Hi PacketFence team, I'm currently setting up an authentication system using external OIDC, with Keycloak as the identity provider, and I'm encountering issues related to traffic routing from the registration VLAN.
I'm using *VLAN enforcement* and have a dedicated VLAN for device registration (PF_REGISTER: 10.245.13.0/24). The issue arises when users are redirected to the external OIDC server (Keycloak) during the registration process. It seems that PacketFence resolves the public domain of the OIDC server to a fictitious public IP, which prevents proper communication between the client device and the Keycloak server.

What I need is for devices in the registration VLAN to be able to reach certain external services (in this case, Keycloak) to complete the authentication process.

*Here is the current VLAN configuration of my network:*

- VLAN 1 – MANAGEMENT: 10.254.64.0/24
- VLAN 20 – PF_WLAN: 192.168.100.0/24
- VLAN 21 – PF_WLAN_CUSTOMERS: 192.168.200.0/24
- VLAN 22 – PF_LAN: 10.245.12.0/24
- VLAN 23 – PF_REGISTER: 10.245.13.0/24
- VLAN 24 – PF_ISOLATION: 10.245.14.0/24
- VLAN 25 – PF_VOIP: 10.245.15.0/24

*My questions are:*

- Is it possible to allow traffic from the registration VLAN (PF_REGISTER) to reach certain public domains or IP addresses (such as the Keycloak server)?
- What is the recommended way to achieve this within a VLAN enforcement setup? Should I use bypasses, specific ACLs, or DNS modifications?
- Are there any best practices or documentation on how to properly allow this type of traffic?

Thank you very much in advance for any guidance you can provide.

Best regards,
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users