Netgate Discussion Forum

    Captive Portal only working if firewall-rule exists

    Captive Portal
    thomask

      Hey Ho!

      I want to set up a captive portal for users of our dormitory whom we blocked because of virus infections and put into a separate VLAN. I want them to get a page: "computer infected blabla, instructions". I also want to let them download virus scanners from pages I allow them to access. Of course I don't want the users to surf the internet or anything, because our policy is that every computer has to be clean.

      My problem now: if I set up a rule that only allows a specific IP, the captive portal only appears if the user accesses that specific IP - but I want them to get the captive portal.

      Any suggestions?

      Regards from Aachen, Germany,

      Thomas

      capnsteve

        My temporary solution to a scarily similar situation was to just use OpenDNS and their filters. The DNS Blocking module that was available for 1.2.3 is kind of unwieldy IMO.

        Out of curiosity, what are you using to determine infections on the computers? We're testing our own weird variation on MS-NAP, using pfSense as the gateway for machines that fail to pass the checks.

        thomask

          We are not detecting such computers; it's the NOC of the university, they do this for the whole university network...

          http://www1.rz.rwth-aachen.de/kommunikation/betrieb/auto/status/blast-o-mat.php

          So what they do is block infected IPs on the core network so that they are not routed any more. We get a mail and shut down the physical switch port until the system is cleaned...

          The sysadmin work of the dormitory is completely done by students; the things we get from the university are a fiber line and an IP range, the rest we do :-)

          Thanks for the idea, Regards,

          Thomas

          capnsteve

            I ask because I actually help run a lot of the security for a university as well, albeit a much smaller one. It looks like your current setup is based on Snort. If that's the case, is there any reason you could not use the Snort module for pfSense and use that to do detection and control?

            The solution we're looking at will use MS-NAP and interact with Windows clients, which is about 90% of our students, to preemptively check their security. Though, if you have more info on your setup, I'd love to know how it all works. So feel free to PM me, as I don't want to derail this thread any more than I have already. But we're an 8 person operation serving about 5,000 students across 4 primary campuses, so any input is always welcome.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.