Hello Ian,

if you can do a pull request on github with this change then it will be
integrated into PacketFence for the next release.

And also thanks for the support :-)


Regards

Fabrice



On 2018-03-07 at 17:08, Ian MacDonald via PacketFence-users wrote:
> Below is a quick addendum to the current Hostapd Quick Install Guide.  
>
> Hopefully it will help new users looking to leverage the flexibility
> of OpenWRT (aka LEDE) with the powerful captive portal functionality
> of Packetfence.  
>
> There is a great guide from Inverse, and this email just adds a few
> missing bits that will help keep hostapd related posts out of the
> list.  Instead invest that savings in some professional services from
> Inverse.  
>
> The Guide
> https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html
>
> Hostapd 15.05 is dead and old.  At this time, 17.01.4 is current.  
>
> With hostapd, you have to pick a band (i.e 5G or 2.4G) as CoA only
> works with one radio.  
>
> Below are some additions to the guide that should be helpful based on
> a configuration with a packetfence server with an IP of 192.168.10.10
> on the management VLAN70, registration VLAN71, isolation VLAN72 and an
> out-of-band user/normal VLAN76 (PF server does nothing on VLAN76 and
> does not see it).  The hostapd AP running LEDE/OpenWRT 17.01.4 has an
> IP of 192.168.10.19 on the management VLAN70.
>
> Step 4.1:  Have your Internet connected to the WAN port of a default
> OpenWRT configuration for staging and connect to one of the LAN ports
> on 192.168.1.1.  If your network is 192.168.1.X, you might consider
> making a change to your local LAN to make this type of access easier.  
>
> The actual steps to update the packages:
>
> #opkg update
> #opkg remove wpad-mini hostapd
> #opkg install hostapd-common wpad
>
> We typically dump a bunch of useful tools and stuff too; none of this
> is required
> # opkg install ipset screen iftop tcpdump curl mtr wget diffutils
> iperf3 iwinfo snmpd  kmod-gpio-button-hotplug 
>
> We like to bring all the packages up to the latest version as well
> (also not required)
> #opkg update
> #opkg list-upgradable | awk -F ' - ' '{print $1}' | xargs opkg upgrade
>
> Step 4.2:   
> Most people choose to run on 5G for increased bandwidth and control of
> range.  Usually this is wlan0, but on some hardware (i.e. WD N600) it
> will be wlan1.  You can use iwinfo to see which device is your 5G radio.
>
> Step 4.3: Attached script is a modified version of the 17.04.1 hostapd.sh
>
> Step 4.4: The example is not for the scenario where you just have an
> open SSID where you are providing access via WISPr/Captive Portal. It
> also has some issues; it is missing "wifi-iface" on the  PF-Open SSID,
> uses the 2.4G radio (which is often not wlan0), and has vlan_naming
> set to '0', where we find '1' is the preferred option.
>
> Below is an updated example with a single open SSID 'Public WiFi'. 
>
> Some notes on where yours might differ for the radio (wifi-device):
> 1) the 5G radio 'path' is specific to the device (in this case a
> TP-Link C2600)
> 2) The country 'CA' is Canada (that's where we are)
> 3) The channel is '149' ; Higher channels deliver more power on some
> devices. DFS channels like '100', when supported are typically very
> clear.  Checkout 'iw list' output for power and channel support.
>
> Some notes on where yours might differ for the interface (wifi-iface):
> 1) The 192.168.10.10 address should be your PF server on the
> management subnet. We like to leave the default 192.168.1.1 on the lan
> interface for local configuration and access, and so it is not used
> for any PF vlans (management/registration/isolation/normal). 
> 2) The vlan_tagged_interface 'eth0' should be the interface where your
> tagged/trunked vlans are connected for registration/isolation/normal
> that clients will be connecting to. Typically this is connected to the
> "Internet" port.  In some rare cases this eth1 is the "Internet" port,
> depending on the hardware. You need to know your hardware.
> 3) option network 'lan' should be removed, it is the default where
> wifi interfaces normally are bridged to the lan
> 4) vlan_naming '1' seems to produce less bridge naming warnings in our
> experience, though both '1' and '0' work. 
> 5) Note that radio1 (2.4G) is set with option disabled '1' - we are
> not using it
>
> config wifi-device 'radio0'
> option type 'mac80211'
> option hwmode '11a'
> option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
> option htmode 'VHT80'
> option disabled '0'
> option country 'CA'
> option channel '149'
>
> config wifi-iface 'default_radio0'
> option device 'radio0'
> option mode 'ap'
> option encryption 'none'
> option vlan_file '/etc/config/hostapd.vlan'
> option vlan_bridge 'br-vlan'
> option vlan_naming '1'
> option dynamic_vlan '2'
> option auth_port '1812'
> option auth_server '192.168.10.10'
> option auth_secret 's3cr3t'
> option acct_port '1813'
> option acct_server '192.168.10.10'
> option acct_secret 's3cr3t'
> option dae_port '3799'
> option dae_client '192.168.10.10'
> option dae_secret 's3cr3t'
> option nasid 'Lobby AP'
> option ssid 'Public WiFi'
> option vlan_tagged_interface 'eth0'
>
> config wifi-device 'radio1'
> option type 'mac80211'
> option channel '11'
> option hwmode '11g'
> option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
> option htmode 'HT20'
> option disabled '1'
>
> config wifi-iface 'default_radio1'
> option device 'radio1'
> option network 'lan'
> option mode 'ap'
> option ssid 'LEDE'
> option encryption 'none'
>
> 4.4b) Network and VLANs
> As always, the network configuration is up to you.  If you had your
> management VLAN on 70, registration on 71, isolation on 72 and
> user/normal on 76, on a TP-Link C2600 your network config would look
> something like this: 
>
> Some notes on where yours might differ: 
> 1) Your ula_prefix will be different (and should be on every device).
> If you are copying between devices, be sure to change this. 
> 2) We leave the lan alone, making it easy to connect directly via
> 192.168.1.1.  We disable NAT/MASQ though in the firewall (not here) so
> users can't jack in directly and bypass the wifi for Internet access.
> 3) VLANs must be named vlanXX to work with the vlan switching as set
> with vlan_ options in wireless - your VLANs will probably be different
> 4) Your DNS and Management Network IPs will likely be different
> 5) The ports in the switch_vlan config are hardware specific. You need
> to know your hardware and understand VLAN tagging and trunking.
>
> config interface 'loopback'
> option ifname 'lo'
> option proto 'static'
> option ipaddr '127.0.0.1'
> option netmask '255.0.0.0'
>
> config globals 'globals'
> option ula_prefix 'fdc4:80c6:e78f::/48'
>
> config interface 'lan'
> option type 'bridge'
> option ifname 'eth1'
> option proto 'static'
> option ipaddr '192.168.1.1'
> option netmask '255.255.255.0'
>
> config interface 'wan'
> option ifname 'eth0.70'
> option proto 'static'
> option ipaddr '192.168.10.19'
> option netmask '255.255.255.0'
> option gateway '192.168.10.1'
> list dns '8.8.8.8'
> list dns '8.8.4.4'
>
> config switch
> option name 'switch0'
> option reset '1'
> option enable_vlan '1'
>
> config switch_vlan
> option device 'switch0'
> option vlan '1'
> option ports '1 2 3 4 6'
>
> config interface 'vlan71'
> option type 'bridge'
> option ifname 'eth0.71'
>
> config interface 'vlan72'
> option type 'bridge'
> option ifname 'eth0.72'
>
> config interface 'vlan76'
> option type 'bridge'
> option ifname 'eth0.76'
>
> config switch_vlan 'pf_mgmt'
> option device 'switch0'
> option vlan '70'
> option ports '0t 5t'
>
> config switch_vlan 'pf_reg'
> option device 'switch0'
> option vlan '71'
> option ports '0t 5t'
>
> config switch_vlan 'pf_iso'
> option device 'switch0'
> option vlan '72'
> option ports '0t 5t'
>
> config switch_vlan 'pf_user'
> option device 'switch0'
> option vlan '76'
> option ports '0t 5t'
>
> 4.4c) Firewall Configuration.  If you don't let your device accept
> packets from the PF management server, you are going to have
> problems.  You may also set option masq '0' in your wan zone to
> disable Internet via the lan ports, restricting them for management as
> described earlier.
>
> The firewall rules are
>
> PF1/PF2 - Radius inbound from PF server
> PF3 - CoA inbound from PF server
> PF4/PF5/PF6 - ICMP/SSH/Web access from the Management subnet  ; you
> may also add SNMP for monitoring.
>
>
>
> config rule
> option name 'PF1'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '1813'
> option target 'ACCEPT'
>
> config rule
> option name 'PF2'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '1812'
> option target 'ACCEPT'
>
> config rule
> option name 'PF3'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '3799'
> option target 'ACCEPT'
>
> config rule
> option name 'PF4'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'icmp'
> option target 'ACCEPT'
>
> config rule
> option name 'PF5'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'tcp'
> option dest_port '22'
> option target 'ACCEPT'
>
> config rule
> option name 'PF6'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'tcp'
> option dest_port '80'
> option target 'ACCEPT'
>
> 4.5: Hostapd has a 30s timer between Access-Requests, independent of
> CoA's, so we need to make sure Packetfence waits long enough after
> clients have joined the Registration VLAN before sending the CoA to
> bump them over to the Normal VLAN after activation in the portal.  So
> we add this to pf.conf.   
>
> [fencing]
> #
> # fencing.wait_for_redirect
> #
> # How many seconds should the WebAPI sleep before actually triggering the VLAN change.
> # This is meant to give the device enough time to fetch the redirection page before
> # switching VLAN.
> wait_for_redirect = 20
>
> 4.6:  "logread" and "logread -f" are very useful to see what is going
> on.   Issuing 'wifi' on the command line reloads all the wireless
> related configuration - no need to restart the device when changing
> wireless settings. 
>
> Use "swconfig dev switch0 help" to determine the highest supported
> VLAN by the switch chip.  Note that here the AR8337 chip in the C2600
> only lets us use VLANS 1-128.    So a registration VLAN129 is not
> going to work and probably drive you crazy.  Don't be confused by the
> fact that it says (0-4094) next to the vid .. that is generic text.   
> vlans:128 is the important device specific limitation.   Many devices
> only support 16.   It is not the number of vlans, but the highest index.
>
> # swconfig dev switch0 help
> switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128
>      --switch
> Attribute 1 (int): enable_vlan (Enable VLAN mode)
> Attribute 2 (none): reset_mibs (Reset all MIB counters)
> Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
> Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
> Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
> Attribute 6 (int): mirror_source_port (Mirror source port)
> Attribute 7 (int): arl_age_time (ARL age time (secs))
> Attribute 8 (string): arl_table (Get ARL table)
> Attribute 9 (none): flush_arl_table (Flush ARL table)
> Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
> Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
> Attribute 12 (none): apply (Activate changes in the hardware)
> Attribute 13 (none): reset (Reset the switch)
>      --vlan
> Attribute 1 (int): vid (VLAN ID (0-4094))
> Attribute 2 (ports): ports (VLAN port mapping)
>      --port
> Attribute 1 (none): reset_mib (Reset single port MIB counters)
> Attribute 2 (string): mib (Get port's MIB counters)
> Attribute 3 (int): enable_eee (Enable EEE PHY sleep mode)
> Attribute 4 (none): flush_arl_table (Flush port's ARL table entries)
> Attribute 5 (int): igmp_snooping (Enable port's IGMP Snooping)
> Attribute 6 (int): pvid (Primary VLAN ID)
> Attribute 7 (unknown): link (Get port link information)
>
>
> Also some devices (like Archer C7 v4) only have one ethernet port, so
> VLANs are used for lan and wan interface internally on the device.
> (i.e. WAN eth0.1 and LAN eth0.2).  These work great too, but will have
> a very different default network configuration. 
>
> Make sure your VLANs in the switch configuration Roles match your
> network configuration as seen by the AP. 
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
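The VLAN index limit Ian describes in 4.6 is easy to trip over when copying a registration or isolation VLAN from the PF server. Below is an added pre-flight check (not from the list post or the PacketFence project) that reads the "vlans: N" figure printed by `swconfig dev switch0 help` and flags every VLAN ID in the network config above it. The sample inputs are constructed; on a real AP you would pass "$(swconfig dev switch0 help)" and "$(cat /etc/config/network)" instead.

```shell
#!/bin/sh
# Added example: check /etc/config/network VLAN IDs against the switch limit.

# Constructed: first line of `swconfig dev switch0 help` on a TP-Link C2600
SWCONFIG_HELP='switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128'

# Constructed: a network config where the registration VLAN was set to 129
NETWORK_CONFIG="config interface 'vlan129'
    option type 'bridge'
    option ifname 'eth0.129'

config switch_vlan 'pf_mgmt'
    option device 'switch0'
    option vlan '70'
    option ports '0t 5t'

config switch_vlan 'pf_reg'
    option device 'switch0'
    option vlan '129'
    option ports '0t 5t'
"

# Highest usable VLAN index reported by the switch driver (the "vlans: N" figure).
max_vlan_index() {
    printf '%s\n' "$1" | sed -n 's/.*vlans: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Every VLAN ID the config uses: switch_vlan "option vlan" entries and
# 802.1Q sub-interfaces such as eth0.71; duplicates removed, sorted numerically.
configured_vlans() {
    printf '%s\n' "$1" | sed -n \
        -e "s/^[[:space:]]*option vlan '\([0-9][0-9]*\)'.*/\1/p" \
        -e "s/^[[:space:]]*option ifname 'eth[0-9]\.\([0-9][0-9]*\)'.*/\1/p" \
        | sort -n | uniq
}

# Print each VLAN ID above the switch limit; return 1 if any, 0 if all fit.
check_vlan_limit() {
    limit=$(max_vlan_index "$1")
    [ -n "$limit" ] || { echo "could not read the vlans: limit" >&2; return 2; }
    rc=0
    for vid in $(configured_vlans "$2"); do
        if [ "$vid" -gt "$limit" ]; then
            echo "VLAN $vid exceeds switch limit ($limit)"
            rc=1
        fi
    done
    return $rc
}

if check_vlan_limit "$SWCONFIG_HELP" "$NETWORK_CONFIG"; then
    echo "all configured VLAN IDs fit this switch"
fi
```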
