Hi
I'm evaluating Packetfence 8.1 (using the ZEN image) with dns-enforcement and
firewall-sso but the documentation on this is quite sparse. I've tried with
every enforcement mechanism and the ones that seem to work somewhat in
combination with dns-enforcement are the "VLAN enforcement" and "WebAuth
enforcement".
Currently I'm running with the "WebAuth enforcement" since I don't need any
registration/isolation VLANs, but with either one I've tried this (and lots of
other things):
On our firewall I have created a "guest" interface/vlan with 192.168.2.254/24
and "dns-enforcement" interface/vlan with 192.168.1.254/24
On PacketFence I've configured:
physical interface eth0 type management (192.168.0.1/24 gw: 192.168.0.254)
physical interface eth1 type dns-enforcement (192.168.1.1/24) with routed
network type dns-enforcement 192.168.2.0/24 with "router IP" as 192.168.1.254
and nameserver as 192.168.1.1
I have configured a production nameserver in resolv.conf and name resolution
works in the PF console
I use a dhcp helper on the FW from subnet 192.168.2.0/24 to PF on 192.168.1.1
It does not seem to matter if I add 192.168.1.254 as "router IP" in the routed
network PF config, I need to add the route myself with route add -net
192.168.2.0/24 gw 192.168.1.254 (or with route-eth1 configfile).
With the route added the client gets an IP from the correct subnet and DNS
192.168.1.1, and when unregistered all DNS requests resolve to 192.168.1.1 and
trying to reach a website responds with the portal, all good.
But when I register the client in the portal all DNS requests (cached and new
ones) still respond with 192.168.1.1, not good. As far as I understand it I
should now get a proper resolution instead of DNS blackholing. Is there some
config I'm missing or have I completely misunderstood dns-enforcement?
Any help or pointers on where to read up on this would be greatly appreciated.
/anders
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users