From: Peter B. <Pet...@ls...> - 2005-09-22 11:55:38
David... Just to add to this, I've returned to testing PF in inline mode because we've decided it might be the quickest way of replacing our current system (i.e. a box sitting as default gw). I'm running dhcpd on the PF box, and all works from that point of view.

I'm however still seeing the DNS lookup problems. Adding my MASQ statements, clients get redirected and registered fine, scanned, and then run redir.cgi and... they get stuck! :(

Looking again at the traffic, the clients again are talking out of eth2 (the interface connected to the 'trusted network'), but are again not NAT-ed. So they're requesting www.google.com, and because there is no route back, nothing works.

It's weird, because registering and everything else is working; it's just the initial DNS problem (fixed by my manual insertion of the MASQ rules) and then the fact that the 'released' clients are not NAT-ed.

It's odd because 'iptables -t nat -L -n' clearly shows:

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

which is being added by PF when it starts up... but it doesn't seem to work as it should.

Thanks again for looking at this. I guess whatever fixes this will fix it for passive or inline mode in our environment.

--
Peter Bates, Systems Support Officer, IT Services.
London School of Hygiene & Tropical Medicine.
Telephone: 0207-958 8353 / Fax: 0207-636 9838