Hi.
I am using PF 5.0.0 (although I have had the same issue on 4.7.0 as well)
cat /proc/version
Linux version 2.6.32-504.12.2.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Mar 11 22:03:14 UTC 2015
cat /etc/redhat-release
CentOS release 6.6 (Final)
I have three interfaces but eth0 is not managed by PF (as it's connected to a
private subnet). I am using PF in inline mode. When I connect a client to an
AP, I see the following in the pfdhcplistener logs, but the client is unable to
acquire an IP address.
Apr 22 19:05:24 pfdhcplistener(10757) WARN: pfdhcplistener for eth2 finished - this is bad. Are you sure the interface you are trying to run the listener on is configured in packetfence to do so? (main::)
Apr 22 19:05:24 pfdhcplistener(10757) INFO: stopping pfdhcplistener for interface eth2 (main::END)
Apr 22 19:05:59 pfdhcplistener(11063) INFO: pfdhcplistener_eth1 starting and writing 11066 to /usr/local/pf/var/run/pfdhcplistener_eth1.pid (pf::services::util::createpid)
Apr 22 19:05:59 pfdhcplistener(11063) WARN: DHCP detector on an inline interface (main::)
Apr 22 19:05:59 pfdhcplistener(11063) INFO: Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Apr 22 19:05:59 pfdhcplistener(11063) WARN: Unable to open VLAN proc description for eth1: No such file or directory (pf::util::get_vlan_from_int)
Apr 22 19:05:59 pfdhcplistener(11063) INFO: DHCP detector on eth1 enabled (main::)
Apr 22 19:06:00 pfdhcplistener(11069) INFO: pfdhcplistener_eth2 starting and writing 11072 to /usr/local/pf/var/run/pfdhcplistener_eth2.pid (pf::services::util::createpid)
Apr 22 19:06:00 pfdhcplistener(11069) WARN: Unable to open VLAN proc description for eth2: No such file or directory (pf::util::get_vlan_from_int)
Apr 22 19:06:00 pfdhcplistener(11069) INFO: DHCP detector on eth2 enabled (main::)
Apr 22 19:06:44 pfdhcplistener(11063) INFO: DHCPREQUEST from 60:03:08:a5:84:3a (10.252.7.120) with lease of 7776000 seconds (main::parse_dhcp_request)
Apr 22 19:06:44 pfdhcplistener(11063) INFO: 60:03:08:a5:84:3a requested an IP. DHCP Fingerprint: OS::202 (Mac OS X Lion). Modified node with last_dhcp = 2015-04-22 19:06:44,computername = Blocks-MBP,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46 (main::listen_dhcp)
Here's my packetfence.log
Apr 22 19:05:28 pfcmd.pl(10934) INFO: Daemon memcached took 0.004 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:28 pfcmd.pl(10934) INFO: generating /usr/local/pf/var/conf/ssl-certificates.conf (pf::services::manager::httpd::generateConfig)
Apr 22 19:05:28 pfcmd.pl(10934) INFO: generating /usr/local/pf/var/conf/captive-portal-common.conf (pf::services::manager::httpd::generateConfig)
Apr 22 19:05:36 pfcmd.pl(10934) INFO: Daemon httpd.admin took 7.498 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:46 pfcmd.pl(10934) INFO: pf::services::manager, /usr/local/pf/lib/pf/services/manager.pm, 171 (pf::services::manager::dhcpd::generateConfig)
Apr 22 19:05:46 pfcmd.pl(10934) INFO: Daemon dhcpd took 0.025 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:47 pfcmd.pl(10934) INFO: Daemon httpd.aaa took 1.547 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:52 pfcmd.pl(10934) INFO: Daemon httpd.portal took 2.954 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:56 pfcmd.pl(10934) INFO: Daemon httpd.webservices took 1.538 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:57 pfcmd.pl(10934) INFO: Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Apr 22 19:05:57 pfcmd.pl(10934) INFO: saving existing iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
Apr 22 19:05:58 pfcmd.pl(10934) WARN: We are using IPSET (pf::ipset::iptables_generate)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: flushing iptables (pf::ipset::iptables_flush_mangle)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: Adding DNS DNAT rules for unregistered and isolated inline clients. (pf::iptables::generate_inline_rules)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: Adding NAT Masquarade statement (PAT) (pf::iptables::generate_inline_rules)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: Addind ROUTED statement (pf::iptables::generate_inline_rules)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: building firewall to accept registered users through inline interface (pf::iptables::generate_inline_rules)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
Apr 22 19:05:58 pfcmd.pl(10934) INFO: Daemon pfdhcplistener_eth1 took 0.004 seconds to start. (pf::services::manager::launchService)
Apr 22 19:05:59 pfcmd.pl(10934) INFO: Daemon pfdhcplistener_eth2 took 0.004 seconds to start. (pf::services::manager::launchService)
Apr 22 19:06:00 pfcmd.pl(10934) INFO: Daemon pfdns took 0.004 seconds to start. (pf::services::manager::launchService)
Apr 22 19:06:03 pfcmd.pl(10934) INFO: Daemon pfmon took 1.513 seconds to start. (pf::services::manager::launchService)
Apr 22 19:06:03 pfcmd.pl(10934) INFO: generating /usr/local/pf/var/conf/snmptrapd.conf (pf::services::manager::snmptrapd::generateConfig)
Apr 22 19:06:03 pfcmd.pl(10934) INFO: Daemon snmptrapd took 0.035 seconds to start. (pf::services::manager::launchService)
Apr 22 19:06:05 pfsetvlan(11098) INFO: pfsetvlan starting and writing 11102 to /usr/local/pf/var/run/pfsetvlan.pid (pf::services::util::createpid)
Apr 22 19:06:05 pfsetvlan(11098) INFO: Process started (main::)
Apr 22 19:06:05 pfcmd.pl(10934) INFO: Daemon pfsetvlan took 1.434 seconds to start. (pf::services::manager::launchService)
Apr 22 19:06:05 pfcmd.pl(10934) INFO: Daemon radiusd took 0.312 seconds to start. (pf::services::manager::launchService)
This is the sudoers information for 'pf':
pf ALL=NOPASSWD: /sbin/iptables, /usr/sbin/ipset, /sbin/ip, /sbin/vconfig, /sbin/route, /sbin/service, /usr/bin/tee, /usr/local/pf/sbin/pfdhcplistener, /bin/kill, /usr/sbin/dhcpd, /usr/sbin/radiusd, /usr/sbin/snort, /usr/bin/suricata, /usr/sbin/conntrack
Defaults:pf !requiretty
Here's the output for iptables -t mangle (I am logged in as root when I run this command):
iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 1167 packets, 449K bytes)
 pkts bytes target                    prot opt in     out     source               destination
  344 49648 prerouting-int-inline-if  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 581 packets, 391K bytes)
 pkts bytes target                    prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 769 packets, 380K bytes)
 pkts bytes target                    prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 769 packets, 380K bytes)
 pkts bytes target                    prot opt in     out     source               destination

Chain prerouting-int-inline-if (1 references)
 pkts bytes target                    prot opt in     out     source               destination
  344 49648 MARK                      all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x3
    0     0 MARK                      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set pfsession_Unreg_172.31.30.0 src,src MARK set 0x3
    0     0 MARK                      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set pfsession_Reg_172.31.30.0 src,src MARK set 0x1
    0     0 MARK                      all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set pfsession_Isol_172.31.30.0 src,src MARK set 0x2
Here's my pf.conf and networks.conf
cat /usr/local/pf/conf/networks.conf
[172.31.30.0]
dns=8.8.8.8
dhcp_start=172.31.30.10
gateway=172.31.30.10
domain-name=inlinel2.mydomain.com
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=86400
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.31.30.246
type=inlinel2
netmask=255.255.255.0
dhcp_default_lease_time=86400

cat /usr/local/pf/conf/pf.conf
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=mydomain.com
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting
# rules and therefore must be resolvable by clients.
hostname=guest

[trapping]
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that Snort/Suricata will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=10.0.0.0/8

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes
[email protected]

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=PASSWORD
#
# database.db
#
# Name of the mysql database used by PacketFence.
db=pf

[interface eth1]
enforcement=inlinel2
ip=172.31.30.11
type=internal
vip=172.31.30.10
mask=255.255.255.0

[interface eth2]
ip=172.30.10.200
type=management
mask=255.255.255.0
I also have keepalived installed for the vrrp VIP. Here's my keepalived.conf
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id machine01
}

vrrp_instance VI_3 {
    state MASTER
    interface eth1
    smtp_alert
    virtual_router_id 12
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass PASSWORD # use 8 chars & something better
    }
    virtual_ipaddress {
        172.31.30.10 dev eth1
    }
}
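Added example, not part of the original post and not PacketFence's own code: a small Python checker that reads networks.conf and the [interface ...] sections of pf.conf in the INI shape quoted above and verifies, for every inline network, that the DHCP pool lies inside the subnet, is ordered, and does not contain any address the PacketFence host itself owns on that subnet (the gateway, the interface ip, the vip). The sample input is constructed from the values in this post; the function names are my own. Run on those values it reports that 172.31.30.10 (gateway and eth1 vip) and 172.31.30.11 (eth1 ip) fall inside the pool 172.31.30.10-172.31.30.246, which is a configuration detail worth ruling out when clients on an inline network cannot obtain a lease, not a confirmed root cause.

```python
import configparser
import ipaddress

# Constructed sample input, copied from the networks.conf and pf.conf
# [interface ...] sections quoted in the post above.
NETWORKS_CONF = """\
[172.31.30.0]
dns=8.8.8.8
dhcp_start=172.31.30.10
gateway=172.31.30.10
domain-name=inlinel2.mydomain.com
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=86400
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.31.30.246
type=inlinel2
netmask=255.255.255.0
dhcp_default_lease_time=86400
"""

PF_CONF = """\
[interface eth1]
enforcement=inlinel2
ip=172.31.30.11
type=internal
vip=172.31.30.10
mask=255.255.255.0

[interface eth2]
ip=172.30.10.200
type=management
mask=255.255.255.0
"""


def load_ini(text):
    """Parse PacketFence's INI-style config; interpolation off so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_inline_networks(networks_text, pf_text):
    """Return a list of findings (strings) for every inline network in networks.conf.

    Hypothetical helper (not a PacketFence API). Checks that the gateway and the
    DHCP pool are inside the subnet, that dhcp_start <= dhcp_end, and that no
    address the server owns on that subnet (gateway, interface ip, vip) is
    inside the pool that dhcpd would hand out to clients.
    """
    nets = load_ini(networks_text)
    pf = load_ini(pf_text)
    findings = []

    # "interface eth1" -> its section; keyed by the bare interface name.
    interfaces = {s.split(" ", 1)[1]: pf[s]
                  for s in pf.sections() if s.startswith("interface ")}

    for name in nets.sections():
        net = nets[name]
        if not net.get("type", "").startswith("inline"):
            continue  # only inline networks are checked here
        subnet = ipaddress.ip_network(f"{name}/{net['netmask']}", strict=False)
        gateway = ipaddress.ip_address(net["gateway"])
        start = ipaddress.ip_address(net["dhcp_start"])
        end = ipaddress.ip_address(net["dhcp_end"])

        if gateway not in subnet:
            findings.append(f"{name}: gateway {gateway} is outside {subnet}")
        if start not in subnet or end not in subnet:
            findings.append(f"{name}: DHCP pool {start}-{end} is not inside {subnet}")
        if start > end:
            findings.append(f"{name}: dhcp_start {start} is after dhcp_end {end}")

        # Addresses the PacketFence host itself owns on this subnet must not be
        # leased to clients; collect them from the network and its interfaces.
        reserved = {"gateway": gateway}
        for ifname, iface in interfaces.items():
            for key in ("ip", "vip"):
                if key in iface:
                    addr = ipaddress.ip_address(iface[key])
                    if addr in subnet:
                        reserved[f"{ifname} {key}"] = addr
        for label, addr in sorted(reserved.items()):
            if start <= addr <= end:
                findings.append(f"{name}: {label} {addr} lies inside DHCP pool {start}-{end}")
    return findings


if __name__ == "__main__":
    for line in check_inline_networks(NETWORKS_CONF, PF_CONF):
        print(line)
```

The checker only uses the standard library (configparser, ipaddress) so it can be dropped onto the PacketFence host and pointed at the real files with open(...).read(); a clean configuration returns an empty list.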
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users