Hello Cristian,

You don't have to allow the portal IP for the registration and isolation VLANs.

Can you share your pf.conf, networks.conf and /usr/local/pf/var/conf/pfdns.conf?

Regards
Fabrice

On 2018-05-02 at 12:25, Cristian Mammoli via PacketFence-users wrote:
Ok, then I have a problem:

I created a DNS record for nac.apra.it on my corporate DNS server that points to the portal interface (nac.apra.it is general.hostname + general.domain in pf.conf).

But even from an unregistered device, pfdns resolves it to this IP address instead of replying with its own IP in the registration or isolation VLAN.

I had to add an iptables rule to allow reaching the portal interface IP address from the isolation and registration VLANs.

Of course the DNS server passed to the clients in those VLANs is PacketFence (default configuration).


I tried deleting the portal interface and removing the A record from my corporate DNS server, but then pfdns answers with NXDOMAIN when queried from an unregistered device.

In 7.4 this configuration worked (I erroneously thought that the portal interface was required, but probably it wasn't used at all).

This is my pfdns.conf:

[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corporate DNS servers.

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:
Hello Cristian,

pfdns is supposed to resolve the portal FQDN if the device is unreg or if
there is a violation.

Also, if there is a passthrough that matches the portal FQDN name then it
will forward the request to another server.

The portal interface is just an interface with the portal on it; it is
generally used for web auth.

Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:
Hi, isn't pfdns supposed to resolve the portal FQDN from the isolation and
registration VLANs? I'm using 8.0.

ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the
# domain in Apache rewriting rules and therefore must be resolvable by
# clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.

------------------------------------------------------------------------------

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it <http://www.apra.it>



*Notice on the protection of confidential information.* This message was sent by Apra spa or by one of the companies of the Group. It and any attachments may contain highly confidential information. If you are not the intended recipients, please inform us immediately by the same means and delete the message and any attachments, without retaining a copy.




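As an added example (not PacketFence's own code, nor anything posted in this thread), a small Python check for the symptoms discussed above: given the networks PacketFence enforces on and the A record a client received for the portal FQDN, it reports whether pfdns intercepted the name as Fabrice describes, or whether the corporate record or NXDOMAIN came back as Cristian saw. The networks, addresses and the dig-style observations are constructed assumptions.

```python
"""Diagnostic for the pfdns behaviour discussed in this thread: decide whether
the A record a client received for the portal FQDN is the interception answer
pfdns should give (PacketFence's own IP on the client's registration or
isolation network) or the corporate/upstream record. Added example, not
PacketFence code; every IP and network here is a constructed placeholder."""
import ipaddress
from typing import Optional

# Constructed: PacketFence's IP on each enforcement network, i.e. the address
# of that registration/isolation interface as listed in networks.conf.
PF_NETWORKS = {
    "192.0.2.0/24": "192.0.2.1",        # registration VLAN (assumed)
    "198.51.100.0/24": "198.51.100.1",  # isolation VLAN (assumed)
}
# Constructed: the A record the corporate DNS holds for the portal FQDN
# (the portal interface address that had to be opened in iptables).
UPSTREAM_PORTAL_IP = "203.0.113.10"

def expected_portal_ip(client_ip: str) -> Optional[str]:
    """Return the IP pfdns should answer with for this client, or None
    when the client is not on a registration/isolation network."""
    addr = ipaddress.ip_address(client_ip)
    for net, pf_ip in PF_NETWORKS.items():
        if addr in ipaddress.ip_network(net):
            return pf_ip
    return None

def classify_answer(client_ip: str, answer_ip: Optional[str]) -> str:
    """Classify one observation (client IP, A record received, or None for
    NXDOMAIN) for the portal FQDN queried against pfdns."""
    expected = expected_portal_ip(client_ip)
    if expected is None:
        return "not-enforced"          # client is on a production network
    if answer_ip is None:
        return "nxdomain"              # symptom after the A record was removed
    if answer_ip == expected:
        return "intercepted"           # pfdns answered with its own IP: correct
    if answer_ip == UPSTREAM_PORTAL_IP:
        return "forwarded-upstream"    # corporate record leaked to the client
    return "unexpected"

def audit(observations):
    """Classify (client_ip, answer_ip) pairs and return only the findings
    that are not the expected interception."""
    findings = [(c, a, classify_answer(c, a)) for c, a in observations]
    return [f for f in findings if f[2] not in ("intercepted", "not-enforced")]

if __name__ == "__main__":
    # Constructed observations, e.g. collected with dig +short from each VLAN.
    sample = [("192.0.2.50", "192.0.2.1"),
              ("192.0.2.51", "203.0.113.10"),
              ("198.51.100.20", None)]
    for client, answer, verdict in audit(sample):
        print(f"{client}: got {answer!r} -> {verdict}")
```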
