Netgate Discussion Forum

Captive Portal + PPPoE server at the same time

  • R
    Richthofen
    last edited by May 20, 2006, 6:51 PM

    Hi guys.

    I'm using pfSense BETA4 and I'd like to use Captive Portal and PPPoE server together so my clients will be separated from each other (PPPoE tunnel) and must authenticate in CP.

    Is it possible?

    Thanks in advance.

    1 Reply Last reply Reply Quote 0
    • S
      sullrich
      last edited by May 20, 2006, 6:57 PM

      I seriously doubt it …  :-[

      1 Reply Last reply Reply Quote 0
      • G
        Gertjan
        last edited by May 21, 2006, 12:06 AM May 20, 2006, 11:58 PM

        @Richthofen:

        I'm using pfSense BETA4 and I'd like to use Captive Portal and PPPoE server together so my clients will be separated from each other (PPPoE tunnel) and must authenticate in CP.

        Possible.

        => If you can accept another approach.

        I'm filtering for ports 138,138,445 etc already on the OPT1 'Wifi' Interface.
        But, on this interface I have a switch - and behind that 'many' AP's.
        So, clients share all the same IP netmask - and could 'interact' with each other easily.
        (One could discuss the fact that that is their problem ;-) - they share the stuff)

        But, I thought I had to streamline things, so I used AP's Linksys WRT54G(S) with a modified firmware.
        Activated ebtables in the WRT54G(S)'s and I entered this:

        #Accept DHCP to go everywhere (meaning: broadcasting without special MAC info)... 
        ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT 
        ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT 
        
        #Accept also arp-ing... 
        ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT 
        
        #For the rest, allow only our gateway MAC (please insert yours) as a destination... 
        ebtables -t broute -A BROUTING -i eth1 -d ! 00:01:02:03:04:05  -j redirect --redirect-target DROP
        

        Note: eth1 = WLAN interface on AP
        Note: 00:01:02:03:04:05 is the MAC of the OPT1 interface - the 'gateway' for all the clients.

        Done. No more com possible between clients. Period.
        DHCP broadcasts are still visible to all, but the rest of the (radio) communication is just client<->AP<->pfSense.

        [edit] By the way: these AP's (with the Sveasoft firmware, to name the house) offer already 'Client Isolation', but that only works for all the clients connected to one AP - not from 'seeing' each other if they are connected to 2 different AP's. As already said, I have many AP's all over the place.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
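A first-match model of the four BROUTING rules above, added here as an illustration and not part of Gertjan's post: it classifies constructed sample frames as bridged or not bridged by the AP. It assumes the chain policy is left at the ebtables default (ACCEPT); `verdict`, `report` and the sample client MAC are made-up names and values.

```shell
#!/bin/sh
# Model of the four BROUTING rules from the post, evaluated first-match.
# In the broute table ACCEPT means "bridge the frame"; DROP means the frame
# is taken off the bridge and handed to the AP's own network stack.
GATEWAY_MAC="00:01:02:03:04:05"   # placeholder gateway MAC used in the post

# verdict ETHERTYPE IP_PROTO DST_PORT DST_MAC -> "bridged" or "not-bridged"
verdict() {
    ethertype=$1 ip_proto=$2 dport=$3
    dst_mac=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    gw=$(printf '%s' "$GATEWAY_MAC" | tr 'A-F' 'a-f')

    # Rules 1 and 2: IPv4 TCP or UDP with destination port 67-68 (DHCP)
    if [ "$ethertype" = ipv4 ]; then
        case "$ip_proto" in
            tcp|udp)
                case "$dport" in 67|68) echo bridged; return ;; esac ;;
        esac
    fi
    # Rule 3: every ARP frame, whatever its destination
    if [ "$ethertype" = arp ]; then echo bridged; return; fi
    # Rule 4: destination MAC is not the gateway
    if [ "$dst_mac" != "$gw" ]; then echo not-bridged; return; fi
    # No rule matched: assumed default chain policy ACCEPT bridges the frame
    echo bridged
}

# Constructed sample frames: description|ethertype|IP proto|dst port|dst MAC
report() {
    while IFS='|' read -r desc et proto port mac; do
        printf '%-30s %s\n' "$desc" "$(verdict "$et" "$proto" "$port" "$mac")"
    done <<'EOF'
client -> gateway, HTTP|ipv4|tcp|80|00:01:02:03:04:05
client -> client, SMB|ipv4|tcp|445|00:aa:bb:cc:dd:01
DHCP discover, broadcast|ipv4|udp|67|ff:ff:ff:ff:ff:ff
ARP request, broadcast|arp|-|-|ff:ff:ff:ff:ff:ff
ARP reply, client -> client|arp|-|-|00:aa:bb:cc:dd:01
NetBIOS datagram, broadcast|ipv4|udp|138|ff:ff:ff:ff:ff:ff
EOF
}
report
```

The output shows that DHCP and all ARP frames, including ARP between two clients, are still bridged, while every other frame not addressed to the gateway MAC is kept off the bridge.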
        • S
          sullrich
          last edited by May 20, 2006, 11:58 PM

          @Gertjan:

          Possible.

          I stand corrected.  Nice work.

          1 Reply Last reply Reply Quote 0
          • R
            Richthofen
            last edited by May 22, 2006, 5:19 PM

            Hi

            I'm using Samsung SWL-3300 APs. Is there a modified firmware to allow this solution on such hardware?

            Thanks

            1 Reply Last reply Reply Quote 0
            • L
              lylian
              last edited by May 23, 2006, 11:47 AM

              :) and for a Cisco Aironet 1100 ?  :D

              1 Reply Last reply Reply Quote 0
              • G
                Gertjan
                last edited by May 23, 2006, 8:14 PM

                @Richthofen:

                … Samsung SWL-3300 APs...

                &
                @lylian:

                :) and for a Cisco Aironet 1100 ?  :D

                What you actually need is:

                1. telnet (SSH) access, and
                2. ebtables has to be present in the firmware.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • L
                  lylian
                  last edited by May 23, 2006, 8:53 PM

                  I will try tomorrow… very good job .... :) ... I'll come back after

                  1 Reply Last reply Reply Quote 0