Turns out all I needed to do was add p2p1.1926/1927 to the SNAT Interfaces list. I already had the appropriate routing config (almost exactly what you had suggested, actually) in place. I updated the config, restarted iptables, and now it’s working perfectly!
For the benefit of anyone else who runs into this, here’s what we ended up doing to make those routes persist through a reboot. All files were created in /etc/sysconfig/network-scripts and are run after ifup by the integrated “ifup-routes” script in /etc/sysconfig/network-scripts.

route-p2p1.1926:
default via 143.215.253.105 dev p2p1.1926 table pf-test1

route-p2p1.1927:
default via 143.215.253.109 dev p2p1.1927 table pf-test2

route-p2p2.654:
128.61.110.0/28 dev p2p2.654 table pf-test1

route-p2p2.655:
128.61.110.16/28 dev p2p2.655 table pf-test2

rule-p2p1.1926:
from 128.61.110.0/28 lookup pf-test1
from 143.215.253.104/30 lookup pf-test1

rule-p2p1.1927:
from 128.61.110.16/28 lookup pf-test2
from 143.215.253.108/30 lookup pf-test2

Also, in /etc/iproute2/rt_tables, add these lines to the bottom:
201 pf-test1
202 pf-test2

To your comment about making sure the other half of the point-to-point links know how to get to the subnets: we had that defined as a static route on our routing gear pointing to the appropriate addresses on the PacketFence box. Those are then routed out to the rest of our campus network through OSPF.

Thank you again for your help, Fabrice!

--Ross

From: Durand fabrice <[email protected]>
Date: Tuesday, January 15, 2019 at 8:58 PM
To: "Lindsay, Ross M" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [PacketFence-users] Inline Routed Network - Traffic Dropped by IPtables

Hello Ross,

you are right, by default PacketFence uses the management interface to route the traffic (in fact it enables masquerade on the mgmt interface and uses the system route).
First you need to add p2p2.1926 and p2p2.1927 as interfaceSNAT (https://mgmt_ip:1443/admin/configuration#configuration/networks/inline).

Next will be more complicated: you need to use advanced routing, but something like this should work:

[root@pf ~]# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
# Create 2 new tables
101 bob
102 marley

#Define the first inline network in the table bob
/usr/sbin/ip route add 128.61.110.0/28 dev p2p2.654 table bob
#Define the outgoing network in the table bob
/usr/sbin/ip route add 143.215.253.104/30 dev p2p2.1926 table bob
#Add the default route
/usr/sbin/ip route add default via 143.215.253.106 table bob
# if the source address is in 128.61.110.0/28 then use the routing table bob
/usr/sbin/ip rule add from 128.61.110.0/28 table bob

#Define the second inline network in the table marley
/usr/sbin/ip route add 128.61.110.16/28 dev p2p2.655 table marley
#Define the outgoing network in the table marley
/usr/sbin/ip route add 143.215.253.104/30 dev p2p1.1926 table marley
#Add the default route
/usr/sbin/ip route add default via 143.215.253.109 table marley
# if the source address is in 128.61.110.16/28 then use the routing table marley
/usr/sbin/ip rule add from 128.61.110.16/28 table marley

Btw, 143.215.253.109 and 143.215.253.106 need to know the route to reach 128.61.110.0/28 and 128.61.110.16/28.

Let me know if it works.

Regards
Fabrice

On 2019-01-15 at 13:54, Lindsay, Ross M wrote:

Hello Fabrice,

I’ve attached the requested files. Looking at the iptables configuration, am I reading this correctly that PacketFence is having iptables attempt to route the traffic out of em1 (the management interface)? If so, that’s probably my problem. Each of the two inline networks has a corresponding outside half via a point-to-point link to our campus core (p2p2.1926 and p2p2.1927 in the ip route output), which is where they need to go, rather than to em1.

Thanks!
Ross

From: Fabrice Durand via PacketFence-users <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, January 15, 2019 at 11:27 AM
To: "[email protected]" <[email protected]>
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] Inline Routed Network - Traffic Dropped by IPtables

Hello Lindsay,

can you send the file /usr/local/pf/var/conf/iptables.conf and the result of the command "ip route"?

Thanks

Regards
Fabrice

On 2019-01-14 at 10:03, Lindsay, Ross M via PacketFence-users wrote:

Greetings, All!

We’re working on a pilot of PacketFence to replace a home-grown captive portal for two of the networks on our campus. Until we can migrate to VLAN enforcement, these two specific networks will be routed with PacketFence inline. There’s no NAT here – we’re using public address space.

I believe we have everything configured properly, but traffic will not pass from a registered host on the inline network out to the internet. I’ve verified that the routing configuration (at the OS level, outside of PF) is correct – the devices behind PF can pass traffic just fine if I flush the iptables rules added by PF. I’ve also verified that the inline interface is not set to NAT in the web GUI.

Is there anything else specific that I should check or that needs to be changed for this to work? We’re running 8.3.0 on CentOS 7 if that helps.

Thank you!
--Ross

Ross Lindsay | Systems/IT Architect Senior
Office of Information Technology - Network Engineering
Georgia Institute of Technology
Phone: (404) 385-7520 | Skype: [email protected]
Email: [email protected]

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
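A post-reboot check to go with the persistence setup in Ross's final message. This is an added example, not code from the thread or from PacketFence: it confirms that each inline source prefix is still mapped to its policy-routing table and that each table still carries its default route out of the matching point-to-point interface. The tables, prefixes, gateways and interface names are the ones from the thread; the `ip rule show` and `ip route show table <name>` dumps below are constructed samples (one healthy, one where the rule-p2p1.1927 file was assumed not to have been applied) so the script runs offline. On the PacketFence host you would pass the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify the PacketFence inline policy
# routing after a reboot. The SAMPLE_* dumps are constructed stand-ins for
#   ip rule show
#   ip route show table pf-test1 / pf-test2
# so this runs without root or the real interfaces.

# Source prefix and the table it must be looked up in (rule-p2p1.1926/1927).
EXPECTED_RULES="128.61.110.0/28 pf-test1
143.215.253.104/30 pf-test1
128.61.110.16/28 pf-test2
143.215.253.108/30 pf-test2"

# Table, its default gateway and the outgoing p2p interface (route-p2p1.1926/1927).
EXPECTED_DEFAULTS="pf-test1 143.215.253.105 p2p1.1926
pf-test2 143.215.253.109 p2p1.1927"

# Constructed: `ip rule show` on a correctly configured host.
SAMPLE_RULES="0:	from all lookup local
32762:	from 143.215.253.108/30 lookup pf-test2
32763:	from 128.61.110.16/28 lookup pf-test2
32764:	from 143.215.253.104/30 lookup pf-test1
32765:	from 128.61.110.0/28 lookup pf-test1
32766:	from all lookup main
32767:	from all lookup default"

# Constructed: the same host after a reboot where rule-p2p1.1927 was not applied
# (assumed failure mode: traffic from 128.61.110.16/28 falls through to main).
SAMPLE_RULES_BROKEN="0:	from all lookup local
32764:	from 143.215.253.104/30 lookup pf-test1
32765:	from 128.61.110.0/28 lookup pf-test1
32766:	from all lookup main
32767:	from all lookup default"

# Constructed: `ip route show table pf-test1` and `ip route show table pf-test2`.
SAMPLE_TABLE_PF_TEST1="default via 143.215.253.105 dev p2p1.1926
128.61.110.0/28 dev p2p2.654 scope link"
SAMPLE_TABLE_PF_TEST2="default via 143.215.253.109 dev p2p1.1927
128.61.110.16/28 dev p2p2.655 scope link"

# check_rules RULE_DUMP
# Returns 0 when every expected "from <prefix> lookup <table>" line is present,
# otherwise prints each missing rule and returns 1.
check_rules() {
    dump=$1
    rc=0
    while read -r prefix table; do
        [ -n "$prefix" ] || continue
        # fixed-string match: the prefix contains dots and a slash
        if ! printf '%s\n' "$dump" | grep -q -F -- "from $prefix lookup $table"; then
            echo "missing rule: from $prefix lookup $table" >&2
            rc=1
        fi
    done <<EOF
$EXPECTED_RULES
EOF
    return $rc
}

# check_default TABLE_DUMP GATEWAY DEV
# Returns 0 when the table dump carries "default via GATEWAY dev DEV".
check_default() {
    printf '%s\n' "$1" | grep -q -F -- "default via $2 dev $3"
}

# check_all: run both checks against the healthy samples; 0 = routing intact.
check_all() {
    status=0
    check_rules "$SAMPLE_RULES" || status=1
    while read -r table gw dev; do
        [ -n "$table" ] || continue
        case $table in
            pf-test1) tdump=$SAMPLE_TABLE_PF_TEST1 ;;
            pf-test2) tdump=$SAMPLE_TABLE_PF_TEST2 ;;
            *)        tdump= ;;
        esac
        if ! check_default "$tdump" "$gw" "$dev"; then
            echo "table $table: no default via $gw dev $dev" >&2
            status=1
        fi
    done <<EOF
$EXPECTED_DEFAULTS
EOF
    if [ "$status" -eq 0 ]; then
        echo "inline policy routing OK"
    else
        echo "inline policy routing INCOMPLETE"
    fi
    return $status
}

check_all
```

To use it on the box, replace the SAMPLE_* assignments with `$(ip rule show)` and `$(ip route show table pf-test1)` / `$(ip route show table pf-test2)`; a non-zero exit after reboot tells you which route- or rule- file ifup-routes did not apply before you start looking at the iptables rules PacketFence generates.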
