Hello,

Thank you for your answer.

Sorry for the mistakes about the IP addresses. I have made some changes
since the first mail.

Here is the network topology:

INLINE NETWORK:
    - gw1              eth0   192.168.30.253
    - saturn          eth0   192.168.30.11
    - packetfence  eth1   192.168.30.67
MANAGEMENT NETWORK:
    - packetfence  eth0  192.168.10.67
    - mercure        eth0  192.168.10.15

Here is the ipset output:

user@debian:~$ sudo ipset -L
Name: portal_deny
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 16504
References: 2
Members:

Name: PF-iL2_ID1_192.168.30.0
Type: bitmap:ip
Header: range 192.168.30.0-192.168.30.255
Size in memory: 152
References: 2
Members:

Name: PF-iL2_ID2_192.168.30.0
Type: bitmap:ip
Header: range 192.168.30.0-192.168.30.255
Size in memory: 152
References: 2
Members:
192.168.30.11

Name: PF-iL2_ID3_192.168.30.0
Type: bitmap:ip
Header: range 192.168.30.0-192.168.30.255
Size in memory: 152
References: 2
Members:
192.168.30.11

Name: pfsession_Unreg_192.168.30.0
Type: bitmap:ip,mac
Header: range 192.168.30.0-192.168.30.255
Size in memory: 4208
References: 1
Members:

Name: pfsession_Reg_192.168.30.0
Type: bitmap:ip,mac
Header: range 192.168.30.0-192.168.30.255
Size in memory: 4208
References: 1
Members:
192.168.30.11,B4:99:BA:57:43:76

Name: pfsession_Isol_192.168.30.0
Type: bitmap:ip,mac
Header: range 192.168.30.0-192.168.30.255
Size in memory: 4208
References: 1
Members:

On saturn the default gateway is packetfence (192.168.30.67).
Should packetfence change the default gateway on saturn?

2015-12-21 16:58 GMT+01:00 Fabrice DURAND <[email protected]>:

> Hello,
>
> first check ipset -L if you see your device in the reg set.
>
> Also in your capture the ip address is 192.168.30.11 not 192.168.10.11
> and "The default gateway on the registered device is packetfence
> (192.168.30.67)." 192.168.30.67 ?!
>
> Regards
> Fabrice
>
> Le 2015-12-21 10:42, Mathieu Fourcroy a écrit :
> > Hello,
> >
> > Thank you for your answer. pfdns is running. In fact, I have solved the
> > issue by modifying the hostname (packetfence) in the captive portal
> > settings, it was not matching username (user) running packetfence on
> > the machine. So now I can see the registration page but the
> > demouser/demouser username/password is not working. I manually
> > register the computer in the packetfence web UI but when I try to
> > access a website (let's say www.packetfence.com) then nothing happens.
> >
> > If I tcpdump on the inline interface of the packetfence machine while
> > trying to access a website on the registered computer (192.168.10.11):
> >
> > 15:05:49.864959 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1580628 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:50.114961 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1580690 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:50.863602 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1580878 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:51.111583 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1580940 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:52.867584 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1581379 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:53.115568 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1581441 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:56.871534 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1582380 ecr
> > 0,nop,wscale 7], length 0
> > 15:05:57.127536 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1582444 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:00.663503 IP 192.168.30.11.57658 > 91.109.29.120.443: Flags [S],
> > seq 392423075, win 29200, options [mss 1460,sackOK,TS val 1583328 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:04.887596 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1584384 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:05.143599 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1584448 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:05.671642 ARP, Request who-has 192.168.30.67 tell 192.168.30.11,
> > length 46
> > 15:06:05.671655 ARP, Reply 192.168.30.67 is-at 80:3f:5d:09:64:9b,
> > length 28
> > 15:06:20.919680 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1588392 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:21.175617 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1588456 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:53.015537 IP 192.168.30.11.47679 > 104.25.160.20.80: Flags [S],
> > seq 3801662405, win 29200, options [mss 1460,sackOK,TS val 1596416 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:53.271520 IP 192.168.30.11.47680 > 104.25.160.20.80: Flags [S],
> > seq 855267102, win 29200, options [mss 1460,sackOK,TS val 1596480 ecr
> > 0,nop,wscale 7], length 0
> > 15:06:58.023654 ARP, Request who-has 192.168.30.67 tell 192.168.30.11,
> > length 46
> > 15:06:58.023673 ARP, Reply 192.168.30.67 is-at 80:3f:5d:09:64:9b,
> > length 28
> > 15:07:05.505654 IP 192.168.30.11.49385 > 195.154.74.39.23232: Flags
> > [S], seq 777144145, win 29200, options [mss 1460,sackOK,TS val 1599538
> > ecr 0,nop,wscale 7], length 0
> > 15:07:06.503611 IP 192.168.30.11.49385 > 195.154.74.39.23232: Flags
> > [S], seq 777144145, win 29200, options [mss 1460,sackOK,TS val 1599788
> > ecr 0,nop,wscale 7], length 0
> > 15:07:08.507574 IP 192.168.30.11.49385 > 195.154.74.39.23232: Flags
> > [S], seq 777144145, win 29200, options [mss 1460,sackOK,TS val 1600289
> > ecr 0,nop,wscale 7], length 0
> > [...]
> >
> > The default gateway on the registered device is packetfence
> > (192.168.30.67).
> > The resolv.conf looks like:
> >
> > domain inline2.mydomain.com
> > search inline2.mydomain.com
> > nameserver 192.168.30.253              <= my router
> >
> > Where am I wrong?
> >
> > 2015-12-21 14:55 GMT+01:00 Fabrice DURAND <[email protected]>:
> >
> >     Hello Mathieu,
> >
> >     can you check if pfdns is running? If not, then restart it (pfcmd
> >     service pfdns restart)
> >
> >
> >     Regards
> >     Fabrice
> >
> >     Le 2015-12-21 04:26, Mathieu Fourcroy a écrit :
> >     > Hello,
> >     >
> >     > I'm new to packetfence software and to NAC software. Packetfence
> >     > looks like a very great open source NAC and I am trying to set it up
> >     > using inline enforcement mode.
> >     >
> >     > I set up the two networks:
> >     > - management: 192.168.30.0/24
> >     > - inline: 192.168.10.0/24
> >     >
> >     > I have a machine on the management network so I have stepped through the
> >     > configurator and then I connect another machine in the inline network.
> >     > The computer successfully gets an IP address from the Packetfence's
> >     > DHCP: 192.168.10.10.
> >     > I can ping the Packetfence machine (192.168.10.67) but when I try to
> >     > access an HTTP website I am not redirected to the captive portal.
> >     > If I try to browse to 192.168.10.67 I am redirected to
> >     > https://packetfence.pf.com/captive-portal?destination_url=http://192.168.10.67/&;
> >     > but the address is unreachable.
> >     >
> >     > On the Packetfence machine, the captive portal settings are:
> >     > IP: 192.168.10.67
> >     > IMG path: /common/network-access-detection.gif
> >     >
> >     > The rest is left as default.
> >     >
> >     > Thank you in advance for your help.
> >     >
> >     >
> >     >
> >     > ------------------------------------------------------------------------------
> >     >
> >     >
> >     > _______________________________________________
> >     > PacketFence-users mailing list
> >     > [email protected]
> >     > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
> >
> >     --
> >     Fabrice Durand
> >     [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> >     Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> >     PacketFence (http://packetfence.org)
> >
>
>
> --
> Fabrice Durand
> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
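
The check suggested in this thread (look for the device in the reg set of `ipset -L`), written as a script. This is an added example, not part of the original messages and not PacketFence code; the helper names `sets_for_ip` and `session_state` and the trimmed sample listing are assumptions made for illustration. It compares the address exactly, so 192.168.30.1 does not match the entry for 192.168.30.11.

```sh
# Constructed sample: the `ipset -L` listing from this thread, trimmed to four sets.
sample_ipset_output() {
cat <<'EOF'
Name: portal_deny
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Members:

Name: PF-iL2_ID2_192.168.30.0
Type: bitmap:ip
Header: range 192.168.30.0-192.168.30.255
Members:
192.168.30.11

Name: pfsession_Unreg_192.168.30.0
Type: bitmap:ip,mac
Header: range 192.168.30.0-192.168.30.255
Members:

Name: pfsession_Reg_192.168.30.0
Type: bitmap:ip,mac
Header: range 192.168.30.0-192.168.30.255
Members:
192.168.30.11,B4:99:BA:57:43:76
EOF
}

# sets_for_ip IP (hypothetical helper): read `ipset -L` output on stdin and
# print "<set name> <member entry>" for every set that holds exactly IP.
sets_for_ip() {
    awk -v ip="$1" '
        /^Name: /   { name = $2; in_members = 0; next }
        /^Members:/ { in_members = 1; next }
        NF == 0     { in_members = 0; next }
        in_members  {
            split($1, f, ",")   # entry is "ip" or "ip,mac"
            if (f[1] == ip) print name, $1
        }'
}

# session_state IP (hypothetical helper): print Reg, Unreg or Isol depending on
# which pfsession_* set holds IP, or "none" if no session set does.
session_state() {
    state=$(sets_for_ip "$1" |
        awk '$1 ~ /^pfsession_/ { split($1, p, "_"); print p[2] }')
    echo "${state:-none}"
}

sample_ipset_output | sets_for_ip 192.168.30.11
```

On a live system the same functions take the real listing, for example `sudo ipset -L | session_state 192.168.30.11`.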
