Re: [PacketFence-users] inline, unpredictable behaviour

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Fabrice,

Finally I've had the time to test, and yes you are correct: using a 
different redirect url makes things work. Also disabling the dns cache 
(about:config, network.dnsCacheExpiration = 0) confirms that this was 
our issue.

If I may... I still have a question:

- why would (as you write below) registration take as long as 45 
seconds? (isn't it just a matter of adjusting ipset..?)

Thanks for the patch to fix the 10.19.0.1 switch problem, and 
explanation for the various errors and warnings.

I understand 5.3.0 is on it's way, with the samba/netns fix. Does it 
also contain the patch to solve the Unknown switch(es) 10.19.0.1?

(because I'm not sure if I would want to use 
https://github.com/inverse-inc/packetfence/compare/feature/hybrid_mode_by_vlan_filter.diff) 
(don't understand much of it..)

Anyway, thanks a lot!! (again...!)

MJ

On 7/10/2015 17:36, Fabrice DURAND wrote:
> Hello Mourik,
>
> my answer bellow.
>
> Regards
> Fabrice
>
> Le 2015-07-10 08:41, mourik jan heupink a écrit :
>> Hi Andy, list,
>>
>> Yes, you are totally right. :-) Sorry. Let me try again.
>>
>> I'm running packetfence 5.2.0, debian wheezy, installed from the repo's,
>> inline mode. My inline NATted network is 10.19.0.0/16 and packetfence
>> has ip 10.19.0.1 on eth0 as the gateway for the NATted network. We have
>> enabled the captive portal, with self registration.
>>
>> Anyway: Things seem to work 'unpredictable'. After registration,
>> sometimes network detection works, but sometimes clients become trapped
>> in the "Sorry, your network should be enabled within a minute or two".
> We found that chrome and other brother use a internal dns cache.
> So let's say your browser want to go on www.cisco.com, your laptop send
> a dns request to packetfence and return the portal ip (dns cached in the
> system for 15s and in the browser for 1 minute).
> Your browser is redirected to the captive portal, you register, the
> javascript try to fetch the giff (Success) and the javascript redirect
> you on www.cisco.com.
>
> So what happen, imagine you register took 1,2 minutes , then the laptop
> ask for www.cisco.com but now fetch the real ip, so you can see the web
> page.
>
> You registration took 45s, the dns cache for www.cisco.com is still the
> ip of the portal so you hit the portal with the Sorry page.
>
> What you can do is to force the redirection url on the captive portal to
> other thing that www.cisco.com.
> Or you can set the progress bar timer to something more than 1 minute
> (or use that
> https://github.com/inverse-inc/packetfence/compare/feature/hybrid_mode_by_vlan_filter.diff)
>
>
>> Having said that, we notice the following warnings in the logs:
>>
>>> WARN: Problem trying to run command: LANG=C sudo ipset del
>>> PF-iL2_ID4_10.19.0.0 10.19.218.65 2>&1 called from
>>> iptables_update_set. Child exited with non-zero value 1
>>> (pf::util::pf_run)
> Because your category changed but your device wasn't in the ipset
> session (first time you register)
>> (NOTE: manually running the same command as pf user seems to work!)
>>
>>> Jul 08 18:55:55 httpd.webservices(3636) WARN: Problem trying to run
>>> command: LANG=C sudo /usr/sbin/conntrack -D -s 10.19.218.65 2>&1
>>> called from iptables_unmark_node. Child exited with non-zero value 1
>>> (pf::util::pf_run)
> If there is no conntrack you have this message. (normal from unreg to reg)
>> (NOTE again: manually running the same command as pf also seems to work)
>>
>>> Jul 08 20:37:04 httpd.portal(3623) ERROR: WARNING ! Unknown
>>> switch(es) 10.19.0.1 (pf::SwitchFactory::instantiate)
> I fixed that in the patch above
>> (NOTE: this ip is the packetfence NAT address, gateway/dhcp, and there
>> is NO switch configured with this ip) (verified in switches.conf)
>>
>>> WARN: Problem trying to run command: LANG=C sudo ipset del
>>> PF-iL2_ID_10.19.0.0 10.19.218.65 2>&1 called from
>>> iptables_update_set. Child exited with non-zero value 1
>>> (pf::util::pf_run)
>> Judging from that, I assume that the ipset PF-iL2_ID_10.19.0.0 exists,
>> however it does not? See:
>>
>>> root@pf:/usr/local/pf/logs# su pf
>>> $ sudo ipset -L
>>> Name: PF-iL2_ID1_10.19.0.0
>>> Type: bitmap:ip
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 8312
>>> References: 2
>>> Members:
>>>
>>> Name: PF-iL2_ID2_10.19.0.0
>>> Type: bitmap:ip
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 8312
>>> References: 2
>>> Members:
>>>
>>> Name: PF-iL2_ID3_10.19.0.0
>>> Type: bitmap:ip
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 8312
>>> References: 2
>>> Members:
>>>
>>> Name: PF-iL2_ID4_10.19.0.0
>>> Type: bitmap:ip
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 8312
>>> References: 2
>>> Members:
>>> 10.19.218.65
>>>
>>> Name: PF-iL2_ID5_10.19.0.0
>>> Type: bitmap:ip
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 8312
>>> References: 2
>>> Members:
>>>
>>> Name: pfsession_Unreg_10.19.0.0
>>> Type: bitmap:ip,mac
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 1048688
>>> References: 1
>>> Members:
>>> 10.19.218.61,3C:97:0E:2F:14:F8
>>>
>>> Name: pfsession_Reg_10.19.0.0
>>> Type: bitmap:ip,mac
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 1048688
>>> References: 1
>>> Members:
>>> 10.19.218.65,60:67:20:5D:74:98
>>>
>>> Name: pfsession_Isol_10.19.0.0
>>> Type: bitmap:ip,mac
>>> Header: range 10.19.0.0-10.19.255.255
>>> Size in memory: 1048688
>>> References: 1
>>> Members:
>> So... I hope someone has the time to read/react to this. I know I'm
>> leaving out config files, but if those are relevant, I'll gladly post
>> them, of course. (but it's such a long email already...)
>>
>> MJ
>>
>> ------------------------------------------------------------------------------
>> Don't Limit Your Business. Reach for the Cloud.
>> GigeNET's Cloud Solutions provide you with the tools and support that
>> you need to offload your IT needs and focus on growing your business.
>> Configured For All Businesses. Start Your Cloud Today.
>> https://www.gigenetcloud.com/
>> _______________________________________________
>> PacketFence-users mailing list
>> Pac...@li...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li...
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>