Commands to bypass CP at certain times?
-
Hi,
I am an ultra newbie, so go easy on me ;) I was given the task of running CP at all hours except at certain busy times when the guests would be allowed open wifi with no CP authorization. Based on other threads it sounded like there was a way to send ipfw commands via a CRON job… that would simply skirt the CP authorization requirement.
So is it only possible to bypass CP at certain times via a CRON job? If not, what are the other methods? What are the ipfw commands to bypass CP when it is enabled via the GUI?
Your help is very much appreciated,
Andy
-
Andy… Responded to your personal message this morning. If you have further questions - let's just handle it on this thread. Thanks!
-
Hi,
Got your message, which I posted below for other members to read. I'm sure I'll have more questions. ::) So there is no enable/disable flag, or something similar that can be changed in captiveportal.inc?
Thanks for the info!
Andy
#From rjcrowder#
This thread https://forum.pfsense.org/index.php?topic=71198.0 should give you enough info to get started.
Basically you would just have to create a rule that allows all traffic and number the rule ahead of the portal rules. It looks like the portal rules start at 65291 - so any rule number prior to that should work. If you look at the "sample_output.txt" file, the ipfw command to create a rule that allows all traffic is "add 2000 set 20 allow ip from any to any". You don't need the "set 20" - I just put all my custom rules in the same "set" so the whole set can be removed at once.
You could write a little shell script that creates the rule and another one that removes the rule. Then schedule the scripts via cron.
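The two scripts described above, folded into one as an added example (not code from the thread): it skips the add when the rule is already loaded and checks after removal that the allow-all rule is really gone. The zone name `guest`, the script path and the cron times are placeholders, and passing `-x zone` to `add`, `list` and `delete` is an assumption based on the `ipfw -x your_zone_name show` form used later in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. ZONE and the script path in the
# crontab lines are placeholders; RULE and SET follow the numbers quoted above.
IPFW="${IPFW:-/sbin/ipfw}"
ZONE="${ZONE:-guest}"   # hypothetical captive portal zone name
RULE=2000               # must sort ahead of the portal rules (65291 and up)
SET=20                  # private set so the custom rules can be dropped together

# Run ipfw inside the zone's context, as in "ipfw -x your_zone_name show".
fw() { "$IPFW" -x "$ZONE" "$@"; }

# Succeeds while the allow-all rule is loaded.
bypass_active() {
    fw list "$RULE" 2>/dev/null | grep -q "allow ip from any to any"
}

open_wifi() {
    # ipfw accepts several rules under one number, so a repeated cron run
    # would stack duplicates; skip the add when the rule is already there.
    bypass_active && return 0
    fw add "$RULE" set "$SET" allow ip from any to any >/dev/null
}

close_wifi() {
    fw delete set "$SET" 2>/dev/null || true
    # A surviving allow-all rule means guests still skip authentication.
    if bypass_active; then
        echo "cp-bypass: rule $RULE still loaded in zone $ZONE" >&2
        return 1
    fi
}

# crontab (times are placeholders):
#   0 17 * * *  /root/cp_bypass.sh open
#   0 19 * * *  /root/cp_bypass.sh close
case "${1:-}" in
    open)  open_wifi ;;
    close) close_wifi ;;
esac
```

Because `close_wifi` writes to stderr and returns non-zero when the rule survives, cron reports the failure instead of leaving the portal bypassed unnoticed.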
-
Good point - I may have over complicated it because I already had a solution that did what I wanted…
You should be able to just switch the portal off... I'll take a look at what you would need to call in order to do it that way...
-
The following script will disable it… just save it as /etc/rc.captiveportal_disable and make it executable (chmod +x). Call it from cron to disable and then call rc.captiveportal_configure to re-enable the portal. Note that the script does not change the "enable" flag in the config.xml file, so if you go into the UI, it will still show as enabled.
#!/usr/local/bin/php -f
<?php
/* $Id$ */
/*
	rc.captiveportal_disable
	copied and modified from rc.captiveportal_configure
*/

require("config.inc");
require("functions.inc");
require_once("filter.inc");
require("shaper.inc");
require("captiveportal.inc");

captiveportal_disable();

function captiveportal_disable() {
	global $config, $cpzone;

	if (is_array($config['captiveportal'])) {
		foreach ($config['captiveportal'] as $cpkey => $cp) {
			$cpzone = $cpkey;
			// Clear the flag on the in-memory copy only; config.xml is not written.
			if (isset($cp['enable'])) {
				unset($cp['enable']);
			}
			// Configure the zone from the copy without 'enable', which turns the portal off.
			captiveportal_configure_zone($cp);
		}
	} else {
		mwexec("/sbin/sysctl net.link.ether.ipfw=0");
	}
}
?>
-
Wow! I'll give it a go ;D Thank you!
Edit: If CP is running with authentication and the script is executed will users be directed right to the web?
I haven't been able to get it to work, but I most likely have something configured wrong…
Andy
-
Well… I thought so. I tried it on mine - but I don't have the typical CP setup. I'm not doing any authentication and when I have rules in, I have some other stuff that bypasses the captive portal rules.
However, I don't know why it wouldn't work. The script should completely disable the ipfw firewall. You can double check that it is disabled by executing the ipfw command from a prompt (after doing rc.captiveportal_disable)... do "ipfw -x your_zone_name show". When it is disabled, you should get an error back. When not disabled, it will show all the rules...
-
Looks like the text editor I used put a ^M at the end of each line. I'll clean it up and see what happens ::) I told you I'm new at this. lol
Edit: Good grief, I went through many commands to remove the carriage return only to have them come back when the script was executed or the server was rebooted. Apparently when a file is accessed in cron it is stored in the main xml file and rewrites anything back to the old state that has been changed. Solution was to remove the ^M, then cp to another file name and then point cron to the new file name that had the ^M removed.
-
THANK YOU ;D
This script works great, just what I was looking for!
Again greatly appreciated…
Andy from the U.S.
-
And for enable?
There it turns off and doesn't turn on :(
-
The following script will disable it… just save it as /etc/rc.captiveportal_disable and make it executable (chmod +x). Call it from cron to disable and then call rc.captiveportal_configure to re-enable the portal. Note that the script does not change the "enable" flag in the config.xml file, so if you go into the UI, it will still show as enabled.
This is just up the thread ;)
-
Sorry! I wasn't paying attention :D
I changed rc.captiveportal_configure to be the same as rc.captiveportal_disable hahahaha :-[
with the same code ::)
-
The other thing you need to remember… this code does not actually change the "enable" setting in config.xml. So... if you go into the UI it will show the portal still enabled. In addition, if you save anything in the UI, it will be re-enabled...
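Since the UI and config.xml keep reporting "enabled" after the disable script runs, a watchdog has to look at ipfw itself. The sketch below is an added example, not code from the thread: it uses the `ipfw -x your_zone_name show` check described earlier and compares the result with the schedule. The zone name, the 17:00 to 19:00 window and the script path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: cron watchdog that compares the
# portal's real state with the schedule. ZONE and the window are placeholders.
IPFW="${IPFW:-/sbin/ipfw}"
ZONE="${ZONE:-guest}"             # hypothetical zone name
OPEN_START="${OPEN_START:-1700}"  # open-wifi window start, HHMM (assumed)
OPEN_END="${OPEN_END:-1900}"      # open-wifi window end, HHMM (assumed)

# The thread's check: "ipfw -x <zone> show" fails once the portal is disabled.
# config.xml and the UI are not consulted, because they keep saying "enabled".
portal_enforced() { "$IPFW" -x "$ZONE" show >/dev/null 2>&1; }

# True when HHMM in $1 is inside the window; handles windows past midnight.
in_open_window() {
    if [ "$OPEN_START" -le "$OPEN_END" ]; then
        [ "$1" -ge "$OPEN_START" ] && [ "$1" -lt "$OPEN_END" ]
    else
        [ "$1" -ge "$OPEN_START" ] || [ "$1" -lt "$OPEN_END" ]
    fi
}

# Prints one status line; returns 1 when reality and schedule disagree.
check_portal() {
    now="${1:-$(date +%H%M)}"
    if portal_enforced; then state=enforced; else state=open; fi
    if in_open_window "$now"; then want=open; else want=enforced; fi
    if [ "$state" = "$want" ]; then
        echo "ok zone=$ZONE state=$state time=$now"
    else
        echo "MISMATCH zone=$ZONE state=$state expected=$want time=$now"
        return 1
    fi
}

# crontab: */5 * * * * /root/cp_watchdog.sh run   (path is a placeholder)
if [ "${1:-}" = "run" ]; then
    check_portal || logger -t cp-watchdog "portal state does not match schedule"
fi
```

A mismatch outside the window means guests are online without authentication, for example because the re-enable cron job failed; a mismatch inside the window usually means a save in the UI switched the portal back on.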
-
I was wondering if this could be used to turn off CP on certain zones while CP is still active on others?
Many thanks,
Andy
-
Nice little backend workaround
-
I was wondering if this could be used to turn off CP on certain zones while CP is still active on others?
Many thanks,
Andy
As currently written it just loops through all zones, but I'm sure I could modify it to shut off certain ones… How would you want it to work? Just provide a command line list of zones to disable?
-
Hello,
Thinking out loud here. As we currently use it, one CP zone is turned off a few times a week using cron jobs to activate your script. A second zone would be up all the time, for now.
The command line option sounds quite effective from a setup standpoint. Though depending on how it is written, if the need arose to have more than one CP deactivated/activated on different schedules, would we simply copy and rename the script for the new zone that we wanted controlled?
From a programming standpoint, if it would be much less complicated on your end, I could forgo the command line option and edit the script with the zone name to be controlled. If it would be easier on your end…
Edit: Another thought / question, I am assuming that captiveportal_configure is a system wide ipfw restart and would boot everyone regardless of zone when activated...?
Many thanks,
Andy
-
Yea… good point on captiveportal_configure. I will probably have to also create an enable script. Using both scripts you could explicitly start/stop named zones. The process would be something like "captiveportal_disable a c", "captiveportal_enable a c" - where 'a' and 'c' are zone names. Of course, you'd have to schedule the above commands (via cron) to execute in the correct order.
Make sense?
-
Yes it does :)
-
OK… think it will be pretty easy. If I can't get to it tonight, it will probably be Sunday or Monday.