Redirect problem in Captive Portal
-
Thanks for your help.
lighty-CaptivePortal.conf :
lighttpd configuration file
use a it as base for lighttpd 1.0.0 and above
############ Options you really have to take care of ####################
FreeBSD!
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"modules to load
server.modules = (
"mod_acc
esslog",
"mod_acc
ess", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect",
"mod_fas
tcgi", "mod_cgi","mod_rewrite"
)Unused modules
# "mod_setenv",
# "mod_rewrite",
# "mod_ssi",
# "mod_usertrack",
# "mod_expire",
# "mod_secdownload",
# "mod_rrdtool",
# "mod_auth",
# "mod_status",
# "mod_alias",
# "mod_proxy",
# "mod_simple_vhost",
# "mod_evhost",
# "mod_userdir",
# "mod_cgi",server.max-keep-alive-requests = 15
server.max-keep-alive-idle = 30a static document-root, for virtual-hosting take look at the
server.virtual-* options
server.document-root = "/usr/local/captiveportal/"
url.rewrite-once = ( "(.captiveportal.)" => "$1", "(.*)" => "/index.php?rediru
rl=$1" )Maximum idle time with nothing being written (php downloading)
server.max-write-idle = 999
where to send error-messages to
server.errorlog = "/var/log/lighttpd.error.log"
files to check for if …/ is requested
server.indexfiles = ( "index.php", "index.html",
"index.htm", "default.htm" )mimetype mapping
mimetype.assign = (
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "audio/x-wav",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar"
)Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetypes.use-xattr = "enable"
accesslog module
#accesslog.filename = "/dev/null"
deny access the file-extensions
~ is for backupfiles from vi, emacs, joe, ...
.inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc" )######### Options that are good to be but not neccesary to be changed #######
bind to port (default: 80)
server.port = 8000
error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"to help the rc.scripts
server.pid-file = "/var/run/lighty-CaptivePortal.pid"
virtual directory listings
server.dir-listing = "disable"
enable debugging
debug.log-request-header = "disable"
debug.log-response-header = "disable"
debug.log-request-handling = "disable"
debug.log-file-not-found = "disable"gzip compression
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" )server.upload-dirs = ( "/tmp/captiveportal/" )
server.max-request-size = 384
fastcgi module
read fastcgi.txt for more info
fastcgi.server = ( ".php" =>
( "localhost" =>
(
"socket" => "/tmp/php-fastcgi.socket",
"min-procs" => 0,
"max-procs" => 3,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "3",
"PHP_FCGI_MAX_REQUESTS" => "500"
),
"bin-path" => "/usr/local/bin/php"
)
)
)CGI module
cgi.assign = ( ".cgi" => "" )
expire.url = (
"" => "access 50 hours",
)
lighty-webConfigurator.conf :
lighttpd configuration file
use a it as base for lighttpd 1.0.0 and above
############ Options you really have to take care of ####################
FreeBSD!
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"modules to load
server.modules = (
"mod_acc
ess", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect",
"mod_fas
tcgi", "mod_cgi"
)Unused modules
# "mod_setenv",
# "mod_rewrite",
# "mod_ssi",
# "mod_usertrack",
# "mod_expire",
# "mod_secdownload",
# "mod_rrdtool",
# "mod_auth",
# "mod_status",
# "mod_alias",
# "mod_proxy",
# "mod_simple_vhost",
# "mod_evhost",
# "mod_userdir",
# "mod_cgi",server.max-keep-alive-requests = 15
server.max-keep-alive-idle = 30a static document-root, for virtual-hosting take look at the
server.virtual-* options
server.document-root = "/usr/local/www/"
Maximum idle time with nothing being written (php downloading)
server.max-write-idle = 999
where to send error-messages to
server.errorlog = "/var/log/lighttpd.error.log"
files to check for if .../ is requested
server.indexfiles = ( "index.php", "index.html",
"index.htm", "default.htm" )mimetype mapping
mimetype.assign = (
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "audio/x-wav",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar"
)Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetypes.use-xattr = "enable"
accesslog module
#accesslog.filename = "/dev/null"
deny access the file-extensions
~ is for backupfiles from vi, emacs, joe, ...
.inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc" )######### Options that are good to be but not neccesary to be changed #######
bind to port (default: 80)
server.port = 443
error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"to help the rc.scripts
server.pid-file = "/var/run/lighty-webConfigurator.pid"
virtual directory listings
server.dir-listing = "disable"
enable debugging
debug.log-request-header = "disable"
debug.log-response-header = "disable"
debug.log-request-handling = "disable"
debug.log-file-not-found = "disable"gzip compression
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" )server.upload-dirs = ( "/root/", "/tmp/", "/var/" )
server.max-request-size = 2097152
fastcgi module
read fastcgi.txt for more info
fastcgi.server = ( ".php" =>
( "localhost" =>
(
"socket" => "/tmp/php-fastcgi.socket",
"min-procs" => 0,
"max-procs" => 3,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "3",
"PHP_FCGI_MAX_REQUESTS" => "500"
),
"bin-path" => "/usr/local/bin/php"
)
)
)CGI module
cgi.assign = ( ".cgi" => "" )
expire.url = (
"" => "access 50 hours",
)ssl configuration
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"$SERVER["socket"] == ":80" {
$HTTP["host"] =~ "(.)" {
url.redirect = ( "^/(.)" => "https://%1/$1" )
} -
Should be fixed.
-
I've got the exact same problem. Using the snapshot from 06/08/2010. Going directly to 8000 works. The redirect fails.
-
i had same problem too…. snapshot 23/06/2010
-
Going to need a lot more info than "it doesn't work". It does work in every scenario I have setup, and we've deployed it in production in the past week for a WISP on several systems with multiple VLANs on each and no problems. I suspect at this point if it doesn't work you don't have things setup right for DNS to function, hence are never hitting the firewall to get redirected.
-
it doesnt redirect too here.
<pfsense><version>6.4</version>
<lastchange><theme>pfsense_ng</theme>
<sysctl><desc>Set the ephemeral port range to be lower.</desc>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
<desc>Drop packets to closed TCP ports without returning a RST</desc>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
<desc>Enable sending IPv4 redirects</desc>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
<desc>Enable sending IPv6 redirects</desc>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
<desc>IP Fastforwarding</desc>
<tunable>net.inet.ip.fastforwarding</tunable>
<value>default</value>
<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
<desc>Maximum outgoing UDP datagram size</desc>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
<desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
<desc>Set to 1 to enable filtering on the bridge interface</desc>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
<desc>Allow unprivileged access to tap(4) device nodes</desc>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
<tunable>kern.rndtest.verbose</tunable>
<value>default</value>
<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
<tunable>kern.randompid</tunable>
<value>default</value>
<desc>Maximum size of the IP input queue</desc>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
<desc>Enable TCP Inflight mode</desc>
<tunable>net.inet.tcp.inflight.enable</tunable>
<value>default</value>
<desc>Enable TCP extended debugging</desc>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
<desc>Set ICMP Limits</desc>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
<desc>TCP Offload Engine</desc>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
<desc>TCP Offload Engine - BCE</desc>
<tunable>hw.bce.tso_enable</tunable>
<value>default</value></sysctl>
<system><optimization>normal</optimization>
<hostname>pfsense1</hostname>
<domain>boekestijn.local</domain>
<group><name>all</name><scope>system</scope>
<gid>1998</gid>
<member>0</member></group>
<group><name>admins</name><scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv></group>
<user><name>admin</name>
<fullname>System Administrator</fullname>
<scope>system</scope>
<groupname>admins</groupname>
<password>$1$/bdU5Y/K$Q5eCW0JRmFZH50kyKlcqK1</password>
<uid>0</uid>
<priv>user-shell-access</priv>
<md5-hash>cd99523b68bceb84ae569a02e6eb4c31</md5-hash>
<nt-hash>097b6aee440ff80df44081606c2b6e57</nt-hash></user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Europe/Amsterdam</timezone>
<time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers>
<webgui><protocol>http</protocol>
<ssl-certref>4c1b276dc77a3</ssl-certref></webgui>
<disablenatreflection>yes</disablenatreflection>
<cert><refid>4c1b276dc77a3</refid>
<name>webConfigurator default</name>
<crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLRENDQTVHZ0F3SUJBZ0lKQU83SThGSGpvSTVOTUEwR0NTcUdTSWIzRFFFQkJRVUFNSUcvTVFzd0NRWUQKVlFRR0V3SlZVekVTTUJBR0ExVUVDQk1KVTI5dFpYZG9aWEpsTVJFd0R3WURWUVFIRXdoVGIyMWxZMmwwZVRFVQpNQklHQTFVRUNoTUxRMjl0Y0dGdWVVNWhiV1V4THpBdEJnTlZCQXNUSms5eVoyRnVhWHBoZEdsdmJtRnNJRlZ1CmFYUWdUbUZ0WlNBb1pXY3NJSE5sWTNScGIyNHBNU1F3SWdZRFZRUURFeHREYjIxdGIyNGdUbUZ0WlNBb1pXY3MKSUZsUFZWSWdibUZ0WlNreEhEQWFCZ2txaGtpRzl3MEJDUUVXRFVWdFlXbHNJRUZrWkhKbGMzTXdIaGNOTVRBdwpOakU0TURjMU9UUXlXaGNOTVRVeE1qQTVNRGMxT1RReVdqQ0J2ekVMTUFrR0ExVUVCaE1DVlZNeEVqQVFCZ05WCkJBZ1RDVk52YldWM2FHVnlaVEVSTUE4R0ExVUVCeE1JVTI5dFpXTnBkSGt4RkRBU0JnTlZCQW9UQzBOdmJYQmgKYm5sT1lXMWxNUzh3TFFZRFZRUUxFeVpQY21kaGJtbDZZWFJwYjI1aGJDQlZibWwwSUU1aGJXVWdLR1ZuTENCegpaV04wYVc5dUtURWtNQ0lHQTFVRUF4TWJRMjl0Ylc5dUlFNWhiV1VnS0dWbkxDQlpUMVZTSUc1aGJXVXBNUnd3CkdnWUpLb1pJaHZjTkFRa0JGZzFGYldGcGJDQkJaR1J5WlhOek1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R04KQURDQmlRS0JnUUM4dkNydjV6WXpmZTFaWlNHZFp0ZDhZK0NQeUVtUndIcE5aNDVmUENqTFZVVitiaVQvcjJUKwpYN1RFcTFySVRNak52aVpTVEsyOGxzZGkva1lxSG53YWhRbHVOSFhGdkx4c3BxdEFzb0VMTVgyWDVmSktYbXVjCm8zSGFZWW1DTytKeUZsajdxdjFSMEFyMW5Kbkl0ZjZWY2pmZnZKVDBQZ2phSXVuT0RKU0dLUUlEQVFBQm80SUIKS0RDQ0FTUXdIUVlEVlIwT0JCWUVGTndVOUJJNUVYbFJXUnp0TGZrKzNmMW9wTEJvTUlIMEJnTlZIU01FZ2V3dwpnZW1BRk53VTlCSTVFWGxSV1J6dExmayszZjFvcExCb29ZSEZwSUhDTUlHL01Rc3dDUVlEVlFRR0V3SlZVekVTCk1CQUdBMVVFQ0JNSlUyOXRaWGRvWlhKbE1SRXdEd1lEVlFRSEV3aFRiMjFsWTJsMGVURVVNQklHQTFVRUNoTUwKUTI5dGNHRnVlVTVoYldVeEx6QXRCZ05WQkFzVEprOXlaMkZ1YVhwaGRHbHZibUZzSUZWdWFYUWdUbUZ0WlNBbwpaV2NzSUhObFkzUnBiMjRwTVNRd0lnWURWUVFERXh0RGIyMXRiMjRnVG1GdFpTQW9aV2NzSUZsUFZWSWdibUZ0ClpTa3hIREFhQmdrcWhraUc5dzBCQ1FFV0RVVnRZV2xzSUVGa1pISmxjM09DQ1FEdXlQQlI0NkNPVFRBTUJnTlYKSFJNRUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCQUtGSFMyS2pGUitYMlZrQWVESm81cVF3T1ozOQpsQ2dsU2p0OSt0dXVqcjdndGcrTE1MbVdQaGdGQjZRSUpkNUlkLzhKNnlWOHd2Nms0cGJjZDhnRHEwY1hNeWJuCmlCNWU1a0xUaUVyc3EyMTlsL2tCQ1VlSDV1RGF5cVo1V0ppQ2tPZEU3ZlB5enZNS3VOVEhWZlZtTmRsdXZXaDUKWjVCUzlHbGxybHJEeU0rSAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
<prv>R2VuZXJhdGluZyBSU0EgcHJpdmF0ZSBrZXksIDEwMjQgYml0IGxvbmcgbW9kdWx1cwouLi4uLi4uKysrKysrCi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4rKysrKysKZSBpcyA2NTUzNyAoMHgxMDAwMSkKLS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWFFJQkFBS0JnUUM4dkNydjV6WXpmZTFaWlNHZFp0ZDhZK0NQeUVtUndIcE5aNDVmUENqTFZVVitiaVQvCnIyVCtYN1RFcTFySVRNak52aVpTVEsyOGxzZGkva1lxSG53YWhRbHVOSFhGdkx4c3BxdEFzb0VMTVgyWDVmSksKWG11Y28zSGFZWW1DTytKeUZsajdxdjFSMEFyMW5Kbkl0ZjZWY2pmZnZKVDBQZ2phSXVuT0RKU0dLUUlEQVFBQgpBb0dCQUpxRG1zdHBpVkJDcWt4anBVK040S0R2eStzcTJFQkJTbCtRaGxpbGtlaFYyVjBXbzZmSVduQit2aW04Cjk4ZkFSUzFiblZnSGVyMUkyOWZKd0h1L0ZXM2d5WEhYZHJReEpKYlFuc2xWQXN4Z3dYS00xQjFLdGMzQnJFQWEKVUlsbkVDSjFySG5paUZ4NWpZZEorTUNBeTc4Nm5qcjRjdmlIcCtWZ2pJUTY4eE01QWtFQTNqU0VFdkVGdi9Oegp0VjVqUnpERDk3Z2t1d2VWR3dHYUl2cXhJZ0lwTGpHVHA3L1ZqN2RyR3N3Smo2c1I0QSszeTZxSDhUa3JCamdjCk9VZlRQYXdjdHdKQkFObHdnUXNQNldURWJpci9NcDNoSEF3anFIRmJlUUhjVHlHd0pwZTFoRFVISGcyNkFaZDEKcUVCOTQ4eHNsRVBRc1NIcitEWlNkVXdVOTNpOEJKQTNWQjhDUVFESWlpYmtuV2Z1Qy83U29pUUJYUTZQNUQ0cQpHYmJGRDlZWFdaOUJyU2VUVENVUmtUMWhua3pvZTFycHNaL0pVd1l5cG01WUU1c3oycklHTkQ5K2VuWFRBa0JDCnA2UkhPZGQ0Rm1jWE15ZlhFZnpCRStVODZxZUxsSGVGZ2pReWFXaGZ3UkRMY0d1d2ZGYlpmajNvbXBoUXVaYXoKS1Z6cmVoZU8vUlpub210YnNqcE5Ba0JoR1hGb05GUUFoZGJuUHcrMFIydTV6UXdtdXY0ckFzMnduWldkS1pyYQpxQkVWb2ZRalp0YVN3OXJNQjl4ZGRBc2Q5Y0d5Z2daeEU3dEs5KzJwdkZ1WAotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=</prv></cert>
<ipv6allow><enablesshd>enabled</enablesshd>
<firmware><alturl><enable><firmwareurl>http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_HEAD/.updaters</firmwareurl></enable></alturl></firmware>
<scrubnodf>enabled</scrubnodf>
<maximumstates><maximumtableentries><reflectiontimeout><lb_use_sticky><disablescrub>yes</disablescrub>
<dnsserver>192.168.254.254</dnsserver>
<dns1gwint>none</dns1gwint>
<dns2gwint>none</dns2gwint>
<dns3gwint>none</dns3gwint>
<dns4gwint>none</dns4gwint>
<authserver><refid>4c248ee714d96</refid>
<type>radius</type>
<name>radiusserver</name>
<host>10.1.0.241</host>
<radius_secret>secret</radius_secret>
<radius_auth_port>1812</radius_auth_port>
<radius_acct_port>1813</radius_acct_port></authserver></lb_use_sticky></reflectiontimeout></maximumtableentries></maximumstates></ipv6allow></time-update-interval></system>
<interfaces><wan><if>rl0</if>
<blockbogons><media><mediaopt><spoofmac><enable><ipaddr>192.168.254.2</ipaddr>
<subnet>24</subnet>
<gateway>WAN_GW_1</gateway></enable></spoofmac></mediaopt></media></blockbogons></wan>
<lan><enable><if>re0</if>
<media><mediaopt><ipaddr>10.1.0.2</ipaddr>
<subnet>24</subnet>
<blockbogons><spoofmac></spoofmac></blockbogons></mediaopt></media></enable></lan>
<opt1><if>re1</if>
<enable><ipaddr>10.1.1.2</ipaddr>
<subnet>24</subnet>
<blockbogons><spoofmac></spoofmac></blockbogons></enable></opt1>
<opt2><if>re2</if>
<enable><ipaddr>10.1.100.2</ipaddr>
<subnet>24</subnet>
<blockbogons><spoofmac></spoofmac></blockbogons></enable></opt2>
<opt3><if>re1_vlan20</if>
<enable><blockbogons><spoofmac><ipaddr>10.1.20.2</ipaddr>
<subnet>24</subnet></spoofmac></blockbogons></enable></opt3>
<opt4><if>re1_vlan99</if>
<enable><ipaddr>10.1.99.2</ipaddr>
<subnet>24</subnet>
<gateway>WAN_GW_99</gateway>
<blockbogons><spoofmac></spoofmac></blockbogons></enable></opt4>
<opt5><if>re1_vlan80</if>
<enable><ipaddr>10.1.80.2</ipaddr>
<subnet>24</subnet>
<blockbogons><spoofmac></spoofmac></blockbogons></enable></opt5>
<opt6><if>re1_vlan70</if>
<enable><ipaddr>10.1.70.2</ipaddr>
<subnet>24</subnet>
<blockbogons><spoofmac></spoofmac></blockbogons></enable></opt6></interfaces>
<staticroutes><pppoe><username><password></password></username></pppoe>
<pptp><username><password></password></username></pptp>
<dhcpd><lan><enable><range><from>10.1.0.50</from>
<to>10.1.0.200</to></range>
<defaultleasetime><maxleasetime><netmask><failover_peerip><gateway>10.1.0.1</gateway>
<domain><domainsearchlist><ddnsdomain><tftp><ldap><next-server><filename><rootpath><numberoptions><dnsserver>10.1.0.1</dnsserver></numberoptions></rootpath></filename></next-server></ldap></tftp></ddnsdomain></domainsearchlist></domain></failover_peerip></netmask></maxleasetime></defaultleasetime></enable></lan>
<opt5><range><from>10.1.80.50</from>
<to>10.1.80.200</to></range>
<defaultleasetime><maxleasetime><netmask><failover_peerip><dnsserver>10.1.80.1</dnsserver>
<gateway>10.1.80.1</gateway>
<domain><domainsearchlist><enable><ddnsdomain><tftp><ldap><next-server><filename><rootpath></rootpath></filename></next-server></ldap></tftp></ddnsdomain></enable></domainsearchlist></domain></failover_peerip></netmask></maxleasetime></defaultleasetime></opt5>
<opt6><range><from>10.1.70.50</from>
<to>10.1.70.200</to></range>
<defaultleasetime><maxleasetime><netmask><failover_peerip><gateway>10.1.70.1</gateway>
<domain><domainsearchlist><enable><ddnsdomain><tftp><ldap><next-server><filename><rootpath><numberoptions><dnsserver>10.1.70.1</dnsserver></numberoptions></rootpath></filename></next-server></ldap></tftp></ddnsdomain></enable></domainsearchlist></domain></failover_peerip></netmask></maxleasetime></defaultleasetime></opt6></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd>
<ovpn><dnsmasq><enable><regdhcp><regdhcpstatic></regdhcpstatic></regdhcp></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat></ipv6nat></diag>
<bridge><syslog><reverse><nentries>500</nentries></reverse></syslog>
<nat><ipsecpassthru><enable></enable></ipsecpassthru>
<advancedoutbound><rule><source>
<network>10.1.0.0/24</network><dstport>500</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.0.0/24</network><dstport>5060</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.0.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule><source>
<network>10.1.1.0/24</network><dstport>500</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.1.0/24</network><dstport>5060</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.1.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule><source>
<network>10.1.100.0/24</network><dstport>500</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.100.0/24</network><dstport>5060</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.100.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule><source>
<network>10.1.20.0/24</network><dstport>500</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.20.0/24</network><dstport>5060</dstport>
<target><interface>wan</interface>
<destination><any></any></destination>
<staticnatport></staticnatport></target></rule>
<rule><source>
<network>10.1.20.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination>
<natport></natport></target></sourceport></rule>
<rule><source>
<network>10.1.80.0/24</network><sourceport><target><interface>wan</interface>
<staticnatport><destination><any></any></destination>
<dstport>500</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.80.0/24</network><sourceport><target><interface>wan</interface>
<staticnatport><destination><any></any></destination>
<dstport>5060</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.80.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination></target></sourceport></rule>
<rule><source>
<network>10.1.70.0/24</network><sourceport><target><interface>wan</interface>
<staticnatport><destination><any></any></destination>
<dstport>500</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.70.0/24</network><sourceport><target><interface>wan</interface>
<staticnatport><destination><any></any></destination>
<dstport>5060</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.70.0/24</network><sourceport><target><interface>wan</interface>
<destination><any></any></destination></target></sourceport></rule>
<rule><source>
<network>10.1.0.0/24</network><sourceport><target><interface>opt4</interface>
<staticnatport><destination><any></any></destination>
<dstport>500</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.0.0/24</network><sourceport><target><interface>opt4</interface>
<staticnatport><destination><any></any></destination>
<dstport>5060</dstport></staticnatport></target></sourceport></rule>
<rule><source>
<network>10.1.0.0/24</network><sourceport><target><interface>opt4</interface>
<destination><any></any></destination></target></sourceport></rule>
<enable></enable></advancedoutbound>
<rule><source>
<any><destination><network>wan</network>
<port>5631</port></destination>
<protocol>tcp</protocol>
<target>hortimax</target>
<local-port>5631</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b4426af2464.27325726</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>5632</port></destination>
<protocol>udp</protocol>
<target>hortimax</target>
<local-port>5632</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b44357c49a4.14192573</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>80</port></destination>
<protocol>tcp</protocol>
<target>server</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b57b62a5aa9.12048802</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>81</port></destination>
<protocol>tcp</protocol>
<target>10.1.0.1</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b87ce28c060.25443246</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>82</port></destination>
<protocol>tcp</protocol>
<target>10.1.0.2</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b885f994237.46693346</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>83</port></destination>
<protocol>tcp</protocol>
<target>10.1.0.3</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c1b886a8527d2.16324149</associated-rule-id></descr></any></rule>
<rule><source>
<any><destination><network>wan</network>
<port>3389</port></destination>
<protocol>tcp</protocol>
<target>10.1.0.242</target>
<local-port>3389</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4c22fe38b94296.26233715</associated-rule-id></descr></any></rule>
<onetoone><external>192.168.254.200</external>
<internal>10.1.0.243</internal>
<subnet>32</subnet>
<descr><interface>wan</interface></descr></onetoone></nat>
<filter><rule><id><type>pass</type>
<interface>wan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>10.1.0.1</address><port>80</port></destination>
<log><associated-rule-id>nat_4c1b87ce28c060.25443246</associated-rule-id></log></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>wan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>10.1.0.2</address><port>80</port></destination>
<log><associated-rule-id>nat_4c1b885f994237.46693346</associated-rule-id></log></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>wan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>10.1.0.3</address><port>80</port></destination>
<log><associated-rule-id>nat_4c1b886a8527d2.16324149</associated-rule-id></log></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><source>
<any><interface>wan</interface>
<protocol>tcp</protocol>
<destination><address>10.1.0.242</address><port>3389</port></destination>
<associated-rule-id>nat_4c22fe38b94296.26233715</associated-rule-id></any></rule>
<rule><id><type>pass</type>
<interface>wan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source><address>192.168.254.200</address>
<destination><address>10.1.0.243</address></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>opt6</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>opt6</network><destination><network>opt5</network></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>opt5</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>opt5</network><destination><any></any></destination>
<gateway>GW_GRP_1</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>opt1</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>opt1</network><destination><any></any></destination>
<gateway>GW_GRP_1</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>opt2</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>opt2</network><destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>lan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt1</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>lan</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<network>lan</network><destination><any></any></destination>
<gateway>GW_GRP_1</gateway></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>enc0</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>WANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source><address>169.254.0.0/16</address>
<destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>WANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source><address>0.0.0.0</address>
<destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>WANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>udp</protocol>
<source>
<any><destination><address>hortimax</address><port>5632</port></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>WANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>hortimax</address><port>5631</port></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>WANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>server</address><port>80</port></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>LANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source><address>10.0.0.0/24</address>
<destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>LANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source><address>0.0.0.0</address>
<destination><any></any></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>LANgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><any></any></destination><gateway>GW_GRP_1</gateway></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt3</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt2</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt1</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>lan</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt5</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>block</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><network>opt6</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>INETONLYgrp</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><any></any></destination>
<descr><gateway>GW_GRP_1</gateway></descr></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>GWs</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>udp</protocol>
<source>
<any><destination><address>hortimax</address><port>5632</port></destination>
<associated-rule-id>nat_4c1b44357c49a4.14192573</associated-rule-id></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>GWs</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>hortimax</address><port>5631</port></destination>
<associated-rule-id>nat_4c1b4426af2464.27325726</associated-rule-id></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule>
<rule><id><type>pass</type>
<interface>GWs</interface>
<max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>server</address><port>80</port></destination>
<log><associated-rule-id>nat_4c1b57b62a5aa9.12048802</associated-rule-id></log></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></id></rule></filter>
<shaper><ipsec><preferredoldsa><phase1><ikeid>1</ikeid>
<interface>vip3</interface>
<remote-gateway>secret</remote-gateway>
<mode>aggressive</mode>
<myid_type>fqdn</myid_type>
<myid_data>secret.local</myid_data>
<peerid_type>peeraddress</peerid_type>
<peerid_data><encryption-algorithm><name>aes</name>
<keylen>256</keylen></encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>5</dhgroup>
<lifetime>28800</lifetime>
<pre-shared-key>secret</pre-shared-key>
<private-key><certref>4c1b276dc77a3</certref>
<authentication_method>pre_shared_key</authentication_method>
<descr><nat_traversal>on</nat_traversal>
<dpd_delay>10</dpd_delay>
<dpd_maxfail>5</dpd_maxfail></descr></private-key></peerid_data></phase1>
<client><phase2><ikeid>1</ikeid>
<mode>tunnel</mode>
<localid><type>network</type><address>10.1.0.0</address>
<netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.0.0</address>
<netbits>24</netbits></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name>
<keylen>256</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>5</pfsgroup>
<lifetime>3600</lifetime></phase2>
<phase2><ikeid>1</ikeid>
<mode>tunnel</mode>
<localid><type>network</type><address>10.1.0.0</address>
<netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.1.0</address>
<netbits>24</netbits></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name>
<keylen>256</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>5</pfsgroup>
<lifetime>3600</lifetime></phase2>
<phase2><ikeid>1</ikeid>
<mode>tunnel</mode>
<localid><type>network</type><address>10.1.1.0</address>
<netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.0.0</address>
<netbits>24</netbits></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name>
<keylen>256</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>5</pfsgroup>
<lifetime>3600</lifetime></phase2>
<phase2><ikeid>1</ikeid>
<mode>tunnel</mode>
<localid><type>network</type><address>10.1.1.0</address>
<netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.1.0</address>
<netbits>24</netbits></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name>
<keylen>256</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>5</pfsgroup>
<lifetime>3600</lifetime></phase2>
<phase2><ikeid>1</ikeid>
<mode>tunnel</mode>
<localid><type>network</type><address>10.1.20.0</address>
<netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.0.0</address>
<netbits>24</netbits></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name>
<keylen>256</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>5</pfsgroup>
<lifetime>3600</lifetime></phase2>
<enable></enable></client></preferredoldsa></ipsec>
<aliases><alias><name>hortimax</name><address>10.1.1.101</address>
<descr><type>host</type>
<detail>Entry added Fri, 18 Jun 2010 12:01:26 +0200</detail></descr></alias>
<alias><name>server</name><address>10.1.1.11</address>
<descr><type>host</type>
<detail>Entry added Fri, 18 Jun 2010 11:48:29 +0200</detail></descr></alias></aliases>
<proxyarp><cron><minute>0</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 newsyslog
<minute>1,31</minute>
<hour>0-5</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 adjkerntz -a
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
<minute>1</minute>
<hour>1</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
<minute>/5</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday>*</wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</cron>
<wol><rrd><enable></enable></rrd>
<load_balancer><monitor_type><name>ICMP</name>
<type>icmp</type>
<desc>ICMP</desc></monitor_type>
<monitor_type><name>TCP</name>
<type>tcp</type>
<desc>Generic TCP</desc></monitor_type>
<monitor_type><name>HTTP</name>
<type>http</type>
<desc>Generic HTTP</desc>
<options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>HTTPS</name>
<type>https</type>
<desc>Generic HTTPS</desc>
<options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>SMTP</name>
<type>send</type>
<desc>Generic SMTP</desc>
<options><send>EHLO nosuchhost</send>
<expect>250-</expect></options></monitor_type></load_balancer>
<widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:show,carp_status-container:col1:show,cpu_graphs-container:col1:show,gateways-container:col1:show,gmirror_status-container:col1:close,installed_packages-container:col1:show,interface_statistics-container:col1:show,interfaces-container:col2:show,ipsec-container:col2:show,load_balancer_status-container:col2:show,log-container:col2:show,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:show,traffic_graphs-container:col2:show,openvpn-container:col2:none</sequence>
<traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:show,LAN2_graph-config:show,CARP_graph-config:show,V20_graph-config:show,WAN99_graph-config:show,WIFI_graph-config:show,POLEN_graph-config:show,refreshInterval=2</traffic_graphs-config></widgets>
<vlans><vlan><if>re0</if>
<tag>1</tag>
<vlanif>re0_vlan1</vlanif></vlan>
<vlan><if>re1</if>
<tag>2</tag>
<vlanif>re1_vlan2</vlanif></vlan>
<vlan><if>re1</if>
<tag>20</tag>
<descr><vlanif>re1_vlan20</vlanif></descr></vlan>
<vlan><if>re1</if>
<tag>99</tag><vlanif>re1_vlan99</vlanif></vlan>
<vlan><if>re1</if>
<tag>80</tag><vlanif>re1_vlan80</vlanif></vlan>
<vlan><if>re1</if>
<tag>70</tag><vlanif>re1_vlan70</vlanif></vlan></vlans>
<revision><time>1277809635</time><username>admin</username></revision>
<ppps><l7shaper><container></container></l7shaper>
<dnshaper><gateways><gateway_item><interface>wan</interface>
<gateway>192.168.254.254</gateway>
<name>WAN_GW_1</name>
<weight>1</weight>
<descr><monitor>192.168.254.254</monitor>
<defaultgw></defaultgw></descr></gateway_item>
<gateway_item><interface>opt4</interface>
<gateway>10.1.99.254</gateway>
<name>WAN_GW_99</name>
<weight>1</weight>
<descr><monitor>10.1.99.254</monitor></descr></gateway_item>
<gateway_group><name>GW_GRP_1</name>
WAN_GW_1|1
WAN_GW_99|5
<trigger>down</trigger></gateway_group>
<gateway_group><name>GW_GRP_99</name>
WAN_GW_1|5
WAN_G</gateway_group></gateways></dnshaper></ppps></wol></proxyarp></shaper></bridge></ovpn></staticroutes></lastchange></pfsense> -
it doesnt redirect too here.
your config is cut off, no captive portal config there at all.
-
damn, i see.
lets post the rest of it now then :P<gateways><gateway_item><interface>wan</interface>
<gateway>192.168.254.254</gateway>
<name>WAN_GW_1</name>
<weight>1</weight>
<descr><monitor>192.168.254.254</monitor>
<defaultgw></defaultgw></descr></gateway_item>
<gateway_item><interface>opt4</interface>
<gateway>10.1.99.254</gateway>
<name>WAN_GW_99</name>
<weight>1</weight>
<descr><monitor>10.1.99.254</monitor></descr></gateway_item>
<gateway_group><name>GW_GRP_1</name>
WAN_GW_1|1
WAN_GW_99|5
<trigger>down</trigger></gateway_group>
<gateway_group><name>GW_GRP_99</name>
WAN_GW_1|5
WAN_GW_99|1
<trigger>down</trigger></gateway_group></gateways>
<openvpn><virtualip><vip><vip><mode>carp</mode>
<interface>lan</interface>
<vhid>1</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.0.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt1</interface>
<vhid>2</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.1.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>wan</interface>
<vhid>3</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>192.168.254.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt1</interface>
<vhid>4</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.1.254</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt4</interface>
<vhid>99</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.99.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt3</interface>
<vhid>21</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.20.254</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt3</interface>
<vhid>20</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.20.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>lan</interface>
<vhid>5</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.0.254</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt5</interface>
<vhid>80</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.80.1</subnet></descr></vip>
<vip><vip><mode>carp</mode>
<interface>opt6</interface>
<vhid>70</vhid>
<advskew>0</advskew>
<password>secret</password>
<descr><type>single</type>
<subnet_bits>24</subnet_bits>
<subnet>10.1.70.1</subnet></descr></vip></vip></vip></vip></vip></vip></vip></vip></vip></vip></vip></virtualip>
<installedpackages><carpsettings><config><pfsyncenabled>on</pfsyncenabled>
<pfsyncinterface>opt2</pfsyncinterface>
<pfsyncpeerip><synchronizerules>on</synchronizerules>
<synchronizeschedules>on</synchronizeschedules>
<synchronizealiases>on</synchronizealiases>
<synchronizenat>on</synchronizenat>
<synchronizeipsec>on</synchronizeipsec>
<synchronizeopenvpn>on</synchronizeopenvpn>
<synchronizedhcpd>on</synchronizedhcpd>
<synchronizewol>on</synchronizewol>
<synchronizestaticroutes>on</synchronizestaticroutes>
<synchronizelb>on</synchronizelb>
<synchronizevirtualip>on</synchronizevirtualip>
<synchronizetrafficshaper>on</synchronizetrafficshaper>
<synchronizednsforwarder>on</synchronizednsforwarder>
<synchronizetoip>10.1.100.3</synchronizetoip>
<password>secret</password></pfsyncpeerip></config></carpsettings>
<phpsysinfo><config><hidepicklist>on</hidepicklist>
<sensorprogram>on</sensorprogram>
<showmountpoint>on</showmountpoint>
<showinodes>on</showinodes>
<loadbar>on</loadbar>
<showerrors>on</showerrors></config></phpsysinfo>
<service><package><name>phpSysInfo</name>
<website>http://phpsysinfo.sourceforge.net/</website><category>System</category>
<version>2.5.4</version>
<status>Beta</status>
<required_version>1.0</required_version>
<depends_on_package_base_url>http://www.pfsense.com/packages/config/phpsysinfo/bin/</depends_on_package_base_url>
<depends_on_package>mbmon-205_4.tbz</depends_on_package>
<config_file>http://www.pfsense.com/packages/config/phpsysinfo/phpsysinfo.xml</config_file>
<configurationfile>phpsysinfo.xml</configurationfile></package><menu>
<name>phpsysinfo</name>
<tooltiptext>Status
<url>/pkg_edit.php?xml=phpsysinfo.xml&id=0</url></tooltiptext> </menu><tab><text>phpsysinfo</text>
<url>/pkg_edit.php?xml=phpsysinfo.xml&id=0</url>
<active></active></tab></service></installedpackages>
<ifgroups><ifgroupentry><ifname>WANgrp</ifname>
<members>wan opt4</members></ifgroupentry>
<ifgroupentry><ifname>LANgrp</ifname>
<members>lan opt1 opt3 opt5</members></ifgroupentry>
<ifgroupentry><ifname>INETONLYgrp</ifname>
<members>opt6</members></ifgroupentry></ifgroups>
<captiveportal><page><htmltext>PGZvcm0gbWV0aG9kPSJwb3N0IiBhY3Rpb249IiRQT1JUQUxfQUNUSU9OJCI+DQogICBuYWFtOjxpbnB1dCBuYW1lPSJhdXRoX3VzZXIiIHR5cGU9InRleHQiPjxicj4NCiAgIHdhY2h0d29vcmQ6PGlucHV0IG5hbWU9ImF1dGhfcGFzcyIgdHlwZT0icGFzc3dvcmQiPjxicj4NCiAgIHZvdWNoZXI6PGlucHV0IG5hbWU9ImF1dGhfdm91Y2hlciIgdHlwZT0idGV4dCI+PGJyPg0KICAgPGlucHV0IG5hbWU9InJlZGlydXJsIiB0eXBlPSJoaWRkZW4iIHZhbHVlPSIkUE9SVEFMX1JFRElSVVJMJCI+DQogICA8aW5wdXQgbmFtZT0iYWNjZXB0IiB0eXBlPSJzdWJtaXQiIHZhbHVlPSJDb250aW51ZSI+DQo8L2Zvcm0+</htmltext>
<errtext>RVJST1I6DQo8aW5wdXQgbmFtZT0iZXJyb3IiIHZhbHVlPSIkUE9SVEFMX01FU1NBR0UkIj4=</errtext>
<logouttext>bG9nb3V0Og0KPGlucHV0IG5hbWU9ImxvZ291dCIgdmFsdWU9IiRQT1JUQUxfTUVTU0FHRSQiPg==</logouttext></page>
<timeout><interface>opt5</interface>
<maxproc></maxproc>
<idletimeout><auth_method>radius</auth_method>
<reauthenticateacct>interimupdate</reauthenticateacct>
<httpsname><bwdefaultdn><bwdefaultup><certificate><cacertificate><private-key><redirurl><radiusip>10.1.0.241</radiusip>
<radiusip2><radiusport><radiusport2><radiusacctport><radiuskey>secret</radiuskey>
<radiuskey2><radiusvendor>default</radiusvendor>
<radiussrcip_attribute>10.1.0.1</radiussrcip_attribute>
<radmac_format>default</radmac_format>
<radiussession_timeout><radacct_enable><reauthenticate><enable></enable></reauthenticate></radacct_enable></radiussession_timeout></radiuskey2></radiusacctport></radiusport2></radiusport></radiusip2></redirurl></private-key></cacertificate></certificate></bwdefaultup></bwdefaultdn></httpsname></idletimeout></timeout></captiveportal>
<voucher><charset>2345678abcdefhijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ</charset>
<rollbits>16</rollbits>
<ticketbits>10</ticketbits>
<saveinterval>300</saveinterval>
<checksumbits>5</checksumbits>
<magic>a nice magic number</magic>
<publickey>a nice secret key</publickey>
<privatekey>a nice secret key</privatekey>
<msgnoaccess>Voucher invalid</msgnoaccess>
<msgexpired>Voucher expired</msgexpired>
<enable><roll><number>1</number>
<minutes>15</minutes>
<comment>15min vouchers</comment>
<count>20</count>
<used>AgAA</used>
<active></active></roll>
<roll><number>2</number>
<minutes>60</minutes>
<comment>60min</comment>
<count>20</count>
<used>AAAA</used>
<active></active></roll>
<roll><number>3</number>
<minutes>120</minutes>
<comment>120min</comment>
<count>20</count>
<used>AAAA</used>
<active></active></roll></enable></voucher></openvpn> -
@cmb:
Going to need a lot more info than "it doesn't work". It does work in every scenario I have setup, and we've deployed it in production in the past week for a WISP on several systems with multiple VLANs on each and no problems. I suspect at this point if it doesn't work you don't have things setup right for DNS to function, hence are never hitting the firewall to get redirected.
I know from my friends, that actually makes the problem are:
- If we activate the option Enable logout popup window
<logoutwin_enable>/usr/local/captiveportal/index.php (original)
_if(isset($config['captiveportal']['logoutwin_enable']) && !$passthrumac) {
if (isset($config['captiveportal']['httpslogin']))
$logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
else {
$ifip = portal_ip_from_client_ip($clientip);
if (!$ifip)
$ourhostname = $config['system']['hostname'] . ":8000";
else
$ourhostname = "{$ifip}:8000";
$logouturl = "http://{$ourhostname}/";
}include("{$g['varetc_path']}/captiveportal-logout.html");
} else {
if($_POST['ORIGINAL_PORTAL_IP'] && $_SERVER['SERVER_NAME'] != $_POST['ORIGINAL_PORTAL_IP']) {
header ('HTTP/1.1 301 Moved Permanently');
header("Location: " . $_POST['ORIGINAL_PORTAL_IP']);
} else {
header("Location: " . $my_redirurl);
}
}return $sessionid;
}_I try to add (insert the bold text into /usr/local/captiveportal/index.php (line 478)
if(isset($config['captiveportal']['logoutwin_enable']) && !$passthrumac) {
if (isset($config['captiveportal']['httpslogin']))
$logouturl = "https://{$config['captiveportal']['httpsname']}:8001/";
else {
$ifip = portal_ip_from_client_ip($clientip);
if (!$ifip)
$ourhostname = $config['system']['hostname'] . ":8000";
else
$ourhostname = "{$ifip}:8000";
$logouturl = "http://{$ourhostname}/";
}
**echo << <eod<br><title>Redirecting…</title>Redirecting to {$my_redirurl}...
EOD;
/*</eod<br>** include("{$g['varetc_path']}/captiveportal-logout.html"); *Maybe its a bug, required variables are empty (eg. $my_redirurl, $redirurl, etc) /
} else {
if($_POST['ORIGINAL_PORTAL_IP'] && $_SERVER['SERVER_NAME'] != $_POST['ORIGINAL_PORTAL_IP']) {
header ('HTTP/1.1 301 Moved Permanently');
header("Location: " . $_POST['ORIGINAL_PORTAL_IP']);
} else {
header("Location: " . $my_redirurl);
}
}return $sessionid;
}and, works …</logoutwin_enable>
- If we activate the option Enable logout popup window
-
so you added
echo << <eod<br><title>Redirecting…</title>
Redirecting to {$my_redirurl}… [EOD;
and you commented out the line where the logout page is included?]({$my_redirurl})</eod<br>
-
so you added
echo << <eod<br><title>Redirecting…</title>
Redirecting to {$my_redirurl}… [.
.and you commented out the line where the logout page is included?]({$my_redirurl})</eod<br>
correct…
insert the bold text into /usr/local/captiveportal/index.php (line 478) -
I had a similar problem, I was having strange problems with the captive portal. Redirect wasn't working. Would only work when I would go to a specific local site that was listed in the allowed IP addresses. When I set it up from scratch it would work fine though. So I stopped trying to use the backed up config I was using and rebuilt it from scratch using the webgui, and now it works just fine. So something in my old config wasn't quite right.
I did notice that there was data in the "Authentication Error page contents" that I never explicitly set. It must have been assigned there by mistake.
Josh