    Captive Portal locks up system.

    2.0-RC Snapshot Feedback and Problems - RETIRED
    14 Posts 6 Posters 6.4k Views
    cwilkinson

      Would it be a build posted today? Because all I see is Dec5th, and I tried that one already.

      cmb

        There are new builds now.

        nocer

          Hello,

          Captive Portal seems to be fine (for now :P) to me on the 01:45:00 EST 2008 build. How about you grab new snaps now?

          cheers,

          cwilkinson

            Weird… I updated to the latest build; it doesn't lock up the system anymore, but it won't direct you to the captive portal page or let you on the internet.
            Yes, I added the firewall rule. Internet works fine without Captive Portal enabled.
            Do I have to do anything new with 2.0 to get the captive portal working?

            eri--

              Can you please give me your /tmp/rules.debug
              and the output of ipfw show?

              cwilkinson

                Rules.Debug

                #System aliases
                
                loopback = "{ lo0 }"
                WAN = "{ le1 }"
                LAN = "{ le0 }"
                OPT1 = "{ le2 }"
                # User Aliases 
                
                set loginterface le1
                set loginterface le0
                set loginterface le2
                set optimization normal
                set limit states 25000
                
                scrub in on $WAN all    fragment reassemble
                scrub in on $LAN all    fragment reassemble
                scrub in on $OPT1 all    fragment reassemble
                
                nat-anchor "ftp-proxy/*"
                nat-anchor "natearly/*"
                nat-anchor "natrules/*"
                
                # Outbound NAT rules
                
                # Subnets to NAT 
                tonatsubnets	= "{ 192.168.1.0/24 192.168.2.0/24  }"
                no nat on $WAN to port tftp
                nat on $WAN from $tonatsubnets port 500 to any port 500 -> 192.168.9.56/32 port 500
                nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 192.168.9.56/32 port 4500
                nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 192.168.9.56/32 port 5060
                nat on $WAN from $tonatsubnets to any -> 192.168.9.56/32
                
                #SSH Lockout Table
                table <sshlockout> persist
                
                # Load balancing anchor
                rdr-anchor "relayd/*"
                # FTP proxy
                rdr-anchor "ftp-proxy/*"
                rdr-anchor "tftp-proxy/*"
                
                rdr on le0 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8022
                rdr on le0 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969
                rdr on le2 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8023
                rdr on le2 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969
                
                # IMSpector rdr anchor
                rdr-anchor "imspector"
                # UPnPd rdr anchor
                rdr-anchor "miniupnpd"
                
                anchor "ftpsesame/*" 
                anchor "relayd/*"
                anchor "firewallrules"
                #---------------------------------------------------------------------------
                # default deny rules
                #---------------------------------------------------------------------------
                block in log all label "Default deny rule"
                block out log all label "Default deny rule"
                
                # We use the mighty pf, we cannot be fooled.
                block quick proto { tcp, udp } from any port = 0 to any
                block quick proto { tcp, udp } from any to any port = 0
                
                # snort2c
                table <snort2c> persist
                block quick from <snort2c> to any label "Block snort2c hosts"
                block quick from any to <snort2c> label "Block snort2c hosts"
                
                # package manager early specific hook
                anchor "packageearly"
                
                # carp
                anchor "carp"
                
                # SSH lockout
                block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                table <virusprot>
                block in quick from <virusprot> to any label "virusprot overload table"
                table <bogons> persist file "/etc/bogons"
                # block bogon networks
                # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                anchor "wanbogons"
                block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
                antispoof for le1
                # block anything from private networks on interfaces with the option set 
                antispoof for $WAN
                block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
                block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
                block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
                block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
                # allow our DHCP client out to the WAN
                anchor "wandhcp"
                pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
                pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
                # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
                antispoof for le0
                # allow access to DHCP server on LAN
                anchor "dhcpserverLAN"
                pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
                pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
                antispoof for le2
                # allow access to DHCP server on OPT1
                anchor "dhcpserverOPT1"
                pass in on $OPT1 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                pass in on $OPT1 proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
                pass out on $OPT1 proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
                anchor "spoofing"
                
                # loopback
                anchor "loopback"
                pass in on $loopback all label "pass loopback"
                pass out on $loopback all label "pass loopback"
                
                anchor "firewallout"
                # let out anything from the firewall host itself and decrypted IPsec traffic
                pass out all keep state label "let out anything from firewall host itself"
                # make sure the user cannot lock himself out of the webConfigurator or SSH
                anchor "anti-lockout"
                pass in quick on le0 from any to (le0) keep state label "anti-lockout rule"
                # NAT Reflection rules
                # package manager late specific hook
                anchor "packagelate"
                
                anchor "ftp-proxy/*"
                
                # enable ftp-proxy
                pass in quick inet proto tcp tagged PFFTPPROXY flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                
                # User-defined aliases follow
                
                # User-defined rules follow
                pass  in  quick  on $OPT1  from 192.168.2.0/24 to any keep state  label "USER_RULE"
                pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                
                # VPN Rules
                
                anchor "limitingesr"
                
                # IMSpector
                anchor "imspector"
                
                # uPnPd
                anchor "miniupnpd"
                

                ipfw show

                $ ipfw show
                00030    29    2168 skipto 50000 ip from any to any in via le1 keep-state
                00030   223  100620 skipto 50000 ip from any to any in via le0 keep-state
                00500     0       0 allow pfsync from any to any
                00500     0       0 allow carp from any to any
                01000     6    6691 skipto 50000 ip from any to any not layer2 not via le2
                01001     6    5219 allow ip from any to any layer2 not via le2
                01100     0       0 allow ip from any to any layer2 mac-type 0x0806
                01100     0       0 allow ip from any to any layer2 mac-type 0x888e
                01100     0       0 allow ip from any to any layer2 mac-type 0x88c7
                01100     0       0 allow ip from any to any layer2 mac-type 0x8863
                01100     0       0 allow ip from any to any layer2 mac-type 0x8864
                01100     0       0 allow ip from any to any layer2 mac-type 0x8863
                01100     0       0 allow ip from any to any layer2 mac-type 0x8864
                01100     0       0 allow ip from any to any layer2 mac-type 0x888e
                01101     0       0 deny ip from any to any layer2 not mac-type 0x0800
                01102    59   10760 skipto 20000 ip from any to any layer2
                01200     0       0 allow udp from any 68 to 255.255.255.255 dst-port 67 in
                01201     0       0 allow udp from any 68 to 192.168.2.1 dst-port 67 in
                01202     0       0 allow udp from 192.168.2.1 67 to any dst-port 68 out
                01203     0       0 allow icmp from 192.168.2.1 to any out icmptypes 8
                01204     0       0 allow icmp from any to 192.168.2.1 in icmptypes 0
                01300     0       0 allow udp from any to 192.168.2.1 dst-port 53 in
                01300     0       0 allow udp from any to 192.168.1.1 dst-port 53 in
                01301     0       0 allow udp from 192.168.2.1 53 to any out
                01301     0       0 allow udp from 192.168.1.1 53 to any out
                01302     0       0 allow tcp from any to 192.168.2.1 dst-port 8000 in
                01302     0       0 allow tcp from any to 192.168.1.1 dst-port 8000 in
                01303     0       0 allow tcp from 192.168.2.1 8000 to any out
                01303     0       0 allow tcp from 192.168.1.1 8000 to any out
                19902     3     120 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
                19903     0       0 allow tcp from any 80 to any out
                19904    56   10640 deny ip from any to any
                29900    59   10760 allow ip from any to any layer2
                65535 12068 3677163 allow ip from any to any
                
                gazzer82

                  I am also having the same problem: internet connection fine till I activate captive portal, then no access to internet/portal or pf web admin. Setting a MAC ID bypass does however still work.

                  ipfw show

                  00030   670    86456 skipto 50000 ip from any to any in via rl0 keep-state
                  00030     0        0 skipto 50000 ip from any to any in via ste0 keep-state
                  00030   817   279272 skipto 50000 ip from any to any in via ste1 keep-state
                  00050     6      240 skipto 29900 ip from any to any MAC 00:1b:63:c4:a6:9a any keep-state
                  00050   990   377008 skipto 29900 ip from any to any MAC any 00:1b:63:c4:a6:9a keep-state
                  00500     0        0 allow pfsync from any to any
                  00500     0        0 allow carp from any to any
                  01000     7      484 skipto 50000 ip from any to any not layer2 not via xl0
                  01001    56     6040 allow ip from any to any layer2 not via xl0
                  01100     0        0 allow ip from any to any layer2 mac-type 0x0806
                  01100     0        0 allow ip from any to any layer2 mac-type 0x888e
                  01100     0        0 allow ip from any to any layer2 mac-type 0x88c7
                  01100     0        0 allow ip from any to any layer2 mac-type 0x8863
                  01100     0        0 allow ip from any to any layer2 mac-type 0x8864
                  01100     0        0 allow ip from any to any layer2 mac-type 0x8863
                  01100     0        0 allow ip from any to any layer2 mac-type 0x8864
                  01100     0        0 allow ip from any to any layer2 mac-type 0x888e
                  01101     0        0 deny ip from any to any layer2 not mac-type 0x0800
                  01102     0        0 skipto 20000 ip from any to any layer2
                  01200     0        0 allow udp from any 68 to 255.255.255.255 dst-port 67 in
                  01201     0        0 allow udp from any 68 to 192.168.20.254 dst-port 67 in
                  01202     0        0 allow udp from 192.168.20.254 67 to any dst-port 68 out
                  01203     0        0 allow icmp from 192.168.20.254 to any out icmptypes 8
                  01204     0        0 allow icmp from any to 192.168.20.254 in icmptypes 0
                  01300     0        0 allow udp from any to 192.168.20.254 dst-port 53 in
                  01300     0        0 allow udp from any to 192.168.10.254 dst-port 53 in
                  01301     0        0 allow udp from 192.168.20.254 53 to any out
                  01301     0        0 allow udp from 192.168.10.254 53 to any out
                  01302     0        0 allow tcp from any to 192.168.20.254 dst-port 8000 in
                  01302     0        0 allow tcp from any to 192.168.10.254 dst-port 8000 in
                  01303     0        0 allow tcp from 192.168.20.254 8000 to any out
                  01303     0        0 allow tcp from 192.168.10.254 8000 to any out
                  19902     0        0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
                  19903     2       80 allow tcp from any 80 to any out
                  19904    14    21000 deny ip from any to any
                  29900   499   188664 allow ip from any to any layer2
                  65535 61827 29950816 allow ip from any to any
                  
                  

                  Rules.Debug

                  #System aliases
                  
                  loopback = "{ lo0 }"
                  WAN1 = "{ rl0 }"
                  LAN = "{ ste0 }"
                  WAN2 = "{ ste1 }"
                  WIRELESS = "{ xl0 }"
                  # User Aliases 
                  
                  set loginterface rl0
                  set loginterface ste0
                  set loginterface ste1
                  set loginterface xl0
                  set optimization normal
                  set limit states 19000
                  
                  scrub in on $WAN1 all    fragment reassemble
                  scrub in on $LAN all    fragment reassemble
                  scrub in on $WAN2 all    fragment reassemble
                  scrub in on $WIRELESS all    fragment reassemble
                  
                   altq on  rl0 hfsc bandwidth 4424Kb queue {  qInternet  } 
                   queue qInternet on rl0 bandwidth 4424Kb hfsc (  ecn  , linkshare (4424Kb, 100, 4424Kb)  , upperlimit 4424Kb  )  {  qACK,  qDefault,  qP2P,  qOthersHigh,  qOthersLow  } 
                   queue qACK on rl0 bandwidth 20% priority 6 hfsc (  ecn  , linkshare (0b, 100, 20%)  )  
                   queue qDefault on rl0 bandwidth 10% priority 3 hfsc (  ecn  , default  )  
                   queue qP2P on rl0 bandwidth 5% priority 1 hfsc (  ecn  , linkshare (5%, 300, 5%)  , upperlimit 5%  )  
                   queue qOthersHigh on rl0 bandwidth 10% priority 4 hfsc (  ecn  , linkshare (0b, 200, 10%)  )  
                   queue qOthersLow on rl0 bandwidth 5% priority 2 hfsc (  ecn  , linkshare (5%, 500, 5%)  )  
                  
                   altq on  xl0 hfsc bandwidth 1445Kb queue {  qInternet  } 
                   queue qInternet on xl0 bandwidth 1445Kb hfsc (  ecn  , linkshare (1445Kb, 100, 1445Kb)  , upperlimit 1445Kb  )  {  qACK,  qDefault,  qP2P,  qOthersHigh,  qOthersLow  } 
                   queue qACK on xl0 bandwidth 20% priority 6 hfsc (  ecn  , linkshare (0b, 100, 20%)  )  
                   queue qDefault on xl0 bandwidth 10% priority 3 hfsc (  ecn  , default  )  
                   queue qP2P on xl0 bandwidth 5% priority 1 hfsc (  ecn  , linkshare (5%, 300, 5%)  , upperlimit 5%  )  
                   queue qOthersHigh on xl0 bandwidth 10% priority 4 hfsc (  ecn  , linkshare (0b, 200, 10%)  )  
                   queue qOthersLow on xl0 bandwidth 5% priority 2 hfsc (  ecn  , linkshare (5%, 500, 5%)  )  
                  
                   altq on  ste0 hfsc bandwidth 1142Kb queue {  qInternet  } 
                   queue qInternet on ste0 bandwidth 1142Kb hfsc (  ecn  , linkshare (1142Kb, 100, 1142Kb)  , upperlimit 1142Kb  )  {  qACK,  qDefault,  qP2P,  qOthersHigh,  qOthersLow  } 
                   queue qACK on ste0 bandwidth 20% priority 6 hfsc (  ecn  , linkshare (0b, 100, 20%)  )  
                   queue qDefault on ste0 bandwidth 10% priority 3 hfsc (  ecn  , default  )  
                   queue qP2P on ste0 bandwidth 5% priority 1 hfsc (  ecn  , linkshare (5%, 300, 5%)  , upperlimit 5%  )  
                   queue qOthersHigh on ste0 bandwidth 10% priority 4 hfsc (  ecn  , linkshare (0b, 200, 10%)  )  
                   queue qOthersLow on ste0 bandwidth 5% priority 2 hfsc (  ecn  , linkshare (5%, 500, 5%)  )  
                  
                   altq on  ste1 hfsc bandwidth 1142Kb queue {  qInternet  } 
                   queue qInternet on ste1 bandwidth 1142Kb hfsc (  ecn  , linkshare (1142Kb, 100, 1142Kb)  , upperlimit 1142Kb  )  {  qACK,  qDefault,  qP2P,  qOthersHigh,  qOthersLow  } 
                   queue qACK on ste1 bandwidth 20% priority 6 hfsc (  ecn  , linkshare (0b, 100, 20%)  )  
                   queue qDefault on ste1 bandwidth 10% priority 3 hfsc (  ecn  , default  )  
                   queue qP2P on ste1 bandwidth 5% priority 1 hfsc (  ecn  , linkshare (5%, 300, 5%)  , upperlimit 5%  )  
                   queue qOthersHigh on ste1 bandwidth 10% priority 4 hfsc (  ecn  , linkshare (0b, 200, 10%)  )  
                   queue qOthersLow on ste1 bandwidth 5% priority 2 hfsc (  ecn  , linkshare (5%, 500, 5%)  )  
                  
                  nat-anchor "ftp-proxy/*"
                  nat-anchor "natearly/*"
                  nat-anchor "natrules/*"
                  
                  # Outbound NAT rules
                  
                  # Subnets to NAT 
                  tonatsubnets	= "{ 192.168.10.0/24 192.168.20.0/24  }"
                  no nat on $WAN1 to port tftp
                  nat on $WAN1 from $tonatsubnets port 500 to any port 500 -> 192.168.0.58/32 port 500
                  nat on $WAN1 from $tonatsubnets port 4500 to any port 4500 -> 192.168.0.58/32 port 4500
                  nat on $WAN1 from $tonatsubnets port 5060 to any port 5060 -> 192.168.0.58/32 port 5060
                  nat on $WAN1 from $tonatsubnets to any -> 192.168.0.58/32
                  no nat on $WAN2 to port tftp
                  nat on $WAN2 from $tonatsubnets port 500 to any port 500 -> 192.168.1.2/32 port 500
                  nat on $WAN2 from $tonatsubnets port 4500 to any port 4500 -> 192.168.1.2/32 port 4500
                  nat on $WAN2 from $tonatsubnets port 5060 to any port 5060 -> 192.168.1.2/32 port 5060
                  nat on $WAN2 from $tonatsubnets to any -> 192.168.1.2/32
                  
                  #SSH Lockout Table
                  table <sshlockout> persist
                  
                  # Load balancing anchor
                  rdr-anchor "relayd/*"
                  # FTP proxy
                  rdr-anchor "ftp-proxy/*"
                  rdr-anchor "tftp-proxy/*"
                  
                  rdr on ste0 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8022
                  rdr on ste0 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969
                  rdr on xl0 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8024
                  rdr on xl0 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969
                  
                  # IMSpector rdr anchor
                  rdr-anchor "imspector"
                  # UPnPd rdr anchor
                  rdr-anchor "miniupnpd"
                  
                  anchor "ftpsesame/*" 
                  anchor "relayd/*"
                  anchor "firewallrules"
                  #---------------------------------------------------------------------------
                  # default deny rules
                  #---------------------------------------------------------------------------
                  block in log all label "Default deny rule"
                  block out log all label "Default deny rule"
                  
                  # We use the mighty pf, we cannot be fooled.
                  block quick proto { tcp, udp } from any port = 0 to any
                  block quick proto { tcp, udp } from any to any port = 0
                  
                  # snort2c
                  table <snort2c> persist
                  block quick from <snort2c> to any label "Block snort2c hosts"
                  block quick from any to <snort2c> label "Block snort2c hosts"
                  
                  # package manager early specific hook
                  anchor "packageearly"
                  
                  # carp
                  anchor "carp"
                  
                  # SSH lockout
                  block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                  table <virusprot>
                  block in quick from <virusprot> to any label "virusprot overload table"
                  antispoof for rl0
                  # allow our DHCP client out to the WAN1
                  anchor "wandhcp"
                  pass in on $WAN1 proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN1"
                  pass out on $WAN1 proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN1"
                  # Not installing DHCP server firewall rules for WAN1 which is configured for DHCP.
                  antispoof for ste0
                  # allow access to DHCP server on LAN
                  anchor "dhcpserverLAN"
                  pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                  pass in on $LAN proto udp from any port = 68 to 192.168.10.254 port = 67 label "allow access to DHCP server"
                  pass out on $LAN proto udp from 192.168.10.254 port = 67 to any port = 68 label "allow access to DHCP server"
                  antispoof for ste1
                  # allow our DHCP client out to the WAN2
                  anchor "opt1dhcp"
                  pass in on $WAN2 proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN2"
                  pass out on $WAN2 proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN2"
                  # Not installing DHCP server firewall rules for WAN2 which is configured for DHCP.
                  antispoof for xl0
                  # allow access to DHCP server on WIRELESS
                  anchor "dhcpserverWIRELESS"
                  pass in on $WIRELESS proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                  pass in on $WIRELESS proto udp from any port = 68 to 192.168.20.254 port = 67 label "allow access to DHCP server"
                  pass out on $WIRELESS proto udp from 192.168.20.254 port = 67 to any port = 68 label "allow access to DHCP server"
                  anchor "spoofing"
                  
                  # loopback
                  anchor "loopback"
                  pass in on $loopback all label "pass loopback"
                  pass out on $loopback all label "pass loopback"
                  
                  anchor "firewallout"
                  # let out anything from the firewall host itself and decrypted IPsec traffic
                  pass out all keep state label "let out anything from firewall host itself"
                  # make sure the user cannot lock himself out of the webConfigurator or SSH
                  anchor "anti-lockout"
                  pass in quick on ste0 from any to (ste0) keep state label "anti-lockout rule"
                  # NAT Reflection rules
                  # package manager late specific hook
                  anchor "packagelate"
                  
                  anchor "ftp-proxy/*"
                  
                  # enable ftp-proxy
                  pass in quick inet proto tcp tagged PFFTPPROXY flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                  
                  # User-defined aliases follow
                  
                  # User-defined rules follow
                  pass   out  proto tcp  from any to any port = 7668  label "USER_RULE: m_P2P Aimster outbound"
                  pass   out  proto tcp  from any to any  port 6880 >< 7000  label "USER_RULE: m_P2P BitTorrent outbound"
                  pass   out  proto udp  from any to any  port 6880 >< 7000  label "USER_RULE: m_P2P BitTorrent outbound"
                  pass   out  proto tcp  from any to any port = 7788  label "USER_RULE: m_P2P BuddyShare outbound"
                  pass   out  proto tcp  from any to any port = 2340  label "USER_RULE: m_P2P CuteMX outbound"
                  pass   out  proto tcp  from any to any  port 6665 >< 6669  label "USER_RULE: m_P2P dcc outbound"
                  pass   out  proto tcp  from any to any port = 412  label "USER_RULE: m_P2P DirectConnect outbound"
                  pass   out  proto tcp  from any to any  port 1043 >< 1046  label "USER_RULE: m_P2P DirectFileExpress outbound"
                  pass   out  proto tcp  from any to any  port 4660 >< 4666  label "USER_RULE: m_P2P EDonkey2000 outbound"
                  pass   out  proto tcp  from any to any port = 6346  label "USER_RULE: m_P2P Gnutella-TCP outbound"
                  pass   out  proto udp  from any to any port = 6346  label "USER_RULE: m_P2P Gnutella-UDP outbound"
                  pass   out  proto tcp  from any to any  port 8037 >< 8040  label "USER_RULE: m_P2P grouper outbound"
                  pass   out  proto tcp  from any to any  port 28863 >< 28866  label "USER_RULE: m_P2P hotComm outbound"
                  pass   out  proto tcp  from any to any  port 5499 >< 5504  label "USER_RULE: m_P2P HotlineConnect outbound"
                  pass   out  proto tcp  from any to any port = 4329  label "USER_RULE: m_P2P iMesh outbound"
                  pass   out  proto tcp  from any to any  port 6698 >< 6702  label "USER_RULE: m_P2P Napster outbound"
                  pass   out  proto tcp  from any to any  port 8887 >< 8890  label "USER_RULE: m_P2P OpenNap outbound"
                  pass   out  proto tcp  from any to any port = 8311  label "USER_RULE: m_P2P Scour outbound"
                  pass   out  proto tcp  from any to any port = 6346  label "USER_RULE: m_P2P Shareaza outbound"
                  pass   out  proto tcp  from any to any port = 5190  label "USER_RULE: m_P2P SongSpy outbound"
                  pass   out  proto tcp  from any to any port = 6699  label "USER_RULE: m_P2P WinMX outbound"
                  pass   out  proto tcp  from any to any port = 3389  label "USER_RULE: m_Other MSRDP outbound"
                  pass   out  proto tcp  from any to any port = 3283  label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
                  pass   out  proto tcp  from any to any port = 5900  label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
                  pass   out  proto udp  from any to any port = 3283  label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
                  pass   out  proto udp  from any to any port = 5900  label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
                  pass   out  proto tcp  from any to any port = 1723  label "USER_RULE: m_Other PPTP outbound"
                  pass   out  proto gre  from any to any  label "USER_RULE: m_Other PPTPGRE outbound"
                  pass   out  proto tcp  from any to any port = 554  label "USER_RULE: m_Other RTSP1 outbound"
                  pass   out  proto tcp  from any to any port = 80  label "USER_RULE: m_Other HTTP outbound"
                  pass   out  proto tcp  from any to any port = 443  label "USER_RULE: m_Other HTTPS outbound"
                  pass   out  proto tcp  from any to any port = 25  label "USER_RULE: m_Other SMTP outbound"
                  pass   out  proto tcp  from any to any port = 53  label "USER_RULE: m_Other DNS1 outbound"
                  pass   out  proto udp  from any to any port = 53  label "USER_RULE: m_Other DNS2 outbound"
                  pass  in  quick  on $WIRELESS  route-to { ( rl0 192.168.0.169 ) , ( ste1 192.168.1.254 ) } round-robin  from 192.168.20.0/24 to { ! 192.168.20.254 } keep state  label "USER_RULE"
                  pass  in  quick  on $WIRELESS  from 192.168.20.0/24 to any keep state  label "USER_RULE"
                  pass  in  quick  on $LAN  route-to { ( rl0 192.168.0.169 ) , ( ste1 192.168.1.254 ) } round-robin  from 192.168.10.0/24 to { ! 192.168.10.254 } keep state  label "USER_RULE"
                  pass  in  quick  on $LAN  from 192.168.10.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                  
                  # VPN Rules
                  
                  anchor "limitingesr"
                  
                  # IMSpector
                  anchor "imspector"
                  
                  # uPnPd
                  anchor "miniupnpd"
                  

                  Thanks

                  Gareth

                  eri--
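A small triage helper, added here as an example (it is not code from any post in this thread or from pfSense itself): it parses `ipfw show` output like the two dumps above into per-rule packet counters and sums the rules the 2.0 captive portal installs (the `skipto 50000` bypass for traffic from non-portal interfaces, the MAC pass-through `skipto 29900`, the `fwd 127.0.0.1,8000` of unauthenticated HTTP to the portal, the `allow tcp from any 80 ... out` return path, and the catch-all `deny` at 19904). It assumes that per-client allow rules are installed in the 20000 range that rule 01102 skips to; the embedded samples are excerpts of the two dumps posted in this thread.

```python
import re

# One line of `ipfw show`: rule number, packet count, byte count, then the rule body.
IPFW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# Rule-number conventions visible in the dumps. Assumption: per-client allow rules
# are installed in the 20000 range that the "skipto 20000 ... layer2" rule jumps to.
SKIP_NON_PORTAL = 50000    # traffic arriving on interfaces without a portal
SKIP_PASSTHROUGH = 29900   # MAC pass-through entries jump straight to the layer2 allow
CLIENT_RANGE = range(20000, SKIP_PASSTHROUGH)

# Excerpt of the first dump in this thread (no MAC bypass configured).
SAMPLE_NO_BYPASS = """
$ ipfw show
00030    29    2168 skipto 50000 ip from any to any in via le1 keep-state
00030   223  100620 skipto 50000 ip from any to any in via le0 keep-state
01000     6    6691 skipto 50000 ip from any to any not layer2 not via le2
01001     6    5219 allow ip from any to any layer2 not via le2
01101     0       0 deny ip from any to any layer2 not mac-type 0x0800
01102    59   10760 skipto 20000 ip from any to any layer2
19902     3     120 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903     0       0 allow tcp from any 80 to any out
19904    56   10640 deny ip from any to any
29900    59   10760 allow ip from any to any layer2
65535 12068 3677163 allow ip from any to any
"""

# Excerpt of the second dump (one MAC pass-through entry, which the poster said still worked).
SAMPLE_MAC_BYPASS = """
00030   670    86456 skipto 50000 ip from any to any in via rl0 keep-state
00050     6      240 skipto 29900 ip from any to any MAC 00:1b:63:c4:a6:9a any keep-state
00050   990   377008 skipto 29900 ip from any to any MAC any 00:1b:63:c4:a6:9a keep-state
19902     0        0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903     2       80 allow tcp from any 80 to any out
19904    14    21000 deny ip from any to any
"""


def parse_ipfw_show(text):
    """Parse `ipfw show` output into dicts; prompt and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = IPFW_LINE.match(line)
        if not m:
            continue
        num, pkts, nbytes, body = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
                      "action": body.split()[0], "body": body})
    return rules


def captive_portal_summary(rules):
    """Sum packet counters per captive-portal role and count per-client rules."""
    s = {"bypass_other_iface": 0, "mac_passthrough": 0, "to_portal": 0,
         "from_portal": 0, "denied_unauth": 0, "client_rules": 0}
    for r in rules:
        body, action = r["body"], r["action"]
        if action == "skipto" and body.startswith(f"skipto {SKIP_NON_PORTAL} "):
            s["bypass_other_iface"] += r["pkts"]
        elif action == "skipto" and body.startswith(f"skipto {SKIP_PASSTHROUGH} ") and " MAC " in body:
            s["mac_passthrough"] += r["pkts"]
        elif action == "fwd" and "dst-port 80" in body:
            s["to_portal"] += r["pkts"]
        elif body == "allow tcp from any 80 to any out":
            s["from_portal"] += r["pkts"]
        elif body == "deny ip from any to any":
            s["denied_unauth"] += r["pkts"]
        if r["num"] in CLIENT_RANGE:
            s["client_rules"] += 1
    return s


MESSAGES = {
    "NO_CLIENT_RULES": "no per-client allow rules in the 20000 range: nobody is authenticated",
    "NO_PORTAL_REDIRECT": "unauthenticated traffic hits the catch-all deny, but no HTTP was forwarded to the portal",
    "PORTAL_NO_REPLY": "HTTP was forwarded to the portal, but no replies from port 80 went back out",
}


def diagnose(summary):
    """Return finding codes (see MESSAGES) derived purely from the counters."""
    findings = []
    if summary["client_rules"] == 0:
        findings.append("NO_CLIENT_RULES")
    if summary["to_portal"] == 0 and summary["denied_unauth"] > 0:
        findings.append("NO_PORTAL_REDIRECT")
    if summary["to_portal"] > 0 and summary["from_portal"] == 0:
        findings.append("PORTAL_NO_REPLY")
    return findings


if __name__ == "__main__":
    for name, text in (("no bypass", SAMPLE_NO_BYPASS), ("MAC bypass", SAMPLE_MAC_BYPASS)):
        summary = captive_portal_summary(parse_ipfw_show(text))
        print(name, summary)
        for code in diagnose(summary):
            print("  -", MESSAGES[code])
```

Run it against a fresh `ipfw show` on the affected box to see which of the portal rules the blocked clients are actually hitting.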

                    It's fixed now; grab the next snapshot.
                    Can anybody of you who has multi-WAN too confirm that CP works on multi-WAN as well?!

                    gazzer82

                      Cheers Ermal,

                      I do indeed have a multi-WAN setup, so when I am back in the office I will give it a try.

                      Cheers

                      Gareth

                      gazzer82

                        Yes, it appears to be working, though I have been unable to check multi-LAN as I am having some issues with static IPs/gateways at the moment :(
