Hi Derek,

I made the respective changes that you recommended and there were still
problems on the forward process to the Internet from the captive portal. But
your recommendations were good because I didn't know that the DNS must be
the production one.
I was reading on the Internet and checking the iptables.conf and I saw that
there was no NAT from the Internet to my INLINE interface. So I added the line

-A POSTROUTING -s 172.1X.Y.0/24 -o eth0.QQ -j MASQUERADE

to the iptables.conf

In this case my source interface for NAT is the one that is associated to
the network 172.1X.Y.0/24, and my outside interface (the one that connects to
the Internet) is eth0.QQ.

And it works! But I want to know if this is a good practice, and if there is any
security issue in configuring iptables with MASQUERADE.

Is there a better way to make the configuration safer?

I know you told me in point number 2 to configure the SNAT parameter in
the pf.conf.


[inline.interfaceSNAT]

which in the pf.conf is written like this, for example:

interfaceSNAT=eth1,eth0


In my case, let's suppose that the interface associated to my inline network
172.1X.Y.0/24 is eth1.PP and the outside interface is eth0.QQ.
In the [inline.interfaceSNAT] parameter, how should I write the
configuration?

interfaceSNAT=eth1.PP,eth0.QQ?

Does this parameter have the same effect on the iptables.conf as the line

-A POSTROUTING -s 172.1X.Y.0/24 -o eth0.QQ -j MASQUERADE ?



Thanks in advance.


David Martinez
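One way to answer the "is MASQUERADE safe enough" question above is to audit the resulting ruleset rather than the config that generated it. The script below is an added example, not PacketFence's own code and independent of whatever interfaceSNAT emits: it reads `iptables-save` output and flags POSTROUTING NAT rules that are not scoped to the inline subnet and the Internet-facing interface (or that NAT out of the management interface), plus FORWARD accepts wider than "inline subnet to Internet interface". The sample ruleset is constructed, reusing the interface names and subnet from the original post.

```python
import shlex

# Constructed sample of `iptables-save` output; the interface names and the
# inline subnet 172.17.3.0/24 are taken from the original post in this thread.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 172.17.3.0/24 -o eth0.90 -j MASQUERADE
-A POSTROUTING -o eth1.99 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.17.3.0/24 -i eth0.303 -o eth0.90 -j ACCEPT
-A FORWARD -i eth0.303 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Map the '-opt value' pairs of one '-A CHAIN ...' line to a dict."""
    toks = shlex.split(line)
    pairs = zip(toks, toks[1:] + ["-"])  # sentinel so the last token pairs too
    return {k: v for k, v in pairs if k.startswith("-") and not v.startswith("-")}


def audit_inline_nat(rules_text, inline_net, outside_if, mgmt_if):
    """Flag NAT/FORWARD rules wider than 'inline subnet -> Internet interface'."""
    findings, table, fwd_drop = [], None, False
    for line in rules_text.splitlines():
        if line.startswith("*"):
            table = line[1:]  # table currently being dumped (nat, filter, ...)
        elif line.startswith(":FORWARD DROP"):
            fwd_drop = True   # default-deny forwarding, so ACCEPT rules must be explicit
        elif line.startswith("-A"):
            r = parse_rule(line)
            if table == "nat" and r["-A"] == "POSTROUTING" and r.get("-j") in ("MASQUERADE", "SNAT"):
                if r.get("-s") != inline_net:
                    findings.append(f"NAT not limited to {inline_net}: {line}")
                if r.get("-o") == mgmt_if:
                    findings.append(f"NAT leaves via management interface: {line}")
                elif r.get("-o") != outside_if:
                    findings.append(f"NAT not bound to {outside_if}: {line}")
            elif (table == "filter" and r["-A"] == "FORWARD" and r.get("-j") == "ACCEPT"
                  and "--ctstate" not in r and (r.get("-s"), r.get("-o")) != (inline_net, outside_if)):
                findings.append(f"FORWARD accept wider than inline->Internet: {line}")
    if not fwd_drop:
        findings.append("FORWARD default policy is not DROP")
    return findings
```

On a live box, feed it `iptables-save` output instead of SAMPLE_RULES; the scoped rule from the message above passes, while an unscoped `-j MASQUERADE` or a catch-all FORWARD accept is reported.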




2014-09-22 8:42 GMT-04:30 Derek Wuelfrath <[email protected]>:

> David,
>
> Here are two things that I can see that can cause problems in your
> configuration files.
>
> 1. The DNS being assigned to inline clients is the PacketFence IP address
> in that same subnet. We usually recommend using a production DNS server
> that the user will be able to reach once registered. Otherwise, make sure
> the DNS is correctly configured on the PacketFence OS itself
> (/etc/resolv.conf).
>
> 2. By default, in inline setup, PacketFence is trying to NAT inline
> clients on the management interface which, in your case, is not the one
> that gives access to the Internet… have a look at the following
> configuration parameter…
> https://github.com/inverse-inc/packetfence/blob/stable/conf/documentation.conf#L825
>
> Cheers!
> dw.
>
> —
> Derek Wuelfrath
> [email protected] :: www.inverse.ca
> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
> On Sep 19, 2014, at 9:28, David Martinez <[email protected]> wrote:
>
> Hi thanks for your help.
>
> Here is the pf.conf and the network.conf, here is my architecture too.
> Thanks in advance!
>
>
>
>
> 2014-09-19 8:09 GMT-04:30 Derek Wuelfrath <[email protected]>:
>
>> David,
>>
>> Can you send us the pf.conf and networks.conf files?
>>
>> Thanks
>>
>> Cheers!
>> dw.
>>
>> —
>> Derek Wuelfrath
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Sep 18, 2014, at 16:25, David Martinez <[email protected]> wrote:
>>
>> Sorry the image was in another format
>>
>> 2014-09-18 15:52 GMT-04:30 David Martinez <[email protected]>:
>>
>>> Hi,
>>>
>>> I'm new to PacketFence, I'm trying to install PF ver 4.4.0 on a new
>>> server with the inline enforcement configuration.
>>>
>>> The server has 2 physical interfaces, eth0 and eth1.
>>>
>>> With eth0 I have 2 sub-interfaces:
>>>
>>> eth0.90 by dhcp ---> direct to internet ADSL modem.
>>>
>>> eth0.303 inline enforcement with the static IP 172.17.3.4 with DHCP and
>>> NAT configured.
>>>
>>> With eth1 I have 1 sub-interface:
>>>
>>> eth1.99 with the static 172.16.XX.1, the management interface.
>>>
>>> I make the deployment and everything is fine.
>>>
>>> I let PF take control of the DNS service with pfdns. So the DHCP
>>> service is associated to VLAN 303.
>>>
>>> The infrastructure is with a WLC 5508 which is configured with a
>>> preshared key (WPA2 PSK), where the devices attempting to connect to
>>> the network go through the preshared key and after that the WLC redirects to the PF
>>> server the moment the user opens the browser.
>>>
>>> The DHCP is working fine.
>>>
>>> The DNS works until the moment of registration on the captive portal.
>>> After that, the machine can't surf and neither can it resolve DNS anymore.
>>>
>>> My question is: is there any specific configuration for this kind of environment
>>> that you can recommend? I suspect the problem is with the iptables
>>> rules but I'm not sure yet. Or maybe with the NAT config that should be over
>>> the interface that goes direct to the Internet.
>>>
>>> I have the same configuration on PF version 4.2.1 in a production
>>> environment, and it works fine.
>>>
>>> Does anyone have any standard configuration for this type of environment?
>>>
>>> Thanks in advance. I send you the logs.
>>>
>>>
>>>
>>>
>>> packetfence.log
>>>
>>> Sep 16 10:59:32 httpd.portal(27331) ERROR: Error while setting locale to
>>> en_US.utf8. Is the locale generated on your system?
>>> (captiveportal::PacketFence::Controller::Root::setupLanguage)
>>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected
>>> to default
>>> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>>> Sep 16 10:59:32 httpd.portal(27331) INFO: [00:18:de:bd:3d:33] redirected
>>> to authentication page
>>> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>>> Sep 16 10:59:41 httpd.portal(27537) ERROR: Error while setting locale to
>>> en_US.utf8. Is the locale generated on your system?
>>> (captiveportal::PacketFence::Controller::Root::setupLanguage)
>>> Sep 16 10:59:41 httpd.portal(27537) INFO: Authentication successful for
>>> test in source local (SQL) (pf::authentication::authenticate)
>>> Sep 16 10:59:42 httpd.portal(27537) INFO: person test modified to test
>>> (pf::person::person_modify)
>>> Sep 16 10:59:42 httpd.portal(27537) INFO: [00:18:de:bd:3d:33]
>>> re-evaluating access (manage_register called)
>>> (pf::enforcement::reevaluate_access)
>>> Sep 16 10:59:42 httpd.portal(27537) INFO: Instantiate a new iptables
>>> modification method. pf::ipset (pf::inline::get_technique)
>>> Sep 16 10:59:42 httpd.webservices(27344) INFO: Instantiate a new
>>> iptables modification method. pf::ipset (pf::inline::get_technique)
>>> Sep 16 10:59:42 httpd.webservices(27344) INFO: [00:18:de:bd:3d:33]
>>> stated changed, adapting firewall rules for proper enforcement
>>> (pf::inline::performInlineEnforcement)
>>>
>>> httpd.portal.access
>>>
>>>
>>> root@packetfence:/usr/local/pf/logs# tail -f httpd.portal.access
>>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204
>>> HTTP/1.1" 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
>>> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
>>> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
>>> HTTP/1.1"
>>> 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
>>> Gecko) Chrome/37.0.2062.120 Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET /generate_204
>>> HTTP/1.1" 302 916 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
>>> (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:32 -0430] "GET
>>> /captive-portal?destination_url=http://www.gstatic.com/generate_204&; 
>>> HTTP/1.1"
>>> 200 8294 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like
>>> Gecko) Chrome/37.0.2062.120 Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:38 -0430] "-" 408 - "-" "-"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:39 -0430] "-" 408 - "-" "-"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:41 -0430] "POST /authenticate
>>> HTTP/1.1" 200 3232 "
>>> http://portal.sudeban.gob.ve/captive-portal?destination_url=http://www.gstatic.com/generate_204&";
>>> "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
>>> Chrome/37.0.2062.120 Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET
>>> /content/images/unlock.png HTTP/1.1" 200 1942 "
>>> http://portal.sudeban.gob.ve/authenticate"; "Mozilla/5.0 (Windows NT
>>> 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120
>>> Safari/537.36"
>>> 172.17.3.10 - - [16/Sep/2014:10:59:42 -0430] "GET /content/timerbar.js
>>> HTTP/1.1" 200 4193 "http://portal.sudeban.gob.ve/authenticate";
>>> "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
>>> Chrome/37.0.2062.120 Safari/537.36"
>>>
>>>
>>>  httpd.portal.error
>>>
>>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
>>> `127.0.0.1' does NOT match server name!?
>>> [Tue Sep 16 10:43:18 2014] [warn] RSA server certificate CommonName (CN)
>>> `127.0.0.1' does NOT match server name!?
>>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
>>> `127.0.0.1' does NOT match server name!?
>>> [Tue Sep 16 10:43:21 2014] [warn] RSA server certificate CommonName (CN)
>>> `127.0.0.1' does NOT match server name!?
>>>
>>>  pfdns.log
>>>
>>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create TCP socket: La
>>> dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line
>>> 90, <DATA> line 558.
>>> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
>>> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
>>> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>>  (Carp::cluck)
>>> Sep 16 10:43:27 pfdns(27411) ERROR: Couldn't create UDP socket: La
>>> dirección ya se está usando at /usr/lib/perl5/Net/DNS/Nameserver.pm line
>>> 109, <DATA> line 558.
>>> Net::DNS::Nameserver::new('Net::DNS::Nameserver', 'LocalAddr',
>>> 'ARRAY(0x47fd0f0)', 'LocalPort', 53, 'ReplyHandler', 'CODE(0x49db0d0)',
>>> 'Verbose', 0, ...) called at /usr/local/pf/sbin/pfdns line 122
>>>  (Carp::cluck)
>>> Sep 16 10:43:27 pfdns(27411) FATAL: couldn't create nameserver object
>>>  (main::)
>>> Sep 16 10:43:27 pfdns(27411) ERROR: couldn't create nameserver object
>>>  (main::)
>>>
>>>
>>> root@packetfence:/usr/local/pf/logs# tail -f  pfdhcplistener.log
>>> Sep 16 10:58:00 pfdhcplistener(27401) INFO: Unseen before node added:
>>> 00:18:de:bd:3d:33 (main::listen_dhcp)
>>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPOFFER from 172.17.3.4
>>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
>>> (main::parse_dhcp_offer)
>>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPREQUEST from
>>> 00:18:de:bd:3d:33 (172.17.3.10) (main::parse_dhcp_request)
>>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
>>> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>>> Sep 16 10:58:01 pfdhcplistener(27401) WARN: unable to resolve
>>> 00:18:de:bd:3d:33 to ip (pf::iplog::mac2ip)
>>> Sep 16 10:58:01 pfdhcplistener(27401) ERROR: Unable to list iptables
>>> mangle table:  (pf::ipset::get_mangle_mark_for_mac)
>>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: 00:18:de:bd:3d:33 requested
>>> an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP (Version 5.1, 5.2)).
>>> Modified node with last_dhcp = 2014-09-16 10:58:01,computername =
>>> sbo0011900,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
>>> (main::listen_dhcp)
>>> Sep 16 10:58:01 pfdhcplistener(27401) INFO: DHCPACK from 172.17.3.4
>>> (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10) for 86400
>>> seconds (main::parse_dhcp_ack)
>>> Sep 16 11:01:31 pfdhcplistener(27401) INFO: DHCPACK CIADDR from
>>> 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
>>> (main::parse_dhcp_ack)
>>> Sep 16 11:02:36 pfdhcplistener(27401) INFO: DHCPACK CIADDR from
>>> 172.17.3.4 (00:e0:52:e0:e7:b8) to host 00:18:de:bd:3d:33 (172.17.3.10)
>>> (main::parse_dhcp_ack)
>>>
>>>
>>> pfmon.log
>>>
>>> root@packetfence:/usr/local/pf/logs# tail -f   pfmon.log
>>> Sep 16 11:26:28 pfmon(27416) INFO: running expire check (main::cleanup)
>>> Sep 16 11:26:28 pfmon(27416) INFO: checking registered nodes for
>>> expiration (main::cleanup)
>>> Sep 16 11:26:28 pfmon(27416) INFO: checking violations for expiration
>>> (main::cleanup)
>>> Sep 16 11:26:28 pfmon(27416) INFO: checking accounting data for
>>> potential bandwidth abuse (main::cleanup)
>>> Sep 16 11:26:28 pfmon(27416) INFO: getting violations triggers for
>>> accounting cleanup (pf::accounting::acct_maintenance)
>>> Sep 16 11:27:28 pfmon(27416) INFO: running expire check (main::cleanup)
>>> Sep 16 11:27:28 pfmon(27416) INFO: checking registered nodes for
>>> expiration (main::cleanup)
>>> Sep 16 11:27:28 pfmon(27416) INFO: checking violations for expiration
>>> (main::cleanup)
>>> Sep 16 11:27:28 pfmon(27416) INFO: checking accounting data for
>>> potential bandwidth abuse (main::cleanup)
>>> Sep 16 11:27:28 pfmon(27416) INFO: getting violations triggers for
>>> accounting cleanup (pf::accounting::acct_maintenance)
>>> Sep 16 11:28:28 pfmon(27416) INFO: running expire check (main::cleanup)
>>> Sep 16 11:28:28 pfmon(27416) INFO: checking registered nodes for
>>> expiration (main::cleanup)
>>> Sep 16 11:28:28 pfmon(27416) INFO: checking violations for expiration
>>> (main::cleanup)
>>> Sep 16 11:28:28 pfmon(27416) INFO: checking accounting data for
>>> potential bandwidth abuse (main::cleanup)
>>> Sep 16 11:28:28 pfmon(27416) INFO: getting violations triggers for
>>> accounting cleanup (pf::accounting::acct_maintenance)
>>>
>>
>> <PACKETFENCE2.jpg>
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>>
>>
>>
>>
> <PACKETFENCE2.jpg><pf.conf><networks.conf>
>
>
>
>
>
>