Hi Louis,
thank you very much for the full response! It helped me a lot. For now we are
running a dhcp server on another server for the network as a workaround. I
will now have a look at all the options and figure out what is the best.
Concerning the first option I have a question: In the guide it is mentioned
that you should not use the dhcp-Server of PF as a production server. Because
of this, it was never an option for us. Is it possible anyway?
Perhaps you can make a side note in the guide where routed networks are
discussed. So that this confusion will be avoided when someone else has the
problem too.
Kind regards
Christian
> On 26 Nov 2015, at 15:49, Louis Munro <lmu...@inverse.ca> wrote:
>
> Hi Christian,
> This is indeed a corner case that is not well handled.
>
> The original reason for that was that we assumed that you either use the
> PacketFence dhcpd for all or none of your networks.
> If it’s all, then we should be receiving the ACKs.
>
> If it’s none, then we needed to listen for DHCPREQUEST packets.
>
> We try to process the minimum number of packets required to do the job,
> because in a large network that job quickly becomes expensive.
>
> So in your case I can suggest a few ideas to fix it.
>
> 1. You could use the PacketFence dhcpd server on all your networks (if that
> is possible for you).
> 2. You could try using the UDP reflector
> (https://code.google.com/p/udp-reflector/) to send a copy of the ACKs to
> PacketFence.
> 3. You could patch PacketFence to handle the DHCPREQUESTS in those networks.
> 4. Look into using OMAPI to have PacketFence query your dhcp server for the
> leases.
>
> I believe option 3 would be fastest to implement.
>
> You could try this patch:
>
> diff --git a/lib/pf/dhcp/processor.pm b/lib/pf/dhcp/processor.pm
> index 5b6f6a8..36ee6fe 100644
> --- a/lib/pf/dhcp/processor.pm
> +++ b/lib/pf/dhcp/processor.pm
> @@ -274,7 +274,7 @@ sub parse_dhcp_request {
>
> # We check if we are running without dhcpd
> # This means we don't see ACK so we need to act on requests
> - if((!$self->{running_w_dhcpd} &&
> !isenabled($Config{network}{force_listener_update_on_ack})) &&
> (defined($client_ip) && defined($client_mac))){
> + if((!isenabled($Config{network}{force_listener_update_on_ack})) &&
> (defined($client_ip) && defined($client_mac))){
> $self->handle_new_ip($client_mac, $client_ip, $lease_length);
> }
>
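Review bot: The comment left above the changed `if` ("We check if we are running without dhcpd ... we don't see ACK so we need to act on requests") no longer describes the condition once `!$self->{running_w_dhcpd}` is removed. With this change `handle_new_ip()` is called for every DHCPREQUEST that has a defined `$client_ip` and `$client_mac` unless `force_listener_update_on_ack` is enabled, including on interfaces where dhcpd is running and the ACKs are also seen. Either update the comment to say so, or keep a check and make it per network rather than per interface, so that requests are only acted on for networks the local dhcpd does not serve.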
>
>
> Let us know if it helps.
> We’ll have to think of the best way of handling that particular case in the
> future.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
> PacketFence (www.packetfence.org)
>
>> On Nov 25, 2015, at 18:10 , Christian Hanster <christian-hans...@gmx.de> wrote:
>>
>> Hi Louis,
>>
>> It’s me again and I found the problem finally. It has to do with the
>> rewritten dhcplistener in the new release.
>>
>> The new listener configuration is checking if there is a dhcp server
>> running on the interface. If this is the case then it will not work with
>> dhcp-request packets. In my special case the problem was that I had the
>> dhcp server running on the interface (inlinel2) but not for the inlinel3
>> network. So the listener was not processing the Request packets. It might
>> be a bug but I do not know how to fix it because the pfdhcplistener is
>> running on interface level. For me it worked when I switched off the
>> dhcp-server on the interface. Probably I will let the dhcp be done by
>> another server in this network...
>>
>> The problem is in line 332ff. in file processor.pm (Tag 5.5.0):
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/dhcp/processor.pm
>>
>> Thank you for your help!
>>
>> Kind regards
>> Christian
>>> On 25 Nov 2015, at 22:41, Christian Hanster <christian-hans...@gmx.de> wrote:
>>>
>>> Hi Louis,
>>>
>>> No, there are no lines with DHCPACK or OFFER. This is because there are no
>>> such packets coming (seen in tcpdump). Our setup is the following: remote
>>> client — LAN — router (with dnsmasq and a relay to PF) =VPN-Tunnel=
>>> VPN-Server — LAN — PF-Server
>>>
>>> So PF is not offering any leases to the remote clients but gets information
>>> from the dnsmasq which is configured as a relay. PF is configured as
>>> inlinel3 for the remote clients.
>>>
>>> the networks.conf is therefore:
>>> [192.168.2.0]
>>> dns=192.168.2.254
>>> dhcp_start=192.168.2.10
>>> gateway=192.168.2.250
>>> domain-name=inlinel2.endoo.eu
>>> nat_enabled=enabled
>>> named=enabled
>>> dhcp_max_lease_time=3600
>>> fake_mac_enabled=disabled
>>> dhcpd=enabled
>>> dhcp_end=192.168.2.246
>>> type=inlinel2
>>> netmask=255.255.255.0
>>> dhcp_default_lease_time=3600
>>>
>>> [10.1.13.0]
>>> next_hop=192.168.2.2
>>> domain-name=inlinel3.endoo.eu
>>> name=inlinel3.endoo.eu
>>> nat_enabled=1
>>> named=enabled
>>> dhcpd=disabled
>>> fake_mac_enabled=0
>>> type=inlinel3
>>> netmask=255.255.255.0
>>>
>>> The dhcp.conf:
>>> # dhcpd configuration
>>> # This file is manipulated on PacketFence's startup before being given to dhcpd
>>> authoritative;
>>> ddns-update-style none;
>>> ignore client-updates;
>>> log-facility local6;
>>>
>>> # OMAPI for IP <-> MAC lookup
>>> omapi-port 7911;
>>> key pf_omapi_key {
>>> algorithm HMAC-MD5;
>>> secret "ghkxVADMEeYe8ikHCjkyu7hQ2abIA/SbcH8Ep6a4FGs=";
>>> };
>>> omapi-key pf_omapi_key;
>>>
>>>
>>> failover peer "192.168.2.0/24" {
>>> secondary;
>>> address 192.168.2.250;
>>> port 647;
>>> peer address 192.168.2.251;
>>> peer port 647;
>>> max-response-delay 30;
>>> max-unacked-updates 10;
>>> load balance max seconds 3;
>>> }
>>>
>>>
>>> subnet 192.168.2.0 netmask 255.255.255.0 {
>>> option routers 192.168.2.250;
>>> option subnet-mask 255.255.255.0;
>>> option domain-name "inlinel2.endoo.eu";
>>> option domain-name-servers 192.168.2.254;
>>> pool {
>>> failover peer "192.168.2.0/24";
>>> range 192.168.2.10 192.168.2.246;
>>> default-lease-time 3600;
>>> max-lease-time 3600;
>>> }
>>> }
>>>
>>>
>>> The dhcpd is only relevant for the local network at the server side but not
>>> for the remote clients. There are also no DHCP Server errors on the server.
>>>
>>> The point is, that it worked well with the old PF version.
>>> pfdhcplistener.log (old, when it worked):
>>> Nov 22 15:29:55 pfdhcplistener(11373) INFO: DHCPREQUEST from
>>> 00:25:4b:cd:f4:64 (10.1.13.78) (main::parse_dhcp_request)
>>> Nov 22 15:29:55 pfdhcplistener(11373) WARN: Unable to match MAC address to
>>> IP '10.1.13.78' (pf::iplog::ip2mac)
>>> Nov 22 15:29:55 pfdhcplistener(11373) INFO: 00:25:4b:cd:f4:64 requested an
>>> IP with the following informations: last_dhcp = 2015-11-22
>>> 15:29:55,computername = Christians-MBP,dhcp_fingerprint =
>>> 1,3,6,15,119,95,252,44,46,dhcp_vendor = (main::listen_dhcp)
>>>
>>> It does not seem to be that different…
>>>
>>> Kind regards
>>> Christian Hanster
>>>> On 25 Nov 2015, at 20:35, Louis Munro <lmu...@inverse.ca> wrote:
>>>>
>>>> Hi Christian,
>>>> Is this all that is in the pfdhcplistener log?
>>>> No lines with DHCPACK or DHCPOFFER?
>>>>
>>>> Which dhcp server is offering leases in the VLAN?
>>>> The PF dhcp service, or do you have another server providing that service?
>>>>
>>>> Are there any dhcpd errors in /var/log/messages?
>>>>
>>>> Please post your conf/network.conf and var/conf/dhcpd.conf files.
>>>>
>>>> Regards,
>>>> --
>>>> Louis Munro
>>>> lmu...@inverse.ca :: www.inverse.ca
>>>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu)
>>>> and PacketFence (www.packetfence.org)
>>>>
>>>>> On Nov 25, 2015, at 13:37 , Christian Hanster <christian.hans...@me.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> thanks for the response!
>>>>> So after some more testing I found out that I have to restart the
>>>>> pfdhcplistener manually. Then it is recognising the traffic. I do not
>>>>> know what is then different because the pfdhcplistener is running before too…
>>>>>
>>>>> Now the problem is that PF recognises the new MAC address but did not
>>>>> define an IP address. Output of pfdhcplistener:
>>>>> Nov 25 18:24:45 pfqueue(51123) INFO: [mac:[undef]] DHCPREQUEST from
>>>>> d4:33:a3:ed:f2:a5 (10.1.13.239) with lease of 7776000 seconds
>>>>> (pf::dhcp::processor::parse_dhcp_request)
>>>>> Nov 25 18:24:47 pfqueue(51123) INFO: [mac:d4:33:a3:ed:f2:a5]
>>>>> d4:33:a3:ed:f2:a5 requested an IP with the following informations:
>>>>> last_dhcp = 2015-11-25 18:24:45,computername =
>>>>> Christians-MBP,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor =
>>>>> (pf::dhcp::processor::process_packet)
>>>>>
>>>>> So now I see node entries, but the captive portal says that the node
>>>>> cannot be found in the database, because PF does not store a value for
>>>>> the IP address in the DB when it detects it.
>>>>>> On 25 Nov 2015, at 18:09, Louis Munro <lmu...@inverse.ca> wrote:
>>>>>>
>>>>>>
>>>>>> An active/active or active/passive cluster?
>>>>>> Inline is not supported in active/active. Not everything can be
>>>>>> replicated.
>>>>> I run it as an active/active cluster. I followed the installation guide
>>>>> from the PacketFence website, but have a replicated DB server on another
>>>>> host. I did not know that inline is not supported. It was not stated
>>>>> anywhere in the guide… Is there an easy way to change it to
>>>>> active/passive?
>>>>>>
>>>>>> Are all PacketFence services running?
>>>>>> Especially pfqueue, redis_queue and obviously the pfdhcplistener?
>>>>> Services are all running but it is only listening for dhcp when I restart
>>>>> pfdhcplistener via “pfcmd service pfdhcplistener restart” manually.
>>>>>> Are dhcp requests being received on the interface?
>>>>>> What does this report?
>>>>>>
>>>>>> # tcpdump -tnl -i eth0 port bootpc or port bootps
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>> IP 10.1.13.1.67 > 192.168.2.254.67: BOOTP/DHCP, Request from
>>>>> d4:33:a3:ed:f2:a5, length 300
>>>>>
>>>>> I hope you can help me with it because I’m really clueless at the moment…
>>>>>
>>>>> Kind regards
>>>>> Christian Hanster
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> --
>>>>>> Louis Munro
>>>>>> lmu...@inverse.ca :: www.inverse.ca
>>>>>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>>>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu)
>>>>>> and PacketFence (www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
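
The thread above turns on the listener deciding per interface, not per network, whether to learn client IPs from DHCPACK or from DHCPREQUEST. The following is an added example, not PacketFence code and not from either poster: it reads the two network sections quoted in the thread and applies a hypothetical per-network rule. The function names `load_networks` and `should_learn_ip` are assumptions made for the illustration.

```python
import configparser
import ipaddress

# Constructed sample: the two sections of the networks.conf quoted in the
# thread, reduced to the keys this example reads.
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
type=inlinel2
dhcpd=enabled

[10.1.13.0]
netmask=255.255.255.0
type=inlinel3
dhcpd=disabled
next_hop=192.168.2.2
"""


def load_networks(text):
    """Return [(ip_network, dhcpd_enabled), ...] parsed from networks.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    nets = []
    for section in cp.sections():
        net = ipaddress.ip_network(f"{section}/{cp[section]['netmask']}")
        enabled = cp[section].get("dhcpd", "disabled") == "enabled"
        nets.append((net, enabled))
    return nets


def should_learn_ip(msg_type, client_ip, networks):
    """Hypothetical per-network rule (an assumption, not the project's logic):
    learn the IP/MAC pair from the ACK where the local dhcpd serves the
    network, and from the REQUEST where it does not, since no ACK is seen."""
    addr = ipaddress.ip_address(client_ip)
    for net, dhcpd_enabled in networks:
        if addr in net:
            wanted = "DHCPACK" if dhcpd_enabled else "DHCPREQUEST"
            return msg_type == wanted
    return False  # address outside every configured network: ignore it


if __name__ == "__main__":
    nets = load_networks(NETWORKS_CONF)
    # Constructed events using client addresses that appear in the thread's logs.
    for msg, ip in [("DHCPREQUEST", "10.1.13.239"), ("DHCPREQUEST", "192.168.2.50"),
                    ("DHCPACK", "192.168.2.50")]:
        print(msg, ip, should_learn_ip(msg, ip, nets))
```
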