
    One-way captive portal exception

    16 Posts 5 Posters 3.6k Views
matthewmdn

      @BlueKobold
I am trying to avoid a separate VPN connection for each user. I have a site-to-site IPSEC tunnel between our office and Colo. I want users to have to dual-factor auth to get to production resources over that site-to-site VPN tunnel.

Derelict LAYER 8 Netgate

        Just curious…

        How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA?  What is their default gateway?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

matthewmdn

          @Derelict:

          Just curious…

          How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA?  What is their default gateway?

          I just use static routes on my Layer 3 devices. I should have specified that the switch is actually doing internal routing before it gets to one firewall or the other. It's actually even more complicated than that. I was just trying to diagram the issue to simplify for this question.

          Sorry about that.

matthewmdn

            updated diagram

Derelict LAYER 8 Netgate

              What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?


Guest

                @BlueKobold
I am trying to avoid a separate VPN connection for each user. I have a site-to-site IPSEC tunnel between our office and Colo. I want users to have to dual-factor auth to get to production resources over that site-to-site VPN tunnel.

Yes, for sure, and I was meaning it in exactly that direction also!
But it doesn't matter in which way you want to realize it; please refer to the network schematic I drew:
on one side you need RADIUS certificates installed on the clients that should be able to use the VPN
connection, or on all clients; then all VPN clients from the VPN network on the other side are able to
use it.

Alternatively, you could try to set up an AD, and only the clients with an account on that AD are able to
enter the VPN network on the other side!

Or, alternatively, you could set up an AD with the LDAP role installed, and then you might not
need the RADIUS server and the certificate installations; with only an LDAP account
they would be able to connect to the production network.

There are many solutions and ways out there to solve this correctly and securely for you,
but for sure not each of them is easy to go.

[attachment: matthewmdn.jpg (network schematic)]

matthewmdn

                  @Derelict:

                  What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?

It's the other way around actually. I would like vlan10-11 to have access to anything on vlan20-21, but vlan20-21 have to auth with dual-factor to get to vlan10-11.

matthewmdn

                    @BlueKobold
I am using RADIUS on the captive portal because that is how I tie in Duo Security dual-factor authentication. I'm not sure a RADIUS certificate would work in this instance, but I will look into it. I am trying to bypass the captive portal in one direction only.

                    If I was to have one of our programmers look at adding the directional option to the allowed IP address section of captive portal, what file would I need to look at editing?

                    Thanks

matthewmdn

                      Can anyone tell me what file that rule gets written to when I add an exception for allowed IP?
                      Thanks again for all the replies. You guys are really encouraging.

Gertjan

                        Consider https://your-pfsense-box/services_captiveportal_ip.php?zone=cpzone1
                        where cpzone1 is your captive portal instance.

This file, find it here: /usr/local/www/services_captiveportal_ip.php, handles the IP-through-portal interface.
Inspecting it (it's basic PHP) will bring you to /etc/inc/captiveportal.inc

Point your programmer to function captiveportal_init_rules($reinit = false) (around line 479)

Give him also this https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting which permits you to see how rules are set up in 'ipfw' (the firewall the portal uses, not to be confused with the firewall rules you set up in the GUI on the portal 'interface')

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

matthewmdn

                          So I found that if you use allowed hostname instead of allowed IP, you can specify a direction for the exception.

                          You can only do one host at a time, but I think that is OK for my purposes.

                          Doing some further testing, then going to put it into production.

                          Thanks all for your answers. I'll reply back if it doesn't work as expected.

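The two technical points of this thread are where the portal exceptions live (Gertjan's pointer to the captive portal config and captiveportal.inc) and that an allowed-hostname entry carries a direction, which is what gives the one-way bypass matthewmdn wanted. The script below is an added example, not pfSense's own code: it audits a captive portal zone's allow-list for entries that exempt traffic in both directions and checks whether a given flow would pass the portal without authentication. It assumes the config.xml layout `<captiveportal><cpzone1><allowedip>/<allowedhostname>` with a `<dir>` child holding `to`, `from` or `both` (taken from the GUI's Direction field), reads that direction relative to the listed address (`to`: portal clients may reach the address unauthenticated; `from`: the address may initiate traffic through the portal unauthenticated), and uses a constructed config and constructed DNS answers rather than live lookups.

```python
"""Audit a pfSense-style captive-portal allow-list for one-way exceptions.

Added example, not pfSense code. Assumed config layout and direction
semantics are described in the comments; sample data is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config: zone "cpzone1" with three exceptions.
# Dev LAN is 10.11.0.0/24 (outside the portal), portal clients sit in 10.20.0.0/24.
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <cpzone1>
      <zone>cpzone1</zone>
      <interface>opt1</interface>
      <allowedip>
        <ip>10.10.0.5</ip>
        <sn>32</sn>
        <dir>both</dir>
        <descr>Jump host, two-way (should be reviewed)</descr>
      </allowedip>
      <allowedip>
        <ip>10.11.0.0</ip>
        <sn>24</sn>
        <dir>from</dir>
        <descr>Dev LAN may reach the portal network without auth</descr>
      </allowedip>
      <allowedhostname>
        <hostname>dc2.example.internal</hostname>
        <sn>32</sn>
        <dir>from</dir>
        <descr>DC2 initiates replication into the portal network</descr>
      </allowedhostname>
    </cpzone1>
  </captiveportal>
</pfsense>
"""

# Constructed DNS answers for hostname entries (hypothetical, no real lookups).
RESOLVED = {"dc2.example.internal": "10.11.0.10"}

VALID_DIRECTIONS = ("to", "from", "both")


def load_exceptions(xml_text, zone):
    """Return [(network, direction, description)] for one portal zone.

    Assumption: <dir> holds "to", "from" or "both", as the GUI's Direction
    field offers; a missing <dir> is treated as "both" (the permissive case).
    """
    root = ET.fromstring(xml_text)
    zone_el = root.find(f"./captiveportal/{zone}")
    if zone_el is None:
        raise ValueError(f"zone {zone!r} not found")
    entries = []
    for el in zone_el.findall("allowedip") + zone_el.findall("allowedhostname"):
        if el.tag == "allowedip":
            addr = el.findtext("ip")
        else:
            addr = RESOLVED.get(el.findtext("hostname"))
            if addr is None:
                continue  # unresolved hostname: no rule would be installed for it
        prefix = el.findtext("sn") or "32"
        direction = (el.findtext("dir") or "both").lower()
        if direction not in VALID_DIRECTIONS:
            raise ValueError(f"unexpected direction {direction!r}")
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        entries.append((net, direction, el.findtext("descr") or ""))
    return entries


def bypasses_portal(entries, src, dst):
    """True if a flow src->dst through the portal interface needs no login.

    "from"/"both" exempt traffic originating at the listed address;
    "to"/"both" exempt traffic destined to it.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, direction, _ in entries:
        if direction in ("from", "both") and src_ip in net:
            return True
        if direction in ("to", "both") and dst_ip in net:
            return True
    return False


def two_way_entries(entries):
    """Entries that exempt traffic in both directions: review these first."""
    return [(str(net), descr) for net, d, descr in entries if d == "both"]


if __name__ == "__main__":
    ents = load_exceptions(SAMPLE_CONFIG, "cpzone1")
    for net, d, descr in ents:
        print(f"{net!s:18} {d:5} {descr}")
    print("two-way:", two_way_entries(ents))
    print("dev -> portal net:", bypasses_portal(ents, "10.11.0.7", "10.20.0.50"))
    print("portal net -> dev:", bypasses_portal(ents, "10.20.0.50", "10.11.0.7"))
```

With the sample config, a Dev LAN host reaching a portal client passes without login, the reverse direction does not (it still has to authenticate), and the only entry that opens both directions is the jump host, which is the kind of entry to re-check when the intent is a one-way exception.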
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.