Netgate Discussion Forum
    [SOLVED] CP not working (1.2.3) - passes ALL traffic without auth

    • luken

      Hello,

      I have a clean install pfSense 1.2.3-RELEASE (from liveCD).

      CP enabled on the LAN (fxp1) interface with the local user manager and a list of allowed IPs (3 x AP not in the list)

      
      $ ipfw list
      00030 skipto 50000 ip from any to any in via fxp0 keep-state
      00500 allow pfsync from any to any
      00500 allow carp from any to any
      00500 allow ip from 10.22.21.1 to any out via fxp1
      00501 allow ip from any to 10.22.21.1 in via fxp1
      01000 skipto 50000 ip from any to any not layer2 not via fxp1
      01001 allow ip from any to any layer2 not via fxp1
      01100 allow ip from any to any layer2 mac-type 0x0806
      01100 allow ip from any to any layer2 mac-type 0x888e
      01100 allow ip from any to any layer2 mac-type 0x88c7
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x888e
      01101 deny ip from any to any layer2 not mac-type 0x0800
      01102 skipto 20000 ip from any to any layer2
      01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
      01201 allow udp from any 68 to 10.22.21.1 dst-port 67 in
      01202 allow udp from 10.22.21.1 67 to any dst-port 68 out
      01203 allow icmp from 10.22.21.1 to any out icmptypes 8
      01204 allow icmp from any to 10.22.21.1 in icmptypes 0
      01300 allow udp from any to 10.22.21.1 dst-port 53 in
      01300 allow udp from any to 10.22.21.1 dst-port 53 in
      01301 allow udp from 10.22.21.1 53 to any out
      01301 allow udp from 10.22.21.1 53 to any out
      01302 allow tcp from any to 10.22.21.1 dst-port 8000 in
      01302 allow tcp from any to 10.22.21.1 dst-port 8000 in
      01303 allow tcp from 10.22.21.1 8000 to any out
      01303 allow tcp from 10.22.21.1 8000 to any out
      10000 skipto 50000 ip from 10.22.21.11 to any in
      10000 skipto 50000 ip from any to 10.22.21.11 out
      10001 skipto 50000 ip from 10.22.21.12 to any in
      10001 skipto 50000 ip from any to 10.22.21.12 out
      10002 skipto 50000 ip from 10.22.21.13 to any in
      10002 skipto 50000 ip from any to 10.22.21.13 out
      10003 skipto 50000 ip from 10.22.21.14 to any in
      10003 skipto 50000 ip from any to 10.22.21.14 out
      10004 skipto 50000 ip from 10.22.21.15 to any in
      10004 skipto 50000 ip from any to 10.22.21.15 out
      10005 skipto 50000 ip from 10.22.21.16 to any in
      10005 skipto 50000 ip from any to 10.22.21.16 out
      10006 skipto 50000 ip from 10.22.21.17 to any in
      10006 skipto 50000 ip from any to 10.22.21.17 out
      10007 skipto 50000 ip from 10.22.21.18 to any in
      10007 skipto 50000 ip from any to 10.22.21.18 out
      10008 skipto 50000 ip from 10.22.21.19 to any in
      10008 skipto 50000 ip from any to 10.22.21.19 out
      10009 skipto 50000 ip from 10.22.21.2 to any in
      10009 skipto 50000 ip from any to 10.22.21.2 out
      10010 skipto 50000 ip from 10.22.21.20 to any in
      10010 skipto 50000 ip from any to 10.22.21.20 out
      10011 skipto 50000 ip from 10.22.21.21 to any in
      10011 skipto 50000 ip from any to 10.22.21.21 out
      10012 skipto 50000 ip from 10.22.21.22 to any in
      10012 skipto 50000 ip from any to 10.22.21.22 out
      10013 skipto 50000 ip from 10.22.21.23 to any in
      10013 skipto 50000 ip from any to 10.22.21.23 out
      10014 skipto 50000 ip from 10.22.21.24 to any in
      10014 skipto 50000 ip from any to 10.22.21.24 out
      10015 skipto 50000 ip from 10.22.21.25 to any in
      10015 skipto 50000 ip from any to 10.22.21.25 out
      10016 skipto 50000 ip from 10.22.21.26 to any in
      10016 skipto 50000 ip from any to 10.22.21.26 out
      10017 skipto 50000 ip from 10.22.21.27 to any in
      10017 skipto 50000 ip from any to 10.22.21.27 out
      10018 skipto 50000 ip from 10.22.21.28 to any in
      10018 skipto 50000 ip from any to 10.22.21.28 out
      10019 skipto 50000 ip from 10.22.21.29 to any in
      10019 skipto 50000 ip from any to 10.22.21.29 out
      10020 skipto 50000 ip from 10.22.21.30 to any in
      10020 skipto 50000 ip from any to 10.22.21.30 out
      10021 skipto 50000 ip from 10.22.21.31 to any in
      10021 skipto 50000 ip from any to 10.22.21.31 out
      10022 skipto 50000 ip from 10.22.21.32 to any in
      10022 skipto 50000 ip from any to 10.22.21.32 out
      10023 skipto 50000 ip from 10.22.21.33 to any in
      10023 skipto 50000 ip from any to 10.22.21.33 out
      10024 skipto 50000 ip from 10.22.21.34 to any in
      10024 skipto 50000 ip from any to 10.22.21.34 out
      10025 skipto 50000 ip from 10.22.21.35 to any in
      10025 skipto 50000 ip from any to 10.22.21.35 out
      10026 skipto 50000 ip from 10.22.21.36 to any in
      10026 skipto 50000 ip from any to 10.22.21.36 out
      10027 skipto 50000 ip from 10.22.21.37 to any in
      10027 skipto 50000 ip from any to 10.22.21.37 out
      10028 skipto 50000 ip from 10.22.21.38 to any in
      10028 skipto 50000 ip from any to 10.22.21.38 out
      10029 skipto 50000 ip from 10.22.21.39 to any in
      10029 skipto 50000 ip from any to 10.22.21.39 out
      10030 skipto 50000 ip from 10.22.21.40 to any in
      10030 skipto 50000 ip from any to 10.22.21.40 out
      10031 skipto 50000 ip from 10.22.21.41 to any in
      10031 skipto 50000 ip from any to 10.22.21.41 out
      10032 skipto 50000 ip from 10.22.21.42 to any in
      10032 skipto 50000 ip from any to 10.22.21.42 out
      10033 skipto 50000 ip from 10.22.21.43 to any in
      10033 skipto 50000 ip from any to 10.22.21.43 out
      10034 skipto 50000 ip from 10.22.21.44 to any in
      10034 skipto 50000 ip from any to 10.22.21.44 out
      10035 skipto 50000 ip from 10.22.21.45 to any in
      10035 skipto 50000 ip from any to 10.22.21.45 out
      10036 skipto 50000 ip from 10.22.21.46 to any in
      10036 skipto 50000 ip from any to 10.22.21.46 out
      10037 skipto 50000 ip from 10.22.21.47 to any in
      10037 skipto 50000 ip from any to 10.22.21.47 out
      10038 skipto 50000 ip from 10.22.21.48 to any in
      10038 skipto 50000 ip from any to 10.22.21.48 out
      10039 skipto 50000 ip from 10.22.21.49 to any in
      10039 skipto 50000 ip from any to 10.22.21.49 out
      10040 skipto 50000 ip from 10.22.21.50 to any in
      10040 skipto 50000 ip from any to 10.22.21.50 out
      10041 skipto 50000 ip from 212.191.64.10 to any in
      10041 skipto 50000 ip from any to 212.191.64.10 out
      10042 skipto 50000 ip from any to 212.191.64.10 in
      10042 skipto 50000 ip from 212.191.64.10 to any out
      10043 pipe 50543 ip from 10.22.21.7 to any in
      10043 pipe 55543 ip from any to 10.22.21.7 out
      19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
      19903 allow tcp from any 80 to any out
      19904 deny ip from any to any
      29900 allow ip from any to any layer2
      65535 allow ip from any to any
      

      and.. there is NO login page. Users from the APs (10.22.21.3, .6, .7) can access the internet unrestricted.

      I believe this is not the way CP should work..

      I would be grateful for any help you could give me.

      • GruensFroeschli

        Did you make sure that your APs don't NAT?
        If you allow traffic from the IPs/MACs of the APs and your APs do NAT, then all traffic from your clients will appear as if from the AP.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • luken

          Thanks for the reply.

          APs do NAT.

          192.168.1.0/24 <-> AP1 (10.22.21.3) <-> Gateway (10.22.21.1)

          ..but 10.22.21.3 is NOT on allowed list, so users should be redirected to CP.

          Please correct me, if I'm wrong..

          • Gertjan

            Hummm.

            My C.P. IP (on Opt1) is 192.168.2.1
            I have 5 APs: 192.168.2.2 - 3 - 4 - 5 - 6
            The DHCP server running on the C.P. is handing out IPs on request from 192.168.2.10 up until 192.168.2.200
            My APs do not NAT either.
            It works as published.

            YOU :
            @luken:

            192.168.1.0/24 <-> AP1 (10.22.21.3) <-> Gateway (10.22.21.1)

            192.168.1.0/24 is the IP set given to your clients ??
            Your clients should have an IP that runs from 10.22.21.10 (or more) up until 10.22.21.254 - the 192.168.1.0 seems wrong to me here.
            Who converts from 192.168.1.0/24 to 10.22.21.1 (btw : this is called NATting :D)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • luken

              @Gertjan:

              192.168.1.0/24 is the IP set given to your clients ??
              Your clients should have an IP that runs from 10.22.21.10 (or more) up until 10.22.21.254 - the 192.168.1.0 seems wrong to me here.
              Who converts from 192.168.1.0/24 to 10.22.21.1 (btw : this is called NATting :D)

              Yes. Once again:

              
              wifi-client1 (192.168.1.53 via DHCP) ---<>
                                                        (192.168.1.1) AP1 (NAT) (10.22.21.3 static) <> (10.22.21.1) Gateway
              wifi-client2 (192.168.1.78 via DHCP) ---<>
              
              

              The Wi-Fi clients' network shouldn't be a problem when they are translated on the AP.. (Am I wrong?)

              Today I checked again. Strange, but sometimes a Wi-Fi client is redirected to the login page, sometimes not. ???
              Please help me diagnose this.

              • GruensFroeschli

                The CP will show up for the first client to authenticate.
                After that the MAC/IP of the AP is authenticated and all further clients can just go online.

                The Wi-Fi clients' network shouldn't be a problem when they are translated on the AP.. (Am I wrong?)

                Yes you are wrong.
                NAT breaks the CP functionality.
                (This is not a pfSense limitation. This is just how CPs work)

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                • luken
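                To put GruensFroeschli's explanation in checkable form, here is an added example (not code from this thread or from pfSense): a parser for `ipfw list` output like the one posted above that reports which addresses skip the portal and which AP addresses currently hold a login session, plus a small model of a portal keyed on the (IP, MAC) the firewall sees, run once with a NAT'ing AP and once with a bridging one. It assumes that the `pipe` rules in the listing are the per-host rules pfSense adds for a client that has logged in, and the MAC addresses are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt of the posted `ipfw list` output, one line of each kind.
IPFW_LIST = """\
01000 skipto 50000 ip from any to any not layer2 not via fxp1
10000 skipto 50000 ip from 10.22.21.11 to any in
10000 skipto 50000 ip from any to 10.22.21.11 out
10009 skipto 50000 ip from 10.22.21.2 to any in
10043 pipe 50543 ip from 10.22.21.7 to any in
10043 pipe 55543 ip from any to 10.22.21.7 out
19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
"""

# Per-host rules in the listing: 'skipto 50000 ... in' is the allowed-IP list,
# 'pipe N ... in' is a host that logged in through the portal (assumption).
PASSTHROUGH = re.compile(r"^\d+ skipto 50000 ip from (\d+(?:\.\d+){3}) to any in$")
SESSION = re.compile(r"^\d+ pipe \d+ ip from (\d+(?:\.\d+){3}) to any in$")

def audit(ipfw_output: str, ap_ips: set[str]) -> dict[str, set[str]]:
    """Report who bypasses the portal and which AP addresses hold a session.
    An AP address with a session means every client behind its NAT passes."""
    lines = [ln.strip() for ln in ipfw_output.splitlines()]
    passthrough = {m.group(1) for ln in lines if (m := PASSTHROUGH.match(ln))}
    sessions = {m.group(1) for ln in lines if (m := SESSION.match(ln))}
    return {"passthrough": passthrough, "sessions": sessions,
            "nat_ap_sessions": sessions & ap_ips,
            "ap_in_allowed_list": passthrough & ap_ips}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    client: str   # the real originator, for bookkeeping only

def simulate(nat: bool) -> dict[str, str]:
    """Model a portal keyed on the (IP, MAC) the firewall sees: wifi-client1 logs in,
    then wifi-client2 sends its first packet. Returns what each client got."""
    ap_ip, ap_mac = "10.22.21.3", "00:00:00:00:00:03"   # constructed MAC
    clients = [Packet("192.168.1.53", "00:00:00:00:00:53", "wifi-client1"),
               Packet("192.168.1.78", "00:00:00:00:00:78", "wifi-client2")]
    # A NAT'ing AP rewrites every client to its own IP and MAC; a bridging AP
    # passes each client's own address through (it would be a 10.22.21.x lease
    # from pfSense in that case, but only the distinctness matters here).
    seen = [Packet(ap_ip, ap_mac, p.client) if nat else p for p in clients]
    authenticated: set[tuple[str, str]] = set()
    result: dict[str, str] = {}
    for p in seen:
        key = (p.src_ip, p.src_mac)
        result[p.client] = "pass" if key in authenticated else "login"
        authenticated.add(key)   # whoever saw the login page completes it
    return result
```

Running `audit(IPFW_LIST, {"10.22.21.3", "10.22.21.6", "10.22.21.7"})` flags 10.22.21.7 as an AP address holding a session, which is the state in which every client behind that AP's NAT is waved through; `simulate(nat=True)` shows the second client never seeing the login page.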

                  Many thanks GruensFroeschli! :) I understand now.

                  What should I do to authenticate clients connecting from APs (WRT320N) on pfSense?

                  Thanks again.

                  EDIT:
                  PS: Since this is not a CP-related problem I'm not sure this is the right place for my topic. Anyway, moderators decide :)

                  • 0tt0

                    @luken:

                    Many thanks GruensFroeschli! :) I understand now.

                    What should I do to authenticate clients connecting from APs (WRT320N) on pfSense?

                    Thanks again.

                    EDIT:
                    PS: Since this is not a CP-related problem I'm not sure this is the right place for my topic. Anyway, moderators decide :)

                    You should use an access point and not the NAT router you are using now; yours just happens to have a built-in access point. If your router can be set to AP mode (some can), use that (it will bridge clients onto the local net); otherwise buy a real access point and add that to your network. Right now the built-in access point in the router is bridging clients onto the local net behind the router itself.

                    Apart from this issue with router/AP, you may also have the same problem that I have with CP, provided that you're not mistaken in your info regarding the allowed list. Indeed you should see the logon page at least once.

                    Some of my posts regarding my problems with CP: http://forum.pfsense.org/index.php/topic,20206.0.html

                    Cheers,

                    • capnsteve

                      You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

                      • GruensFroeschli

                        @capnsteve:

                        You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

                        In your case you must be routing and not NATing.
                        If you NAT it wouldn't work.

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        • capnsteve

                          @GruensFroeschli:

                          @capnsteve:

                          You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

                          In your case you must be routing and not NATing.
                          If you NAT it wouldn't work.

                          I was providing specific-case instructions from my own experience.  In the standard issue Linksys firmware you just disable the DHCP server and set it to do DHCP forwarding pointed at the pfSense box.  That will also disable the NAT leaving the routing functions.

                          • 0tt0

                            @capnsteve:

                            @GruensFroeschli:

                            @capnsteve:

                            You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

                            In your case you must be routing and not NATing.
                            If you NAT it wouldn't work.

                            I was providing specific-case instructions from my own experience.  In the standard issue Linksys firmware you just disable the DHCP server and set it to do DHCP forwarding pointed at the pfSense box.  That will also disable the NAT leaving the routing functions.

                            In your specific case that may be correct, but generally no. Many SOHO routers have the ability to shut down the DHCP service, but that doesn't have to imply that NAT is also turned off; it's a separate setting, if available.

                            Neither is the same workings as a standard bridging AP though. Bridging is not the same as routing and in general terms they are very different, the former is data link and the latter is network.

                            Cheers,

                            • luken

                              Thanks.

                              I've just disabled the DHCP server on the wrt320n (and also the wrt610n) and moved the cable carrying the internet uplink from the WAN port to a LAN port.
                              IP-list-based pass-through -> MAC list (for the wired network)

                              CP works like a charm. :)

                              SOLVED.
