    Captive Portal: no login screen

    Captive Portal
    16 Posts 6 Posters 13.4k Views

      nerbas

      Hi everyone - I looked everywhere, but even in IRC no one could help, so you are all my last hope :)

      Summary: The captive portal authentication page is not shown.

      System:

      • 1.2.3-RELEASE [just updated] on a dedicated server (as a VM),
      • no installed packages (I read that squid etc. could interfere with CP, so I uninstalled it)
      • 3 interfaces (LAN, WLAN, WAN), and the CP is enabled on WLAN
      • DSL Router --- pfSense WAN - pfSense WLAN ------- Laptop as the test configuration (so no access point is involved)
      • I can enable/disable firewall rules (so routing is working), but the redirect to the CP login page does not work
      • the status page of the CP doesn't show any activity
      • for testing purposes I set all firewall rules to * * * ALLOW - nevertheless, no CP page is shown
      • it doesn't matter which authentication I choose, RADIUS or "local user" - neither works
      • tail var/log/lighttpd.error.log shows no problems
      • rebooting/updating to 1.2.3/1.2.2 does not help

      So what am I doing wrong? Should there be any firewall rules for the CP?

      Details:

      $ ipfw list
      00002 allow ip from any to any in recv re1
      00003 allow ip from any to 192.168.1.0/24 in recv re2
      00004 allow tcp from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } in recv re2
      00005 allow ip from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } dst-port 53 in recv re2
      00006 allow tcp from 127.0.0.0/8 to 192.168.3.0/24 in recv re2
      00007 allow tcp from any to not 192.168.0.0/16 dst-port 80 in recv re2
      00008 allow ip from any to any in recv re2
      00009 allow ip from any to any in recv re0
      00010 allow ip from 192.168.1.0/24 to any in recv re0
      00011 allow ip from any to any in recv re1
      00012 allow ip from any to 192.168.1.0/24 in recv re2
      00013 allow tcp from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } in recv re2
      00014 allow ip from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } dst-port 53 in recv re2
      00015 allow tcp from 127.0.0.0/8 to 192.168.3.0/24 in recv re2
      00016 allow tcp from any to not 192.168.0.0/16 dst-port 80 in recv re2
      00017 allow ip from any to any in recv re2
      00018 allow ip from any to any in recv re0
      00019 allow ip from 192.168.1.0/24 to any in recv re0
      00030 skipto 50000 ip from any to any in via re0 keep-state
      00030 skipto 50000 ip from any to any in via re1 keep-state
      00500 allow pfsync from any to any
      00500 allow carp from any to any
      01000 skipto 50000 ip from any to any not layer2 not via re2
      01001 allow ip from any to any layer2 not via re2
      01100 allow ip from any to any layer2 mac-type 0x0806
      01100 allow ip from any to any layer2 mac-type 0x888e
      01100 allow ip from any to any layer2 mac-type 0x88c7
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x8863
      01100 allow ip from any to any layer2 mac-type 0x8864
      01100 allow ip from any to any layer2 mac-type 0x888e
      01101 deny ip from any to any layer2 not mac-type 0x0800
      01102 skipto 20000 ip from any to any layer2
      01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
      01201 allow udp from any 68 to 192.168.3.254 dst-port 67 in
      01202 allow udp from 192.168.3.254 67 to any dst-port 68 out
      01203 allow icmp from 192.168.3.254 to any out icmptypes 8
      01204 allow icmp from any to 192.168.3.254 in icmptypes 0
      01300 allow udp from any to 192.168.3.254 dst-port 53 in
      01300 allow udp from any to 192.168.1.254 dst-port 53 in
      01301 allow udp from 192.168.3.254 53 to any out
      01301 allow udp from 192.168.1.254 53 to any out
      01302 allow tcp from any to 192.168.3.254 dst-port 8000 in
      01302 allow tcp from any to 192.168.1.254 dst-port 8000 in
      01303 allow tcp from 192.168.3.254 8000 to any out
      01303 allow tcp from 192.168.1.254 8000 to any out
      10000 skipto 50000 ip from any to 192.168.1.251 in
      10000 skipto 50000 ip from 192.168.1.251 to any out
      10001 skipto 50000 ip from any to 192.168.1.2 in
      10001 skipto 50000 ip from 192.168.1.2 to any out
      19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
      19903 allow tcp from any 80 to any out
      19904 deny ip from any to any
      29900 allow ip from any to any layer2
      65535 allow ip from any to any

      $ cat /tmp/rules.debug
      # System Aliases
      loopback = "{ lo0 }"
      lan = "{ re0  }"
      wan = "{ re1   }"
      enc0 = "{ enc0 }"
      WLAN = "{ re2 }"
      # User Aliases
      NetzInternGrafik = "{ 192.168.2.0/24 }"
      NetzInternVerwaltung = "{ 192.168.1.0/24 }"
      NetzwerkWLAN = "{ 192.168.3.0/24 }"
      m10 = "{ 192.168.2.10 }"
      m2 = "{ 192.168.1.2 }"
      m5 = "{ 192.168.1.5 }"
      m6 = "{ 192.168.1.6 }"
      m7 = "{ 192.168.1.7 }"
      m8 = "{ 192.168.1.254 192.168.3.254 192.168.4.254 }"
      m9 = "{ 192.168.1.9 }"

      set loginterface re1
      set loginterface re0
      set loginterface re2
      set optimization normal

      set skip on pfsync0
      scrub all random-id  fragment reassemble
      altq on re1 hfsc bandwidth 1500Kb queue { qwanRoot }
      altq on re0 hfsc bandwidth 10000Kb queue { qlanRoot }

      queue qwanRoot bandwidth 1500Kb priority 0 hfsc { qwandef, qwanacks, qVOIPUp, qP2PUp, qOthersUpH, qOthersUpL }
      queue qlanRoot bandwidth 10000Kb priority 0 hfsc { qlandef, qlanacks, qVOIPDown, qP2PDown, qOthersDownH, qOthersDownL }
      queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
      queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc (  default realtime 1% )
      queue qwanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
      queue qlanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
      queue qVOIPUp bandwidth 25% priority 7 hfsc (  realtime 32Kb )
      queue qVOIPDown bandwidth 25% priority 7 hfsc (  realtime 32Kb )
      queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn upperlimit 1000Kb realtime 1Kb )
      queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn upperlimit 100Kb realtime 1Kb )
      queue qOthersUpH bandwidth 25% priority 4 hfsc (  red ecn realtime 1Kb )
      queue qOthersDownH bandwidth 25% priority 4 hfsc (  red ecn realtime 1Kb )
      queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )
      queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn realtime 1Kb )

      nat-anchor "pftpx/*"
      nat-anchor "natearly/*"
      nat-anchor "natrules/*"
      # FTP proxy
      rdr-anchor "pftpx/*"

      # Outbound NAT rules
      nat on $wan from 192.168.0.0/16 to !192.168.0.0/16 -> (re1) port 1024:65535

      #SSH Lockout Table
      table <sshlockout> persist

      # Load balancing anchor - slbd updates
      rdr-anchor "slb"

      # FTP Proxy/helper
      table <vpns> { }
      no rdr on re0 proto tcp from any to <vpns> port 21
      rdr on re0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
      no rdr on re2 proto tcp from any to <vpns> port 21
      rdr on re2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022

      # IMSpector rdr anchor
      rdr-anchor "imspector"
      # UPnPd rdr anchor
      rdr-anchor "miniupnpd"
      
      block in all tag unshaped label "SHAPER: first match rule"
      pass in on  $wan from any  to 192.168.1.0/24 tos lowdelay  keep state tagged unshaped tag qVOIPUp
      pass out on $lan from any to 192.168.1.0/24 tos lowdelay keep state tagged qVOIPUp tag qVOIPDown
      pass in on  $lan from 192.168.1.0/24  to any tos lowdelay  keep state tagged unshaped tag qVOIPDown
      pass out on $wan from any to any tos lowdelay keep state tagged qVOIPDown tag qVOIPUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5900:5930 keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5900:5930 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $wan proto ah from any  to 192.168.1.0/24  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto ah from any to 192.168.1.0/24 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5900:5930 keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto tcp from any to any port 5900:5930 keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $lan proto esp from 192.168.1.0/24  to any  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto esp from any to any keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3389  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto tcp from any to any port 3389 keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $wan proto esp from any  to 192.168.1.0/24  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto esp from any to 192.168.1.0/24 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 500  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto udp from any to 192.168.1.0/24 port 500 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $lan proto ah from 192.168.1.0/24  to any  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto ah from any to any keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1723  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto tcp from any to any port 1723 keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3389  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 3389 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $lan proto gre from 192.168.1.0/24  to any  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto gre from any to any keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1723  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 1723 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $wan proto gre from any  to 192.168.1.0/24  keep state tagged unshaped tag qOthersUpH
      pass out on $lan proto gre from any to 192.168.1.0/24 keep state tagged qOthersUpH tag qOthersDownH
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 500  keep state tagged unshaped tag qOthersDownH
      pass out on $wan proto udp from any to any port 500 keep state tagged qOthersDownH tag qOthersUpH
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6667:6670 keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6667:6670 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6667:6670 keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 6667:6670 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5222  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 5222 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5223  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 5223 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 14534  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 14534 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 14534  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 14534 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 51234  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 51234 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 51234  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 51234 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 8767:8768 keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto udp from any to any port 8767:8768 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5190  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto udp from any to 192.168.1.0/24 port 5190 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 5190  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto udp from any to any port 5190 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5269  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 5269 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 8767:8768 keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto udp from any to 192.168.1.0/24 port 8767:8768 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5269  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5269 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5190  keep state tagged unshaped tag qOthersDownL
      pass out on $wan proto tcp from any to any port 5190 keep state tagged qOthersDownL tag qOthersUpL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5190  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5190 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5222  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5222 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5223  keep state tagged unshaped tag qOthersUpL
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5223 keep state tagged qOthersUpL tag qOthersDownL
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5900  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5900 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5900  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 5900 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3283  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 3283 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3283  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 3283 keep state tagged qlandef tag qwandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 3283  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 3283 keep state tagged qlandef tag qwandef
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 3283  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 3283 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 2340  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 2340 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 2340  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 2340 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5900  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 5900 keep state tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 5900  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 5900 keep state tagged qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6666:6668 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6666:6668 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6666:6668 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6666:6668 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 137:139 keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 137:139 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 137:139 keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 137:139 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 445  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 445 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 445  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 445 keep state tagged qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 554  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 554 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 554  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 554 keep state tagged qwandef tag qlandef
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 161  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 161 keep state tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 161  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 161 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 161  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 161 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 161  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 161 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 7788  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 7788 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 7788  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 7788 keep state tagged qP2PDown tag qP2PUp
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 6881:6999 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto udp from any to any port 6881:6999 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 6881:6999 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto udp from any to 192.168.1.0/24 port 6881:6999 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5632  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 5632 keep state tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 5632  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 5632 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6881:6999 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6881:6999 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6881:6999 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6881:6999 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5999  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5999 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5999  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 5999 keep state tagged qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 7668  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 7668 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 7668  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 7668 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5631  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5631 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5631  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 5631 keep state tagged qlandef tag qwandef
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 1352  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 1352 keep state tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 1352  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 1352 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1352  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 1352 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1352  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 1352 keep state tagged qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3306  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 3306 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3306  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 3306 keep state tagged qwandef tag qlandef
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 119  keep state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 119 keep state tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 119  keep state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 119 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 119  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 119 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 119  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 119 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 143  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 143 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 143  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 143 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 28864:28865 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 28864:28865 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5500:5503 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 5500:5503 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5500:5503 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5500:5503 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 4329  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 4329 keep state tagged qP2PDown tag qP2PUp
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 28864:28865 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 28864:28865 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8038:8039 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 8038:8039 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8000:8100 keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 8000:8100 keep state tagged qlandef tag qwandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 6346  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto udp from any to any port 6346 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 6346  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto udp from any to 192.168.1.0/24 port 6346 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8038:8039 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 8038:8039 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 4329  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 4329 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6699:6701 keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6699:6701 keep state tagged qP2PDown tag qP2PUp
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6346  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6346 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8311  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 8311 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8311  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 8311 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8888:8889 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 8888:8889 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6346  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6346 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5190  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 5190 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6699:6701 keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6699:6701 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6699  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6699 keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6699  keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6699 keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5190  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 5190 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8000:8100 keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 8000:8100 keep state tagged qwandef tag qlandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6346  keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 6346 keep state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 443  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 443 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 443  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 443 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 80  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 80 keep state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 80  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 80 keep state tagged qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 25  keep state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 25 keep state tagged qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 25  keep state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 25 keep state tagged qwandef tag qlandef
      pass in on  $wan proto icmp from any  to 192.168.1.0/24  keep state
      tagged unshaped tag qwandef
      pass out on $lan proto icmp from any to 192.168.1.0/24 keep state tagged
      qwandef tag qlandef
      pass in on  $lan proto icmp from 192.168.1.0/24  to any  keep state
      tagged unshaped tag qlandef
      pass out on $wan proto icmp from any to any keep state tagged qlandef
      tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 110  keep
      state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 110 keep
      state tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 110  keep
      state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 110 keep state tagged
      qlandef tag qwandef
      pass in on  $wan proto udp from any  to 192.168.1.0/24 port 53  keep
      state tagged unshaped tag qwandef
      pass out on $lan proto udp from any to 192.168.1.0/24 port 53 keep state
      tagged qwandef tag qlandef
      pass in on  $lan proto udp from 192.168.1.0/24  to any port 53  keep
      state tagged unshaped tag qlandef
      pass out on $wan proto udp from any to any port 53 keep state tagged
      qlandef tag qwandef
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1044:1045
      keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 1044:1045
      keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 4661:4665
      keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 4661:4665 keep state
      tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 4661:4665
      keep state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 4661:4665
      keep state tagged qP2PUp tag qP2PDown
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6346  keep
      state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 6346 keep state tagged
      qP2PDown tag qP2PUp
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1044:1045
      keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 1044:1045 keep state
      tagged qP2PDown tag qP2PUp
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 412  keep
      state tagged unshaped tag qP2PUp
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 412 keep
      state tagged qP2PUp tag qP2PDown
      pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 53  keep
      state tagged unshaped tag qwandef
      pass out on $lan proto tcp from any to 192.168.1.0/24 port 53 keep state
      tagged qwandef tag qlandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 53  keep
      state tagged unshaped tag qlandef
      pass out on $wan proto tcp from any to any port 53 keep state tagged
      qlandef tag qwandef
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 412  keep
      state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 412 keep state tagged
      qP2PDown tag qP2PUp
      pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8888:8889
      keep state tagged unshaped tag qP2PDown
      pass out on $wan proto tcp from any to any port 8888:8889 keep state
      tagged qP2PDown tag qP2PUp
      pass in on  $lan from 192.168.1.0/24  to any  keep state tagged unshaped
      tag qP2PDown
      pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan from any  to 192.168.1.0/24  keep state tagged unshaped
      tag qP2PUp
      pass out on $lan from any to 192.168.1.0/24 keep state tagged qP2PUp tag
      qP2PDown
      pass in on  $lan from 192.168.1.0/24  to any  keep state tagged unshaped
      tag qP2PDown
      pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
      pass in on  $wan from any  to 192.168.1.0/24  keep state tagged unshaped
      tag qP2PUp
      pass out on $lan from any to 192.168.1.0/24 keep state tagged qP2PUp tag
      qP2PDown
      
      pass in quick on re2 proto tcp from any to 192.168.3.254 port { 8000 8001 } keep state
      anchor "ftpsesame/*"
      anchor "firewallrules"
      
      # We use the mighty pf, we cannot be fooled.
      block quick proto { tcp, udp } from any port = 0 to any
      block quick proto { tcp, udp } from any to any port = 0
      
      # snort2c
      table <snort2c> persist
      block quick from <snort2c> to any label "Block snort2c hosts"
      block quick from any to <snort2c> label "Block snort2c hosts"
      # Block all IPv6
      block in quick inet6 all
      block out quick inet6 all
      # loopback
      anchor "loopback"
      pass in quick on $loopback all label "pass loopback"
      pass out quick on $loopback all label "pass loopback"
      
      # package manager early specific hook
      anchor "packageearly"
      
      # carp
      anchor "carp"
      
      # permit wan interface to ping out (ping_hosts.sh)
      pass quick proto icmp from 192.168.4.254 to any keep state
      
      # NAT Reflection rules
      
      # allow access to DHCP server on LAN
      anchor "dhcpserverlan"
      pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
      pass in quick on $lan proto udp from any port = 68 to 192.168.1.254 port = 67 label "allow access to DHCP server on LAN"
      pass out quick on $lan proto udp from 192.168.1.254 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
      block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "block dhcp client out wan"
      
      # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
      antispoof for re0
      antispoof for re2
      
      anchor "spoofing"
      # Support for allow limiting of TCP connections by establishment rate
      anchor "limitingesr"
      table <virusprot>
      block in quick from <virusprot> to any label "virusprot overload table"
      # pass traffic from firewall -> out
      anchor "firewallout"
      pass out quick on re1 all keep state tagged qwandef queue (qwandef, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re1 all keep state tagged qVOIPUp queue (qVOIPUp, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re1 all keep state tagged qP2PUp queue (qP2PUp, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re1 all keep state tagged qOthersUpH queue (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re1 all keep state tagged qOthersUpL queue (qOthersUpL, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re1 all keep state queue (qwandef, qwanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state tagged qlandef queue (qlandef, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state tagged qVOIPDown queue (qVOIPDown, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state tagged qP2PDown queue (qP2PDown, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state tagged qOthersDownH queue (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state tagged qOthersDownL queue (qOthersDownL, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re0 all keep state queue (qlandef, qlanacks) label "let out anything from firewall host itself"
      pass out quick on re2 all keep state  label "let out anything from firewall host itself"
      pass out quick on $enc0 keep state label "IPSEC internal host to host"
      
      # let out anything from the firewall host itself and decrypted IPsec traffic
      pass out quick on re2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
      pass out quick on $WLAN all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
      
      # make sure the user cannot lock himself out of the webGUI or SSH
      anchor "anti-lockout"
      pass in quick on re0 from any to 192.168.1.254 keep state label "anti-lockout web rule"
      
      # SSH lockout
      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
      
      anchor "ftpproxy"
      anchor "pftpx/*"
      
      # User-defined aliases follow
      table <m8> {  192.168.1.254 192.168.3.254 192.168.4.254 }
      
      # Anchors for rules that might be matched by queues
      anchor qwanRoot tagged qwanRoot
      load anchor qwanRoot from "/tmp/qwanRoot.rules"
      anchor qlanRoot tagged qlanRoot
      load anchor qlanRoot from "/tmp/qlanRoot.rules"
      anchor qwandef tagged qwandef
      load anchor qwandef from "/tmp/qwandef.rules"
      anchor qlandef tagged qlandef
      load anchor qlandef from "/tmp/qlandef.rules"
      anchor qwanacks tagged qwanacks
      load anchor qwanacks from "/tmp/qwanacks.rules"
      anchor qlanacks tagged qlanacks
      load anchor qlanacks from "/tmp/qlanacks.rules"
      anchor qVOIPUp tagged qVOIPUp
      load anchor qVOIPUp from "/tmp/qVOIPUp.rules"
      anchor qVOIPDown tagged qVOIPDown
      load anchor qVOIPDown from "/tmp/qVOIPDown.rules"
      anchor qP2PUp tagged qP2PUp
      load anchor qP2PUp from "/tmp/qP2PUp.rules"
      anchor qP2PDown tagged qP2PDown
      load anchor qP2PDown from "/tmp/qP2PDown.rules"
      anchor qOthersUpH tagged qOthersUpH
      load anchor qOthersUpH from "/tmp/qOthersUpH.rules"
      anchor qOthersDownH tagged qOthersDownH
      load anchor qOthersDownH from "/tmp/qOthersDownH.rules"
      anchor qOthersUpL tagged qOthersUpL
      load anchor qOthersUpL from "/tmp/qOthersUpL.rules"
      anchor qOthersDownL tagged qOthersDownL
      load anchor qOthersDownL from "/tmp/qOthersDownL.rules"
      
      # User-defined rules follow
      pass in quick on $wan reply-to (re1 192.168.4.251) from any to any keep state  queue (qwandef, qwanacks)  label "USER_RULE"
      block in quick on $WLAN from any to 192.168.1.0/24  label "USER_RULE"
      pass in quick on $WLAN proto tcp from 192.168.3.0/24 to <m8> keep state  label "USER_RULE"
      pass in quick on $WLAN proto { tcp udp } from 192.168.3.0/24 to <m8> port = 53 keep state  label "USER_RULE"
      pass in quick on $WLAN proto tcp from {  127.0.0.0/8 } to 192.168.3.0/24 keep state  label "USER_RULE"
      pass in quick on $WLAN proto tcp from any to { ! 192.168.0.0/16 } port = 80 keep state  label "USER_RULE"
      pass in quick on $WLAN from any to any keep state  label "USER_RULE"
      pass in quick on $lan from any to any keep state  queue (qlandef, qlanacks)  label "USER_RULE"
      pass in quick on $lan from 192.168.1.0/24 to any keep state  queue (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any"
      
      # VPN Rules
      
      pass in quick on re0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on re0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on re1 inet proto tcp from port 20 to (re1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
      # enable ftp-proxy
      pass in quick on re2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on re2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
      
      # IMSpector
      anchor "imspector"
      
      # uPnPd
      anchor "miniupnpd"
      
      #---------------------------------------------------------------------------
      # default deny rules
      #---------------------------------------------------------------------------
      block in log quick all label "Default deny rule"
      block out log quick all label "Default deny rule"
      
      
      $ cat /conf/config.xml
      
      <pfsense>
      	<version>3.0</version>
      	<lastchange/>
      	<theme>nervecenter</theme>
      	<system>
      		<optimization>normal</optimization>
      		<hostname>m8</hostname>
      		<domain>town.m.de</domain>
      		<username>admin</username>
      		<password>$kjhzkgSUZSKjZSJhshJS/</password>
      		<timezone>Etc/GMT-1</timezone>
      		<time-update-interval/>
      		<timeservers>0.pfsense.pool.ntp.org</timeservers>
      		<webgui>
      			<protocol>http</protocol>
      			<port>88</port>
      			<certificate/>
      			<private-key/>
      		</webgui>
      		<disablenatreflection>yes</disablenatreflection>
      		<ssh>
      			<authorizedkeys/>
      		</ssh>
      		<maximumstates/>
      		<shapertype/>
      		<dnsserver>192.168.1.251</dnsserver>
      		<dnsserver>192.168.1.2</dnsserver>
      		<firmware>
      			<alturl>
      				<enable/>
      				<firmwareurl>http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/.updaters</firmwareurl>
      			</alturl>
      		</firmware>
      	</system>
      	<interfaces>
      		<lan>
      			<if>re0</if>
      			<ipaddr>192.168.1.254</ipaddr>
      			<subnet>24</subnet>
      			<media/>
      			<mediaopt/>
      			<bandwidth>100</bandwidth>
      			<bandwidthtype>Mb</bandwidthtype>
      		</lan>
      		<wan>
      			<if>re1</if>
      			<mtu/>
      			<media/>
      			<mediaopt/>
      			<bandwidth>100</bandwidth>
      			<bandwidthtype>Mb</bandwidthtype>
      			<spoofmac>00:30:48:8f:56:ab</spoofmac>
      			<disableftpproxy/>
      			<ipaddr>192.168.4.254</ipaddr>
      			<subnet>24</subnet>
      			<gateway>192.168.4.251</gateway>
      		</wan>
      		<opt1>
      			<if>re2</if>
      			<descr>WLAN</descr>
      			<bridge/>
      			<ipaddr>192.168.3.254</ipaddr>
      			<subnet>24</subnet>
      			<gateway/>
      			<spoofmac>00:30:48:8f:56:aa</spoofmac>
      			<mtu/>
      			<enable/>
      		</opt1>
      	</interfaces>
      	<staticroutes>
      		<route>
      			<interface>lan</interface>
      			<network>192.168.2.0/24</network>
      			<gateway>192.168.1.250</gateway>
      			<descr>Netzwerk Grafik</descr>
      		</route>
      	</staticroutes>
      	<pppoe>
      		<username/>
      		<password/>
      	</pppoe>
      	<pptp>
      		<username/>
      		<password/>
      		<local/>
      	</pptp>
      	<bigpond>
      		<username/>
      		<password/>
      		<authserver/>
      		<authdomain/>
      		<minheartbeatinterval/>
      	</bigpond>
      	<dyndns>
      		<type>dyndns</type>
      		<username/>
      		<password/>
      	</dyndns>
      	<dhcpd>
      		<lan>
      			<range>
      				<from>192.168.1.10</from>
      				<to>192.168.1.245</to>
      			</range>
      		</lan>
      	</dhcpd>
      	<pptpd>
      		<mode/>
      		<redir/>
      		<localip/>
      	</pptpd>
      	<ovpn/>
      	<dnsmasq>
      		<enable/>
      		<regdhcp/>
      		<regdhcpstatic/>
      	</dnsmasq>
      	<snmpd>
      		<syslocation/>
      		<syscontact/>
      		<rocommunity>public</rocommunity>
      	</snmpd>
      	<diag>
      		<ipv6nat/>
      	</diag>
      	<bridge/>
      	<syslog>
      		<reverse/>
      		<nentries>50</nentries>
      	</syslog>
      	<nat>
      		<ipsecpassthru/>
      		<advancedoutbound>
      			<rule>
      				<source>
      					<network>192.168.0.0/16</network>
      				</source>
      				<sourceport/>
      				<descr>rule for LAN</descr>
      				<target/>
      				<interface>wan</interface>
      				<destination>
      					<address>192.168.0.0/16</address>
      				</destination>
      				<natport/>
      			</rule>
      			<enable/>
      		</advancedoutbound>
      	</nat>
      	<filter>
      		<rule>
      			<type>pass</type>
      			<interface>wan</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<source>
      				<any/>
      			</source>
      			<destination>
      				<any/>
      			</destination>
      		</rule>
      		<rule>
      			<type>block</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<source>
      				<any/>
      			</source>
      			<destination>
      				<network>lan</network>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<protocol>tcp</protocol>
      			<source>
      				<network>opt1</network>
      			</source>
      			<destination>
      				<address>m8</address>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<protocol>tcp/udp</protocol>
      			<source>
      				<network>opt1</network>
      			</source>
      			<destination>
      				<address>m8</address>
      				<port>53</port>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<protocol>tcp</protocol>
      			<source>
      				<address>127.0.0.0/8</address>
      			</source>
      			<destination>
      				<network>opt1</network>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<protocol>tcp</protocol>
      			<source>
      				<any/>
      			</source>
      			<destination>
      				<address>192.168.0.0/16</address>
      				<not/>
      				<port>80</port>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>opt1</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<source>
      				<any/>
      			</source>
      			<destination>
      				<any/>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<interface>lan</interface>
      			<max-src-nodes/>
      			<max-src-states/>
      			<statetimeout/>
      			<statetype>keep state</statetype>
      			<os/>
      			<source>
      				<any/>
      			</source>
      			<destination>
      				<any/>
      			</destination>
      		</rule>
      		<rule>
      			<type>pass</type>
      			<descr>Default LAN -> any</descr>
      			<interface>lan</interface>
      			<source>
      				<network>lan</network>
      			</source>
      			<destination>
      				<any/>
      			</destination>
      		</rule>
      	</filter>
      	<shaper>
      		<schedulertype>hfsc</schedulertype>
      		<queue>
      			<name>qwanRoot</name>
      			<associatedrule>0</associatedrule>
      			<priority>0</priority>
      			<parentqueue>on</parentqueue>
      			<bandwidth>1500</bandwidth>
      			<bandwidthtype>Kb</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qlanRoot</name>
      			<associatedrule>0</associatedrule>
      			<priority>0</priority>
      			<parentqueue>on</parentqueue>
      			<bandwidth>10000</bandwidth>
      			<bandwidthtype>Kb</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qwandef</name>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<defaultqueue>true</defaultqueue>
      			<priority>1</priority>
      			<realtime>on</realtime>
      			<realtime3>1%</realtime3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<queue>
      			<name>qlandef</name>
      			<priority>1</priority>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<defaultqueue>true</defaultqueue>
      			<realtime>on</realtime>
      			<realtime3>1%</realtime3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<queue>
      			<name>qwanacks</name>
      			<ack/>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>7</priority>
      			<realtime>on</realtime>
      			<realtime3>10%</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qlanacks</name>
      			<ack/>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>7</priority>
      			<realtime>on</realtime>
      			<realtime3>10%</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qVOIPUp</name>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>7</priority>
      			<realtime>on</realtime>
      			<realtime3>32Kb</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qVOIPDown</name>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>7</priority>
      			<realtime>on</realtime>
      			<realtime3>32Kb</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qP2PUp</name>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>1</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<upperlimit>on</upperlimit>
      			<upperlimit3>1000Kb</upperlimit3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<queue>
      			<name>qP2PDown</name>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>1</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<upperlimit>on</upperlimit>
      			<upperlimit3>100Kb</upperlimit3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<queue>
      			<name>qOthersUpH</name>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>4</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qOthersDownH</name>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>4</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<bandwidth>25</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      		</queue>
      		<queue>
      			<name>qOthersUpL</name>
      			<attachtoqueue>qwanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>2</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<queue>
      			<name>qOthersDownL</name>
      			<attachtoqueue>qlanRoot</attachtoqueue>
      			<associatedrule>0</associatedrule>
      			<priority>2</priority>
      			<red>on</red>
      			<ecn>on</ecn>
      			<realtime>on</realtime>
      			<realtime3>1Kb</realtime3>
      			<bandwidth>1</bandwidth>
      			<bandwidthtype>%</bandwidthtype>
      			<qlimit>500</qlimit>
      		</queue>
      		<rule>
      			<descr>DiffServ/Lowdelay/Download</descr>
      			<inqueue>qVOIPUp</inqueue>
      			<outqueue>qVOIPDown</outqueue>
      			<in-interface>wan</in-interface>
      			<out-interface>lan</out-interface>
      			<source>
      				<any/>
      
      • 0
        0tt0

        On the CP interface (I now have CP disabled since it's not working, but when it worked it did so with these rules..) I have the following FW rules in place:

        PASS TCP/UDP  GUEST net  *  n.n.n.n.1  53 (DNS)  *
        BLOCK TCP/UDP  GUEST net  *  *  53 (DNS)  *
        BLOCK *  GUEST net  *  LAN net  *  *
        PASS *  GUEST net  *  *  *  *

        where n.n.n.n.1 is pfS GW address on that net.

        The idea is to allow only local DNS for clients (to not allow people to circumvent OpenDNS blockings if used), to disallow the LAN network, and to allow everything else (=Internet).

        If you only have the last rule it should work. Not sure if you would hit the CP (if working) first or if the FW would prevent even that contact if the rule is absent; the latter would feel logical.

        Just like in the case with my pfS 1.2.3RC1 there must be something causing the malfunctioning, leftovers from previously installed packages causing trouble even though they shouldn't or something; perhaps this is a random bug of some sort, I don't know. I'm mostly puzzled that no one seems to be able to outline a troubleshooting procedure that would pin these problems down. Perhaps there's more help in the pfS book.

        Cheers,

        • G
          gregf

          Having this same problem right now. If I manually go to https://192.168.1.1:8000 I can log in and then things work. Captive portal should automatically redirect me there if I'm not logged in, though.

          • N
            nerbas

            hmm - not even that (accessing https://192.168.1.1:8000) works on my system…

            Does anybody know how to debug any further? What processes should run, what logfiles should I look into...?

            • B
              Burken

              I can't get Captive Portal to work…
              Never redirects me to the login page..
              I can surf directly...

              http://<gateway>:8000 works.. gives me the login page..
              Login works..

              But I can already surf so the login is superfluous...

              • A
                axscode

                Just my 2 cents.

                1. Enable DNS Forwarding
                2. Under DHCP Server
                  Gateway Address = LAN Address
                  DNS 1 = LAN Address
                  DNS 2 = Blank

                You may now renew using your dhclient or ipconfig /renew (on win).

                Also, try disabling the squid proxy just for testing, and check whether your browser has a proxy assigned.

                Regards.

                • B
                  Burken

                  I tried that.. didn't help.. even did a hard reboot on my pfsense…
                  :(

                  • A
                    axscode

                    Can you share your hardware specs?

                    And can you reinstall your pfsense?

                    • use the default configuration, only editing your LAN and WAN, and get the internet connection working

                    • enable captive portal.

                    • don't add any packages yet, and don't enable traffic shaping and all sorts of that, just the default.

                    • if you get captive portal working, by then you'll add one by one what you need so that you will know what's interfering with CP.

                    So far my new installation works perfectly
                    – with or without radius

                    packages

                    • with bandwidthD
                    • with IMSpector
                    • with Dashboard

                    Regards

                    • M
                      mrvanity

                      @axscode:

                      Just my 2 cents.

                      1. Enable DNS Forwarding
                      2. Under DHCP Server
                         Gateway Address = LAN Address
                         DNS 1 = LAN Address
                         DNS 2 = Blank

                      You may now renew using your dhclient or ipconfig /renew (on win).

                      Also, try disabling squid proxy just for testing, and if there's an assigned proxy for your browser.

                      Regards.

                      I had the same problem. The login page wouldn't appear and I had to manually navigate to http://ip:8000.
                      The problem existed from the 1.2.3 RCs to the final version.
                      As DNS servers on the DHCP I had DNS from OpenDNS.
                      I removed the OpenDNS servers from the DHCP page, leaving it blank (the DNS forwarder is enabled), and everything works like a charm!!!

                      Thanx axscode!!!

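Why clearing the external DNS servers from DHCP fixes the redirect: before a client has logged in, the captive portal only lets DNS through to the firewall's own address, so a client pointed at OpenDNS never resolves any name and never sends the HTTP request that gets redirected. The following is an added example, not code from this thread or from pfSense; it models that pre-login gate with a constructed rule set (the 192.168.0.0/24 subnet, the 192.168.0.1 firewall address, portal port 8000 and the destination 203.0.113.10 are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "ip" matches any protocol, else "tcp" or "udp"
    src: str                  # source network in CIDR notation
    dst: Tuple[str, ...]      # destination addresses; empty tuple means any
    dst_port: Optional[int]   # destination port; None means any


# Constructed rule set modelled on what a captive-portal interface permits before
# login (assumptions: CP subnet 192.168.0.0/24, firewall 192.168.0.1, portal on 8000).
PRE_LOGIN_RULES = [
    Rule("allow", "ip", "192.168.0.0/24", ("192.168.0.1",), 53),     # DNS, firewall only
    Rule("allow", "tcp", "192.168.0.0/24", ("192.168.0.1",), 8000),  # the portal itself
    Rule("allow", "tcp", "192.168.0.0/24", (), 80),                  # HTTP: intercepted
    Rule("deny", "ip", "192.168.0.0/24", (), None),                  # all else until login
]


def first_match(rules, src_ip, dst_ip, proto, dst_port):
    """Return the action of the first rule matching the packet; default deny."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in ipaddress.ip_network(r.src):
            continue
        if r.dst and dst_ip not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"


def why_no_login_page(client_ip, dns_server, rules=PRE_LOGIN_RULES):
    """Trace what an unauthenticated client sees when it opens a web page."""
    if first_match(rules, client_ip, dns_server, "udp", 53) != "allow":
        return ("dns-blocked: query to %s is dropped before login, the name never "
                "resolves, so no HTTP request is sent and nothing is redirected" % dns_server)
    # 203.0.113.10 is a constructed web-server address (TEST-NET-3)
    if first_match(rules, client_ip, "203.0.113.10", "tcp", 80) == "allow":
        return "redirected: the name resolves and the HTTP request reaches the portal"
    return "http-blocked"


if __name__ == "__main__":
    print(why_no_login_page("192.168.0.49", "208.67.222.222"))  # OpenDNS via DHCP
    print(why_no_login_page("192.168.0.49", "192.168.0.1"))     # DNS forwarder on LAN
```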
                      • B
                        Burken
                        last edited by

                        I use

                        My pfsense has 7 Interfaces enabled..
                        WAN  - DHCP from ISP
                        WAN1  - DHCP from ISP
                        WAN2  - DHCP from ISP
                        WAN3  - DHCP from ISP
                        WAN4  - DHCP from ISP
                        LAN  - 192.168.1.0/24
                        GUEST - 192.168.0.0/24 - Captive Portal Enabled - DHCP Enabled. No DNS, GW edited. Interface ip 192.168.0.1

                        Guest Firewall Rules:
                        Allow | Proto: * | Source: Guest NET | Port: * | Dest: * | Port: * | Gateway: LoadBalance

                        (and yes, I have tried without the loadbalance rule)

                        Packages installed:
                        bandwidthd
                        phpSysInfo
                        rate

                        ipconfig /all from computer connected to GUEST:
                          Anslutningsspecifika DNS-suffix . : burken.biz
                          Beskrivning . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
                          Fysisk adress . . . . . . . . . . : 00-23-8B-A8-DE-57
                          DHCP activated. . . . . . . . . . : Ja
                          Autokonfiguration activated. . . : Ja
                          IPv4-adress . . . . . . . . . . . : 192.168.0.49(Standard)
                          Nätmask . . . . . . . . . . . . . : 255.255.255.0
                          Lånet erhölls . . . . . . . . . . : den 12 januari 2010 17:35:08
                          Lånet upphör. . . . . . . . . . . : den 12 januari 2010 19:35:08
                          Standard-gateway. . . . . . . . . : 192.168.0.1
                          DHCP-server . . . . . . . . . . . : 192.168.0.1
                          DNS-servrar . . . . . . . . . . . : 192.168.0.1
                          NetBIOS över TCP/IP . . . . . . . : activated

                        • A
                          axscode
                          last edited by

                          @mrvanity, Glad to hear that it works for you..

                          @Burken, I am sorry mate, haven't tried CP on multiple WANs

                          Regards

                          • M
                            mrvanity
                            last edited by

                            @axscode:

                            @Burken, I am sorry mate, haven't tried CP on multiple WANs

                            My setup consists of 2 WAN connections and it works ok.
                            (see my setup here)
                            http://forum.pfsense.org/index.php/topic,16338.msg84899.html#msg84899

                            • A
                              axscode
                              last edited by

                              Well done mate. Maybe you can share some of your notes with Burken.

                              Regards

                              • B
                                Burken
                                last edited by

                                I don't think the multiple WAN is the problem.
                                I can just change it so everything goes out to the normal WAN interface.. I will still never get navigated to the login screen…

                                I have 192.168.0.1 as DNS server..

                                :(

                                • M
                                  mrvanity
                                  last edited by

                                  One of the differences I see in your setup is that you use a WLAN interface.
                                  My LAN interface ends up in a structure of ~50 APs.
                                  If it is possible, try to use an ethernet AP and test again..

                                  • B
                                    Burken
                                    last edited by

                                    I don't use WLAN.
                                    GUEST is FastEthernet-RJ45 to my neighbors computer.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.