Redirect all traffic from 1 internal (LAN) IP to specific IP address
-
Hey all
I need to make a bit of an unusual scenario.
I need to block all outgoing web traffic on port 80, so users can not access the web.
Basically so that if you type www.pfsense.com :) you will go to IP 1.2.3.4:88, which will just display an HTML page saying: This intranet does not allow external web access.
I know the other way around, where I can redirect all incoming traffic, but I have no idea how to do it the way I want.
I thought just to reverse the firewall rule, but no luck :( Hope you can help me.
-
You could probably use squid with a transparent filter. Then set it up to block everything and set up a custom error page.
-
What I realized: I also have to do that only for a specific range of IP addresses, or at least for IPs one by one, as some users still should be allowed to access the web.
How do I use squid? I don't think it's a default package… I'm running on an embedded board so I won't be able to install any addons.
-
Depending on what you're using for DNS, you could just set up a fake DNS that returns your server for all DNS queries.
-
I thought DNS would apply for all IPs and not just a selected list. Or am I wrong?
-
Yes, unless you manually set a normal DNS server on the machines that you want to have access.
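As an added example (not code from the thread or from pfSense), here is the "fake DNS" idea above in working form: a tiny UDP responder that answers every A query with the address of the denial page, so a browser typing any hostname lands on that page. The allow-list of LAN clients that are relayed to a real resolver is an assumption of mine, as are the client addresses, the upstream resolver and the 60-second TTL; the block-page address 1.2.3.4 comes from the thread.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

# Constructed values (assumptions): the host serving the "not allowed" page,
# the LAN clients that keep normal resolution, and the resolver they are relayed to.
BLOCK_PAGE_IP = "1.2.3.4"
ALLOWED_CLIENTS = [ip_network("192.168.1.10/32"), ip_network("192.168.1.64/26")]
UPSTREAM_RESOLVER = ("192.168.1.1", 53)  # placeholder, not from the thread

QTYPE_A = 1
QCLASS_IN = 1


def encode_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal standard query (RD set); used here to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, qclass, end_offset) from a single-question query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain query name
            raise ValueError("unexpected compression pointer in query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4


def build_sinkhole_response(query: bytes, client_ip: str, ttl: int = 60):
    """Answer every A/IN query with BLOCK_PAGE_IP; other types get an empty NOERROR reply.

    Returns None for allow-listed clients so the caller can relay the query unchanged.
    """
    if any(ip_address(client_ip) in net for net in ALLOWED_CLIENTS):
        return None
    txid, _qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]                      # echo the question section verbatim
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # flags 0x8180: response, recursion desired + available, no error
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # name is a pointer (0xC00C) back to the question name at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        return header + question + answer + socket.inet_aton(BLOCK_PAGE_IP)
    # AAAA, MX, etc.: no answer, so the client falls back to the A record
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question


def relay_upstream(query: bytes, timeout: float = 3.0) -> bytes:
    """Forward an exempt client's query to the real resolver and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(timeout)
        up.sendto(query, UPSTREAM_RESOLVER)
        reply, _ = up.recvfrom(4096)
        return reply


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sinkhole; point the DHCP-issued DNS server at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (client_ip, client_port) = sock.recvfrom(512)
            try:
                reply = build_sinkhole_response(data, client_ip)
                if reply is None:
                    reply = relay_upstream(data)
            except (ValueError, socket.timeout):
                continue  # malformed query or silent upstream: drop it
            sock.sendto(reply, (client_ip, client_port))


if __name__ == "__main__":
    serve()
```

Note that this only catches clients that actually use the DHCP-issued resolver; a client with a manually configured DNS server, or one connecting by raw IP, bypasses it, which is why a port 80 firewall or NAT rule is still needed alongside it.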
-
No, the network is DHCP controlled.
I only have a list of MAC addresses.
-
I would give captive portal a try. I haven't used it but I think you could set the portal page as your "Access to the internet is denied." page and use MAC pass-through for those clients who should receive internet access.
-
Good try :((((
But captive portal is already in use for those who are allowed to get outside…
Ideally there should be an option in captive portal for blocking and redirecting traffic based on MAC address, just like the D-Link hotspot does... but I guess for that I either have to do my own mod to the CP script (it's actually an easy fix) and then submit it to monowall, and if they include it then it will go here too. But I don't want to do custom images anymore...
-
If you're already using the captive portal, why not just have your logon page say that Internet access isn't allowed without a valid username/password?
I also think if you make a change, you should probably submit it to pfSense, not MonoWall. These releases aren't based off of what monowall is doing. :-\
-
As to CP, its code is an identical copy of monowall's.
CP does not solve the problem for me, as users can get a username and password very easily, e.g. a shared password. I can allow only one session, but that still is not secure enough. If I had RADIUS v2 then I could block a specific MAC address, but I'm running 1.4 and there is a bug there, and we can not upgrade to v2 because the MySQL structure needs to be changed and we can not touch it :(
-
Well, if security is a concern, MAC-based filtering can be spoofed pretty easily.
Is it possible to require the valid clients to connect to a VPN for internet access?
-
Well, a MAC address can be spoofed if you know the right MAC address =)
Unfortunately we don't use a VPN (but maybe we might want to establish one).
-
Yeah, even if it's just for local use, it's a quick way to have a completely different firewall policy apply to various clients that share the same network.
-
Well, I guess I'll do a quick dirty trick with a load balance trunk that has 0 Kbps speed, which will cut the web access for the port,
but no explanation screen :(