Hello Ross,

You are right: by default PacketFence uses the management interface to route the traffic (in fact it enables masquerade on the mgmt interface and uses the system route).

First you need to add p2p2.1926 and p2p2.1927 as interfaceSNAT (https://mgmt_ip:1443/admin/configuration#configuration/networks/inline)

The next part is more complicated and you need to use advanced routing, but something like this should work:

[root@pf ~]# cat /etc/iproute2/rt_tables
#
# reserved values
#
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep
# Create 2 new tables
101 bob
102 marley

# Define the first inline network in the table bob
/usr/sbin/ip route add 128.61.110.0/28 dev p2p2.654 table bob
# Define the outgoing (point-to-point) network in the table bob
/usr/sbin/ip route add 143.215.253.104/30 dev p2p2.1926 table bob
# Add the default route (the gateway must be inside the network just added)
/usr/sbin/ip route add default via 143.215.253.106 table bob
# If the source address is in 128.61.110.0/28 then use the routing table bob
/usr/sbin/ip rule add from 128.61.110.0/28 table bob

# Define the second inline network in the table marley
/usr/sbin/ip route add 128.61.110.16/28 dev p2p2.655 table marley
# Define the outgoing (point-to-point) network in the table marley
/usr/sbin/ip route add 143.215.253.104/30 dev p2p2.1927 table marley
# Add the default route (the gateway must be inside the network just added)
/usr/sbin/ip route add default via 143.215.253.109 table marley
# If the source address is in 128.61.110.16/28 then use the routing table marley
/usr/sbin/ip rule add from 128.61.110.16/28 table marley

By the way, 143.215.253.109 and 143.215.253.106 need to know the route to reach 128.61.110.0/28 and 128.61.110.16/28.

Let me know if it works.

Regards

Fabrice

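As an added check, not part of Fabrice's reply: a small POSIX shell script that validates each table's default gateway against the point-to-point subnet defined in the same table before the ip route lines are applied, and only prints the commands when the definition is consistent (as posted, the marley gateway 143.215.253.109 lies outside 143.215.253.104/30, which this catches). Interface and address values come from the thread; the functions themselves are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Fabrice's reply: sanity-check one policy-routing
# table definition before running "ip route add". The default gateway must sit
# inside the point-to-point /30 assigned to the same table, otherwise the
# kernel rejects "ip route add default via ...". Nothing here touches the
# running system; it only prints the commands.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> returns 0 if ADDR belongs to NET/BITS.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_table NAME INLINE_NET INLINE_IF OUT_NET OUT_IF GATEWAY
# Prints the four ip commands for that table when the definition is
# consistent; prints a diagnostic and returns 1 when GATEWAY is outside OUT_NET.
check_table() {
    name=$1 inline=$2 iif=$3 outnet=$4 oif=$5 gw=$6
    if ! in_cidr "$gw" "$outnet"; then
        echo "table $name: gateway $gw is not inside $outnet" >&2
        return 1
    fi
    echo "ip route add $inline dev $iif table $name"
    echo "ip route add $outnet dev $oif table $name"
    echo "ip route add default via $gw table $name"
    echo "ip rule add from $inline table $name"
}

# Values from the thread: the bob table is consistent; the marley table as
# posted (gateway .109 against 143.215.253.104/30) is flagged.
check_table bob    128.61.110.0/28  p2p2.654 143.215.253.104/30 p2p2.1926 143.215.253.106
check_table marley 128.61.110.16/28 p2p2.655 143.215.253.104/30 p2p2.1927 143.215.253.109 \
    || echo "fix the marley outgoing network or gateway before applying it" >&2
```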

On 19-01-15 at 13:54, Lindsay, Ross M wrote:

Hello Fabrice,

I’ve attached the requested files. Looking at the iptables configuration, am I reading this correctly that PacketFence is having iptables attempt to route the traffic out of em1 (the management interface)? If so, that’s probably my problem. Each of the two inline networks has a corresponding outside half via a point-to-point link to our campus core (p2p2.1926 and p2p2.1927 in the ip route output) which is where they need to go, rather than to em1.

Thanks!

Ross

From: Fabrice Durand via PacketFence-users <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, January 15, 2019 at 11:27 AM
To: "[email protected]" <[email protected]>
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] Inline Routed Network - Traffic Dropped by IPtables

Hello Lindsay,

Can you send the file /usr/local/pf/var/conf/iptables.conf and the result of the command "ip route"?

Thanks

Regards

Fabrice

On 19-01-14 at 10:03, Lindsay, Ross M via PacketFence-users wrote:

    Greetings, All!

    We’re working on a pilot of PacketFence to replace a home-grown
    captive portal for two of the networks on our campus. Until we can
    migrate to VLAN enforcement, these two specific networks will be
    routed with PacketFence inline. There’s no NAT here – we’re using
    public address space. I believe we have everything configured
    properly, but traffic will not pass from a registered host on the
    inline network out to the internet. I’ve verified that the routing
    configuration (at the OS level, outside of PF) is correct – the
    devices behind PF can pass traffic just fine if I flush the
    iptables rules added by PF. I’ve also verified that the inline
    interface is not set to NAT in the web GUI. Is there anything else
    specific that I should check or that needs to be changed for this
    to work? We’re running 8.3.0 on CentOS 7 if that helps.

    Thank you!

    --Ross

    Ross Lindsay | Systems/IT Architect Senior
    Office of Information Technology - Network Engineering
    Georgia Institute of Technology
    Phone: (404) 385-7520 | Skype: [email protected]
    Email: [email protected]




    _______________________________________________
    PacketFence-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)