Indeed it was this way on 7.4 :( But it stopped working on 8.0 :(
[root@srvpf conf]# cat pf.conf
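[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the
# domain in Apache rewriting rules and therefore must be resolvable by
# clients.
# NOTE(review): hostname + domain here is nac.apra.it, the portal FQDN the
# rest of this thread is about.
hostname=nac
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to
# allow DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,192.168.0.7,192.168.0.76,192.168.15.9
#
# general.timezone
#
# System's timezone in string format. List generated from Perl library
# DateTime::TimeZone
timezone=Europe/Rome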
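[network]
#
# network.dhcpoption82logger
#
# If enabled PacketFence will monitor DHCP option82 location-based
# information.
# This feature is only available if the dhcpdetector is activated.
dhcpoption82logger=enabled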
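[fencing]
#
# fencing.passthroughs
#
# Comma-delimited list of domains to be used as HTTP and HTTPS
# passthroughs to web sites.
#
# NOTE(review): passthroughs are reachable from "trapped" nodes (see the
# general.dhcpservers description). The bare apex apra.it and the
# port-scoped srvsophos.apra.it:tcp:445 entry widen what an unregistered
# or isolated device can reach - confirm both are intended.
# NOTE(review): the reply further down this thread says a passthrough that
# matches the portal FQDN makes pfdns forward that name upstream; check
# whether apra.it here matches nac.apra.it (general.hostname+general.domain).
passthroughs=srvdc01.apra.it,srvdc02.apra.it,srvdc-dr.apra.it,apra.it,srvupdate.apra.it,srvupdate.apra.it:8530,srvupdate.apra.it:8531,*.windowsupdate.microsoft.com,*.update.microsoft.com,*.windowsupdate.com,test.stats.update.microsoft.com,ntservicepack.microsoft.com,*.download.windowsupdate.com,officecdn.microsoft.com,srvsophos.apra.it:tcp:445,*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com,*.l.google.com,play.google.com,*.gstatic.com
#
# fencing.isolation_passthrough
#
# When enabled, pfdns will resolve the real IP addresses of
# passthroughs and add them in the ipset session to give access
# to trapped devices. Don't forget to enable ip_forward on your server.
isolation_passthrough=enabled
#
# fencing.isolation_passthroughs
#
# Comma-delimited list of domains to be used as HTTP and HTTPS
# passthroughs to web sites.
# (A subset of passthroughs above: no srvdc*, apra.it or Google entries.)
#
isolation_passthroughs=srvupdate.apra.it,srvupdate.apra.it:8530,srvupdate.apra.it:8531,*.windowsupdate.microsoft.com,*.update.microsoft.com,*.windowsupdate.com,test.stats.update.microsoft.com,ntservicepack.microsoft.com,*.download.windowsupdate.com,officecdn.microsoft.com,srvsophos.apra.it:tcp:445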
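[guests_admin_registration]
#
# guests_admin_registration.access_duration_choices
#
# These are all the choices offered in the guest management interface as
# possible access duration values for a given registration.
access_duration_choices=1h,3h,12h,1D,2D,3D,5D,6D,7D
#
# guests_admin_registration.default_access_duration
#
# This is the default access duration value selected in the dropdown
# on the guest management interface. Must be one of the choices above.
default_access_duration=1D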
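[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers,
# violations with an action of "email", or any other
# PacketFence-related message goes to.
# (Address appears truncated by the mailing-list archive in this post.)
emailaddr=nac-al...@apra.it
#
# alerting.fromaddr
#
# Source email address for email notifications. Empty means
# root@<server-domain-name>.
# (Address appears truncated by the mailing-list archive in this post.)
fromaddr=n...@apra.it
#
# alerting.smtpserver
#
# Server through which to send messages to the above emailaddr. The
# default is localhost - be sure you're running an SMTP
# host locally if you don't change it!
smtpserver=mail.apra.it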
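[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this
# parameter after the initial configuration will *not* change it in the
# database itself, only in the configuration.
# NOTE(review): plaintext credential (shown redacted here as xxx); keep
# this file's permissions restricted to the PacketFence service account.
pass=xxx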
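[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the
# common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or
# quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your
# packetfence server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy
# solution.
#
# NOTE(review): this value is outside every interface subnet in this file;
# the recommendation above is the LAN PacketFence IP - confirm it is intended
# and reachable from the registration/isolation VLANs.
network_detection_ip=212.77.73.7
#
# captive_portal.image_path
#
# This is the path where the gif is on the webserver to detect if the
# network access has been enabled.
# (The value here is a png, not a gif - presumably any image works; confirm.)
image_path=/icons/poweredby.png
#
# captive_portal.request_timeout
#
# The amount of seconds before a request times out in the captive portal
request_timeout=60
#
# captive_portal.rate_limiting_threshold
#
# Amount of requests on invalid URLs after which the rate limiting
# will kick in for this device
rate_limiting_threshold=60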
[advanced]
#
# advanced.language
#
# Locale used for messages sent to administrators.
language=it_IT
[webservices]
#
# webservices.user
#
# Username used to authenticate to the webAPI.
user=api
#
# webservices.pass
#
# Password for webservices.user. Plaintext credential (redacted here as
# xxx) - keep this file's permissions restricted.
pass=xxx
[interface ens192.16]
# management interface of the PacketFence host
type=management
ip=192.168.16.200
mask=255.255.255.0
[interface ens192.112]
# internal interface; 192.168.112.0 in networks.conf uses this address as
# gateway and dns
type=internal
enforcement=vlan
ip=192.168.112.254
mask=255.255.255.0
[interface ens192.113]
# internal interface; 192.168.113.0 in networks.conf uses this address as
# gateway and dns
type=internal
enforcement=vlan
ip=192.168.113.254
mask=255.255.255.0
[interface ens192.114]
# portal interface; per the reply in this thread it is generally used for
# web auth and is not needed for the registration/isolation VLANs - confirm
type=portal
ip=192.168.114.254
mask=255.255.255.0
[root@srvpf conf]# cat networks.conf
[192.168.112.0]
# registration VLAN served from ens192.112 (see pf.conf)
type=vlan-registration
netmask=255.255.255.0
gateway=192.168.112.254
dns=192.168.112.254
domain-name=vlan-registration.apra.it
# key names suggest PacketFence's own DNS and DHCP serve this network - confirm
named=enabled
dhcpd=enabled
dhcp_start=192.168.112.10
dhcp_end=192.168.112.246
# lease times, presumably seconds - confirm units
dhcp_default_lease_time=30
dhcp_max_lease_time=30
nat_enabled=disabled
fake_mac_enabled=disabled
[192.168.113.0]
# isolation VLAN served from ens192.113 (see pf.conf)
type=vlan-isolation
netmask=255.255.255.0
gateway=192.168.113.254
dns=192.168.113.254
domain-name=vlan-isolation.apra.it
# key names suggest PacketFence's own DNS and DHCP serve this network - confirm
named=enabled
dhcpd=enabled
dhcp_start=192.168.113.10
dhcp_end=192.168.113.246
# lease times, presumably seconds - confirm units
dhcp_default_lease_time=30
dhcp_max_lease_time=30
nat_enabled=disabled
fake_mac_enabled=disabled
[root@srvpf conf]# cat pfdns.conf
# [% domain %] and [% inline %] look like template tags expanded before this
# file is read (the thread gives its path under var/conf) - verify in the
# template source.
.:54 {
    [% domain %]
    proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    # per the thread, pfdns is what should answer the portal FQDN for
    # unregistered or violating devices
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
    [% domain %]
    [% inline %]
    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}
Regards
C.
Il 02/05/2018 18:54, Fabrice Durand via PacketFence-users ha scritto:
Hello Cristian,
you don't have to allow the portal ip for the registration and
isolation vlan.
Can you share your pf.conf and networks.conf and
/usr/local/pf/var/conf/pfdns.conf
Regards
Fabrice
Le 2018-05-02 à 12:25, Cristian Mammoli via PacketFence-users a écrit :
Ok, then I have a problem:
I created a dns record for nac.apra.it on my corporate dns server
that points to the portal interface (nac.apra.it is
general.hostname+general.domain in pf.conf)
But even from an unregistered device pfdns resolves with this ip
address instead of replying with its own ip in the registration or
isolation vlan
I had to add an iptables rule to allow reaching the portal
interface ip address from the isolation and registration vlan.
Of course the dns server passed to the clients in those vlan is
packetfence (default configuration)
I tried deleting the portal interface and removing the A record from
my corporate DNS server but then pfdns answers with NXDOMAIN when
queried from an unregistered device.
In 7.4 this configuration worked (I erroneously thought that the
portal interface was required but probably it wasn't used at all)
This is my pfdns.conf:
Display all 147 possibilities? (y or n)
[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
# [% domain %] and [% inline %] look like template tags expanded before this
# file is read (the thread gives its path under var/conf) - verify in the
# template source.
.:54 {
    [% domain %]
    proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    # per the thread, pfdns is what should answer the portal FQDN for
    # unregistered or violating devices
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
    [% domain %]
    [% inline %]
    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}
resolv.conf contains my corp dns servers
Regards
C.
Il 30/04/2018 14:59, Fabrice Durand via PacketFence-users ha scritto:
Hello Cristian,
pfdns is supposed to resolve the portal FQDN if the device is unregistered or if
there is a violation.
Also, if there is a passthrough that matches the portal FQDN, then it
will forward the request to another server.
The portal interface is just an interface with the portal on it; it is
generally used for web auth.
Regards
Fabrice
Le 2018-04-27 à 09:34, Cristian Mammoli via PacketFence-users a écrit :
Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0
ATM it isn't working for me:
My pf.conf is:
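[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the
# domain in Apache rewriting rules and therefore must be resolvable by
# clients.
hostname=nac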
But the requests for "nac.apra.it" are forwarded upstream.
Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?
Thanks
C.
--
*Cristian Mammoli*
System Administrator
T. +39 0731 719822
www.apra.it <http://www.apra.it>
ApraSpa
--
*Cristian Mammoli*
System Administrator
T. +39 0731 719822
www.apra.it <http://www.apra.it>
ApraSpa