I am still investigating; packet marking works correctly, but traffic still exits via
eth0:
root@packetfence:~# iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 99212 packets, 24M bytes)
pkts bytes target prot opt in out source destination
8142 461K MARK all -- * * 192.168.15.0/24 0.0.0.0/0 MARK set 0x1
Chain INPUT (policy ACCEPT 90924 packets, 23M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 7562 packets, 412K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 89915 packets, 23M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 97477 packets, 23M bytes)
pkts bytes target prot opt in out source destination
Chain postrouting-int-inline-if (0 references)
pkts bytes target prot opt in out source destination
Chain prerouting-int-inline-if (0 references)
pkts bytes target prot opt in out source destination
root@packetfence:~#
Regards.
Pierrick Prost
CNRS DR07
From: PROST pierrick
Sent: Wednesday 8 June 2016 12:17
To: [email protected]
Subject: [PacketFence-users] Forwarding Inline wifi traffic to a dedicated interface
Hi everyone,
We are trying to forward traffic from the guest wifi to a dedicated interface (not the
default management interface). It's a bit tricky :)
We have:
Eth0 : management interface
Eth1 : a dedicated interface for wifi traffic
Eth2.15 : guest wifi (inline interface on pf)
Eth2.16 : internal wifi (inline interface on pf)
So far we have done the following on our PacketFence server:
· Enabled forwarding in the kernel via sysctl => net.ipv4.ip_forward=1
· Created a routing rule => ip rule add from all fwmark 1 table wifi
Our /etc/iproute2/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 wifi
· Added a default route on table wifi => ip route add default dev eth0 table known
root@packetfence:~# ip route show table 1
default dev eth1 scope link
· Used the mangle table to mark all packets from the eth2.15 interface =>
iptables -t mangle -A PREROUTING -s 192.168.15.0/24 -j MARK --set-mark 1
root@packetfence:~# iptables -L --table mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 192.168.15.0/24 anywhere MARK set 0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain postrouting-int-inline-if (0 references)
target prot opt source destination
Chain prerouting-int-inline-if (0 references)
target prot opt source destination
· Our default routing table looks like this:
root@packetfence:~# route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
default 192.168.120.1 0.0.0.0 UG 0 0 0 eth0
192.168.15.0 * 255.255.255.0 U 0 0 0 eth2.15
192.168.16.0 * 255.255.255.0 U 0 0 0 eth2.16
192.168.17.0 * 255.255.255.0 U 0 0 0 eth1
192.168.120.0 * 255.255.255.0 U 0 0 0 eth0
It should work, no? Actually it does not ...
Regards.
Pierrick Prost
CNRS DR07
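The checker below is an added example, not code from the thread or from PacketFence. It parses the text that /etc/iproute2/rt_tables, `ip rule show` and `ip route show table <n>` produce and reports the usual reasons marked traffic still follows the main table: no rule for the mark, a rule ordered after main, an undefined table name, or a default route on the wrong device. The sample inputs are constructed from the values in the post; the `ip rule show` lines are assumed, since the post does not show them.

```python
import re

MAIN_PRIO = 32766  # priority of the kernel's built-in "from all lookup main" rule

def parse_rt_tables(text):
    """Map table names to numbers from rt_tables, ignoring '#' comments."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            num, name = line.split()
            tables[name] = int(num)
    return tables

def parse_rules(text):
    """Return (priority, fwmark or None, table) from `ip rule show` output."""
    pat = re.compile(r"^(\d+):\s+from \S+(?: fwmark (0x[0-9a-f]+|\d+))?.*\blookup (\S+)")
    rules = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            mark = int(m.group(2), 0) if m.group(2) else None
            rules.append((int(m.group(1)), mark, m.group(3)))
    return rules

def check_policy_routing(rt_tables, rule_out, table_out, mark, want_dev):
    """List the problems that would keep fwmark'd packets off the dedicated table."""
    problems = []
    tables = parse_rt_tables(rt_tables)
    matching = [(p, t) for p, m, t in parse_rules(rule_out) if m == mark]
    if not matching:
        problems.append(f"no ip rule matches fwmark {mark}")
    for prio, table in matching:
        if prio >= MAIN_PRIO:
            problems.append(f"rule {prio} runs after main; the main table wins")
        if not table.isdigit() and table not in tables:
            problems.append(f"table '{table}' is not defined in rt_tables")
    m = re.search(r"^default(?: via \S+)? dev (\S+)", table_out, re.M)
    if not m:
        problems.append("no default route in the mark table")
    elif m.group(1) != want_dev:
        problems.append(f"default route leaves via {m.group(1)}, not {want_dev}")
    elif "via" not in m.group(0):  # on-link default: kernel ARPs for every destination
        problems.append(f"default route on {want_dev} has no gateway")
    return problems

# Constructed sample inputs, taken from the values shown in the post (rules assumed).
RT_TABLES = "255 local\n254 main\n253 default\n0 unspec\n#1 inr.ruhep\n1 wifi\n"
RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup wifi\n32766:\tfrom all lookup main\n"
TABLE_WIFI = "default dev eth1 scope link\n"

if __name__ == "__main__":
    for p in check_policy_routing(RT_TABLES, RULES, TABLE_WIFI, 1, "eth1") or ["no problems found"]:
        print(p)
```

On the live box the equivalent of this check is `ip route get <dst> mark 1`, which prints the table and device the kernel actually picks for a marked packet.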
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users