[PacketFence-users] PF 7 routed mode

2017-05-12 Thread luca comes
Hi all,

I'm deploying my new PF to test wired 802.1X on my network. I need to work
with a routed network because PF is in our datacenter and I need to control
subnets on remote sites. So I've created a local registration/isolation VLAN
directly attached to the server and I configured new VLANs on the sites. I then
configured PF to know that it is working in routed mode, adding the necessary
entries in conf/networks.conf as described in the admin guide. What I don't
understand is whether I need to add the remote networks to the routing table of
the server, because at the moment the registration/isolation interfaces are not
reachable, and if I take a look at the routing table:


[root@pfnac01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.17.231   0.0.0.0         UG    0      0        0 ens160
10.255.10.0     0.0.0.0         255.255.255.0   U     0      0        0 ens192.2441
10.255.20.0     0.0.0.0         255.255.255.0   U     0      0        0 ens192.2445
10.255.30.0     0.0.0.0         255.255.255.0   U     0      0        0 ens192.2446
169.254.0.0     0.0.0.0         255.255.255.252 U     0      0        0 DM-b
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 ens192.2441
169.254.0.0     0.0.0.0         255.255.0.0     U     1005   0        0 ens192.2445
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0        0 ens192.2446
172.27.17.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160


Where 10.255.10.0 is my regular network, 10.255.20.0 is my local registration, 
10.255.30.0 is my local isolation and 172.27.17.0 is the management. I can't 
see my remote networks 10.149.105.0 (remote registration) and 10.148.105.0 
(remote isolation).


Any help is appreciated


Thanks


Luca



Sent from Outlook
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF 7 routed mode

2017-05-12 Thread Torry, Andrew
Hi Luca,

In routed mode the PF is effectively 'out-of-band', so you would not need to add
local routes on the PF server for your remote subnets, since your PF will be
using its default gateway to reach devices on them.

The IPTABLES should be automatically configured to allow the remote subnets to
hit the captive portal (on your Registration interface) on HTTP/HTTPS and also
to access the MGMT IP address for DNS (which is how the captive portal works).

Remember that PF uses MAC addresses only for identifying NODES, and in a routed
environment your PF server will never see the MAC address of the user's
device(s) unless you have set up one of the following:

Your PF server is the DHCP server for your remote subnets (can produce a big
load on the PF server on big networks running over slow WAN links).

or

Your PF server (MGMT interface) is configured as an IP-HELPER for your remote
subnets/VLANs. This will NOT work for DHCP-ACK, as the DHCP ACK is a unicast
packet and not a broadcast packet (so ip-helper will not forward it to the PF
server).

or (easiest in my opinion)

You use the UDP-Reflector on your production DHCP server to send all the DHCP
packets to the PF server (MGMT interface). This can lead to a bloated NODES
database, as you will get a NODE for every device on your network that uses
the DHCP server. The reflector is quite easy to set up (it now comes with a
configuration tool) and gives your PF server all the information it needs.

If at least one of these 3 DHCP methods is not in place then the PF server will
never insert your client devices into its NODE database and you will get the
dreaded "Your device is not found in the database..." message all the time.

Your PF server can then control the remote switches using dynamic VLAN
assignment or downloadable ACLs to control network access depending on the
role allocated to the client device.

HTH

Andrew

Andrew Torry
Senior Infrastructure Engineer
Tel: 01326 370760
Email: andrew.to...@fxplus.ac.uk
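The point Andrew makes above, that a MAC-keyed NAC only learns a client's address from the DHCP ACK, is easier to see on the wire. The following is an added example, not PacketFence code and not how pfdhcplistener is implemented: it assembles a minimal DHCP DISCOVER and ACK (RFC 2131 fixed fields plus the message-type option) for a client on the remote registration VLAN from the thread, parses them back, and builds a node table from whichever messages a listener gets to see. The client MAC, transaction id and DHCP server address are constructed; the relay address is the remote SVI 10.149.105.1 from Luca's switch configuration. A non-zero giaddr marks a message that came through a relay (ip helper), which is an RFC 2131 fact, not an assumption.

```python
import struct

# Added example (not PacketFence code): build and parse minimal DHCP messages
# to show what a passive DHCP listener can learn from each one.
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
FIXED_HDR = "!BBBBIHH4s4s4s4s"


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, xid, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Minimal RFC 2131 message: fixed header, 16-byte chaddr, sname/file, options."""
    header = struct.pack(FIXED_HDR, op, 1, 6, 0, xid, 0, 0,
                         ip_bytes("0.0.0.0"), ip_bytes(yiaddr),
                         ip_bytes("0.0.0.0"), ip_bytes(giaddr))
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    sname_file = b"\x00" * (64 + 128)
    opts = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + chaddr + sname_file + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(packet):
    """Pull out the fields a MAC-keyed NAC cares about."""
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, giaddr) = struct.unpack(FIXED_HDR, packet[:28])
    chaddr = packet[28:28 + hlen]
    opts_start = 28 + 16 + 64 + 128
    if packet[opts_start:opts_start + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, opts_start + 4
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "op": op,
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": MSG_NAMES.get(msg_type, "UNKNOWN"),
        "yiaddr": ip_str(yiaddr),
        "giaddr": ip_str(giaddr),
        # giaddr set means the message came through a relay (ip helper)
        "relayed": giaddr != b"\x00\x00\x00\x00",
    }


def learn_nodes(packets):
    """Passive learning: one node per chaddr; the IP is known only once an ACK is seen."""
    nodes = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        node = nodes.setdefault(msg["mac"], {"ip": None, "relay": None, "seen": []})
        node["seen"].append(msg["msg_type"])
        if msg["relayed"]:
            node["relay"] = msg["giaddr"]  # the remote SVI that relayed the broadcast
        if msg["op"] == BOOTREPLY and msg["msg_type"] == "ACK":
            node["ip"] = msg["yiaddr"]
    return nodes


# Constructed exchange for a client on the remote registration VLAN (10.149.105.0/24).
CLIENT_MAC = "00:11:22:33:44:55"   # constructed
XID = 0x3903F326                    # constructed transaction id
# Broadcast DISCOVER, relayed by the switch SVI 10.149.105.1 toward the helper address
DISCOVER = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC, giaddr="10.149.105.1",
                      options=[(OPT_MSG_TYPE, b"\x01")])
# Unicast ACK from the production DHCP server (server address constructed)
ACK = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, yiaddr="10.149.105.42", giaddr="10.149.105.1",
                 options=[(OPT_MSG_TYPE, b"\x05"), (OPT_SERVER_ID, ip_bytes("172.27.17.20"))])

if __name__ == "__main__":
    for label, pkts in (("relayed requests only", [DISCOVER]),
                        ("full exchange (reflector)", [DISCOVER, ACK])):
        print(label, learn_nodes(pkts))
```

With only the relayed DISCOVER the node exists and its relay (and therefore its VLAN) is known, but its IP stays empty; the ACK is what fills it in, which is why a copy of the whole exchange has to reach the listener.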

Re: [PacketFence-users] PF 7 routed mode

2017-05-12 Thread Tim DeNike
If you add networks in the GUI it will create static routes with the gateway
specified. Or use OSPF/BGP like I do and create one aggregate route on the PF
server. We have an isolation/registration network per building through MPLS.
Nothing touches the PF servers at L2.



Re: [PacketFence-users] PF 7 routed mode

2017-05-12 Thread Torry, Andrew
Hi Luca,

Using UDP reflector makes the ip-helper option obsolete.

Does your UDP reflector send its data to the management IP? It must, as this is
the interface the pfdhcplistener process listens on, usually eth0.

Andrew

From: luca comes [mailto:lucaco...@hotmail.it]
Sent: 12 May 2017 16:19
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode


Hi Andrew,

I apologize, but it's not so clear to me. For the MAC address identification
I've installed the UDP reflector on my production DHCP and that's working fine.
The problem is that no DHCP requests are arriving at the server. What helper
address should I configure on my remote switches? At the moment I've configured
the IP of the PF server on the registration VLAN, but with this configuration
the server should receive the request on the registration interface and respond
on the management? Below is my switch configuration:


interface Vlan148
 description Isolation
 ip address 10.148.105.1 255.255.255.0
 ip helper-address 10.255.30.5

interface Vlan149
 description Registration
 ip address 10.149.105.1 255.255.255.0
 ip helper-address 10.255.20.5



And on the server side:



Interfaces:


[interface ens160]
ip=172.27.17.5
type=management
mask=255.255.255.0

[interface ens192.2446]
enforcement=vlan
ip=10.255.30.5
type=internal
mask=255.255.255.0

[interface ens192.2445]
enforcement=vlan
ip=10.255.20.5
type=internal
mask=255.255.255.0





Networks:


#
## Local PF Isolation VLAN ##
#
[10.255.30.0]
dns=10.255.30.5
dhcp_start=10.255.30.10
gateway=10.255.30.5
domain-name=vlan-isolation.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.30.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30


## Local PF Registration VLAN ##

[10.255.20.0]
dns=10.255.20.5
dhcp_start=10.255.20.10
gateway=10.255.20.5
domain-name=vlan-registration.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.20.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

#
## Remote Isolation VLAN ##
#
[10.148.105.0]
dns=10.255.30.5
dhcp_start=10.148.105.10
gateway=10.148.105.1
domain-name=vlan-isolation-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.148.105.200
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30


#
### Remote Registration VLAN ##
#
[10.149.105.0]
dns=10.255.20.5
dhcp_start=10.149.105.10
gateway=10.149.105.1
domain-name=vlan-registration-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.149.105.200
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
next_hop=10.255.20.231



Thank you in advance



Luca
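Tim's reply says that a network added through the GUI gets a static route with the gateway specified, and Luca's networks.conf above carries a next_hop on the remote registration network but not on the remote isolation one. The check below is an added example, not PacketFence's own code: it reads the pf.conf interface sections and the networks.conf entries Luca posted (embedded here as constructed sample strings, trimmed to the keys the check uses), decides for each network whether it is attached to a local interface or routed, and for a routed network verifies that a next_hop exists and sits on a subnet the host is actually attached to. It assumes, as Tim's reply and Luca's remote registration entry indicate, that next_hop is the gateway PF uses for a routed network; the ip route lines it emits are the assumed host-level form of such a route, to compare against route -n rather than something PF is guaranteed to run verbatim.

```python
import configparser
import ipaddress

# Added example, not PacketFence code. Constructed sample strings carrying the
# pf.conf interface sections and networks.conf entries from the thread, trimmed
# to the keys this check reads.
PF_CONF = """
[interface ens160]
ip=172.27.17.5
type=management
mask=255.255.255.0

[interface ens192.2446]
ip=10.255.30.5
type=internal
mask=255.255.255.0

[interface ens192.2445]
ip=10.255.20.5
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[10.255.30.0]
netmask=255.255.255.0
gateway=10.255.30.5
type=vlan-isolation

[10.255.20.0]
netmask=255.255.255.0
gateway=10.255.20.5
type=vlan-registration

[10.148.105.0]
netmask=255.255.255.0
gateway=10.148.105.1
type=vlan-isolation

[10.149.105.0]
netmask=255.255.255.0
gateway=10.149.105.1
type=vlan-registration
next_hop=10.255.20.231
"""


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def local_subnets(pf_conf_text):
    """Subnets directly attached to the PF host, keyed by interface name."""
    cp = parse_ini(pf_conf_text)
    subnets = {}
    for section in cp.sections():
        if not section.startswith("interface "):
            continue
        sec = cp[section]
        if "ip" not in sec or "mask" not in sec:
            continue
        iface = section.split(" ", 1)[1]
        subnets[iface] = ipaddress.ip_network(f"{sec['ip']}/{sec['mask']}", strict=False)
    return subnets


def classify_networks(pf_conf_text, networks_conf_text):
    """One record per networks.conf entry: the attached interface or, for a routed
    network, whether it has a next_hop on a subnet the host can actually reach."""
    attached_subnets = local_subnets(pf_conf_text)
    cp = parse_ini(networks_conf_text)
    records = []
    for section in cp.sections():
        sec = cp[section]
        net = ipaddress.ip_network(f"{section}/{sec['netmask']}", strict=False)
        iface = next((i for i, n in attached_subnets.items() if n == net), None)
        rec = {"network": str(net), "type": sec.get("type", ""),
               "attached_iface": iface, "next_hop": sec.get("next_hop"),
               "ok": True, "problems": []}
        if iface is None:
            if not rec["next_hop"]:
                rec["ok"] = False
                rec["problems"].append("routed network without next_hop")
            elif not any(ipaddress.ip_address(rec["next_hop"]) in n
                         for n in attached_subnets.values()):
                rec["ok"] = False
                rec["problems"].append("next_hop not on any attached subnet")
        records.append(rec)
    return records


def route_commands(records):
    """Assumed host-route form of the static route a routed network needs."""
    return [f"ip route add {r['network']} via {r['next_hop']}"
            for r in records if r["attached_iface"] is None and r["ok"]]


if __name__ == "__main__":
    records = classify_networks(PF_CONF, NETWORKS_CONF)
    for rec in records:
        state = f"attached to {rec['attached_iface']}" if rec["attached_iface"] else "routed"
        print(f"{rec['network']:<18} {rec['type']:<18} {state:<24} "
              f"{', '.join(rec['problems']) or 'ok'}")
    print("\n".join(route_commands(records)))
```

Run against the posted configuration it reports the two local VLANs as attached, the remote registration network as routed with a usable next hop on 10.255.20.0/24, and the remote isolation network as routed with no next_hop at all; only one ip route line comes out, which is a quick thing to hold against the route -n output earlier in the thread.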