Completed the pull request,

https://github.com/inverse-inc/packetfence/pull/3008

cheers,
Ian

On Wed, Mar 7, 2018 at 5:15 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> if you can do a pull request on github with this change then it will be
> integrated into PacketFence for the next release.
>
> And also thanks for the support :-)
>
> Le 2018-03-07 à 17:08, Ian MacDonald via PacketFence-users a écrit :
>
> Below is a quick addendum to the current Hostapd Quick Install Guide.
>
> Hopefully it will help new users looking to leverage the flexibility of
> OpenWRT (aka LEDE) with the powerful captive portal functionality of
> Packetfence.
>
> There is a great guide from Inverse, and this email just adds a few
> missing bits that will help keep hostapd related posts out of the list.
> Instead invest that savings in some professional services from Inverse.
>
> The Guide
> https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html
>
> Hostapd 15.05 is dead and old.  At this time, 17.01.4 is current.
>
> With hostapd, you have to pick a band (i.e 5G or 2.4G) as CoA only works
> with one radio.
>
> Below are some additions to the guide that should be helpful based on a
> configuration with a packetfence server with an IP of 192.168.10.10 on the
> management VLAN70, registration VLAN71, isolation VLAN72 and an out-of-band
> user/normal VLAN76 (PF server does nothing on VLAN76 and does not see it).
> The hostapd AP running LEDE/OpenWRT 17.01.4 has an IP of 192.168.10.19 on
> the management VLAN70.
>
> Step 4.1:  Have your Internet connected to the WAN port of a default
> OpenWRT configuration for staging and connect to one of the LAN ports on
> 192.168.1.1.  If your network is 192.168.1.X, you might consider making a
> change to your local LAN to make this type of access easier.
>
> The actual steps to update the packages:
>
> #opkg update
> #opkg remove wpad-mini hostapd
> #opkg install hostapd-common wpad
>
> We typically dump a bunch of useful tools and stuff too; none of this is
> required
> # opkg install ipset screen iftop tcpdump curl mtr wget diffutils iperf3
> iwinfo snmpd  kmod-gpio-button-hotplug
>
> We like to bring all the packages up to the latest version as well (also
> not required)
> #opkg update
> #opkg list-upgradable | awk -F ' - ' '{print $1}' | xargs opkg upgrade
>
> Step 4.2:
> Most people choose to run on 5G for increased bandwidth and control of
> range.  Usually this is wlan0, but on some hardware (i.e. WD N600) it will
> be wlan1.  You can use iwinfo to see which device is your 5G radio.
>
> Step 4.3: Attached script is a modified version of the 17.04.1 hostapd.sh
>
> Step 4.4: The example is not for the scenario where you just have an open
> SSID where you are providing access via WISPr/Captive Portal. It also has
> some issues; it is missing "wifi-iface" on the  PF-Open SSID, uses the 2.4G
> radio (which is often not wlan0), and has vlan_naming set to '0', where we
> find '1' is the preferred option.
>
> Below is an updated example with a single open SSID 'Public WiFi'.
>
> Some notes on where yours might differ for the radio (wifi-device):
> 1) the 5G radio 'path' is specific to the device (in this case a TP-Link
> C2600)
> 2) The country 'CA' is Canada (that's where we are)
> 3) The channel is '149'; higher channels deliver more power on some
> devices. DFS channels like '100', when supported, are typically very clear.
> Check out 'iw list' output for power and channel support.
>
> Some notes on where yours might differ for the interface (wifi-iface):
> 1) The 192.168.10.10 address should be your PF server on the management
> subnet. We like to leave the default 192.168.1.1 on the lan interface for
> local configuration and access, and so it is not used for any PF vlans
> (management/registration/isolation/normal).
> 2) The vlan_tagged_interface 'eth0' should be the interface where your
> tagged/trunked vlans are connected for registration/isolation/normal that
> clients will be connecting to. Typically this is connected to the
> "Internet" port.  In some rare cases this eth1 is the "Internet" port,
> depending on the hardware. You need to know your hardware.
> 3) option network 'lan' should be removed, it is the default where wifi
> interfaces normally are bridged to the lan
> 4) vlan_naming '1' seems to produce less bridge naming warnings in our
> experience, though both '1' and '0' work.
> 5) Note that radio1 (2.4G) is set with option disabled '1' - we are not
> using it
>
> config wifi-device 'radio0'
> option type 'mac80211'
> option hwmode '11a'
> option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
> option htmode 'VHT80'
> option disabled '0'
> option country 'CA'
> option channel '149'
>
> config wifi-iface 'default_radio0'
> option device 'radio0'
> option mode 'ap'
> option encryption 'none'
> option vlan_file '/etc/config/hostapd.vlan'
> option vlan_bridge 'br-vlan'
> option vlan_naming '1'
> option dynamic_vlan '2'
> option auth_port '1812'
> option auth_server '192.168.10.10'
> option auth_secret 's3cr3t'
> option acct_port '1813'
> option acct_server '192.168.10.10'
> option acct_secret 's3cr3t'
> option dae_port '3799'
> option dae_client '192.168.10.10'
> option dae_secret 's3cr3t'
> option nasid 'Lobby AP'
> option ssid 'Public WiFi'
> option vlan_tagged_interface 'eth0'
>
> config wifi-device 'radio1'
> option type 'mac80211'
> option channel '11'
> option hwmode '11g'
> option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
> option htmode 'HT20'
> option disabled '1'
>
> config wifi-iface 'default_radio1'
> option device 'radio1'
> option network 'lan'
> option mode 'ap'
> option ssid 'LEDE'
> option encryption 'none'
>
> 4.4b) Network and VLANs
> As always, the network configuration is up to you.  If you had your
> management VLAN on 70, registration on 71, isolation on 72 and user/normal
> on 76, on a TP-Link C2600 your network config would look something like
> this:
>
> Some notes on where yours might differ:
> 1) Your ula_prefix will be different (and should be on every device). If
> you are copying between devices, be sure to change this.
> 2) We leave the lan alone, making it easy to connect directly via
> 192.168.1.1.  We disable NAT/MASQ though in the firewall (not here) so
> users can't jack in directly and bypass the wifi for Internet access.
> 3) VLANs must be named vlanXX to work with the vlan switching as set with
> vlan_ options in wireless - your VLANs will probably be different
> 4) Your DNS and Management Network IPs will likely be different
> 5) The ports in the switch_vlan config are hardware specific. You need to
> know your hardware and understand VLAN tagging and trunking.
>
> config interface 'loopback'
> option ifname 'lo'
> option proto 'static'
> option ipaddr '127.0.0.1'
> option netmask '255.0.0.0'
>
> config globals 'globals'
> option ula_prefix 'fdc4:80c6:e78f::/48'
>
> config interface 'lan'
> option type 'bridge'
> option ifname 'eth1'
> option proto 'static'
> option ipaddr '192.168.1.1'
> option netmask '255.255.255.0'
>
> config interface 'wan'
> option ifname 'eth0.70'
> option proto 'static'
> option ipaddr '192.168.10.19'
> option netmask '255.255.255.0'
> option gateway '192.168.10.1'
> list dns '8.8.8.8'
> list dns '8.8.4.4'
>
> config switch
> option name 'switch0'
> option reset '1'
> option enable_vlan '1'
>
> config switch_vlan
> option device 'switch0'
> option vlan '1'
> option ports '1 2 3 4 6'
>
> config interface 'vlan71'
> option type 'bridge'
> option ifname 'eth0.71'
>
> config interface 'vlan72'
> option type 'bridge'
> option ifname 'eth0.72'
>
> config interface 'vlan76'
> option type 'bridge'
> option ifname 'eth0.76'
>
> config switch_vlan 'pf_mgmt'
> option device 'switch0'
> option vlan '70'
> option ports '0t 5t'
>
> config switch_vlan 'pf_reg'
> option device 'switch0'
> option vlan '71'
> option ports '0t 5t'
>
> config switch_vlan 'pf_iso'
> option device 'switch0'
> option vlan '72'
> option ports '0t 5t'
>
> config switch_vlan 'pf_user'
> option device 'switch0'
> option vlan '76'
> option ports '0t 5t'
>
> 4.4c) Firewall Configuration.  If you don't let your device accept packets
> from the PF management server, you are going to have problems.  You may
> also set  option masq '0' in your wan zone to disable Internet via the
> lan ports, restricting them for management as described earlier.
>
> The firewall rules are
>
> PF1/PF2 - Radius inbound from PF server
> PF3 - CoA inbound from PF server
> PF4/PF5/PF6 - ICMP/SSH/Web access from the Management subnet  ; you may
> also add SNMP for monitoring.
>
>
>
> config rule
> option name 'PF1'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '1813'
> option target 'ACCEPT'
>
> config rule
> option name 'PF2'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '1812'
> option target 'ACCEPT'
>
> config rule
> option name 'PF3'
> option src 'wan'
> option src_ip '192.168.10.10/32'
> option family 'ipv4'
> option proto 'udp'
> option dest_port '3799'
> option target 'ACCEPT'
>
> config rule
> option name 'PF4'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'icmp'
> option target 'ACCEPT'
>
> config rule
> option name 'PF5'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'tcp'
> option dest_port '22'
> option target 'ACCEPT'
>
> config rule
> option name 'PF6'
> option src 'wan'
> option src_ip '192.168.10.0/24'
> option family 'ipv4'
> option proto 'tcp'
> option dest_port '80'
> option target 'ACCEPT'
>
> 4.5: Hostapd has a 30s timer between Access-Requests, independent of
> CoA's, so we need to make sure Packetfence waits long enough after clients
> have joined the Registration VLAN before sending the CoA to bump them over
> to the Normal VLAN after activation in the portal.  So we add this to
> pf.conf.
>
> [fencing]
> #
> # fencing.wait_for_redirect
> #
> # How many seconds should the WebAPI sleep before actually triggering the
> VLAN change.
> # This is meant to give the device enough time to fetch the redirection
> page before
> # switching VLAN.
> wait_for_redirect = 20
>
> 4.6:  "logread" and "logread -f" are very useful to see what is going on.
>  Issuing 'wifi' on the command line reloads all the wireless related
> configuration - no need to restart the device when changing wireless
> settings.
>
> Use "swconfig dev switch0 help" to determine the highest supported VLAN by
> the switch chip.  Note that here the AR8337 chip in the C2600 only lets us
> use VLANs 1-128.  So a registration VLAN129 is not going to work and will
> probably drive you crazy.  Don't be confused by the fact that it says
> (0-4094) next to the vid; that is generic text.  vlans:128 is the
> important device specific limitation.  Many devices only support 16.  It
> is not the number of vlans, but the highest index.
>
> # swconfig dev switch0 help
> switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128
>      --switch
> Attribute 1 (int): enable_vlan (Enable VLAN mode)
> Attribute 2 (none): reset_mibs (Reset all MIB counters)
> Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
> Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
> Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
> Attribute 6 (int): mirror_source_port (Mirror source port)
> Attribute 7 (int): arl_age_time (ARL age time (secs))
> Attribute 8 (string): arl_table (Get ARL table)
> Attribute 9 (none): flush_arl_table (Flush ARL table)
> Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
> Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
> Attribute 12 (none): apply (Activate changes in the hardware)
> Attribute 13 (none): reset (Reset the switch)
>      --vlan
> Attribute 1 (int): vid (VLAN ID (0-4094))
> Attribute 2 (ports): ports (VLAN port mapping)
>      --port
> Attribute 1 (none): reset_mib (Reset single port MIB counters)
> Attribute 2 (string): mib (Get port's MIB counters)
> Attribute 3 (int): enable_eee (Enable EEE PHY sleep mode)
> Attribute 4 (none): flush_arl_table (Flush port's ARL table entries)
> Attribute 5 (int): igmp_snooping (Enable port's IGMP Snooping)
> Attribute 6 (int): pvid (Primary VLAN ID)
> Attribute 7 (unknown): link (Get port link information)
>
>
> Also some devices (like Archer C7 v4) only have one ethernet port, so
> VLANs are used for lan and wan interface internally on the device. (i.e.
> WAN eth0.1 and LAN eth0.2).  These work great too, but will have a very
> different default network configuration.
>
> Make sure your VLANs in the switch configuration Roles match your network
> configuration as seen by the AP.
>
>
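The three things the post warns about (step 4.4b: client VLANs must be bridges named vlanNN; step 4.4c: the firewall must accept RADIUS and CoA from the PF server; step 4.6: VLAN ids above the chip's "vlans:" figure do not work) are easy to cross-check before reloading wifi. The checker below is an added example and is not code from the post, from PacketFence or from OpenWrt. It assumes the UCI layout shown in the post (one "config"/"option" statement per line), reads the limit from the first line of "swconfig dev switch0 help", and follows the post's reading of "vlans: 128" as ids 1-128 being usable; the sample configs are constructed, trimmed copies of the post's own wireless, network and firewall sections, and CLIENT_VLANS is the list of VLANs hostapd is expected to switch clients into.

```python
import ipaddress
import re
import shlex

# Constructed samples, trimmed from the post's /etc/config/{wireless,network,firewall}.
SAMPLE_WIRELESS = """
config wifi-iface 'default_radio0'
option dynamic_vlan '2'
option auth_server '192.168.10.10'
option dae_client '192.168.10.10'
option dae_port '3799'
"""
SAMPLE_NETWORK = """
config interface 'vlan71'
option type 'bridge'
option ifname 'eth0.71'
config interface 'vlan72'
option type 'bridge'
option ifname 'eth0.72'
config switch_vlan 'pf_reg'
option vlan '71'
config switch_vlan 'pf_iso'
option vlan '72'
"""
SAMPLE_FIREWALL = """
config rule
option name 'PF2'
option src_ip '192.168.10.10/32'
option proto 'udp'
option dest_port '1812'
option target 'ACCEPT'
config rule
option name 'PF3'
option src_ip '192.168.10.10/32'
option proto 'udp'
option dest_port '3799'
option target 'ACCEPT'
"""
# First line of 'swconfig dev switch0 help' as quoted in the post (TP-Link C2600).
SAMPLE_SWCONFIG = "switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128"
CLIENT_VLANS = (71, 72)  # registration and isolation VLANs hostapd will switch clients into

def parse_uci(text):
    """Parse UCI 'config <type> [name]' / 'option k v' lines into section dicts."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line)  # handles quoted values such as 'Public WiFi'
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else None,
                             "options": {}})
        elif words[0] in ("option", "list") and sections:
            sections[-1]["options"][words[1]] = words[2]
    return sections

def switch_vlan_limit(swconfig_help):
    """Highest usable VLAN id per the 'vlans: N' figure, or None if not found."""
    m = re.search(r"vlans:\s*(\d+)", swconfig_help)
    return int(m.group(1)) if m else None

def rule_accepts(rules, server_ip, port):
    """True if an ACCEPT rule admits UDP to `port` from `server_ip` (no src_ip = any)."""
    ip = ipaddress.ip_address(server_ip)
    for o in (r["options"] for r in rules):
        if (o.get("target"), o.get("proto"), o.get("dest_port")) != ("ACCEPT", "udp", str(port)):
            continue
        if "src_ip" not in o or ip in ipaddress.ip_network(o["src_ip"], strict=False):
            return True
    return False

def check_config(wireless, network, firewall, swconfig_help, client_vlans=CLIENT_VLANS):
    """Return problem strings; empty when wireless, network and firewall agree."""
    net, fw, wl = parse_uci(network), parse_uci(firewall), parse_uci(wireless)
    problems, limit = [], switch_vlan_limit(swconfig_help)
    # 1. A VLAN id above the chip's 'vlans:' figure will not work (post, step 4.6).
    for s in (s for s in net if s["type"] == "switch_vlan"):
        vid = int(s["options"]["vlan"])
        if limit is not None and vid > limit:
            problems.append(f"switch_vlan {vid} exceeds the chip's limit of {limit}")
    # 2. With vlan_naming '1', hostapd puts clients on bridges named vlanNN (step 4.4b).
    bridges = {s["name"] for s in net
               if s["type"] == "interface" and s["options"].get("type") == "bridge"}
    for vid in client_vlans:
        if f"vlan{vid}" not in bridges:
            problems.append(f"no bridge interface 'vlan{vid}' for dynamic VLAN {vid}")
    # 3. RADIUS auth/acct and CoA must be accepted from the PF server (step 4.4c).
    rules = [s for s in fw if s["type"] == "rule"]
    for s in (s for s in wl if s["type"] == "wifi-iface" and "auth_server" in s["options"]):
        o = s["options"]
        for srv, prt, dflt, what in (("auth_server", "auth_port", 1812, "RADIUS auth"),
                                     ("acct_server", "acct_port", 1813, "RADIUS acct"),
                                     ("dae_client", "dae_port", 3799, "CoA/DAE")):
            port = o.get(prt, dflt)
            if srv in o and not rule_accepts(rules, o[srv], port):
                problems.append(f"{s['name']}: no rule accepts {what} udp/{port} from {o[srv]}")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_WIRELESS, SAMPLE_NETWORK, SAMPLE_FIREWALL, SAMPLE_SWCONFIG) or "OK")
```

On a real AP the three texts would come from the files under /etc/config and the banner from "swconfig dev switch0 help"; the rule check deliberately requires a matching src_ip so an ACCEPT rule that is open to the whole wan zone still passes, while a rule for the wrong port or the wrong server does not.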
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users