Got it... thanks! Should I leave the system iptables service stopped, or
should I uninstall it?
The var/conf/iptables.conf file has lines:
-A POSTROUTING -s 192.168.220.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j SNAT --to 10.99.19.240
which don't seem right. 192.168.220.0/24 and 192.168.221.0/24 are on eth1
and eth2 respectively and don't really need to be NATed. That's what I was
trying to comment out. I don't know how from the template to comment these
out but leave:
-A POSTROUTING -s 169.254.0.0/16 -o eth0 -j SNAT --to-source 10.99.19.240
On Fri, Jun 15, 2018 at 10:12 AM, Fabrice Durand via PacketFence-users <
[email protected]> wrote:
> Hello Steven,
>
> var/conf/iptables.conf is a file generated from the template
> conf/iptables.conf
>
> If you want to restart iptables service you need to do the following
> (pfcmd service iptables restart) and not use the iptables service from the
> system.
>
> Regards
>
> Fabrice
>
>
>
> On 2018-06-15 at 10:03, Steven Pfister via PacketFence-users wrote:
>
> I just had something strange happen with iptables. I wanted to try a
> change in var/conf/iptables.conf, but "service iptables restart" wasn't
> available. So I did a "yum install iptables-services". Was that a mistake?
> The change I made to iptables.conf didn't work, so I changed it back. Now,
> with iptables started, I can't get to the web interface until I stop
> iptables.
>
> On Fri, Jun 15, 2018 at 9:45 AM, Fabrice Durand via PacketFence-users <
> [email protected]> wrote:
>
>> Ok so if the "ip netns exec dpsad ping 10.99.20.32" works then you should be
>> able to join the server to the domain.
>>
>> Also take care to set the domain and the dns name in upper case.
>>
>>
>>
>> On 2018-06-15 at 09:25, Steven Pfister via PacketFence-users wrote:
>>
>> We had an extra nic in this server, but it's causing a lot of problems,
>> so we've just removed it altogether for now. The "ip netns exec dpsad ping"
>> command worked just fine.
>>
>> [root@PacketFence-ZEN ~]# ip route get 10.99.20.32
>> 10.99.20.32 dev eth0 src 10.99.19.240
>> cache
>>
>> [root@PacketFence-ZEN ~]# ip route
>> default via 10.99.20.1 dev eth0
>> 10.99.16.0/21 dev eth0 proto kernel scope link src 10.99.19.240
>> 169.254.0.0/30 dev dpsad-b proto kernel scope link src 169.254.0.2
>> 169.254.0.0/16 dev eth0 scope link metric 1002
>> 169.254.0.0/16 dev eth1 scope link metric 1003
>> 169.254.0.0/16 dev eth2 scope link metric 1004
>> 169.254.0.0/16 dev eth0.2 scope link metric 1005
>> 169.254.0.0/16 dev eth0.3 scope link metric 1006
>> 192.168.220.0/24 dev eth1 proto kernel scope link src 192.168.220.10
>> 192.168.221.0/24 dev eth2 proto kernel scope link src 192.168.221.10
>>
>>
>> On Fri, Jun 15, 2018 at 9:13 AM, Fabrice Durand via PacketFence-users <
>> [email protected]> wrote:
>>
>>> It looks like you have 2 IPs on the interface eth0 and PacketFence uses
>>> the first one to NAT the chroot traffic (10.99.19.240/21)
>>>
>>> You will probably need to remove the second one (10.99.21.1/21)
>>>
>>> Can you try the following (replace 10.0.0.1 by the AD ip address):
>>>
>>> ip netns exec dpsad ping 10.0.0.1
>>>
>>> and let me know if it works.
>>>
>>> Also can you do (and paste me the result):
>>>
>>> ip route get 10.0.0.1
>>>
>>> ip route
>>>
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> On 2018-06-15 at 09:03, Steven Pfister via PacketFence-users wrote:
>>>
>>> By the way, the server was rebooted last night after I left and the
>>> routing issues seem to have stopped. It still isn't able to join the domain
>>> though. We need to join the server to the domain in order to authenticate
>>> against it, is that correct?
>>>
>>> On Thu, Jun 14, 2018 at 7:25 PM, Durand fabrice via PacketFence-users <
>>> [email protected]> wrote:
>>>
>>>> Hello Steven,
>>>>
>>>> 169.254.0.0 is a virtual interface to be able to link a virtual network
>>>> namespace used by the chroot where winbind is running.
>>>>
>>>> Can you post the result of:
>>>>
>>>> ip a
>>>>
>>>> and the content of /usr/local/pf/var/conf/iptables.conf
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>>
>>>> On 2018-06-14 at 17:39, Steven Pfister via PacketFence-users wrote:
>>>>
>>>> We are in the middle of trying to join our AD server in order to
>>>> authenticate against it. After adding our domain, it's not able to join it.
>>>> It's added a virtual interface and some routing for the 169.254.0.0
>>>> network. I'm not sure what the routing table is supposed to look like. I'm
>>>> having trouble pinging addresses outside our network. Pinging addresses in
>>>> the same subnet as the server is working. Has anyone seen this issue?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Steve Pfister
>>> Technology Services
>>> Dayton Public Schools
>>> 115 S Ludlow St
>>> Dayton OH 45402-1812
>>> 937-542-3149 office
>>> 937-542-3154 fax
>>>
>>>
>>>
>>> --
>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>> www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://packetfence.org)
>>>
>>>
>>
>>
>
>
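An added example, not part of the thread and not PacketFence's own code: a small Python check that, for each SNAT rule quoted in var/conf/iptables.conf above, reports which locally attached interface its source network sits on. The rule lines and the `ip route` excerpt are copied from the thread as embedded input; the function names are illustrative.

```python
import ipaddress
import shlex

# Input copied from the thread: the three SNAT rules and part of `ip route`.
RULES = """\
-A POSTROUTING -s 192.168.220.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 169.254.0.0/16 -o eth0 -j SNAT --to-source 10.99.19.240
"""
ROUTES = """\
default via 10.99.20.1 dev eth0
10.99.16.0/21 dev eth0 proto kernel scope link src 10.99.19.240
169.254.0.0/30 dev dpsad-b proto kernel scope link src 169.254.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
192.168.220.0/24 dev eth1 proto kernel scope link src 192.168.220.10
192.168.221.0/24 dev eth2 proto kernel scope link src 192.168.221.10
"""

def flag_value(tok, *names):
    """Return the argument that follows the first of `names` found in tok."""
    hits = [tok[tok.index(n) + 1] for n in names if n in tok]
    return hits[0] if hits else None

def connected_networks(route_text):
    """Map each 'proto kernel' (address-derived) prefix to its interface."""
    nets = {}
    for line in route_text.splitlines():
        tok = line.split()
        if flag_value(tok, "proto") == "kernel" and "dev" in tok:
            nets[ipaddress.ip_network(tok[0])] = flag_value(tok, "dev")
    return nets

def snat_rules(rule_text):
    """Return (source network, out interface, NAT address) per SNAT rule."""
    rules = []
    for line in rule_text.splitlines():
        tok = shlex.split(line, comments=True)  # '#' lines yield no tokens
        if tok[:2] == ["-A", "POSTROUTING"] and flag_value(tok, "-j") == "SNAT":
            src = ipaddress.ip_network(flag_value(tok, "-s") or "0.0.0.0/0")
            rules.append((src, flag_value(tok, "-o"),
                          flag_value(tok, "--to-source", "--to")))
    return rules

def attachment_report(rule_text, route_text):
    """For each SNAT rule, list the interfaces its source network overlaps."""
    nets = connected_networks(route_text)
    return [(str(src), out_if, nat_ip,
             sorted(dev for net, dev in nets.items() if net.overlaps(src)))
            for src, out_if, nat_ip in snat_rules(rule_text)]
```

Calling `attachment_report(RULES, ROUTES)` pairs the two 192.168.x.0/24 rules with eth1 and eth2 and the 169.254.0.0/16 rule with the dpsad-b namespace link, which is the mapping discussed in the thread.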