
>
> Cheers!
> dw.
>
> —
> Derek Wuelfrath
> [email protected] :: www.inverse.ca
> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Sep 18, 2014, at 16:25, David Martinez <[email protected]> wrote:
>
> Sorry the image was in another format
>
> 2014-09-18 15:52 GMT-04:30 David Martinez <[email protected]>:
>
>> Hi,
>>
>> I'm new to PacketFence; I'm trying to install PF version 4.4.0 on a new
>> server with the inline enforcement configuration.
>>
>> The server has 2 physical interfaces, eth0 and eth1.
>>
>> With eth0 I have 2 sub-interfaces:
>>
>> eth0.90 by DHCP ---> direct to the internet ADSL modem.
>>
>> eth0.303 inline enforcement with the static IP 172.17.3.4, with DHCP and
>> NAT configured.
>>
>> With eth1 I have 1 sub-interface:
>>
>> eth1.99 with the static 172.16.XX.1 management interface.
>>
>> I made the deployment and everything is fine.
>>
>> I let PF take control of the DNS service with pfdns, and of the DHCP
>> service associated with VLAN 303.
>>
>> The infrastructure is with a WLC 5508 which is configured with a
>> pre-shared key (WPA2 PSK). The devices attempt to connect to the network
>> through the pre-shared key, and afterwards the WLC redirects to the PF
>> server when the user opens the browser.
>>
>> The DHCP is working fine.
>>
>> The DNS works until the moment of registration on the captive portal.
>> After that, the machine can't surf and can't resolve DNS anymore either.
>>
>> My question is: is there any specific configuration for this kind of
>> environment that you can recommend? I suspect the problem is with the
>> iptables rules, but I'm not sure yet. Or maybe with the NAT config, which
>> should be on the interface that goes directly to the internet.
>>
>> I have the same configuration on PF version 4.2.1 in a production
>> environment, and it works fine.
>>
>> Does anyone have any standard configuration for this type of environment?
>>
>> Thanks in advance. I send you the logs.
>>
>> packetfence.log
>>
>> Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to en_US.utf8. Is the locale generated on your system? (captiveportal::PacketFence::Controller::Root::setupLanguage)
>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>> Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to en_US.utf8. Is the locale generated on your system? (captiveportal::PacketFence::Controller::Root::setupLanguage)
>> Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for test in source local (SQL) (pf::authentication::authenticate)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test (pf::person::person_modify)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
>> Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
>> Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated changed, adapting firewall rules for proper enforcement (pf::inline::performInlineEnforcement)
>>
>> httpd.portal.access
>>
>> root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /captive-portal?destination_url=http://www.gstatic.com/generate_204& HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /captive-portal?destination_url=http://www.gstatic.com/generate_204& HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate HTTP/1.1" 200 3232 "http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/images/unlock.png HTTP/1.1" 200 1942 "http://portal.sudeban.gob.ve/authenticate" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>>
>> httpd.portal.error
>>
>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) `127.0.0.1' does NOT match server name!?
>>
>> pfdns.log
>>
>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> line 558.
>> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>  (Carp::cluck)
>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> line 558.
>> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>  (Carp::cluck)
>> Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object (main::)
>> Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object (main::)
>>
>> root@packetfence:/usr/local/pf/logs# tail -f pfdhcplistener.log
>> Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added: 00:18:de:bd:3d:33 (main::listen_dhcp)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_offer)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>> Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle table:  (pf::ipset::get_mangle_mark_for_mac)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)). Modified node with last_dhcp = 2014-09-16 10:58:01,computername = sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400 seconds (main::parse_dhcp_ack)
>> Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_ack)
>> Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_ack)
>>
>> pfmon.log
>>
>> root@packetfence:/usr/local/pf/logs# tail -f pfmon.log
>> Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for expiration (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for potential bandwidth abuse (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for accounting cleanup (pf::accounting::acct_maintenance)
>> Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for expiration (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for potential bandwidth abuse (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for accounting cleanup (pf::accounting::acct_maintenance)
>> Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for expiration (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for potential bandwidth abuse (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for accounting cleanup (pf::accounting::acct_maintenance)
>>
>
> <PACKETFENCE2.jpg>
> ------------------------------------------------------------------------------
> Slashdot TV.  Video for Nerds.  Stuff that Matters.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

Attachment: pf.conf
Description: Binary data

Attachment: networks.conf
Description: Binary data
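Because the question in this thread comes down to reading the daemon logs quoted above, here is an added triage script. It is not part of the thread and not PacketFence code; it parses the `Mon DD HH:MM:SS daemon(pid) LEVEL: message (function)` line format the excerpts use and flags the conditions a responder would escalate first: pfdns failing to bind port 53, and pfdhcplistener failing to read the iptables mangle table. The sample lines are constructed from the excerpts in this message (the Perl stack-trace continuation lines are left out), and the signature list with its explanatory text is my own assumption, not PacketFence documentation. Note that the bind-failure pattern keys on the Net::DNS prefix "Couldn't create TCP/UDP socket" rather than on the operating system's error string, which here is localized ("La dirección ya se está usando" is the Spanish strerror for "Address already in use").

```python
import re
from collections import Counter

# Constructed sample, assembled from the pfdns.log, pfdhcplistener.log and
# packetfence.log excerpts quoted in this thread (stack-trace lines omitted).
SAMPLE_LOGS = """\
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> line 558. (Carp::cluck)
Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> line 558. (Carp::cluck)
Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object (main::)
Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle table:  (pf::ipset::get_mangle_mark_for_mac)
Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for test in source local (SQL) (pf::authentication::authenticate)
Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated changed, adapting firewall rules for proper enforcement (pf::inline::performInlineEnforcement)
"""

# One PacketFence log line: syslog-style timestamp, daemon(pid), LEVEL, message,
# and an optional trailing "(Perl::function)" marker. The message group is
# non-greedy so only the final parenthesised token is taken as the function.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): (?P<msg>.*?)"
    r"(?: \((?P<func>[\w:]+)\))?$"
)

# Assumed signature list (my own, not from PacketFence). Each pattern is matched
# against the message only, so locale-dependent OS error text does not matter.
SIGNATURES = [
    (r"Couldn't create (TCP|UDP) socket",
     "pfdns could not bind port 53; another resolver is already listening there"),
    (r"couldn't create nameserver object",
     "pfdns aborted start-up, so it is not serving DNS at all"),
    (r"Unable to list iptables mangle table",
     "iptables/ipset state is not readable; inline marks cannot be looked up"),
]


def parse_line(line):
    """Return a dict for one log line, or None if it is a continuation line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["msg"] = rec["msg"].strip()
    return rec


def parse_log(text):
    """Parse every well-formed line; continuation/stack-trace lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records):
    """Flag WARN/ERROR/FATAL records that match a known-critical signature."""
    findings = []
    for rec in records:
        if rec["level"] not in ("WARN", "ERROR", "FATAL"):
            continue
        for pattern, meaning in SIGNATURES:
            if re.search(pattern, rec["msg"]):
                findings.append({"ts": rec["ts"], "daemon": rec["daemon"],
                                 "level": rec["level"], "meaning": meaning})
                break
    return findings


def summarize(records):
    """Count records per (daemon, level) to see which daemon is unhealthy."""
    return Counter((r["daemon"], r["level"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOGS)
    for (daemon, level), n in sorted(summarize(recs).items()):
        print(f"{daemon:<20} {level:<6} {n}")
    for f in triage(recs):
        print(f"{f['ts']} {f['daemon']} {f['level']}: {f['meaning']}")
```

Run against the real files under /usr/local/pf/logs, the summary shows at a glance that pfdns never came up, which is a sharper starting point than scanning the full iptables rule set for the post-registration DNS failure described above.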
