Netgate Discussion Forum

    How does CP block internet access?

      rovshango

      Dear pfSense users, admins and all,

      I am using pfSense and I love it.
      Here is my scenario:
      We have a custom designed and developed CP landing page which asks for specific credentials (which are being provided by SMS). After a successful login the user can access the Internet for 60 min, as the set limit. Firstly, I have to mention that the LAN port also provides an IP address, as the DHCP server is on it.

      So my question is HOW DOES CP BLOCK USERS (SOURCE ADDRESS) FROM ACCESSING THE INTERNET UNLESS HE/SHE HAS SUCCESSFULLY LOGGED IN?

      Thank you all in advance.

        Gertjan

        You should have a look at the ipfw rules.

        Go to SSH access.
        Enter

        ipfw zone list
        

        to get the 'context'(s) of your portal(s) - note: more than 1 portal can exist.
        Mine is

        2: sis0
        

        which is the interface (OPT1) on which I run the Portal (of course, I'm NOT using LAN for this)

        Now it's time to get the rules:

        ipfw -x 2 show
        

        All you need now is some basic understanding about what an "ipfw firewall" is.

        Basically:

        ...
        65318 2817852  553246341 pipe tablearg ip from table(1) to any in
        65319 2701090 2391214552 pipe tablearg ip from any to table(2) out
        ...
        

        All authenticated portal users are loaded into table 1 and 2 (their IP and MAC).

        If a portal user isn't authenticated, the portal user will hit one of these two rules:

        ...
        65531   32792    2594776 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
        65532   19579    1611232 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
        ...
        

        (== http and https, and gets redirected to our portal page).

        If rule

        65534  102444    7525149 deny ip from any to any
        
        is reached, they hit the wall.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
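
The rule walk described in the post above, as an added example that is not part of the original thread or of pfSense: a simplified first-match evaluator over the five quoted `ipfw` lines. Assumptions: only those five rules are modeled (the elided ones are not), tables hold plain IP addresses, `pipe` ends rule processing (the `net.inet.ip.fw.one_pass=1` behaviour), and the client and destination addresses are constructed samples.

```python
import re

# The five rule lines quoted in the post (counters included); elided rules are not modeled.
RULES_TEXT = """\
65318 2817852  553246341 pipe tablearg ip from table(1) to any in
65319 2701090 2391214552 pipe tablearg ip from any to table(2) out
65531   32792    2594776 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
65532   19579    1611232 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65534  102444    7525149 deny ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>pipe \S+|fwd \S+|deny)\s+"
    r"(?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: dst-port (?P<dport>\d+))?(?: (?P<dir>in|out))?$"
)

def parse_rules(text):
    """Parse 'ipfw show' lines into dicts, ordered by rule number."""
    rules = [RULE_RE.match(l.strip()).groupdict() for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: int(r["num"]))

def addr_matches(spec, ip, tables):
    """'any' matches everything; table(N) matches when ip is in that table."""
    if spec == "any":
        return True
    m = re.fullmatch(r"table\((\d+)\)", spec)
    return bool(m) and ip in tables.get(int(m.group(1)), set())

def first_match(rules, pkt, tables):
    """Return (rule number, action) of the first matching rule (assumes one_pass=1)."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and r["dir"] in (None, pkt["dir"])
                and r["dport"] in (None, str(pkt["dport"]))
                and addr_matches(r["src"], pkt["src"], tables)
                and addr_matches(r["dst"], pkt["dst"], tables)):
            return int(r["num"]), r["action"]

# Constructed sample: 192.168.2.10 has logged in, 192.168.2.20 has not.
TABLES = {1: {"192.168.2.10"}, 2: {"192.168.2.10"}}
RULES = parse_rules(RULES_TEXT)

def verdict(src, proto, dport):
    """Evaluate an inbound packet from a portal client to a constructed Internet host."""
    pkt = {"src": src, "dst": "203.0.113.5", "proto": proto, "dport": dport, "dir": "in"}
    return first_match(RULES, pkt, TABLES)

if __name__ == "__main__":
    for case in [("192.168.2.10", "tcp", 80), ("192.168.2.20", "tcp", 80), ("192.168.2.20", "udp", 53)]:
        print(case, "->", verdict(*case))
```

The logged-in client matches the table rule first, while the other client is only ever forwarded to the local portal listener on ports 80/443 or dropped by the final deny.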

          rovshango

          Hi,

          Thank you for the detailed reply.
          I just have a problem with "ipfw zone list", it gives me this output:

          ipfw: Context is mandatory: No such file or directory
          
            Gertjan

            @rovshango:

            I just have a problem with "ipfw zone list", it gives me this output:

            ipfw: Context is mandatory: No such file or directory
            

            When people are posting without mentioning their pfSense version, by default, we always talk about the latest stable version.
            So, mine is, of course, 2.2.2
            Yours isn't …. consequences are ... well ... beyond my imagination.

            Have a look at the pfSense manual : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting ;)

              rovshango

              Oh, I am so sorry. I should have mentioned it before. Mine is 2.1.5-RELEASE
              And I found the correct command.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.