Netgate Discussion Forum
    DNS forwarder, resolver or both

    Category: DHCP and DNS
    38 Posts 4 Posters 9.5k Views

    johnpoz LAYER 8 Global Moderator

      You're correct that you need a cert your machines trust if you don't want errors, yes.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      newbie_sense

        Thanks, I will get the cert and such and play around with it, reading the topics on how to install it and set everything up.
        If I get an error I will report again :)

        newbie_sense

          I can't get it to work. I tried to follow the guide from the link in an earlier post, but what he writes doesn't make sense to me and the StartSSL website does not do the things he describes.. Is there another guide that shows how to install it? I have been searching for one with no luck.

          chose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.

          Not possible; after selecting "Webserver SSL/TLS Certificate" you go directly to the screen to enter your domains.

          Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.

          I do not see any option to do this :/

          I added the 2 certs into the CAs part of the certificate manager.
          Then I added the cert into the Certificates leaf. On the name side it gives me
          ca: NO server: NO .. not sure if this is good.

          I use authentication: local user manager

          Added IP in DNS forwarder

          https:// hangs when I try to enter a website..

          EDIT: when I use an http connection I get the green lock with the right certificate and login page,
          but any other site still has a cert error :/

          "this certificate is only valid for the following names"

          Any ideas maybe?

          johnpoz LAYER 8 Global Moderator

            Why do you need something from StartSSL.. pfSense has a CA built right in; create a cert there and have your machine trust this CA.  Are you needing this for machines that are not under your control?  So a public CA that everyone trusts?


            newbie_sense

              I thought the built-in CA gave errors and wanted something that did not give any errors.. users or guests do not always click yes to something they don't know..
              That's the reason I wanted guests to go directly to the login page in https without any error.. even with the built-in one I can't get that to work with no error.
              I am building this for a hotel and want to have it working properly and not halfway.

              Do you know a guide, or can you guide me through this?

              johnpoz LAYER 8 Global Moderator

                Guide on trusting a pfSense cert signed by pfSense.. Hmm, I just went over this not so long ago in a thread..

                https://forum.pfsense.org/index.php?topic=114712.0

                Again, this is for machines that you set to trust the CA that creates your cert.  If these are guest machines and you want them to trust your cert without them trusting your CA, then yeah, you need to get a cert from a public CA that everyone's machine will trust automatically.

                How is it you're using something you're new to for building out a system for a hotel?  So you have no SSL experience, no captive portal experience with working https, and you're building a captive portal system using something you're new to, pfSense..  And they are paying you for this??  Or is this some hotel that your uncle owns with like 3 rooms?  And you're the computer guy in the family??


                newbie_sense

                  We have a pfSense system in the hotel that was made by the son of a technician who works there.. He separated the office and wifi; the only problem is that non-guests around the hotel are using the wifi and we would like to have it guests only. Of the 75Mbps I never reach higher than 10Mbps at night.
                  This needs to be blocked.. And his son doesn't work on the old machine anymore, so if this machine dies nobody knows anything..

                  I also haven't found another solution for this, and again an upgrade could be helpful, and I could also add a proxy later on.
                  I know my knowledge is minimal, but by asking and searching I mostly get things working..
                  I don't give up that easily, and I always like to learn new stuff.

                  Your help is much appreciated :)

                  EDIT: from my LAN I can ping domainname.com. Still, when using http it redirects to the https site.. https gives me an error that I can't get past..
                  DNS forward is set (it should be) as described in the link earlier.. I am just not sure what I am missing.

                  Your link, I followed it; it gave me an error that I need to accept the cert first..

                  JKnott

                    Is there a password that's only given to guests?  If the WiFi is open, you can't stop others from using it.  You might also want to change the password frequently.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    newbie_sense

                      The situation now is that everyone can use the wifi, guests and non-guests.. The idea is to give the guests a username and password when they check in that rotates every week/month so it blocks others out.. This way the internet speed is faster and more "protected" from non-guests.
                      I know there are other ways, like having guests accept the error, but I like to have things work properly rather than half work. Till now I am almost there; just when guests use https:// I get the error "ssl_error_bad_cert_domain", because I visit a site other than the one the domain is for.. when this is solved everything works with the right SSL cert..

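Added example, not from the thread or from pfSense, of the name check behind that "ssl_error_bad_cert_domain" / "this certificate is only valid for the following names" error: the browser compares the host it asked for against the certificate's subjectAltName entries, so a captive portal that intercepts a TLS connection to some other site and answers with its own certificate fails that check no matter which CA issued it, public or private. The names and the address used in the block (portal.hotel.example, 192.168.3.254) are hypothetical.

```python
"""Hostname-versus-certificate name matching, in the spirit of RFC 6125 and
current browser behaviour.  Added example, not code from the thread or from
pfSense.  Shows why a captive portal answering an intercepted
https://www.google.com request with the portal's own certificate triggers
"ssl_error_bad_cert_domain": the requested host is not among the names the
certificate was issued for.
"""
import ipaddress
from typing import Iterable


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(hostname: str,
                     dns_names: Iterable[str],
                     ip_addresses: Iterable[str] = ()) -> bool:
    """Return True if `hostname` is covered by the certificate's subjectAltName.

    dns_names:    dNSName SAN entries, e.g. ["portal.hotel.example", "*.hotel.example"]
    ip_addresses: iPAddress SAN entries, e.g. ["192.168.3.254"]

    Rules applied (what Firefox/Chrome enforce, stricter than RFC 6125 permits):
      - comparison is case-insensitive and ignores a trailing dot;
      - an IP literal only matches an iPAddress entry, never a dNSName;
      - a wildcard must be the whole left-most label ("*.hotel.example"),
        covers exactly one label, and is rejected for "*.com"-style names.
    """
    host = hostname.lower().rstrip(".")
    if _is_ip_literal(host):
        want = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == want for ip in ip_addresses)

    host_labels = host.split(".")
    for name in dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if pat_labels[0] == "*":
            # Wildcard: at least two labels must follow it, and the host must
            # have exactly the same number of labels (one label per '*').
            if (len(pat_labels) >= 3 and len(pat_labels) == len(host_labels)
                    and pat_labels[1:] == host_labels[1:]):
                return True
        elif "*" in name:
            continue  # partial wildcards such as "po*.hotel.example" are not accepted
        elif pat_labels == host_labels:
            return True
    return False


def check_intercepted_request(requested_host: str, portal_dns_names,
                              portal_ips=()) -> str:
    """What the browser concludes when the portal answers the TLS handshake
    for `requested_host` with the portal's certificate: "ok" or the Firefox
    error code quoted in the thread."""
    if hostname_matches(requested_host, portal_dns_names, portal_ips):
        return "ok"
    return "ssl_error_bad_cert_domain"


if __name__ == "__main__":
    PORTAL_SAN = ["portal.hotel.example"]  # constructed, hypothetical portal cert
    for host in ("portal.hotel.example", "www.google.com", "192.168.3.254"):
        print(f"{host:24} -> {check_intercepted_request(host, PORTAL_SAN)}")
```

The practical consequence is the one the thread arrives at: a public CA removes the trust error for the portal's own name, but the only TLS connection the portal can answer cleanly is one the client makes to that name, so the redirect has to send clients there rather than answer on behalf of whatever https:// site they first typed.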
                        JKnott

                        I could be wrong, but I don't see this as being a pfSense issue.


                          newbie_sense

                           I believe I have it working. I was going about this the wrong way, and tried most things through a wired connection while they can only connect through WIFI.
                           When connecting with a laptop and opening a page it sometimes takes a few moments before the login page shows up.

                           The only thing I have now is that when I connect it gives me the wrong DNS; any idea how to solve that?
                           The system gives me (example) 192.168.3.100 while it should be 192.168.3.254

                           johnpoz LAYER 8 Global Moderator

                             "Your link, I followed it; it gave me an error that I need to accept the cert first.."

                             You mean the link to a pfSense forum thread?  Then you have something messed up with the CAs on your machine, that is for sure..  As for your clients getting the wrong DNS, well then you have something else handing out DHCP, or your DHCP is not correct, plain and simple.  Or you set the DNS on the client directly?


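Added example, not from the thread or from pfSense, of the check johnpoz's diagnosis calls for: decode the DHCPOFFER packets seen on the LAN and report any that come from a server other than the firewall or hand out a DNS server other than the intended one. The two packets are constructed inline with hypothetical addresses (firewall at 192.168.3.254, a wifi router at 192.168.3.1 still running its own DHCP server); on a real network the input would be the UDP payloads captured with tcpdump on ports 67/68.

```python
"""Parse DHCP OFFER packets and flag a server or DNS setting that differs from
the intended one.  Added example, not code from the thread or from pfSense.
The packets below are constructed with hypothetical addresses.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2


def _ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, yiaddr, server_id, router, dns_servers,
                chaddr=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed DHCPOFFER: RFC 2131 fixed header followed by RFC 2132 options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                  # transaction id, secs, flags
        b"\0" * 4,                  # ciaddr
        _ip4(yiaddr),               # yiaddr: the address being offered
        _ip4(server_id),            # siaddr
        b"\0" * 4,                  # giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + _ip4(server_id)
        + bytes([OPT_ROUTER, 4]) + _ip4(router)
        + bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(_ip4(d) for d in dns_servers)
        + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fields an audit needs; raises ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, xid = packet[0], struct.unpack("!I", packet[4:8])[0]
    options = {}
    i = 240
    while i < len(packet):                      # walk the TLV option area
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length

    def addr_list(code):
        raw = options.get(code, b"")
        return [str(ipaddress.IPv4Address(raw[j:j + 4]))
                for j in range(0, len(raw) - len(raw) % 4, 4)]

    msg_type = options.get(OPT_MSG_TYPE)
    server_ids = addr_list(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "msg_type": msg_type[0] if msg_type else None,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "server_id": server_ids[0] if server_ids else None,
        "routers": addr_list(OPT_ROUTER),
        "dns": addr_list(OPT_DNS),
    }


def audit_offer(packet: bytes, expected_server: str, expected_dns) -> list:
    """Return a list of findings; an empty list means the offer came from the
    expected server and hands out exactly the expected DNS servers."""
    info = parse_dhcp(packet)
    if info["msg_type"] != DHCPOFFER:
        return [f"not a DHCPOFFER (message type {info['msg_type']})"]
    findings = []
    if info["server_id"] != expected_server:
        findings.append(f"offer from unexpected DHCP server {info['server_id']} (xid {info['xid']:#x})")
    if info["dns"] != list(expected_dns):
        findings.append(f"DNS servers {info['dns']} differ from expected {list(expected_dns)}")
    return findings


# Constructed sample traffic (hypothetical addresses): one offer from the
# firewall, one from a wifi router that was left with its own DHCP server on.
FIREWALL_OFFER = build_offer(0x3903F326, "192.168.3.50", "192.168.3.254", "192.168.3.254", ["192.168.3.254"])
ROGUE_OFFER = build_offer(0x3903F327, "192.168.3.120", "192.168.3.1", "192.168.3.1", ["192.168.3.100"])

if __name__ == "__main__":
    for name, pkt in (("firewall", FIREWALL_OFFER), ("wifi router", ROGUE_OFFER)):
        print(name, audit_offer(pkt, "192.168.3.254", ["192.168.3.254"]) or ["ok"])
```

Option 54 (server identifier) is the field that settles "who answered": a client that ends up with a DNS server nobody configured on the firewall has taken a lease from whichever server answered first, and that server is the one to find and switch off.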
                              newbie_sense

                               I fixed it.. it was the router that was giving the wrong DNS.. I did not have anything else to work with than this router. Adding the right DNS IP solved the issue.

                               Thank you for your help john :)

                               Now I have everything working; even on Win10 it will automatically give you the login page when you connect to the WIFI, like on mobile devices, with the proper SSL cert and without asking people to import ANY cert.

                               I think I will make a topic on how I did this so others can use it as well..

                               Next on the list: squid proxy :)

                               johnpoz LAYER 8 Global Moderator

                                 "I did not have anything else to work with than this router. Adding the right DNS IP solved the issue."

                                What router??


                                 newbie_sense

                                   I do not have a wireless access point to test wireless devices like laptops and phones; for this I used a router with WIFI (WNRT-627). I know pfSense has DHCP, I just had nothing else lying around. With this, Captive Portal is working as it should.. I still need to ask a friend to share a Mac to see if this works as well; there was a topic where Mac devices could not connect.

                                   johnpoz LAYER 8 Global Moderator

                                     If you're using an old wifi router, then you should use it just as an AP.  Any wifi router can be just an access point.

                                     Give its LAN an IP on your network, turn off its DHCP server and connect it to your network via one of its LAN ports = AP..


                                     newbie_sense

                                       I did in the end; seems everything is working properly now.. proxy is working, CP.. not sure what else I need on this :)

                                       johnpoz LAYER 8 Global Moderator

                                         So you want to use the proxy and the CP at the same time?  Are you wanting to use a transparent proxy or an explicit one?


                                         newbie_sense

                                           Transparent proxy, from what I read and heard, to save at least some bandwidth. It sounds like it's not the best idea to do this..

                                           johnpoz LAYER 8 Global Moderator

                                             No, it's not really.  To be honest, if the reason you want to use a proxy is to save some bandwidth.. you're probably not going to get much bang for your buck.  Most of the net these days is dynamic and doesn't bode well for a cached copy on your proxy, while clients cache themselves anyway, so most of the stuff that can be cached and reused is already handled on the client.

                                             If what you want to use it for is filtering of bad stuff, ok, but if this is a guest wifi for a hotel, why would it be your place to say what porn they can or cannot watch, etc..

                                             Captive portal, sure, ok; you don't want the homeless guy outside sucking up all the bandwidth that is there for your guests to use, etc.  And you can use the portal page to remind your guests of stuff going on in the hotel, how to get info, etc.  So that sort of thing I don't think anyone using free hotel wifi would complain about.

                                             But if what you want to do is just stop non-guests from using your wifi, it's much easier to just set a PSK and change it every day or every few days, and make it easy for your guests to get without the homeless guy outside just reading it off your bulletin board.  I have been to hotels where the PSK is on the little envelope they put your key in, etc.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.