On 19-01-22 at 02:53, David Brustad via PacketFence-users wrote:
Hello Guys,
PF Zen 8.3
Cisco WLC
Cisco Router Production DHCP
I'm having trouble using the SelectRole portal module.
VLANS look like:
192.168.1.x
192.168.2.x
192.168.3.x
192.168.4.x
192.168.5.x
and so on.
PF admin IP is 192.168.1.200
Registration Interface is 192.168.10.10
Isolation interface is 192.168.11.10
So what I would like to provide is a portal where after the user
registers their laptop or phone, they can hit the network logoff page,
and jump back on the portal to log back in on another vlan using the
SelectRole module.
So far, registration and isolation work fine, and I can see the
SelectRole module and select the role, and I get dropped into the VLAN
selected. The issue is, I lose the ability to hit the IP of the
administration page (192.168.1.200) from any of the other vlans if I
put a packetfence interface in that vlan.
It's normal.
Let's say eth0 is 192.168.1.200 and eth1 is in one of the VLANs, 192.168.1.x.
So when your device tries to reach 192.168.1.200 it will use its default
gateway (192.168.1.1) and the gateway will route the packet to the PF admin interface.
But since you have an interface in this VLAN (eth1), the system will
try to use this interface to reply.
But that is denied by the kernel....
To permit this case you can try to add the following to sysctl.conf:
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
and run sysctl -p
On my network I was hoping to use the method of "interface in each
vlan" with dhcp-listener flagged to get the DHCP traffic for those
corresponding vlans. As soon as I drop an interface though in vlan 2
(192.168.2.10) and flagged dhcp-listener, 192.168.1.200 stops
responding to pings from vlan 2, but 192.168.2.10 becomes pingable
from within vlan 2.
You can do that, but don't set an IP address on this interface because
it will add a local route (dhcp-listener will just capture the traffic
on the interface).
The better approach is to keep the logoff page on the admin IP (add the
portal daemon on this interface) and add a dhcp-listener interface without
any IP.
The other solution, if it's possible, is to add a dhcp-forwarder on your
DHCP server to send the DHCP traffic to PacketFence and get rid of the
dhcp-listener interfaces.
Regards
Fabrice
If I assign a portal to 192.168.2.10 it then is available within vlan
2, but how am I able to keep DNS clean when the fqdn of the portal
page changes within each different vlan? As it is now, it will
actually work, but when I land in vlan 2 the portal page is
192.168.2.10/status, vlan 3
192.168.3.10/status and so on.
To verify this behavior I have a laptop sitting in vlan 2
(192.168.2.15) pinging 192.168.1.200 and I can toggle the pings on and
off with the enable / disable toggle for the interface entry for
192.168.2.10
I guess the question is: is SelectRole compatible with dhcp-listener
interfaces, or must it work only with ip-helpers?
It was my understanding that I should define a network interface for each
of the VLANs PacketFence should touch in some way. Is that correct?
Has anyone else achieved this setup where you extensively use the
portal for users to bounce between vlans, and if so what am I missing
to wrap it all together?
Many thanks for any tips, and thanks again for the amazing software.
David
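The reply above explains why the admin IP stops answering once PacketFence has an interface in the client's VLAN: the request arrives via eth0 but the reply would leave via eth1, and Linux reverse-path filtering (rp_filter) drops it. As an added example, not from this thread or from PacketFence, the POSIX sh script below reports the effective rp_filter mode per interface, using the kernel rule that the larger of conf/all and conf/<interface> applies; the configuration-directory argument is an assumption added so the script can also be pointed at a constructed test tree instead of the live /proc/sys tree.

```sh
#!/bin/sh
# Added example (not from the thread): show the *effective* rp_filter mode
# per interface. The kernel uses max(conf/all/rp_filter, conf/<if>/rp_filter),
# so "all = 2" already loosens existing interfaces; "default = 2" only
# covers interfaces created later (e.g. a new VLAN sub-interface).
# CONF_DIR is an assumed parameter; the live tree is /proc/sys/net/ipv4/conf.

rp_mode_name() {
    case "$1" in
        0) echo "off    (no source validation)" ;;
        1) echo "strict (reply must leave via the ingress interface)" ;;
        2) echo "loose  (source only has to be reachable via some interface)" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter CONF_DIR IFACE -> prints 0, 1 or 2
effective_rp_filter() {
    conf_dir="$1"; iface="$2"
    all_val=$(cat "$conf_dir/all/rp_filter")
    if_val=$(cat "$conf_dir/$iface/rp_filter")
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# report_rp_filter [CONF_DIR] -> one line per interface; returns 1 when any
# interface is effectively strict (the mode that breaks the multi-homed reply).
report_rp_filter() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for d in "$conf_dir"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        mode=$(effective_rp_filter "$conf_dir" "$iface")
        printf '%-10s rp_filter=%s  %s\n' "$iface" "$mode" "$(rp_mode_name "$mode")"
        if [ "$mode" -eq 1 ]; then rc=1; fi
    done
    return $rc
}

# Usage on a live host: sh rp_check.sh --run
if [ "${1:-}" = "--run" ]; then
    report_rp_filter "${2:-}"
fi
```

To confirm that rp_filter is what eats the replies before changing it, set net.ipv4.conf.all.log_martians=1 and look for "martian source" lines in the kernel log while pinging the admin IP from the other VLAN.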
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users