Eugene,

I think a good old fashioned network diagram could be of help here.  I am
not sure which Linux flavour you're running, but I can see one problem that
might be confusing your forwarding/arp/iptables.

You have two IP addresses on the same subnet configured both on the raw
device (eth0) and a tagged trunk interface (eth0.1).  I don't think your
intent was to have packets on one of these interfaces coming and going on
the raw interface without tags (eth0) and the other being tagged (eth0.1),
especially if the interfaces are on the same subnet.  It just so happens
the default PVID on eth0 would be 1, making this sort of setup a bit more
confusing and maybe possibly sorta work strangely.

An alias for eth0 would be eth0:1 (note the ":" instead of ".").  This is
what you would use to put multiple IPs on the same subnet, i.e. eth0:1,
eth0:2 and eth0:3 are all on the same VLAN, the native VLAN for eth0.

eth0.1 is a trunked interface for VLAN 1 on eth0.   If you had an 802.1Q
trunk connected to your eth0 with tagged VLANs 10, 11 and 12 they could have
interfaces on eth0.10, eth0.11 and eth0.12 respectively.  And if you wanted
multiple IPs on each subnet, you could still have aliases, like
eth0.10:1 and eth0.10:2 on the VLAN 10 subnet for example.

I only have experience with out-of-band setups with separate subnets for
management, registration and isolation.   My mind's eye doesn't quite
understand your goals for the configuration of two interfaces on the same
subnet with an out-of-band wifi authenticating via captive portal.
Describing the packet flow/subnets for your client before authorization
and afterwards might help with some of the next steps once you nail down
the network topology.

cheers,
Ian
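As an added illustration of the naming Ian describes (not code from the thread or from PacketFence): a small POSIX shell helper that classifies an interface name as raw device, alias on the raw device, 802.1Q sub-interface, or alias on a sub-interface, and prints the iproute2 commands that would create it. The addresses are illustrative; with iproute2 the old ifconfig-style alias names are reproduced via the `label` option.

```shell
#!/bin/sh
# Classify a Linux interface name the way the message above describes:
#   eth0       raw device, frames leave untagged (native VLAN)
#   eth0:1     IP alias on the raw device, still untagged
#   eth0.10    802.1Q sub-interface carrying tag 10
#   eth0.10:2  IP alias on the tagged sub-interface
# Prints: "<kind> parent=<dev> vlan=<id|none> alias=<n|none>"
iface_kind() {
    name=$1
    case $name in
        *:*) alias=${name##*:}; base=${name%%:*} ;;
        *)   alias=none; base=$name ;;
    esac
    case $base in
        *.*) vlan=${base##*.}; parent=${base%%.*} ;;
        *)   vlan=none; parent=$base ;;
    esac
    if [ "$vlan" = none ] && [ "$alias" = none ]; then kind=raw
    elif [ "$vlan" = none ]; then kind=alias
    elif [ "$alias" = none ]; then kind=vlan
    else kind=vlan-alias
    fi
    printf '%s parent=%s vlan=%s alias=%s\n' "$kind" "$parent" "$vlan" "$alias"
}

# Emit (not execute) the iproute2 commands that would create NAME with ADDR.
# The address is an illustrative value supplied by the caller.
iface_cmds() {
    name=$1 addr=$2
    set -- $(iface_kind "$name")
    kind=$1; parent=${2#parent=}; vlan=${3#vlan=}
    case $kind in
        raw)   echo "ip addr add $addr dev $parent" ;;
        alias) echo "ip addr add $addr dev $parent label $name" ;;
        vlan)  echo "ip link add link $parent name $name type vlan id $vlan"
               echo "ip addr add $addr dev $name" ;;
        vlan-alias)
               sub=${name%%:*}
               echo "ip link add link $parent name $sub type vlan id $vlan"
               echo "ip addr add $addr dev $sub label $name" ;;
    esac
}
```

Running `iface_kind eth0.1` and `iface_kind eth0:1` side by side shows why the two names are not interchangeable: only the first one creates a tagged sub-interface.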

On Mon, Feb 19, 2018 at 3:29 AM, E.P. via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> And my further attempts to put two and two together and look back in time
> into this mailing list showed that Fabrice already answered this question
> before 😉
>
> Yes, I’d create an alias, e.g. eth0.1
>
> So, under Configuration-Networks-Interfaces I click  “ADD VLAN”  and then
> add VLAN 1, add a new IP address to belong to the same subnet and then
> select type “portal”
>
> New interface eth0.1 gets created with IP address 172.16.0.223, I can
> reach it via IP and my interfaces and networks look like this:
>
>
>
>
>
> What else am I doing to enable captive portal? I thought that it is
> enabled by default and I see httpd.portal is UP and running but I don’t see
> any ports open on 172.16.0.223
>
> And iptables allow all HTTP and HTTPS for input-portal-if chain
>
>
>
> Eugene
>
>
>
>
>
> *From:* E.P. [mailto:ype...@gmail.com]
> *Sent:* Sunday, February 18, 2018 11:14 PM
> *To:* 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.
> sourceforge.net>
> *Cc:* 'Durand fabrice' <fdur...@inverse.ca>
> *Subject:* RE: [PacketFence-users] Access to PF captive portal is blocked
>
>
>
> I think it is slowly coming to me, Fabrice.
>
> My PF is pure for RADIUS enforcement and PF has only one IP address of
> management type.
>
> Now if I want WebAuth enforcement I would need to create one more
> interface of portal type
>
> The question is can I create this portal type interface in the same subnet
> as the management interface ?
>
> I would want to have them both in the same VLAN
>
>
>
> Eugene
>
>
>
> *From:* E.P. [mailto:ype...@gmail.com <ype...@gmail.com>]
> *Sent:* Sunday, February 18, 2018 7:20 PM
> *To:* 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.
> sourceforge.net>
> *Cc:* 'Durand fabrice' <fdur...@inverse.ca>
> *Subject:* RE: [PacketFence-users] Access to PF captive portal is blocked
>
>
>
> Here it is, Fabrice
>
> 10.0.254.3 is the WiFi client and 172.16.0.222 is PF.
>
> Tcpdump.pcap is attached and it is made right on PF
>
> The second capture is made on the laptop connected to guest WiFi.
>
> It contains pings to PF but all TCP SYN requests are answered with RST.
>
>
>
> Eugene
>
>
>
> *From:* Durand fabrice via PacketFence-users [mailto:packetfence-users@
> lists.sourceforge.net <packetfence-users@lists.sourceforge.net>]
> *Sent:* Sunday, February 18, 2018 10:51 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Durand fabrice <fdur...@inverse.ca>
> *Subject:* Re: [PacketFence-users] Access to PF captive portal is blocked
>
>
>
> Hello Eugene,
>
> do you have the capture ?
>
> Regards
> Fabrice
>
> On 2018-02-15 at 23:12, E.P. via PacketFence-users wrote:
>
> Hi Fabrice,
>
> I dare sending it again believing my previous email fell through the cracks.
>
> Can you please advise what could be wrong (see below)
>
>
>
> Eugene
>
>
>
>
>
> *From:* E.P. [mailto:ype...@gmail.com <ype...@gmail.com>]
> *Sent:* Wednesday, February 14, 2018 1:08 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Access to PF captive portal is blocked
>
>
>
> Hello folks,
>
> I really hope someone who ran into a similar problem will shed some light.
>
> Feeling bad we don’t hear anything from Fabrice or someone from inverse.
>
> I have an out-of-band deployment of PF and my WiFi client gets connected
> and redirected to PF
>
> I see redirects by capturing the traffic on PF by tcpdump.
>
> But… I see that PF sends TCP resets even for TCP SYN packet coming from
> the client.
>
> It seems to me it is just iptables firewall that blocks it.
>
> Why ? Where am I supposed to enter those IP addresses that are allowed to
> go through captive portal registration?
>
> I do allow PF IP address in the pre-authorization access list and my ping
> to FQDN of PF succeeds normally.
>
> It is only HTTP(S) that doesn’t go through.
>
> Even a manually entered URL in the client browser doesn’t open up any page,
> i.e. https://pf.blabla.com/captive-portal or https://172.16.0.222/captive-portal
>
>
>
> Eugene
>
>
>
> ------------------------------------------------------------------------------
>
> Check out the vibrant tech community on one of the world's most
>
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
>
> PacketFence-users mailing list
>
> PacketFence-users@lists.sourceforge.net
>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
>
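A diagnostic for the symptom Eugene describes (SYN to the portal address answered with RST), added here as an illustration and not code from the thread or from PacketFence: it separates the kernel RST sent when nothing is bound on that address from an iptables `REJECT --reject-with tcp-reset`, using the output of `ss -ltn` and `iptables -S input-portal-if`. The command outputs below are constructed samples; the chain name is the one Eugene mentions.

```shell
#!/bin/sh
# Why does a SYN to the portal address come back as RST? Two causes look the
# same in a capture: nothing listening on that address (kernel RST) or an
# iptables REJECT --reject-with tcp-reset. Check both from command output.
# Constructed sample of "ss -ltn": portal only bound on .222, not on .223.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    172.16.0.222:443   0.0.0.0:*
LISTEN 0      128    172.16.0.222:80    0.0.0.0:*'
# Constructed sample of "iptables -S input-portal-if", ACCEPT before reject.
IPT_SAMPLE='-N input-portal-if
-A input-portal-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-portal-if -j REJECT --reject-with tcp-reset'
# Same chain with the reject ordered first (constructed broken variant).
IPT_BROKEN='-A input-portal-if -j REJECT --reject-with tcp-reset
-A input-portal-if -p tcp -m tcp --dport 443 -j ACCEPT'

# has_listener SS_OUT IP PORT: succeeds if a socket listens on IP:PORT or on
# the IPv4 wildcard for PORT (IPv6 forms are not handled here).
has_listener() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        $1 == "LISTEN" { n = split($4, a, ":"); p = a[n]; addr = a[1]
            if (p == port && (addr == ip || addr == "0.0.0.0" || addr == "*")) found = 1 }
        END { exit found ? 0 : 1 }'
}

# reset_rule IPT_OUT PORT: succeeds if a tcp-reset REJECT matches PORT before
# any ACCEPT for PORT; iptables evaluates a chain top down, first match wins.
reset_rule() {
    printf '%s\n' "$1" | awk -v port="$2" '
        done { next }
        /^-A/ { dp = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") dp = $(i + 1)
            if ($0 ~ /-j ACCEPT/ && dp == port) { done = 1 }
            else if ($0 ~ /tcp-reset/ && (dp == "" || dp == port)) { done = 1; hit = 1 } }
        END { exit hit ? 0 : 1 }'
}

# diagnose IP PORT SS_OUT IPT_OUT: prints one short verdict.
diagnose() {
    if ! has_listener "$3" "$1" "$2"; then
        echo "no-listener"      # kernel RST: nothing bound on that IP:port
    elif reset_rule "$4" "$2"; then
        echo "firewall-reset"   # chain answers with tcp-reset before ACCEPT
    else
        echo "listener-ok"      # socket and ACCEPT present: look elsewhere
    fi
}
```

With the samples, `diagnose 172.16.0.223 443 "$SS_SAMPLE" "$IPT_SAMPLE"` reports no-listener, which matches "I don't see any ports open on 172.16.0.223" and points at the interface setup rather than the firewall.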