Sure...

[root@PacketFence-ZEN logs]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:80:83:dc brd ff:ff:ff:ff:ff:ff
    inet 10.99.19.240/21 brd 10.99.23.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.99.21.1/21 brd 10.99.23.255 scope global secondary dynamic eth0
       valid_lft 55677sec preferred_lft 55677sec
    inet6 fe80::250:56ff:fe80:83dc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:80:7a:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.220.10/24 brd 192.168.220.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe80:7a9a/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:80:b1:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.221.10/24 brd 192.168.221.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe80:b1c3/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:50:56:80:c1:fe brd ff:ff:ff:ff:ff:ff
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:50:56:80:83:dc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:56ff:fe80:83dc/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:50:56:80:83:dc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:56ff:fe80:83dc/64 scope link
       valid_lft forever preferred_lft forever
12: dpsad-b@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6a:95:c1:37:83:9b brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.0.2/30 brd 169.254.0.3 scope global dpsad-b
       valid_lft forever preferred_lft forever
    inet6 fe80::6895:c1ff:fe37:839b/64 scope link
       valid_lft forever preferred_lft forever

-------------------------------------------------------------------------

[root@PacketFence-ZEN pf]# more var/conf/iptables.conf
# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
*filter

### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# Unified API
-A input-management-if --protocol tcp --match tcp --dport 9999 --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
#-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT
# Netdata
-A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT

# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# RADIUS (eduroam virtual-server)
# eduroam integration is not configured

# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# PacketFence-PKI
# -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT

# Fingerbank collector (replication + API)
-A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT

# VRRP
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT

# Syslog
-A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT

# ETCD
-A input-management-if --protocol tcp --match tcp --dport 2380 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2379 --jump ACCEPT

# GO DHCP API
-A input-management-if --protocol tcp --match tcp --dport 22222 --jump ACCEPT


:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# eduroam integration is not configured


:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT



:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT


:input-internal-inline-if - [0:0]
# DNS
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --jump ACCEPT
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT


:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
#Galera cluster
-A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT

### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-vlan-if - [0:0]
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src --jump ACCEPT


:forward-internal-isolvlan-if - [0:0]
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src --jump ACCEPT


:forward-internal-inline-if - [0:0]


:OUTPUT ACCEPT [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A INPUT --in-interface eth1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth1 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface eth1 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface eth1 -d 192.168.220.10 --jump input-internal-vlan-if
-A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-vlan-if
-A FORWARD --in-interface eth1 --jump forward-internal-vlan-if
-A FORWARD --out-interface eth1 --jump forward-internal-vlan-if
-A INPUT --in-interface eth2 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth2 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface eth2 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface eth2 -d 192.168.221.10 --jump input-internal-vlan-if
-A INPUT --in-interface eth2 -d 255.255.255.255 --jump input-internal-vlan-if
-A FORWARD --in-interface eth2 --jump forward-internal-vlan-if
-A FORWARD --out-interface eth2 --jump forward-internal-vlan-if
-A INPUT --in-interface eth0 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth0 -p vrrp -j ACCEPT
-A INPUT --in-interface eth0 --jump input-portal-if
-A INPUT --in-interface eth1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth1 -p vrrp -j ACCEPT
-A INPUT --in-interface eth1 --jump input-radius-if
-A INPUT --in-interface eth2 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth2 -p vrrp -j ACCEPT
-A INPUT --in-interface eth2 --jump input-radius-if
-A INPUT --in-interface eth0 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth0 -p vrrp -j ACCEPT
-A INPUT --in-interface eth0 --jump input-radius-if
-A INPUT --in-interface eth0 --jump input-management-if
-A FORWARD -o dpsad-b -j ACCEPT
-A FORWARD -i dpsad-b -j ACCEPT

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting-int-inline-if - [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]


-A prerouting-int-vlan-if --protocol udp --destination-port 53 -s 192.168.220.0/255.255.255.0 --jump DNAT --to 192.168.220.10
-A prerouting-int-vlan-if --protocol tcp --destination-port 53 -s 192.168.220.0/255.255.255.0 --jump DNAT --to 192.168.220.10
-A prerouting-int-vlan-if --protocol udp --destination-port 53 -s 192.168.221.0/255.255.255.0 --jump DNAT --to 192.168.221.10
-A prerouting-int-vlan-if --protocol tcp --destination-port 53 -s 192.168.221.0/255.255.255.0 --jump DNAT --to 192.168.221.10
-A PREROUTING -p tcp --dport 80 -m set --match-set parking src -j REDIRECT --to-port 5252
-A PREROUTING -p tcp --dport 443 -m set --match-set parking src -j REDIRECT --to-port 5252


:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eth1 --jump prerouting-int-vlan-if
-A PREROUTING --in-interface eth2 --jump prerouting-int-vlan-if


:POSTROUTING ACCEPT [0:0]



#
# Chain to enable routing instead of NAT
#


#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
-A POSTROUTING -s 192.168.220.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j SNAT --to 10.99.19.240


#
# Routing for the hidden domain network
#
-A POSTROUTING -s 169.254.0.0/16 -o eth0 -j SNAT --to-source 10.99.19.240

COMMIT


On Thu, Jun 14, 2018 at 7:25 PM, Durand fabrice via PacketFence-users <
[email protected]> wrote:

> Hello Steven,
>
> 169.254.0.0 is a virtual interface to be able to link a virtual network
> namespace used by the chroot where winbind is running.
>
> Can you post the result of:
>
> ip a
>
> and the content of /usr/local/pf/var/conf/iptables.conf
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-06-14 à 17:39, Steven Pfister via PacketFence-users a écrit :
>
> We are in the middle of trying to join our AD server in order to
> authenticate against it. After adding our domain, it's not able to join it.
> It's added a virtual interface and some routing for the 169.254.0.0
> network. I'm not sure what the routing table is supposed to look like. I'm
> having trouble pinging addresses outside our network. Pinging addresses in
> the same subnet as the server is working. Has anyone seen this issue?
>
> Thanks!
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


-- 
Steve Pfister
Technology Services
Dayton Public Schools
115 S Ludlow St
Dayton OH 45402-1812
937-542-3149 office
937-542-3154 ( tel:9375423154 ) fax
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
