Developers guide
Chapter 12
Copyright © 2008-2013 Inverse inc.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as
entry-level consumer switches or access points. With the new inline mode, PacketFence can be used
in-band for those devices. In other words, PacketFence becomes the gateway of that inline network
and NATs or routes the traffic to the Internet (or to another section of the network) using IPTables.
Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That’s the beauty of it. You only need to
ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be passing through
PacketFence since it is the gateway for this VLAN.
Access control
Access control relies entirely on IPTables. When an unregistered user connects to the inline
VLAN, PacketFence gives him an IP address. At this point, the user is marked as unregistered
in the firewall; all Web traffic is redirected to the captive portal and other traffic is blocked.
The user has to register through the captive portal, as in VLAN enforcement. When he registers,
PacketFence changes the firewall marking rule to allow the user's MAC address to go through it.
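The marking scheme described above can be sketched as follows. This is an added example, not PacketFence's own ruleset: the interface names, portal address, mark value, the inline-mark chain and the base_rules and register_rule functions are all assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch of mark-based inline enforcement; not PacketFence's own ruleset.
# Assumed values (not from the guide): interface names, portal address, mark.
INLINE_IF="eth1"        # interface on the inline VLAN
UPLINK_IF="eth0"        # interface toward the Internet
PORTAL_IP="192.0.2.1"   # captive portal on the gateway (documentation range)
MARK_REG="0x1"          # firewall mark meaning "registered"

# Static part, in iptables-restore format: unmarked Web traffic is sent to the
# portal, and only marked (registered) traffic is forwarded and NATed.
base_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:inline-mark - [0:0]
-A PREROUTING -i $INLINE_IF -j inline-mark
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $INLINE_IF -p tcp -m multiport --dports 80,443 -m mark ! --mark $MARK_REG -j DNAT --to-destination $PORTAL_IP
-A POSTROUTING -o $UPLINK_IF -m mark --mark $MARK_REG -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $UPLINK_IF -o $INLINE_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INLINE_IF -o $UPLINK_IF -m mark --mark $MARK_REG -j ACCEPT
COMMIT
EOF
}

# Per-device part: print the rule that marks one registered MAC address.
# Anything that is not six colon-separated hex octets is refused, so input
# coming from the portal can never add extra options or lines to the ruleset.
register_rule() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        ''|*[!0-9a-f:]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "invalid MAC: $1" >&2
        return 1
    fi
    echo "-A inline-mark -m mac --mac-source $mac -j MARK --set-mark $MARK_REG"
}
```

As root, `base_rules | iptables-restore --test` checks the static part without loading it, and `iptables -t mangle $(register_rule aa:bb:cc:dd:ee:ff)` adds the mark for one device once the ruleset is in place. Loading the ruleset without `--test` replaces the existing mangle, nat and filter rules on the host.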
Limitations
Because of its nature, inline enforcement has several limitations that one must be aware of.