Hello

I am trying to create this network

production network -> network with internet
guest network -> network with internet

isolated network -> customer problems (vulnerabilities)

for this I have

192.168.100.5 -> management (not dhcp)
192.168.20.1 -> register (dhcp)
192.168.30.1 -> isolated (dhcp)
182.168.200.1 -> guest (dhcp)
192.168.50.1 -> laboratory (dhcp)

communication with the Cisco 2950 switch ok

VLANs on the Cisco

vlan 2 -> register
vlan 3 -> isolated
vlan 4 -> macdetection
vlan 200 -> guest
vlan 50 -> laboratory

It assigns the correct VLAN, but I do not have internet.

I have 2 adapters

eth0 -> PF
WLAN -> connected to the Internet

PS: I'm not using port-security

In the log it is possible to see the client being assigned to VLAN 50 (the
correct VLAN), but there is no internet. Any idea?

packetfence log:

Oct 09 20:19:26 pfsetvlan(3) INFO: setting 192.168.100.254 port 20 to MAC 
detection VLAN (main::handleTrap)
Oct 09 20:19:26 pfsetvlan(3) INFO: Should set 192.168.100.254 ifIndex 20 to 
VLAN 4 but it is already in this VLAN -> Do nothing (pf::Switch::setVlan)
Oct 09 20:19:26 pfsetvlan(3) INFO: MAC learnt traps are configured on this 
switch port. Stopping UP trap handling here (main::handleTrap)
Oct 09 20:19:26 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Oct 09 20:19:28 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Oct 09 20:19:28 pfsetvlan(5) INFO: learnt trap received on 192.168.100.254 
ifIndex 20 for 00:0b:6a:78:5c:12 in VLAN 4 (main::handleTrap)
Oct 09 20:19:28 pfsetvlan(5) INFO: Will try to check on this node's previous 
switch if secured entry needs to be removed. Old Switch IP: 192.168.100.254 
(main::do_port_security)
Oct 09 20:19:28 pfsetvlan(5) INFO: MAC not found on node's previous switch 
secure table or switch inaccessible. (main::do_port_security)
Oct 09 20:19:29 pfsetvlan(5) INFO: Learnt trap received for 00:0b:6a:78:5c:12. 
Old MAC 50:b7:c3:8d:8e:1e already connected to the port according to 
locationlog ! (main::handleTrap)
Oct 09 20:19:29 pfsetvlan(5) INFO: [00:0b:6a:78:5c:12] Can't find provisioner 
(pf::vlan::getNormalVlan)
Oct 09 20:19:29 pfsetvlan(5) INFO: Found 'Device' entry with ID '26' in schema 
'Upstream' (fingerbank::Base::CRUD::read)
Oct 09 20:19:29 pfsetvlan(5) INFO: Device ID '26' have at least 1 parent. 
Building parent(s) list (fingerbank::Model::Device::read)
Oct 09 20:19:29 pfsetvlan(5) INFO: Found 'Device' entry with ID '1' in schema 
'Upstream' (fingerbank::Base::CRUD::read)
Oct 09 20:19:29 pfsetvlan(5) INFO: Device 'Microsoft Windows XP (Version 5.1, 
5.2)' is a Windows based device (fingerbank::Query::isWindows)
Oct 09 20:19:29 pfsetvlan(5) INFO: [00:0b:6a:78:5c:12] Can't find scan engine 
(pf::vlan::getNormalVlan)
Oct 09 20:19:29 pfsetvlan(5) INFO: [00:0b:6a:78:5c:12] Username was NOT defined 
or unable to match a role - returning node based role 'Laboratorio_PI' 
(pf::vlan::getNormalVlan)
Oct 09 20:19:29 pfsetvlan(5) INFO: [00:0b:6a:78:5c:12] PID: "tiago", Status: 
reg Returned VLAN: 50, Role: Laboratorio_PI (pf::vlan::fetchVlanForNode)
Oct 09 20:19:29 pfsetvlan(5) INFO: setting VLAN at 192.168.100.254 ifIndex 20 
from 4 to 50 (pf::Switch::setVlan)
Oct 09 20:19:29 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
Oct 09 20:19:32 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Oct 09 20:19:32 pfsetvlan(1) INFO: learnt trap received on 192.168.100.254 
ifIndex 20 for 00:0b:6a:78:5c:12 in VLAN 50 (main::handleTrap)
Oct 09 20:19:32 pfsetvlan(1) INFO: Memory configuration is not valid anymore 
for key config::Pf in local cached_hash (pfconfig::cached::is_valid)
Oct 09 20:19:33 pfsetvlan(1) INFO: Memory configuration is not valid anymore 
for key interfaces::internal_nets in local cached_hash 
(pfconfig::cached::is_valid)
Oct 09 20:19:33 pfsetvlan(1) INFO: [00:0b:6a:78:5c:12] Can't find provisioner 
(pf::vlan::getNormalVlan)
Oct 09 20:19:33 pfsetvlan(1) INFO: Found 'Device' entry with ID '26' in schema 
'Upstream' (fingerbank::Base::CRUD::read)
Oct 09 20:19:33 pfsetvlan(1) INFO: Device ID '26' have at least 1 parent. 
Building parent(s) list (fingerbank::Model::Device::read)
Oct 09 20:19:33 pfsetvlan(1) INFO: Found 'Device' entry with ID '1' in schema 
'Upstream' (fingerbank::Base::CRUD::read)
Oct 09 20:19:33 pfsetvlan(1) INFO: Device 'Microsoft Windows XP (Version 5.1, 
5.2)' is a Windows based device (fingerbank::Query::isWindows)
Oct 09 20:19:33 pfsetvlan(1) INFO: [00:0b:6a:78:5c:12] Can't find scan engine 
(pf::vlan::getNormalVlan)
Oct 09 20:19:33 pfsetvlan(1) INFO: [00:0b:6a:78:5c:12] Username was NOT defined 
or unable to match a role - returning node based role 'Laboratorio_PI' 
(pf::vlan::getNormalVlan)
Oct 09 20:19:33 pfsetvlan(1) INFO: [00:0b:6a:78:5c:12] PID: "tiago", Status: 
reg Returned VLAN: 50, Role: Laboratorio_PI (pf::vlan::fetchVlanForNode)
Oct 09 20:19:33 pfsetvlan(1) INFO: locationlog is already up2date. Do nothing 
(main::handleTrap)
Oct 09 20:19:33 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)


Sent from Mail for Windows 10
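
The wrapped pfsetvlan records in the message above can be rejoined and reduced to a per-port VLAN timeline, which shows whether the switch port ended up in the VLAN PacketFence decided on. This is an added example, not part of the original message and not PacketFence code; the regexes are assumptions based only on the log lines quoted above, and `unwrap`, `timeline` and `port_matches_decision` are hypothetical helper names.

```python
import re
# Excerpt of the pfsetvlan lines quoted above, mail-client line wraps left in.
# Regexes below are assumptions based on these lines only, not PacketFence code.
SAMPLE = """\
Oct 09 20:19:28 pfsetvlan(5) INFO: learnt trap received on 192.168.100.254
ifIndex 20 for 00:0b:6a:78:5c:12 in VLAN 4 (main::handleTrap)
Oct 09 20:19:29 pfsetvlan(5) INFO: [00:0b:6a:78:5c:12] PID: "tiago", Status:
reg Returned VLAN: 50, Role: Laboratorio_PI (pf::vlan::fetchVlanForNode)
Oct 09 20:19:29 pfsetvlan(5) INFO: setting VLAN at 192.168.100.254 ifIndex 20
from 4 to 50 (pf::Switch::setVlan)
Oct 09 20:19:32 pfsetvlan(1) INFO: learnt trap received on 192.168.100.254
ifIndex 20 for 00:0b:6a:78:5c:12 in VLAN 50 (main::handleTrap)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} pfsetvlan\(\d+\) ")
PATTERNS = {
    "trap": re.compile(r"learnt trap received on (?P<switch>\S+) ifIndex (?P<ifindex>\d+) for (?P<mac>\S+) in VLAN (?P<vlan>\d+)"),
    "decision": re.compile(r'\[(?P<mac>\S+)\] PID: "(?P<pid>[^"]*)", Status: (?P<status>\w+) Returned VLAN: (?P<vlan>\d+), Role: (?P<role>\S+)'),
    "setvlan": re.compile(r"setting VLAN at (?P<switch>\S+) ifIndex (?P<ifindex>\d+) from (?P<old>\d+) to (?P<vlan>\d+)"),
}

def unwrap(text):
    """Rejoin records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())      # a new timestamped record
        else:
            records[-1] += " " + line.strip() # continuation of the previous one
    return records

def timeline(text):
    """Return (time, kind, fields) for traps, role decisions and VLAN changes."""
    events = []
    for rec in unwrap(text):
        for kind, pattern in PATTERNS.items():
            if m := pattern.search(rec):
                events.append((rec[7:15], kind, m.groupdict()))
                break
    return events

def port_matches_decision(events):
    """True when the last trap shows the port in the VLAN last returned for the node."""
    decided = [e[2]["vlan"] for e in events if e[1] == "decision"]
    seen = [e[2]["vlan"] for e in events if e[1] == "trap"]
    return bool(decided and seen) and decided[-1] == seen[-1]

if __name__ == "__main__":
    print(*timeline(SAMPLE), port_matches_decision(timeline(SAMPLE)), sep="\n")
```

When the last trap reports the same VLAN that PacketFence returned, the enforcement step has succeeded, and missing connectivity has to be looked for in DHCP, DNS and routing on that VLAN.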



From: ismael flavio silva
Sent: 9 October 2015 17:38
To: [email protected]
Subject: Re: [PacketFence-users] pfsetvlan problem


Hello,

problem on cisco

as is the 2950 so this puts the trunk vlan above the 1002, otherwise you must 
manually add. I added the vlan 200. work :)

I want to add the internet to this vlan (producao)
PF uses the eth0
I have a wlan0 plate with internet

thanks

Sent from Mail for Windows 10

From: Fabrice DURAND
Sent: 9 October 2015 16:41
To: [email protected]
Subject: Re: [PacketFence-users] pfsetvlan problem


Hello,

On 2015-10-09 11:24, ismael flavio silva wrote:
> Hello,
>
> I am using vlan enforcement
>
> - OS: Centos 6.7
> - PF 5.3.1 (is not ZEN)
> - Cisco equipment in 2950
>
> the idea was to connect a PC to cisco and connect to internet, case it
> is registered on packetfence, or isolate, case present vulnerabilities.
>
> part of the problem solved.
>
> create a new vlan registration, added the switch.conf (new vlan), and
> added to the vlan on cisco
>
> in packetfence.log it changes the vlan 4 (macdetection) to vlan 2
> (registration), after the registration he goes to vlan 200 (vlan
> production), this far ok :)
>
That is perfect !
>
> problem:
>
> he does not give, dhcp (vlan production)
>
This is normal, on your production network (vlan 200) your dhcp/dns must
work, this is not the job of packetfence (it allows your device to go on
the prod network, that is all).

Now on the vlan 200 you have to configure your own dhcp and dns and
gateway ...


Regards
Fabrice

> checked
>
> network.conf ok
> pf.conf ok
> ifcfg-eth0.200 ok
>
> Thanks
>
> Sent from Mail <http://go.microsoft.com/fwlink/?LinkId=550986>
> for Windows 10
>
> *From: *Fabrice DURAND
> *Sent: *9 October 2015 14:00
> *To: *[email protected]
> *Subject: *Re: [PacketFence-users] pfsetvlan problem
>
> Hello,
>
> what are you trying to do ?
> What switch are you using ?
> Are you using inline ,out of band or web-auth ?
>
> You are not clear in your questions, it just like "it doesn't work,
> help me !"
>
> Start your configuration simple, and forget nessus for now and follow
> this guide :
> http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Out-of-Band_Deployment_Quick_Guide_ZEN-5.4.0.pdf
>
> Regards
> Fabrice
>
> On 2015-10-08 21:47, ismael flavio silva wrote:
>
>     hello
>
>     It was a bad configuration on switch
>
>     check in the community :)
>
>     i have two problems:
>
>     1st
>
>     PF start vlan 4 macDetection -> vlan 2 registration (registration
>     ok) -> vlan 4 again :(
>
>     its should go to vlan 1 (normal vlan), but vlan 1 it is vlan
>     management this vlan not used DHCP... hum
>
>     I have to create a new vlan to have internet?
>
>     2nd
>
>     I can not isolate a xp windows with nessus
>
>     thanks
>
>     Sent from Mail <http://go.microsoft.com/fwlink/?LinkId=550986>
>     for Windows 10
>
>     *From: *ismael flavio silva
>     *Sent: *9 October 2015 01:21
>     *To: *ismael flavio silva
>     *Subject: *RE: [PacketFence-users] pfsetvlan problem
>
>     Hello,
>
>     I already solve :)
>
>     I wanted to isolate a windows xp, but he can not isolate
>
>     I created a scan with Nessus, but does nothing :(
>
>     thanks
>
>     Sent from Mail <http://go.microsoft.com/fwlink/?LinkId=550986>
>     for Windows 10
>
>     *From: *ismael flavio silva
>     *Sent: *9 October 2015 01:17
>     *To: *[email protected]
>     <mailto:[email protected]>
>     *Subject: *[PacketFence-users] pfsetvlan problem
>
>     Hello
>
>     I used vlan enforcement
>
>     presents this error: (packetfence.log)
>
>     pfsetvlan(3) WARN: Can´t determine Uplinks for the switch
>     (192.168.100.254) -> do nothing (pf::vlan::doWeActOnThisTrap)
>
>     pfsetvlan(3) INFO: doWeActiOnThisTrap returns false. Stop up
>     handling (main::handleTrap)
>
>     pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
>
>     researched and appears to be snmptrapd.conf but exist different
>     three against the system!
>
>     look
>
>     /usr/local/pf/var/conf/snmtrapd.conf
>     /usr/local/pf/conf/snmtrapd.conf
>     /etc/snmp/snmtrapd.conf
>
>     how to solve the problem?
>
>     Thanks
>
>     Sent from Mail <http://go.microsoft.com/fwlink/?LinkId=550986>
>     for Windows 10
>
>------------------------------------------------------------------------------
>
>     _______________________________________________
>
>     PacketFence-users mailing list
>
>     [email protected]
>     <mailto:[email protected]>
>
>     https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
> -- 
> Fabrice Durand
> [email protected] <mailto:[email protected]> ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 
>
>  
>
>  
>
>
>


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



