Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-06 Thread Cristian Mammoli via PacketFence-users

On 05/05/2018 04:25, Durand fabrice via PacketFence-users wrote:
So I did the change and the new binary will be available tomorrow there:
http://inverse.ca/downloads/PacketFence/CentOS7/binaries/maintenance/8.0/


Regards

Fabrice



Thanks Fabrice, I'll do some tests ASAP. I need to download pfdns and
overwrite mine I guess.


Just another confirmation if possible. Do I need the portal interface to 
access the portal *after* a device has been registered? For example 
email registration, when a device is moved to the guest vlan to check 
the email?




Regards

C.

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-04 Thread Durand fabrice via PacketFence-users
So I did the change and the new binary will be available tomorrow there:
http://inverse.ca/downloads/PacketFence/CentOS7/binaries/maintenance/8.0/


Regards

Fabrice



On 2018-05-04 at 08:40, Fabrice Durand via PacketFence-users wrote:


OK, I probably know what happened.

Let me do some tests on my side and I will provide a patch.

Regards

Fabrice



On 2018-05-03 at 09:27, Cristian Mammoli via PacketFence-users wrote:
It seems that trying to resolve a domain returns the registration 
vlan IP (192.168.112.254) while trying to resolve the portal FQDN 
returns the portal interface IP (*192.168.114.254*)

Probably the 2nd query is forwarded upstream for some reason

C:\Windows\system32>nslookup www.pippo.com
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: www.pippo.com
Addresses: 192.168.112.254
192.168.112.254


C:\Windows\system32>nslookup nac.apra.it
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: nac.apra.it
Address: 192.168.114.254


C:\Windows\system32>




On 03/05/2018 14:34, Fabrice Durand via PacketFence-users wrote:


Weird, it's supposed to return the portal IP.

Can you do this on a laptop:

nslookup nac.apra.it

and at the same time on the PacketFence server: journalctl -f | grep dns


And give me the result.

Regards

Fabrice



On 2018-05-03 at 03:44, Cristian Mammoli via PacketFence-users wrote:

Indeed it was this way on 7.4 :( But it stopped working on 8.0 

Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-04 Thread Fabrice Durand via PacketFence-users

OK, I probably know what happened.

Let me do some tests on my side and I will provide a patch.

Regards

Fabrice



On 2018-05-03 at 09:27, Cristian Mammoli via PacketFence-users wrote:
It seems that trying to resolve a domain returns the registration vlan 
IP (192.168.112.254) while trying to resolve the portal FQDN returns 
the portal interface IP (*192.168.114.254*)

Probably the 2nd query is forwarded upstream for some reason

C:\Windows\system32>nslookup www.pippo.com
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: www.pippo.com
Addresses: 192.168.112.254
192.168.112.254


C:\Windows\system32>nslookup nac.apra.it
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: nac.apra.it
Address: 192.168.114.254


C:\Windows\system32>




On 03/05/2018 14:34, Fabrice Durand via PacketFence-users wrote:


Weird, it's supposed to return the portal IP.

Can you do this on a laptop:

nslookup nac.apra.it

and at the same time on the PacketFence server: journalctl -f | grep dns

And give me the result.

Regards

Fabrice



On 2018-05-03 at 03:44, Cristian Mammoli via PacketFence-users wrote:

Indeed it was this way on 7.4 :( But it stopped working on 8.0 :(

[root@srvpf conf]# cat pf.conf
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules

Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-03 Thread Cristian Mammoli via PacketFence-users
It seems that trying to resolve a domain returns the registration vlan 
IP (192.168.112.254) while trying to resolve the portal FQDN returns the 
portal interface IP (*192.168.114.254*)

Probably the 2nd query is forwarded upstream for some reason

C:\Windows\system32>nslookup www.pippo.com
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: www.pippo.com
Addresses: 192.168.112.254
192.168.112.254


C:\Windows\system32>nslookup nac.apra.it
Server: 254.112.168.192.in-addr.arpa
Address: 192.168.112.254

Nome: nac.apra.it
Address: 192.168.114.254


C:\Windows\system32>


May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:29 +0200] "A IN www.pippo.com.vlan-registration.apra.it. udp 57 false 512" NXDOMAIN qr,aa,rd,ra 115 4.506862ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:29 +0200] " IN www.pippo.com.vlan-registration.apra.it. udp 57 false 512" NXDOMAIN qr,aa,rd,ra 115 5.510869ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:29 +0200] "A IN www.pippo.com.apra.it. udp 39 false 512" NXDOMAIN qr,aa,rd,ra 97 4.253698ms
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:29 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:29 +0200] " IN www.pippo.com.apra.it. udp 39 false 512" NXDOMAIN qr,aa,rd,ra 97 4.34452ms
May 03 15:17:30 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:30 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:30 +0200] "A IN www.pippo.com. udp 31 false 512" NOERROR qr,aa,rd 47 4.200221ms
May 03 15:17:30 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:30 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:30 +0200] " IN www.pippo.com. udp 31 false 512" NOERROR qr,aa,rd 47 5.50361ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: Returned portal for MAC 20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "PTR IN 254.112.168.192.in-addr.arpa. udp 46 false 512" NOERROR qr,aa,rd 62 3.463945ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it.vlan-registration.apra.it. udp 55 false 512" NXDOMAIN qr,aa,rd,ra 113 3.784624ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it.vlan-registration.apra.it. udp 55 false 512" NXDOMAIN qr,aa,rd,ra 113 4.101483ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it.apra.it. udp 37 false 512" NXDOMAIN qr,aa,rd,ra 95 3.522312ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it.apra.it. udp 37 false 512" NXDOMAIN qr,aa,rd,ra 95 4.039791ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] "A IN nac.apra.it. udp 29 false 512" NOERROR qr,aa,rd,ra 45 20.000424ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 : 20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 - [03/May/2018:15:17:33 +0200] " IN nac.apra.it. udp 29 false 512" NOERROR qr,aa,rd,ra 87 3.211035ms


On 03/05/2018 14:34, Fabrice Durand via PacketFence-users wrote:


Weird, it's supposed to return the portal IP.

Can you do this on a laptop:

nslookup nac.apra.it

and at the same time on the PacketFence server: journalctl -f | grep dns

And give me the result.

Regards

Fabrice



On 2018-05-03 at 03:44, Cristian Mammoli via PacketFence-users wrote:

Indeed it was this way on 7.4 :( But it stopped working on 8.0 :(

[root@srvpf conf]# cat pf.conf
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from
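
Added example (not part of the original thread and not PacketFence code): a Python reader for the journal output in the message above. It rejoins hard-wrapped entries, pairs each pfdns decision line (`passthrough` or `Returned portal`) with the query line that follows for the same client, and lists lookups of the portal FQDN that were handled as passthrough. The regular expressions are derived from the log lines shown in the thread, the pairing rule is an assumption based on their ordering, and the function names are illustrative.

```python
import re

# A journal entry starts with a timestamp such as "May 03 15:17:33 ";
# any other line is the wrapped continuation of the previous entry.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
MAC = r"(?P<mac>[0-9A-Fa-f:]{17})"
# Decision lines, in the two formats that appear in the thread's log.
PASSTHROUGH = re.compile(r"pfdns\[\d+\]: (?P<ip>\S+) : " + MAC + r" passthrough$")
PORTAL = re.compile(
    r"pfdns\[\d+\]: Returned portal for MAC " + MAC + r" with IP (?P<ip>\S+)$"
)
# Query line. The record type can be empty, as it is in some archived lines.
QUERY = re.compile(
    r'pfdns\[\d+\]: (?P<ip>\S+) - \[[^\]]+\] '
    r'"(?P<qtype>[A-Z]*)\s*IN\s+(?P<name>\S+) [^"]*" '
    r'(?P<rcode>[A-Z]+) (?P<flags>\S+)'
)

# Entries copied from the log in the thread, hard-wrapped as mail delivers them.
SAMPLE = '''\
May 03 15:17:30 srvpf.apra.it pfdns[2301]: Returned portal for MAC
20:cf:30:36:88:15 with IP 192.168.112.33
May 03 15:17:30 srvpf.apra.it pfdns[2301]: 192.168.112.33 -
[03/May/2018:15:17:30 +0200] "A IN www.pippo.com. udp 31 false 512"
NOERROR qr,aa,rd 47 4.200221ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 :
20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 -
[03/May/2018:15:17:33 +0200] "A IN nac.apra.it.apra.it. udp 37 false
512" NXDOMAIN qr,aa,rd,ra 95 3.522312ms
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 :
20:cf:30:36:88:15 passthrough
May 03 15:17:33 srvpf.apra.it pfdns[2301]: 192.168.112.33 -
[03/May/2018:15:17:33 +0200] "A IN nac.apra.it. udp 29 false 512"
NOERROR qr,aa,rd,ra 45 20.000424ms
'''


def unwrap(text):
    """Rejoin entries that a mail client wrapped over several lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def pair_decisions(entries):
    """Attach the preceding pfdns decision to each query line.

    Assumption: the decision line for a client is logged before the query
    line of the same client, as in the thread's log.
    """
    pending = {}  # client IP -> (decision, MAC) from the latest decision line
    records = []
    for entry in entries:
        m = PASSTHROUGH.search(entry)
        if m:
            pending[m["ip"]] = ("passthrough", m["mac"])
            continue
        m = PORTAL.search(entry)
        if m:
            pending[m["ip"]] = ("portal", m["mac"])
            continue
        m = QUERY.search(entry)
        if m:
            decision, mac = pending.pop(m["ip"], ("unknown", None))
            records.append({
                "client": m["ip"],
                "mac": mac,
                "qtype": m["qtype"] or "?",
                "name": m["name"],
                "rcode": m["rcode"],
                "flags": m["flags"].split(","),
                "decision": decision,
            })
    return records


def forwarded_portal_lookups(records, portal_fqdn):
    """Queries for the portal name that were treated as passthrough."""
    wanted = portal_fqdn.rstrip(".").lower()
    return [
        r for r in records
        if r["decision"] == "passthrough"
        and r["name"].rstrip(".").lower() == wanted
    ]


if __name__ == "__main__":
    recs = pair_decisions(unwrap(SAMPLE))
    for r in forwarded_portal_lookups(recs, "nac.apra.it"):
        print(f'{r["client"]} ({r["mac"]}): {r["qtype"]} {r["name"]} '
              f'-> {r["rcode"]}, handled as {r["decision"]}')
```

On a live system the same functions can be fed the text captured from `journalctl -f | grep dns`, the command used in this thread.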

Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-03 Thread Fabrice Durand via PacketFence-users

Weird, it's supposed to return the portal IP.

Can you do this on a laptop:

nslookup nac.apra.it

and at the same time on the PacketFence server: journalctl -f | grep dns

And give me the result.

Regards

Fabrice



On 2018-05-03 at 03:44, Cristian Mammoli via PacketFence-users wrote:

Indeed it was this way on 7.4 :( But it stopped working on 8.0 :(

[root@srvpf conf]# cat pf.conf
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=127.0.0.1,192.168.0.7,192.168.0.76,192.168.15.9
#
# general.timezone
#
#System's timezone in string format. List generated from Perl library DataTime::TimeZone
timezone=Europe/Rome

[network]
#
# network.dhcpoption82logger
#
# If enabled PacketFence will monitor DHCP option82 location-based information.
# This feature is only available if the dhcpdetector is activated.
dhcpoption82logger=enabled

[fencing]
#
# fencing.passthroughs
#
# Comma-delimited list of domains to be used as HTTP and HTTPS passthroughs to web sites.
#
passthroughs=srvdc01.apra.it,srvdc02.apra.it,srvdc-dr.apra.it,apra.it,srvupdate.apra.it,srvupdate.apra.it:8530,srvupdate.apra.it:8531,*.windowsupdate.microsoft.com,*.update.microsoft.com,*.windowsupdate.com,test.stats.update.microsoft.com,ntservicepack.microsoft.com,*.download.windowsupdate.com,officecdn.microsoft.com,srvsophos.apra.it:tcp:445,*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com,*.l.google.com,play.google.com,*.gstatic.com
#
# fencing.isolation_passthrough
#
# When enabled, pfdns will resolve the real IP addresses of passthroughs and add them in the ipset session to give access
# to trapped devices. Don´t forget to enable ip_forward on your server.
isolation_passthrough=enabled
#
# fencing.isolation_passthroughs
#
# Comma-delimited list of domains to be used as HTTP and HTTPS passthroughs to web sites.
#
isolation_passthroughs=srvupdate.apra.it,srvupdate.apra.it:8530,srvupdate.apra.it:8531,*.windowsupdate.microsoft.com,*.update.microsoft.com,*.windowsupdate.com,test.stats.update.microsoft.com,ntservicepack.microsoft.com,*.download.windowsupdate.com,officecdn.microsoft.com,srvsophos.apra.it:tcp:445

[guests_admin_registration]
#
# guests_admin_registration.access_duration_choices
#
# These are all the choices offered in the guest management interface as
# possible access duration values for a given registration.
access_duration_choices=1h,3h,12h,1D,2D,3D,5D,6D,7D
#
# guests_admin_registration.default_access_duration
#
# This is the default access duration value selected in the dropdown on the
# guest management interface.
default_access_duration=1D

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=nac-al...@apra.it
#
# alerting.fromaddr
#
# Source email address for email notifications. Empty means root@.
fromaddr=n...@apra.it
#
# alerting.smtpserver
#
# Server through which to send messages to the above emailaddr. The default is localhost - be sure you're running an SMTP
# host locally if you don't change it!
smtpserver=mail.apra.it

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this parameter after the initial configuration will *not* change it in the database it self, only in the configuration.
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this parameter after the initial configuration will *not* change it in the database it self, only in the configuration.
pass=xxx

[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy solution.
#
network_detection_ip=212.77.73.7
#
# captive_portal.image_path
#
# This is the path where the gif is on the webserver to detect if the network access
# has been enabled.
image_path=/icons/poweredby.png
#
# captive_portal.request_timeout
#
# The amount of seconds before a request times out in the captive portal
request_timeout=60
#
# captive_portal.rate_limiting_threshold
#
# Amount of requests on invalid URLs after which the rate limiting will kick in for this device


Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Fabrice Durand via PacketFence-users

Hello Cristian,

you don't have to allow the portal ip for the registration and isolation 
vlan.


Can you share your pf.conf and networks.conf and 
/usr/local/pf/var/conf/pfdns.conf


Regards
Fabrice

On 2018-05-02 at 12:25, Cristian Mammoli via PacketFence-users wrote:

Ok, then I have a problem:

I created a dns record for nac.apra.it on my corporate dns server that 
points to the portal interface (nac.apra.it is 
general.hostname+general.domain in pf.conf)


But even from an unregistered device pfdns resolves with this ip
address instead of replying with its own ip in the registration or
isolation vlan


I had to add an iptables rule to allow reaching the portal interface 
ip address from the isolation and registration vlan.


Of course the dns server passed to the clients in those vlan is 
packetfence (default configuration)



I tried deleting the portal interface and removing the A record from my
corporate DNS server but then pfdns answers with NXDOMAIN when queried
from an unregistered device.


In 7.4 this configuration worked (I erroneously thought that the 
portal interface was required but probably it wasn't used at all)


This is my pfdns.conf:

Display all 147 possibilities? (y or n)
[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corp dns servers

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

pfdns is supposed to resolve the portal FQDN if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal FQDN name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:

Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0

ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.



--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it 




Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Cristian Mammoli via PacketFence-users

Ok, then I have a problem:

I created a dns record for nac.apra.it on my corporate dns server that 
points to the portal interface (nac.apra.it is 
general.hostname+general.domain in pf.conf)


But even from an unregistered device pfdns resolves with this ip address
instead of replying with its own ip in the registration or isolation vlan


I had to add an iptables rule to allow reaching the portal interface ip 
address from the isolation and registration vlan.


Of course the dns server passed to the clients in those vlan is 
packetfence (default configuration)



I tried deleting the portal interface and removing the A record from my
corporate DNS server but then pfdns answers with NXDOMAIN when queried
from an unregistered device.


In 7.4 this configuration worked (I erroneously thought that the portal 
interface was required but probably it wasn't used at all)


This is my pfdns.conf:

Display all 147 possibilities? (y or n)
[root@srvpf addons]# cat /usr/local/pf/conf/pfdns.conf
.:54 {
[% domain %]

proxy . /etc/resolv.conf
}

# all other domains are subject to interception
:53 {
    pfdns {
    }
    # Anything not handled by pfdns will be resolved normally
[% domain %]
[% inline %]

    # Default to system resolv.conf file
    proxy . /etc/resolv.conf
    log stdout
    errors
}

resolv.conf contains my corp dns servers

Regards

C.


On 30/04/2018 14:59, Fabrice Durand via PacketFence-users wrote:

Hello Cristian,

pfdns is supposed to resolve the portal FQDN if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal FQDN name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:

Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
registration vlan? I'm using 8.0

ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?

Thanks

C.



--

*Cristian Mammoli*
System Administrator

T.  +39 0731 719822
www.apra.it 




Re: [PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-05-02 Thread Fabrice Durand via PacketFence-users
Hello Cristian,

pfdns is supposed to resolve the portal FQDN if the device is unreg or if
there is a violation.

Also if there is a passthrough that matches the portal FQDN name then it
will forward the request to another server.

Portal interface is just an interface with the portal on it, it is
generally used for web auth.
Regards
Fabrice


On 2018-04-27 at 09:34, Cristian Mammoli via PacketFence-users wrote:
> Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and
> registration vlan? I'm using 8.0
>
> ATM for me it isn't working:
>
> My pf.conf is:
>
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=apra.it
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
> hostname=nac
>
> But the requests for "nac.apra.it" are forwarded upstream.
>
> Btw, what's the network interface type "portal" for? Are the clients
> supposed to reach this interface for the portal? Is it mandatory?
>
> Thanks
>
> C.
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 





[PacketFence-users] Portal fqdn resolution from isolation and registration vlan

2018-04-27 Thread Cristian Mammoli via PacketFence-users
Hi, isn't pfdns supposed to resolve the portal FQDN from isolation and 
registration vlan? I'm using 8.0


ATM for me it isn't working:

My pf.conf is:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=apra.it
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=nac

But the requests for "nac.apra.it" are forwarded upstream.

Btw, what's the network interface type "portal" for? Are the clients
supposed to reach this interface for the portal? Is it mandatory?


Thanks

C.
