Hi Torry,
yes, I'm sending the UDP reflector traffic to the mgmt IP of the server and it works fine. I configured the helper address only for the registration/isolation VLANs, but it doesn't work. I also tried configuring routed networks from the web GUI as suggested by Tim in another post, and in fact routes are added to the routing table, but the process is still not working. I also noticed that the PF "routes" daemon doesn't start at all. Is it a bug?
Luca
Sent from Outlook<http://aka.ms/weboutlook>
________________________________
From: Torry, Andrew <***@fxplus.ac.uk>
Sent: Friday, 12 May 2017 18:12
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode
Hi Luca,
Using the UDP reflector makes the ip-helper option obsolete.
Does your UDP reflector send its data to the management IP? It must, as this is the interface the pfdhcplistener process listens on, usually eth0.
Andrew
From: luca comes [mailto:***@hotmail.it]
Sent: 12 May 2017 16:19
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode
Hi Andrew,
I apologize, but it's not so clear to me. For MAC address identification I've installed the UDP reflector on my production DHCP server and that's working fine. The problem is that no DHCP requests are arriving at the server. What helper address should I configure on my remote switches? At the moment I've configured the IP of the PF server on the registration VLAN, but with this configuration the server should receive the request on the registration interface and respond on the management one? Below is my switch configuration:
interface Vlan148
 description Isolation
 ip address 10.148.105.1 255.255.255.0
 ip helper-address 10.255.30.5
interface Vlan149
 description Registration
 ip address 10.149.105.1 255.255.255.0
 ip helper-address 10.255.20.5
And on the server side:
Interfaces:
[interface ens160]
ip=172.27.17.5
type=management
mask=255.255.255.0
[interface ens192.2446]
enforcement=vlan
ip=10.255.30.5
type=internal
mask=255.255.255.0
[interface ens192.2445]
enforcement=vlan
ip=10.255.20.5
type=internal
mask=255.255.255.0
Networks:
#############################
## Local PF Isolation VLAN ##
#############################
[10.255.30.0]
dns=10.255.30.5
dhcp_start=10.255.30.10
gateway=10.255.30.5
domain-name=vlan-isolation.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.30.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30
################################
## Local PF Registration VLAN ##
################################
[10.255.20.0]
dns=10.255.20.5
dhcp_start=10.255.20.10
gateway=10.255.20.5
domain-name=vlan-registration.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=10.255.20.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
###########################
## Remote Isolation VLAN ##
###########################
[10.148.105.0]
dns=10.255.30.5
dhcp_start=10.148.105.10
gateway=10.148.105.1
domain-name=vlan-isolation-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.148.105.200
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30
##############################
## Remote Registration VLAN ##
##############################
[10.149.105.0]
dns=10.255.20.5
dhcp_start=10.149.105.10
gateway=10.149.105.1
domain-name=vlan-registration-ge.datamanagement.it
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.149.105.200
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
next_hop=10.255.20.231
Thank you in advance
Luca
________________________________
From: Torry, Andrew <***@fxplus.ac.uk>
Sent: Friday, 12 May 2017 16:12
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] PF 7 routed mode
Hi Luca,
In routed mode the PF is effectively out-of-band, so you would not need to add local routes on the PF server for your remote subnets, since your PF will be using its default gateway to reach devices on them.

The iptables rules should be automatically configured to allow the remote subnets to hit the captive portal (on your registration interface) on HTTP/HTTPS and also to access the MGMT IP address for DNS (which is how the captive portal works).

Remember that PF uses MAC addresses only for identifying NODES, and in a routed environment your PF server will never see the MAC address of the users' device(s) unless you have set up one of the following:

Your PF server is the DHCP server for your remote subnets (can produce a big load on the PF server on big networks running over slow WAN links).

or

Your PF server (MGMT interface) is configured as an IP-HELPER for your remote subnets/VLANs. This will NOT work for DHCP-ACK, as the DHCP ACK is a unicast packet and not a broadcast packet (so ip-helper will not forward it to the PF server).

or (easiest in my opinion)

You use the UDP-Reflector on your production DHCP server to send all the DHCP packets to the PF server (MGMT interface). This can lead to a bloated NODES database, as you will get a NODE for every device on your network that uses the DHCP server. The reflector is quite easy to set up (it now comes with a configuration tool) and gives your PF server all the information it needs.

If at least one of these 3 DHCP methods is not in place then the PF server will never insert your client devices into its NODE database and you will get the dreaded "Your device is not found in the database" message all the time.

Your PF server can then control the remote switches using dynamic VLAN assignment or downloadable ACLs to control network access depending on the role allocated to the client device.
HTH
Andrew
Andrew Torry
Senior Infrastructure Engineer
Tel: 01326 370760
Email: ***@fxplus.ac.uk<mailto:***@fxplus.ac.uk>
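An added example, written for this page and not code from PacketFence or from either poster, that makes concrete the point in Andrew's message above (an ip-helper gets the PF server the client's DHCP requests but never the DHCPACK, while the reflector delivers everything the production DHCP server sees) and the point in his later reply that the reflected packets must reach the management interface. It is a minimal DHCP (RFC 2131) decoder in Python: it pulls out the client MAC (chaddr), the assigned address (yiaddr), the relay address (giaddr) and the message type (option 53), then reports for each packet whether a relay would ever deliver it to a helper address and which MAC/IP pair a listener could take from it. The three packets are constructed inline using the remote registration VLAN addressing from this thread (SVI 10.149.105.1, lease 10.149.105.10, a made-up client MAC); the relay rule is standard DHCP relay behaviour, and the "confirmed"/"tentative" labels are this example's own, not pfdhcplistener's internal logic.

```python
"""Minimal DHCP (RFC 2131) decoder showing which packets an ip-helper relay
delivers to a helper address and which only a UDP reflector would deliver.
Added example: the sample packets below are constructed here, not captured."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
FIXED_HDR = "!BBBBIHH4s4s4s4s16s"                # 44 bytes before sname/file


def build_dhcp(op, msg_type, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0",
               requested_ip=None, broadcast=False):
    """Build a DHCP UDP payload with only the fields this example needs."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    flags = 0x8000 if broadcast else 0           # RFC 2131 BROADCAST bit
    hdr = struct.pack(FIXED_HDR, op, 1, 6, 0, 0x1234ABCD, 0, flags,
                      b"\x00" * 4,                                # ciaddr
                      IPv4Address(yiaddr).packed,                 # yiaddr
                      b"\x00" * 4,                                # siaddr
                      IPv4Address(giaddr).packed,                 # giaddr
                      chaddr)
    hdr += b"\x00" * 64 + b"\x00" * 128           # sname, file (unused)
    opts = MAGIC + bytes([53, 1, msg_type])       # option 53: message type
    if requested_ip:                              # option 50: requested IP
        opts += bytes([50, 4]) + IPv4Address(requested_ip).packed
    return hdr + opts + b"\xff"                   # option 255: end


def parse_dhcp(data):
    """Decode the header fields and TLV options a DHCP listener cares about."""
    (op, _htype, hlen, _hops, _xid, _secs, flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr) = struct.unpack(FIXED_HDR, data[:44])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                          # pad option, no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "msg_type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "OTHER"),
        "yiaddr": str(IPv4Address(yiaddr)),
        "giaddr": str(IPv4Address(giaddr)),
        "broadcast": bool(flags & 0x8000),
        "requested_ip": str(IPv4Address(opts[50])) if 50 in opts else None,
    }


def relay_forwards_to_helper(pkt):
    """Standard DHCP relay behaviour: client BOOTREQUESTs are relayed to every
    helper address; server BOOTREPLYs are unicast back to giaddr (the relay)
    and handed to the client, so a second helper such as PF never sees them."""
    return pkt["op"] == BOOTREQUEST


def learned_binding(pkt):
    """MAC/IP pair a listener could take from one packet (the labels are this
    example's own, not pfdhcplistener's logic)."""
    if pkt["msg_type"] == "ACK":
        return pkt["mac"], pkt["yiaddr"], "confirmed"
    if pkt["msg_type"] == "REQUEST" and pkt["requested_ip"]:
        return pkt["mac"], pkt["requested_ip"], "tentative"
    return None


def compare_visibility(packets):
    """Per packet: (type, seen via ip-helper, seen via reflector, binding).
    The reflector column is always True: every packet here passes through
    the production DHCP server, and the reflector copies all of them."""
    rows = []
    for raw in packets:
        pkt = parse_dhcp(raw)
        rows.append((pkt["msg_type"], relay_forwards_to_helper(pkt), True,
                     learned_binding(pkt)))
    return rows


# Constructed exchange on the remote registration VLAN from the thread:
# relay (giaddr) is the switch SVI 10.149.105.1, lease is 10.149.105.10.
CLIENT_MAC = "00:11:22:33:44:55"                  # made-up client MAC
SAMPLE_PACKETS = [
    build_dhcp(BOOTREQUEST, 1, CLIENT_MAC, giaddr="10.149.105.1", broadcast=True),
    build_dhcp(BOOTREQUEST, 3, CLIENT_MAC, giaddr="10.149.105.1",
               requested_ip="10.149.105.10", broadcast=True),
    build_dhcp(BOOTREPLY, 5, CLIENT_MAC, yiaddr="10.149.105.10",
               giaddr="10.149.105.1"),
]

if __name__ == "__main__":
    for msg, helper, reflector, binding in compare_visibility(SAMPLE_PACKETS):
        print(f"{msg:9} helper={helper!s:5} reflector={reflector!s:5} {binding}")
```

Run stand-alone it prints one row per packet: the DISCOVER and REQUEST reach a helper address, the ACK does not, and only the ACK carries the authoritative yiaddr for the client MAC. That is why, with ip-helper alone, a listener on the PF server can at best guess the lease from option 50 in the REQUEST, and why the reflector (pointed at the management IP, where pfdhcplistener listens) is the simpler choice.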
From: luca comes [mailto:***@hotmail.it]
Sent: 12 May 2017 14:47
To: packetfence-***@lists.sourceforge.net
Subject: [PacketFence-users] PF 7 routed mode
Hi all,
I'm deploying my new PF to test wired 802.1X on my network. I need to work with routed networks because PF is in our datacenter and I need to control subnets on remote sites. So I've created local registration/isolation VLANs directly attached to the server and configured new VLANs on the sites. I then configured PF to know that it is working in routed mode, adding the necessary entries to conf/networks.conf as described in the admin guide. What I don't understand is whether I need to add the remote networks to the routing table of the server, because at the moment the registration/isolation interfaces are not reachable, and if I take a look at the routing table:
[***@pfnac01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref    Use Iface
0.0.0.0         172.27.17.231   0.0.0.0           UG    0      0        0 ens160
10.255.10.0     0.0.0.0         255.255.255.0     U     0      0        0 ens192.2441
10.255.20.0     0.0.0.0         255.255.255.0     U     0      0        0 ens192.2445
10.255.30.0     0.0.0.0         255.255.255.0     U     0      0        0 ens192.2446
169.254.0.0     0.0.0.0         255.255.255.252   U     0      0        0 DM-b
169.254.0.0     0.0.0.0         255.255.0.0       U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0       U     1003   0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0       U     1004   0        0 ens192.2441
169.254.0.0     0.0.0.0         255.255.0.0       U     1005   0        0 ens192.2445
169.254.0.0     0.0.0.0         255.255.0.0       U     1006   0        0 ens192.2446
172.27.17.0     0.0.0.0         255.255.255.0     U     0      0        0 ens160
where 10.255.10.0 is my regular network, 10.255.20.0 is my local registration VLAN, 10.255.30.0 is my local isolation VLAN and 172.27.17.0 is the management network. I can't see my remote networks 10.149.105.0 (remote registration) and 10.148.105.0 (remote isolation).
Any help is appreciated
Thanks
Luca