One-way captive portal exception
-
Just curious…
How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA? What is their default gateway?
-
> Just curious…
> How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA? What is their default gateway?
I just use static routes on my Layer 3 devices. I should have specified that the switch is actually doing internal routing before it gets to one firewall or the other. It's actually even more complicated than that. I was just trying to diagram the issue to simplify for this question.
Sorry about that.
-
updated diagram
-
What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?
-
@BlueKobold
> I am trying to avoid a separate VPN connection for each user. I have a site-to-site IPSEC tunnel between our office and Colo. I want users to have to dual-factor auth to get to production resources over that site-to-site VPN tunnel.

Yes, for sure, and I was meaning it in exactly that direction also!

But it doesn't matter in which way you want to realize it, please refer to the network schematic I drew: on one side you need RADIUS certificates installed on the clients that should be able to use the VPN connection, or on all clients, then all VPN clients from the VPN network on the other side are able to use it.

Alternatively to this you could try to set up an AD, and only the clients with an account on that AD are able to enter the VPN network on the other side!

Or alternatively to that you could set up an AD with the LDAP role installed, and you might not need the RADIUS server and the certificate installations; only with an LDAP account would they be able to connect to the production network.

There are many solutions and ways out there to solve this right and secure for you, but for sure not each of them is easy to go.
-
> What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?

It's the other way around, actually. I would like vlan10-11 to have access to anything on vlan20-21, but vlan20-21 has to auth with dual-factor to get to vlan10-11.
-
@BlueKobold
I am using RADIUS on the captive portal because that is how I tie in Duo Security dual-factor authentication. I'm not sure a RADIUS certificate would work in this instance, but I will look into it. I am trying to bypass the captive portal in one direction only.

If I were to have one of our programmers look at adding the directional option to the allowed IP address section of the captive portal, what file would I need to look at editing?
Thanks
-
Can anyone tell me what file that rule gets written to when I add an exception for allowed IP?
Thanks again for all the replies. You guys are really encouraging.
-
Consider https://your-pfsense-box/services_captiveportal_ip.php?zone=cpzone1
where cpzone1 is your captive portal instance.

This file (find it here: /usr/local/www/services_captiveportal_ip.php) handles the IP-through-portal interface.
Inspecting it (it's basic PHP) will bring you to /etc/inc/captiveportal.inc. Point your programmer to function captiveportal_init_rules($reinit = false) (around line 479).

Give him also this: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting which permits you to see how rules are set up in 'ipfw' (the firewall the portal uses, not to be confused with the firewall rules you set up in the GUI on the portal 'interface').
-
So I found that if you use allowed hostname instead of allowed IP, you can specify a direction for the exception.
You can only do one host at a time, but I think that is OK for my purposes.
Doing some further testing, then going to put it into production.
Thanks all for your answers. I'll reply back if it doesn't work as expected.