Hi Christian,

We have a patch that would be a candidate for 5.5.1 and that would fix it for good.

Please see it attached to this mail.

Let us know if it works and it will be added to the next release.

Thanks!

- Julien

On 11/26/2015 09:49 AM, Louis Munro wrote:
Hi Christian,
This is indeed a corner case that is not well handled.

The original reason for that was that we assumed that you either use the PacketFence dhcpd for all or none of your networks.
If it’s all, then we should be receiving the ACKs.

If it’s none, then we needed to listen for DHCPREQUEST packets.

We try to process the minimum number of packets required to do the job, because in a large network that job quickly becomes expensive.

So in your case I can suggest a few ideas to fix it.

1. You could use the PacketFence dhcpd server on all your networks (if that is possible for you).
2. You could try using the UDP reflector (https://code.google.com/p/udp-reflector/) to send a copy of the ACKs to PacketFence.
3. You could patch PacketFence to handle the DHCPREQUESTs in those networks.
4. Look into using OMAPI to have PacketFence query your dhcp server for the leases.

I believe option 3 would be fastest to implement.

You could try this patch:

diff --git a/lib/pf/dhcp/processor.pm b/lib/pf/dhcp/processor.pm
index 5b6f6a8..36ee6fe 100644
--- a/lib/pf/dhcp/processor.pm
+++ b/lib/pf/dhcp/processor.pm
@@ -274,7 +274,7 @@ sub parse_dhcp_request {

     # We check if we are running without dhcpd
     # This means we don't see ACK so we need to act on requests
- if((!$self->{running_w_dhcpd} && !isenabled($Config{network}{force_listener_update_on_ack})) && (defined($client_ip) && defined($client_mac))){ + if((!isenabled($Config{network}{force_listener_update_on_ack})) && (defined($client_ip) && defined($client_mac))){
         $self->handle_new_ip($client_mac, $client_ip, $lease_length);
     }
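Review bot: the replacement condition drops the running_w_dhcpd test entirely, so every listener, including the ones on networks where PacketFence's own dhcpd answers, now calls handle_new_ip on each DHCPREQUEST whenever force_listener_update_on_ack is disabled; parse_dhcp_ack is left unchanged and still fires when running_w_dhcpd is set, so on those networks each lease is recorded twice, once from the address the client asked for and once from the server's yiaddr. Fine as a stopgap for the relayed inlinel3 case, but the comment above ("we are running without dhcpd") no longer describes what is tested.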



Let us know if it helps.
We’ll have to think of the best way of handling that particular case in the future.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Nov 25, 2015, at 18:10, Christian Hanster <[email protected]> wrote:

Hi Louis,

It’s me again and I found the problem finally. It has to do with the rewritten dhcplistener in the new release.

The new listener configuration checks if there is a DHCP server running on the interface. If this is the case, then it will not work with DHCP request packets. In my special case the problem was that I had the DHCP server running on the interface (inlinel2) but not for the inlinel3 network. So the listener was not processing the request packets. It might be a bug, but I do not know how to fix it because the pfdhcplistener is running on interface level. For me it worked when I switched off the DHCP server on the interface. Probably I will have DHCP done by another server in this network...

The problem is in line 332ff. in file processor.pm (Tag 5.5.0): https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/dhcp/processor.pm

Thank you for your help!

Kind regards
Christian
On 25 Nov 2015, at 22:41, Christian Hanster <[email protected]> wrote:

Hi Louis,

No, there are no lines with DHCPACK or OFFER. This is because no such packets are coming in (seen in tcpdump). Our setup is the following: remote client — LAN — router (with dnsmasq and a relay to PF) =VPN-Tunnel= VPN-Server — LAN — PF-Server

So PF is not offering any leases to the remote clients but gets information from the dnsmasq which is configured as a relay. PF is configured as inlinel3 for the remote clients.

The networks.conf is therefore:
[192.168.2.0]
dns=192.168.2.254
dhcp_start=192.168.2.10
gateway=192.168.2.250
domain-name=inlinel2.endoo.eu
nat_enabled=enabled
named=enabled
dhcp_max_lease_time=3600
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=inlinel2
netmask=255.255.255.0
dhcp_default_lease_time=3600

[10.1.13.0]
next_hop=192.168.2.2
domain-name=inlinel3.endoo.eu
name=inlinel3.endoo.eu
nat_enabled=1
named=enabled
dhcpd=disabled
fake_mac_enabled=0
type=inlinel3
netmask=255.255.255.0

The dhcp.conf:
# dhcpd configuration
# This file is manipulated on PacketFence's startup before being given to dhcpd
authoritative;
ddns-update-style none;
ignore client-updates;
log-facility local6;

# OMAPI for IP <-> MAC lookup
omapi-port 7911;
key pf_omapi_key {
  algorithm HMAC-MD5;
  secret "ghkxVADMEeYe8ikHCjkyu7hQ2abIA/SbcH8Ep6a4FGs=";
};
omapi-key pf_omapi_key;


failover peer "192.168.2.0/24" {
secondary;
address 192.168.2.250;
port 647;
peer address 192.168.2.251;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}


subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.250;
option subnet-mask 255.255.255.0;
option domain-name "inlinel2.endoo.eu";
option domain-name-servers 192.168.2.254;
pool {
failover peer "192.168.2.0/24";
    range 192.168.2.10 192.168.2.246;
    default-lease-time 3600;
    max-lease-time 3600;
}
}


The dhcpd is only relevant for the local network at the server side but not for the remote clients. There are also no DHCP Server errors on the server.

The point is that it worked well with the old PF version. pfdhcplistener.log (old, when it worked):

Nov 22 15:29:55 pfdhcplistener(11373) INFO: DHCPREQUEST from 00:25:4b:cd:f4:64 (10.1.13.78) (main::parse_dhcp_request)
Nov 22 15:29:55 pfdhcplistener(11373) WARN: Unable to match MAC address to IP '10.1.13.78' (pf::iplog::ip2mac)
Nov 22 15:29:55 pfdhcplistener(11373) INFO: 00:25:4b:cd:f4:64 requested an IP with the following informations: last_dhcp = 2015-11-22 15:29:55,computername = Christians-MBP,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor = (main::listen_dhcp)

It does not seem to be that different…

Kind regards
Christian Hanster
On 25 Nov 2015, at 20:35, Louis Munro <[email protected]> wrote:

Hi Christian,
Is this all that is in the pfdhcplistener log?
No lines with DHCPACK or DHCPOFFER?

Which dhcp server is offering leases in the VLAN?
The PF dhcp service, or do you have another server providing that service?

Are there any dhcpd errors in /var/log/messages?

Please post your conf/network.conf and var/conf/dhcpd.conf files.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Nov 25, 2015, at 13:37, Christian Hanster <[email protected]> wrote:

Hi,

thanks for the response!
So after some more testing I found out that I have to restart the pfdhcplistener manually. Then it recognises the traffic. I do not know what is then different, because the pfdhcplistener was running before too…

Now the problem is that PF recognises the new MAC address but did not define an IP address. Output of pfdhcplistener:

Nov 25 18:24:45 pfqueue(51123) INFO: [mac:[undef]] DHCPREQUEST from d4:33:a3:ed:f2:a5 (10.1.13.239) with lease of 7776000 seconds (pf::dhcp::processor::parse_dhcp_request)
Nov 25 18:24:47 pfqueue(51123) INFO: [mac:d4:33:a3:ed:f2:a5] d4:33:a3:ed:f2:a5 requested an IP with the following informations: last_dhcp = 2015-11-25 18:24:45,computername = Christians-MBP,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor = (pf::dhcp::processor::process_packet)

So now I see node entries, but the captive portal says that the node cannot be found in the database, because PF does not store a value for the IP address in the DB when it detects it.
On 25 Nov 2015, at 18:09, Louis Munro <[email protected]> wrote:


An active/active or active/passive cluster?
Inline is not supported in active/active. Not everything can be replicated.
I run it as an active/active cluster. I followed the installation guide from the PacketFence website, but have a replicated DB server on another host. I did not know that inline is not supported. It was not stated anywhere in the guide… Is there an easy way to change it to active/passive?

Are all PacketFence services running?
Especially pfqueue, redis_queue and obviously the pfdhcplistener?
Services are all running but it is only listening for dhcp when I restart pfdhcplistener via “pfcmd service pfdhcplistener restart” manually.
Are dhcp requests being received on the interface?
What does this report?

# tcpdump -tnl -i eth0 port bootpc or port bootps
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.1.13.1.67 > 192.168.2.254.67: BOOTP/DHCP, Request from d4:33:a3:ed:f2:a5, length 300

I hope you can help me with it because I’m really clueless at the moment…

Kind regards
Christian Hanster





Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected] <mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users









--
Julien
diff --git a/lib/pf/api.pm b/lib/pf/api.pm
index 2a89e9f..2ac498a 100644
--- a/lib/pf/api.pm
+++ b/lib/pf/api.pm
@@ -1003,7 +1003,7 @@ The UDP payload must be base 64 encoded.
 
 sub process_dhcp : Public {
     my ($class, %postdata) = @_;
-    my @require = qw(src_mac src_ip dest_mac dest_ip running_w_dhcpd is_inline_vlan interface interface_ip interface_vlan net_type udp_payload_b64);
+    my @require = qw(src_mac src_ip dest_mac dest_ip is_inline_vlan interface interface_ip interface_vlan net_type udp_payload_b64);
     my @found = grep {exists $postdata{$_}} @require;
     return unless validate_argv(\@require,\@found);
     
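Review bot: dropping running_w_dhcpd from @require is backward compatible for an old pfdhcplistener talking to a patched pf::api (validate_argv only checks that the required keys exist in %postdata, extra keys pass), but not the other way round: a patched listener that no longer sends the key against an unpatched pf::api fails validate_argv and process_dhcp returns silently, so pfqueue and every pfdhcplistener instance must be restarted together. Also check that the POD parameter list above the sub and anything further down that still reads $postdata{running_w_dhcpd} (such as the arguments handed to the pf::dhcp::processor constructor) are updated with it.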
diff --git a/lib/pf/dhcp/processor.pm b/lib/pf/dhcp/processor.pm
index 5b6f6a8..e744574 100644
--- a/lib/pf/dhcp/processor.pm
+++ b/lib/pf/dhcp/processor.pm
@@ -79,9 +79,31 @@ sub new {
         $self->{accessControl} = new pf::inline::custom();
     }
     $self->{api_client} = pf::client::getClient();
+    $self->_build_DHCP_networks();
     return $self;
 }
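Review bot: _build_DHCP_networks() is called from the constructor, so if a pf::dhcp::processor object is created per process_dhcp call (how the api instantiates it is not in the diff), the full %ConfigNetworks walk and all the NetAddr::IP objects are rebuilt for every DHCP packet, which works against the stated goal of doing the minimum per packet; build the list once at module load or memoize it on the config. Also confirm processor.pm already imports NetAddr::IP and %ConfigNetworks from pf::config, since this file's use lines are not in the diff and pfdhcplistener is where they were used before.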
 
+=head2 _build_DHCP_networks
+
+Builds the list of networks on which PacketFence is the DHCP server
+
+=cut
+
+sub _build_DHCP_networks {
+    my ($self) = @_;
+
+    my @dhcp_networks;
+    foreach my $network (keys %ConfigNetworks) {
+        my %net = %{$ConfigNetworks{$network}};
+        my $network_obj = NetAddr::IP->new($network,$ConfigNetworks{$network}{netmask});
+        if(isenabled($net{dhcpd})){
+            push @dhcp_networks, $network_obj;
+        }
+    }
+
+    $self->{dhcp_networks} = \@dhcp_networks;
+}
+
 =head2 _get_redis_client
 
 Get the redis client
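Review bot: NetAddr::IP->new returns undef for a malformed network or netmask, and that undef would be pushed onto @dhcp_networks and dereferenced later (->mask, ->contains) in pf_is_dhcp; test isenabled($net{dhcpd}) before constructing the object, skip and log an undef result, and read $ConfigNetworks{$network}{dhcpd} directly instead of copying the whole section hash into %net to look at one key.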
@@ -274,7 +296,7 @@ sub parse_dhcp_request {
 
     # We check if we are running without dhcpd
     # This means we don't see ACK so we need to act on requests
-    if((!$self->{running_w_dhcpd} && !isenabled($Config{network}{force_listener_update_on_ack})) && (defined($client_ip) && defined($client_mac))){
+    if( (defined($client_ip) && defined($client_mac)) && (!$self->pf_is_dhcp($client_ip) && !isenabled($Config{network}{force_listener_update_on_ack})) ){
         $self->handle_new_ip($client_mac, $client_ip, $lease_length);
     }
 
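Review bot: the comment two lines above ("We check if we are running without dhcpd") still describes the old per-listener flag; it should say the request is acted on only when PacketFence is not the DHCP server for the network containing $client_ip. Worth adding to that comment: however $client_ip is derived for a DHCPREQUEST (not in the diff), it is the client's claim and not an address any server has committed, so handle_new_ip records an unverified, client-controlled address on this path; that was already true of the no-dhcpd case before the patch, but the check now applies per network rather than per listener.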
@@ -288,6 +310,9 @@ sub parse_dhcp_request {
         $self->{api_client}->notify('synchronize_locationlog',$self->{interface_ip},$self->{interface_ip},undef, $NO_PORT, $self->{interface_vlan}, $dhcp->{'chaddr'}, $NO_VOIP, $INLINE);
         $self->{accessControl}->performInlineEnforcement($dhcp->{'chaddr'});
     }
+    else {
+        $logger->debug("Not acting on DHCPREQUEST");
+    }
 }
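Review bot: the new else belongs to the inline-enforcement if (the synchronize_locationlog / performInlineEnforcement branch), not to the handle_new_ip decision above it, so "Not acting on DHCPREQUEST" is logged for every request on a non-inline network even when handle_new_ip did run, and nothing is logged when the request is deliberately skipped because PF is the DHCP server for that network. Either reword it to say the network is not inline, or put the debug line in an else of the earlier if, where it would actually help diagnose the case this patch fixes.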
 
 
@@ -331,7 +356,7 @@ sub parse_dhcp_ack {
     # We check if we are running with the DHCPd process.
     # If yes, we are interested with the ACK
     # Packet also has to be valid
-    if(($self->{running_w_dhcpd} || isenabled($Config{network}{force_listener_update_on_ack})) && (defined($client_ip) && defined($client_mac))){
+    if( (defined($client_ip) && defined($client_mac)) && ($self->pf_is_dhcp($client_ip) || isenabled($Config{network}{force_listener_update_on_ack})) ){
         $self->handle_new_ip($client_mac, $client_ip, $lease_length);
     }
     else {
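Review bot: same stale comment as in parse_dhcp_request: "We check if we are running with the DHCPd process" should now say the ACK is acted on when PacketFence is the DHCP server for the network containing $client_ip (the server-assigned yiaddr). Moving the defined() checks in front of the pf_is_dhcp() call is the right order, since pf_is_dhcp would otherwise be handed an undef IP.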
@@ -340,6 +365,28 @@ sub parse_dhcp_ack {
 
 }
 
+=head2 pf_is_dhcp
+
+Verifies if PacketFence is the DHCP server for the network the IP is in
+
+=cut
+
+sub pf_is_dhcp {
+    my ($self, $client_ip) = @_;
+
+    foreach my $network_obj (@{$self->{dhcp_networks}}) {
+        # We need to rebuild it everytime with the mask from the network as
+        # a DHCPREQUEST does not contain the subnet mask
+        my $net_addr = NetAddr::IP->new($client_ip,$network_obj->mask);
+        if($network_obj->contains($net_addr)){
+            $logger->info("The listener process is on the same server as the DHCP server.");
+            return $TRUE;
+        }
+    }
+    $logger->info("The listener process is NOT on the same server as the DHCP server.");
+    return $FALSE;
+}
+
 =head2 handle_new_ip
 
 Handle the tasks related to a device getting an IP address
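Review bot: the two $logger->info lines fire for every DHCPREQUEST and DHCPACK that reaches a worker, and their text ("The listener process is on the same server as the DHCP server") was copied from the old per-listener check and no longer describes what is tested; log at debug level and name the match, e.g. "PacketFence is the DHCP server for $network_obj ($client_ip)". Rebuilding the client address with the network's mask is unnecessary: NetAddr::IP->new($client_ip) yields a /32 host and $network_obj->contains() on that answers the same question, which also removes the comment about DHCPREQUEST lacking a subnet mask. Finally, NetAddr::IP->new returns undef for a garbage $client_ip; guard that before calling contains().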
diff --git a/sbin/pfdhcplistener b/sbin/pfdhcplistener
index be4a5f8..d026fe8 100755
--- a/sbin/pfdhcplistener
+++ b/sbin/pfdhcplistener
@@ -108,7 +108,6 @@ $PROGRAM_NAME = $0 = "${PROGRAM_NAME}_${interface}";
 daemonize($PROGRAM_NAME) if ($daemonize);
 
 my $net_addr = NetAddr::IP->new($Config{"interface $interface"}{'ip'},$Config{"interface $interface"}{'mask'});
-my $running_w_dhcpd = $FALSE;
 
 # start dhcp monitor
 if ( isenabled( $Config{'network'}{'dhcpdetector'} ) ) {
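Review bot: with $running_w_dhcpd gone, $net_addr two lines above has lost the contains() test that consumed it; check whether anything further down still reads it and remove the variable too if not.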
@@ -120,10 +119,6 @@ if ( isenabled( $Config{'network'}{'dhcpdetector'} ) ) {
         foreach my $network (keys %ConfigNetworks) {
             my %net = %{$ConfigNetworks{$network}};
             my $network_obj = NetAddr::IP->new($network,$ConfigNetworks{$network}{netmask});
-            if(isenabled($net{dhcpd}) && $network_obj->contains($net_addr)){
-                $running_w_dhcpd = $TRUE;
-                $logger->info("The listener process is on the same server as the DHCP server.");
-            }
 
             # are we listening on an inline interface ?
             next if (!pf::config::is_network_type_inline($network));
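Review bot: after removing the contains() check, %net and $network_obj at the top of the loop may no longer be read before the "next if (!pf::config::is_network_type_inline($network))" line; verify they are still used below it and drop them otherwise. Note also that the one-time startup message telling the operator the listener shares a host with the DHCP server is gone from pfdhcplistener.log, which is exactly the log Christian was reading to debug this setup; a replacement startup line listing the dhcpd-enabled networks would preserve that signal.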
@@ -197,7 +192,6 @@ sub process_pkt {
                 dest_mac => clean_mac($l2->{'dest_mac'}),
                 src_ip => $l3->{'src_ip'},
                 dest_ip => $l3->{'dest_ip'},
-                running_w_dhcpd => $running_w_dhcpd,
                 is_inline_vlan => $is_inline_vlan,
                 interface => $interface,
                 interface_ip => $interface_ip,
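Review bot: once running_w_dhcpd is dropped from the notify payload, this daemon cannot talk to an unpatched pf::api::process_dhcp, which lists the key in @require and returns without processing the packet; pair the listener upgrade with a pfqueue restart. And since the dhcpd-enabled network list is now computed in the worker from %ConfigNetworks rather than in the listener at startup, make sure the workers' view of the config is refreshed (or the workers restarted) when networks.conf changes, otherwise pf_is_dhcp keeps using a stale list.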

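The decision Louis describes above (act on the DHCPACK where PacketFence's own dhcpd serves the network, fall back to the DHCPREQUEST where it does not) and the corner case Christian hit (in 5.5.0 the check was made once per listener interface, so a relayed inlinel3 network behind an interface that also serves a dhcpd-enabled inlinel2 network was treated as "PacketFence is the DHCP server" and its requests were ignored), modelled in Python as an added example. This is not PacketFence code and not part of either patch: the network sections mirror the networks.conf posted in the thread, the client address 192.168.2.20 is constructed, and the function names are mine.

```python
"""Model of the pfdhcplistener decision: record a lease on DHCPREQUEST or on DHCPACK?

Added example, not PacketFence code.  NETWORKS_CONF mirrors the two sections of
the networks.conf posted in the thread (only the keys the decision needs).
"""
from ipaddress import ip_address, ip_network

# Constructed from the thread's networks.conf: the inlinel2 network is served by
# PacketFence's dhcpd, the relayed inlinel3 network by a remote dnsmasq.
NETWORKS_CONF = {
    "192.168.2.0": {"netmask": "255.255.255.0", "dhcpd": "enabled", "type": "inlinel2"},
    "10.1.13.0": {"netmask": "255.255.255.0", "dhcpd": "disabled", "type": "inlinel3"},
}

LISTENER_INTERFACE_IP = "192.168.2.254"  # PF side of the relayed requests in the tcpdump output


def dhcp_networks(conf):
    """Networks where PacketFence's own dhcpd hands out leases (dhcpd=enabled)."""
    return [
        ip_network(f"{net}/{opts['netmask']}")
        for net, opts in conf.items()
        if opts.get("dhcpd") == "enabled"
    ]


def _valid_ip(value):
    """True if value parses as an IP address; None and garbage both fail."""
    try:
        ip_address(value)
    except (ValueError, TypeError):
        return False
    return True


def running_w_dhcpd(interface_ip, nets):
    """5.5.0 behaviour: one flag per listener, true if the listener's own
    interface address lies in a dhcpd-enabled network.  It says nothing about
    the network the client is in, which is what broke the relayed case."""
    ip = ip_address(interface_ip)
    return any(ip in n for n in nets)


def pf_is_dhcp(client_ip, nets):
    """Patched behaviour: is PacketFence the DHCP server for the network that
    contains the client's address?  A host address is enough for the
    containment test; the configured network's mask does the rest."""
    ip = ip_address(client_ip)
    return any(ip in n for n in nets)


def act_on(msg_type, pf_serves_client, force_listener_update_on_ack=False):
    """Gate in front of handle_new_ip (the IP-to-MAC table update).

    Prefer the ACK: its yiaddr is the address the server actually committed.
    Fall back to the REQUEST only where PF cannot see the ACK at all, because a
    REQUEST carries the client's claim, not a confirmed lease.
    """
    if msg_type == "DHCPACK":
        return pf_serves_client or force_listener_update_on_ack
    if msg_type == "DHCPREQUEST":
        return not pf_serves_client and not force_listener_update_on_ack
    return False  # DISCOVER/OFFER/NAK never update the table


def decide_5_5_0(msg_type, client_ip, interface_ip=LISTENER_INTERFACE_IP,
                 conf=NETWORKS_CONF, force=False):
    """The interface-level decision that dropped Christian's relayed requests."""
    if not _valid_ip(client_ip):
        return False
    return act_on(msg_type, running_w_dhcpd(interface_ip, dhcp_networks(conf)), force)


def decide_patched(msg_type, client_ip, interface_ip=LISTENER_INTERFACE_IP,
                   conf=NETWORKS_CONF, force=False):
    """The per-network decision: decided from the client's address, not the listener's."""
    if not _valid_ip(client_ip):
        return False
    return act_on(msg_type, pf_is_dhcp(client_ip, dhcp_networks(conf)), force)


def trace_thread_scenario():
    """Replay the thread's relayed client and a constructed local client through both."""
    relayed = "10.1.13.78"   # the MBP behind the VPN relay, only ever seen as a DHCPREQUEST
    local = "192.168.2.20"   # constructed: a client on the PF-served inlinel2 network
    return {
        "relayed REQUEST, 5.5.0": decide_5_5_0("DHCPREQUEST", relayed),
        "relayed REQUEST, patched": decide_patched("DHCPREQUEST", relayed),
        "local REQUEST, patched": decide_patched("DHCPREQUEST", local),
        "local ACK, patched": decide_patched("DHCPACK", local),
    }


if __name__ == "__main__":
    for case, recorded in trace_thread_scenario().items():
        print(f"{case}: {'handle_new_ip' if recorded else 'ignored'}")
```

The interface-level flag is the whole story of the bug: the listener on 192.168.2.254 sits in a dhcpd-enabled network, so running_w_dhcpd is true for every packet it forwards, including the relayed 10.1.13.x requests whose ACKs PacketFence will never see. The per-network check answers the question for the address in the packet instead. The caveat that stays either way is in act_on: recording from a REQUEST means trusting an address the client chose, so it is only the right trade-off where no ACK is observable.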