Skip captive portal for static ARP
-
Hello, I'm trying to understand if there is a right way to do what I'm trying to do.
I have a network with DHCP (ISC, but could switch to KEA if it is necessary) and a number of static mappings. Also, static ARP is enabled; I know it is not safe, but it is a first step to reduce noise. The DHCP server is configured to only answer to known hosts.
On another interface, I have enabled captive portal with radius authentication and it works great.
I would like to move the captive portal to the first network and behave like this: if you have a static mapping ARP entry, you skip the captive portal.
One way would be to add all the static ARP hosts to the "MAC" table of the portal, but that would oblige me to duplicate the configuration (i.e. that every static arp also has to be inserted in the portal configuration). I've played a bit with two dhcps on the same interface, but it is a bad hack and not reliable. Do you know if there is a better way to do it?
-
For every MAC you add here :

there will be no login page, these devices are granted right away.
And yes, you have to copy them over.
@paulatz said in Skip captive portal for static ARP:
Do you know if there is a better way to do it?
The manual GUI way .... so you're doing the job.
Or, if there are a lot of MACs to maintain, you change your job. By writing a script that does this for you.
Probably: Waay more complex, all depends on: do you know where to find the info, where to place the entry of your script, testing it, etc. When done, adding a static MAC into the DHCP server page, and it will also figure into the "Services > Captive Portal > cpzoneX > MACs" page.
You decide ^^
-
@Gertjan Thank you, yes, I have copied the ~900 static ARPs from DHCP to captive with a little bit of vim macros, copy/paste, import/export, which is fine for now.
While doing it, I've understood the best way to do it.
First of all, I have to disable static ARP, as if it is active, the "dynamic" hosts will not be able to communicate with the firewall. Now, the static entries in DHCP are only used to assign static IPs. Checking the access is exclusively done by the captive portal. I have to set up an IP range that is dynamic and one that is static, and they do not overlap.
In order to allow some hosts to bypass the portal, I have to insert their MAC address in the portal section; they may be static or not, it does not matter.
In practice we may actually just use the portal-bypass part, as for 95% of our static hosts, it is not the static part that is important, but the non-interactive connection. The hosts that need to be static could even be configured static by hand outside of the dhcp range.
However, if you can point to some documentation on editing the pfSense scripts that could allow to keep the two in sync, I may have a go.
thank you
-
@paulatz said in Skip captive portal for static ARP:
some documentation
Euh, it's open source. So everything you need to know is already there.
No one ever wrote a book, guide or manual about these millions of lines of 'script'.
If you know what 'PHP' is: ssh into your pfSense and start to discover. This will take you some time ;) If you want to write scripts for a system, you have to know (somewhat) that system.
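
A read-only starting point for the sync script discussed in this thread, added here as an example and not part of any post or of pfSense itself: it compares the DHCP static mappings with a zone's allowed-MAC entries in an exported config.xml. The element names (`dhcpd/<iface>/staticmap/mac`, `captiveportal/<zone>/passthrumac` with `action` and `mac`) are assumptions about the backup layout to check against your own export, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a pfSense config.xml backup.
SAMPLE = """<pfsense>
  <dhcpd><lan>
    <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.10</ipaddr></staticmap>
    <staticmap><mac>00-11-22-33-44-66</mac><ipaddr>192.168.1.11</ipaddr></staticmap>
    <staticmap><mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.1.12</ipaddr></staticmap>
  </lan></dhcpd>
  <captiveportal><cpzone1>
    <passthrumac><action>pass</action><mac>00:11:22:33:44:55</mac></passthrumac>
    <passthrumac><action>block</action><mac>aa:bb:cc:00:00:01</mac></passthrumac>
    <passthrumac><action>pass</action><mac>de:ad:be:ef:00:01</mac></passthrumac>
  </cpzone1></captiveportal>
</pfsense>"""

def norm(mac):
    """Lower-case, colon-separated form so 00-11-.. and 00:11:.. compare equal."""
    digits = "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(xml_text, iface, zone):
    """Report where static mappings and portal MAC entries disagree (no changes made)."""
    root = ET.fromstring(xml_text)
    static = {norm(m.text) for m in root.findall(f"./dhcpd/{iface}/staticmap/mac")}
    portal = {}  # normalised MAC -> action ("pass" or "block")
    for entry in root.findall(f"./captiveportal/{zone}/passthrumac"):
        portal[norm(entry.findtext("mac"))] = entry.findtext("action")
    return {
        # static hosts that would still be shown the login page
        "missing": sorted(static - set(portal)),
        # static hosts explicitly blocked in the portal
        "blocked": sorted(m for m in static if portal.get(m) == "block"),
        # bypass entries with no static mapping, worth a periodic review
        "orphaned": sorted(m for m, a in portal.items() if a == "pass" and m not in static),
    }

if __name__ == "__main__":
    for kind, macs in audit(SAMPLE, "lan", "cpzone1").items():
        print(kind, macs)
```
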