Menu
▾
▴
Re: [PacketFence-users] inline, unpredictable behaviour
|
From: Fabrice D. <fd...@in...> - 2015-07-10 15:36:51
|
Hello Mourik, my answer bellow. Regards Fabrice Le 2015-07-10 08:41, mourik jan heupink a écrit : > Hi Andy, list, > > Yes, you are totally right. :-) Sorry. Let me try again. > > I'm running packetfence 5.2.0, debian wheezy, installed from the repo's, > inline mode. My inline NATted network is 10.19.0.0/16 and packetfence > has ip 10.19.0.1 on eth0 as the gateway for the NATted network. We have > enabled the captive portal, with self registration. > > Anyway: Things seem to work 'unpredictable'. After registration, > sometimes network detection works, but sometimes clients become trapped > in the "Sorry, your network should be enabled within a minute or two". We found that chrome and other brother use a internal dns cache. So let's say your browser want to go on www.cisco.com, your laptop send a dns request to packetfence and return the portal ip (dns cached in the system for 15s and in the browser for 1 minute). Your browser is redirected to the captive portal, you register, the javascript try to fetch the giff (Success) and the javascript redirect you on www.cisco.com. So what happen, imagine you register took 1,2 minutes , then the laptop ask for www.cisco.com but now fetch the real ip, so you can see the web page. You registration took 45s, the dns cache for www.cisco.com is still the ip of the portal so you hit the portal with the Sorry page. What you can do is to force the redirection url on the captive portal to other thing that www.cisco.com. Or you can set the progress bar timer to something more than 1 minute (or use that https://github.com/inverse-inc/packetfence/compare/feature/hybrid_mode_by_vlan_filter.diff) > Having said that, we notice the following warnings in the logs: > >> WARN: Problem trying to run command: LANG=C sudo ipset del >> PF-iL2_ID4_10.19.0.0 10.19.218.65 2>&1 called from >> iptables_update_set. Child exited with non-zero value 1 >> (pf::util::pf_run) Because your category changed but your device wasn't in the ipset session (first time you register) > (NOTE: manually running the same command as pf user seems to work!) > >> Jul 08 18:55:55 httpd.webservices(3636) WARN: Problem trying to run >> command: LANG=C sudo /usr/sbin/conntrack -D -s 10.19.218.65 2>&1 >> called from iptables_unmark_node. Child exited with non-zero value 1 >> (pf::util::pf_run) If there is no conntrack you have this message. (normal from unreg to reg) > (NOTE again: manually running the same command as pf also seems to work) > >> Jul 08 20:37:04 httpd.portal(3623) ERROR: WARNING ! Unknown >> switch(es) 10.19.0.1 (pf::SwitchFactory::instantiate) I fixed that in the patch above > (NOTE: this ip is the packetfence NAT address, gateway/dhcp, and there > is NO switch configured with this ip) (verified in switches.conf) > >> WARN: Problem trying to run command: LANG=C sudo ipset del >> PF-iL2_ID_10.19.0.0 10.19.218.65 2>&1 called from >> iptables_update_set. Child exited with non-zero value 1 >> (pf::util::pf_run) > Judging from that, I assume that the ipset PF-iL2_ID_10.19.0.0 exists, > however it does not? See: > >> root@pf:/usr/local/pf/logs# su pf >> $ sudo ipset -L >> Name: PF-iL2_ID1_10.19.0.0 >> Type: bitmap:ip >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 8312 >> References: 2 >> Members: >> >> Name: PF-iL2_ID2_10.19.0.0 >> Type: bitmap:ip >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 8312 >> References: 2 >> Members: >> >> Name: PF-iL2_ID3_10.19.0.0 >> Type: bitmap:ip >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 8312 >> References: 2 >> Members: >> >> Name: PF-iL2_ID4_10.19.0.0 >> Type: bitmap:ip >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 8312 >> References: 2 >> Members: >> 10.19.218.65 >> >> Name: PF-iL2_ID5_10.19.0.0 >> Type: bitmap:ip >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 8312 >> References: 2 >> Members: >> >> Name: pfsession_Unreg_10.19.0.0 >> Type: bitmap:ip,mac >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 1048688 >> References: 1 >> Members: >> 10.19.218.61,3C:97:0E:2F:14:F8 >> >> Name: pfsession_Reg_10.19.0.0 >> Type: bitmap:ip,mac >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 1048688 >> References: 1 >> Members: >> 10.19.218.65,60:67:20:5D:74:98 >> >> Name: pfsession_Isol_10.19.0.0 >> Type: bitmap:ip,mac >> Header: range 10.19.0.0-10.19.255.255 >> Size in memory: 1048688 >> References: 1 >> Members: > So... I hope someone has the time to read/react to this. I know I'm > leaving out config files, but if those are relevant, I'll gladly post > them, of course. (but it's such a long email already...) > > MJ > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > PacketFence-users mailing list > Pac...@li... > https://lists.sourceforge.net/lists/listinfo/packetfence-users -- Fabrice Durand fd...@in... :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) |
