David,

Here are two things I can see in your configuration files that can cause 
problems.

1. The DNS being assigned to inline clients is the PacketFence IP address in 
that same subnet. We usually recommend using a production DNS server that the 
user will be able to reach once registered. Otherwise, make sure the DNS 
servers are correctly configured on the PacketFence OS itself (/etc/resolv.conf).

2. By default, in an inline setup, PacketFence tries to NAT inline clients on 
the management interface which, in your case, is not the one that gives access 
to the Internet… have a look at the following configuration parameter: 
https://github.com/inverse-inc/packetfence/blob/stable/conf/documentation.conf#L825

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
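
Two quick checks for the points above, to run on the PacketFence host (an added example, not code from this thread or from PacketFence itself; the interface names and 172.17.3.4 come from David's description, the 192.0.2.x addresses are constructed placeholders):

```shell
#!/bin/sh
# Added example (not PacketFence's own code): checks for the two points above.
# (1) resolvers the PacketFence OS itself uses, read from /etc/resolv.conf;
# (2) whether the inline NAT rule exits on the interface holding the default
# route. Sample data is constructed to mirror the thread's topology: eth0.90
# reaches the Internet, eth1.99 is management, 172.17.3.4 is the inline address.

# Interface carrying the default route, from `ip route show default` output.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Output interfaces (-o) of MASQUERADE/SNAT rules, from `iptables -t nat -S POSTROUTING`.
snat_ifaces() {
    printf '%s\n' "$1" | awk '/-j (MASQUERADE|SNAT)/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }'
}

# Returns 0 when some NAT rule exits on the default-route interface, 1 otherwise.
check_nat_egress() {
    gw_if=$(default_route_iface "$1")
    [ -n "$gw_if" ] || { echo "no default route found" >&2; return 1; }
    for i in $(snat_ifaces "$2"); do
        [ "$i" = "$gw_if" ] && { echo "OK: NAT exits on $i, same as the default route"; return 0; }
    done
    echo "MISMATCH: default route via $gw_if, NAT rules on: $(snat_ifaces "$2" | tr '\n' ' ')" >&2
    return 1
}

# Returns 1 when resolv.conf content ($1) lists no nameserver other than the host's own inline address ($2).
check_resolv() {
    ns=$(printf '%s\n' "$1" | awk -v self="$2" '$1 == "nameserver" && $2 != self { print $2 }')
    [ -n "$ns" ] || { echo "resolv.conf has no resolver other than $2" >&2; return 1; }
    echo "OK: resolvers: $(printf '%s\n' "$ns" | tr '\n' ' ')"
}

# Constructed samples (192.0.2.x are documentation-range placeholders).
SAMPLE_ROUTE='default via 192.0.2.1 dev eth0.90
172.17.3.0/24 dev eth0.303 proto kernel scope link src 172.17.3.4'
SAMPLE_NAT_BAD='-A POSTROUTING -s 172.17.3.0/24 -o eth1.99 -j MASQUERADE'
SAMPLE_NAT_GOOD='-A POSTROUTING -s 172.17.3.0/24 -o eth0.90 -j MASQUERADE'
SAMPLE_RESOLV_BAD='nameserver 172.17.3.4'
SAMPLE_RESOLV_GOOD='nameserver 172.17.3.4
nameserver 192.0.2.53'

# On the PacketFence host itself, feed live output instead of the samples:
#   check_nat_egress "$(ip route show default)" "$(iptables -t nat -S POSTROUTING)"
#   check_resolv "$(cat /etc/resolv.conf)" 172.17.3.4
```

A MISMATCH here reproduces the symptom in the thread: clients register, but their NATed traffic leaves on a VLAN with no route to the Internet.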

On Sep 19, 2014, at 9:28, David Martinez <[email protected]> wrote:

> Hi, thanks for your help.
> 
> Here are the pf.conf and the network.conf; here is my architecture too.
> Thanks in advance!
> 
> 
> 
> 
> 2014-09-19 8:09 GMT-04:30 Derek Wuelfrath <[email protected]>:
> David,
> 
> Can you send us the pf.conf and networks.conf files?
> 
> Thanks
> 
> Cheers!
> dw.
> 
> —
> Derek Wuelfrath
> [email protected] :: www.inverse.ca
> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
> (www.packetfence.org)
> 
> On Sep 18, 2014, at 16:25, David Martinez <[email protected]> wrote:
> 
>> Sorry, the image was in another format.
>> 
>> 2014-09-18 15:52 GMT-04:30 David Martinez <[email protected]>:
>> Hi, 
>> 
>> I'm new to PacketFence. I'm trying to install PF ver 4.4.0 on a new server 
>> with the inline enforcement configuration.
>> 
>> The server has 2 physical interfaces, eth0 and eth1.
>> 
>> With eth0 I have 2 sub-interfaces:
>> 
>> eth0.90 by DHCP ---> direct to the Internet ADSL modem.
>> 
>> eth0.303 inline enforcement with the static IP 172.17.3.4, with DHCP and NAT 
>> configured.
>> 
>> With eth1 I have 1 sub-interface:
>> 
>> eth1.99 with the static IP 172.16.XX.1, the management interface.
>> 
>> I did the deployment and everything is fine.
>> 
>> I let PF take control of the DNS service with pfdns, and also the DHCP 
>> service associated with VLAN 303.
>> 
>> The infrastructure is with a WLC 5508 which is configured with a 
>> preshared key (WPA2 PSK). The devices attempt to connect to the network 
>> through the preshared key, and afterwards the WLC redirects to the PF 
>> server the moment the user opens the browser.
>> 
>> The DHCP is working fine. 
>> 
>> The DNS works until the moment of registration on the captive portal. After 
>> that, the machine can't surf and can't resolve DNS anymore either.
>> 
>> My question is: is there any specific configuration for this kind of 
>> environment that you can recommend me? I suspect the problem is with the 
>> iptables rules but I'm not sure yet. Or maybe with the NAT config, which 
>> should be over the interface that goes direct to the Internet.
>> 
>> I have the same configuration on PF version 4.2.1 in a production 
>> environment, and it works fine.
>> 
>> Does anyone have any standard configuration for this type of environment?
>> 
>> Thanks in advance, I send you logs.
>> 
>> 
>> 
>> 
>> packetfence.log
>> 
>> Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to 
>> en_US.utf8. Is the locale generated on your system? 
>> (captiveportal::PacketFence::Controller::Root::setupLanguage)
>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to 
>> default 
>> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected to 
>> authentication page 
>> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>> Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to 
>> en_US.utf8. Is the locale generated on your system? 
>> (captiveportal::PacketFence::Controller::Root::setupLanguage)
>> Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for test 
>> in source local (SQL) (pf::authentication::authenticate)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test 
>> (pf::person::person_modify)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33] re-evaluating 
>> access (manage_register called) (pf::enforcement::reevaluate_access)
>> Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables 
>> modification method. pf::ipset (pf::inline::get_technique)
>> Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new iptables 
>> modification method. pf::ipset (pf::inline::get_technique)
>> Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33] stated 
>> changed, adapting firewall rules for proper enforcement 
>> (pf::inline::performInlineEnforcement)
>> 
>> httpd.portal.access 
>> 
>> 
>> root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 
>> 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like 
>> Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET 
>> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
>> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204 HTTP/1.1" 
>> 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like 
>> Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET 
>> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
>> HTTP/1.1" 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
>> 172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate HTTP/1.1" 
>> 200 3232 
>> "http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&";
>>  "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
>> Chrome/37.0.2062.120 Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/images/unlock.png 
>> HTTP/1.1" 200 1942 "http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 
>> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 
>> Safari/537.36"
>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js 
>> HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 
>> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 
>> Safari/537.36"
>> 
>> 
>> httpd.portal.error
>> 
>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) 
>> `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN) 
>> `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) 
>> `127.0.0.1' does NOT match server name!?
>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN) 
>> `127.0.0.1' does NOT match server name!?
>> 
>> pfdns.log
>> 
>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La dirección 
>> ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 90, <DATA> 
>> line 558.
>>      Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 
>> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 
>> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>  (Carp::cluck)
>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La dirección 
>> ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line 109, <DATA> 
>> line 558.
>>      Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr', 
>> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)', 
>> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>  (Carp::cluck)
>> Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object
>>  (main::)
>> Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object
>>  (main::)
>> 
>> 
>> root@packetfence:/usr/local/pf/logs# tail -f  pfdhcplistener.log
>> Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added: 
>> 00:18:de:bd:3d:33 (main::listen_dhcp)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4 
>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
>> (main::parse_dhcp_offer)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from 
>> 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 
>> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve 
>> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>> Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables mangle 
>> table:  (pf::ipset::get_mangle_mark_for_mac)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested an 
>> IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)). 
>> Modified node with last_dhcp = 2014-09-16 10:58:01,computername = 
>> sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 
>> (main::listen_dhcp)
>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4 
>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400 
>> seconds (main::parse_dhcp_ack)
>> Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 
>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
>> (main::parse_dhcp_ack)
>> Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from 172.17.3.4 
>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) 
>> (main::parse_dhcp_ack)
>> 
>> 
>> pfmon.log
>> 
>> root@packetfence:/usr/local/pf/logs# tail -f   pfmon.log
>> Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for expiration 
>> (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration 
>> (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for potential 
>> bandwidth abuse (main::cleanup)
>> Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for 
>> accounting cleanup (pf::accounting::acct_maintenance)
>> Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for expiration 
>> (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration 
>> (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for potential 
>> bandwidth abuse (main::cleanup)
>> Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for 
>> accounting cleanup (pf::accounting::acct_maintenance)
>> Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for expiration 
>> (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration 
>> (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for potential 
>> bandwidth abuse (main::cleanup)
>> Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for 
>> accounting cleanup (pf::accounting::acct_maintenance)
>> 
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
> 
