• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Captive Portal for single subnet only

Scheduled Pinned Locked Moved Captive Portal
6 Posts 2 Posters 1.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D
    dayjo
    last edited by Aug 10, 2014, 9:52 PM Jul 2, 2014, 7:56 AM

    So I've been able to get the Captive Portal working with local auth + vouchers on my test box. Easy - Love it.

    But I really want to do something a bit weird. Ive got a dumb switch to work with so I can't do any fancy VLAN'ing or Port based authentication

    Setup
    WAN PPPOE
    LAN 172.17.0.0/16
    OPT1 192.168.1.0/24
    IPSEC 192.168.0.0/24

    What I want is for everyone on the LAN to be able to connect to the internet through the WAN and all LAN but not the IPSEC or OPT1 network connections unless they authenticate through the portal first. (I have hardware devices on a separate switch than need direct connection through IPSEC and regularly need access over it myself)

    from what i gather I need to modify some setting in the /etc/inc/captiveportal.inc file -> but this is huge and i really don't know what I'm looking for.

    another additional but off topic
    I currently use OPENVPN with Duo Authentication to do the dual factor authentication - I haven't tested it on my test box yet because I dont have everything in place to be able to test it - however, is it possible to use this authentication server? (This is shown on a dropdown along with local database in System -> Usermanager -> Settings -> Authentication Server) That way my captive portal can have two factor authentication on it!!

    1 Reply Last reply Reply Quote 0
    • D
      dayjo
      last edited by Aug 10, 2014, 9:51 PM

      hi all - still looking for this

      specifically having a captive portal to a single subnet

      so access to the internet as a whole but firewalled off from a subnet on the lan (different vlan so its routed through pfsense)

      almost the opposite of what currently happens

      Cheers!

      1 Reply Last reply Reply Quote 0
      • D
        Derelict LAYER 8 Netgate
        last edited by Aug 12, 2014, 2:48 AM

        I think the easiest way to do this is going to be another pfSense between your main router and the protected subnet.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • D
          dayjo
          last edited by Aug 14, 2014, 2:32 AM

          as that would probably work - I'd rather avoid placing additional boxes in my network for what really is a small task - I feel there is going to be some configuration setting where it by default finds its local subnet allows that and blocks everything else. But without spending weeks looking through and actually understanding the code in it I have no clue.

          I want to just comment that out and swap the order so it blocks 192.168.1.0/24 and allows everything else, until you sign in then allow everything while the captive portal session is open.

          1 Reply Last reply Reply Quote 0
          • D
            Derelict LAYER 8 Netgate
            last edited by Aug 14, 2014, 4:52 AM Aug 14, 2014, 4:33 AM

            This could probably be done by modifying the ipfw rules for the captive portal.  They're in /etc/inc/captiveportal.inc in function captiveportal_init_rules.

            It would survive a reboot but you'd have to merge changes from upgrades, etc.  Something like:

            pass traffic not destined for protected subnet

            add 65531 pass ip from any to not 192.168.1.1/24 in

            redirect non-authenticated clients to captive portal when accessing protected subnet

            add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in

            Something like that.

            Seems like it would be pretty trivial to add a 'Not' checkbox to the allowed IP rules and submit it as a feature.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • D
              dayjo
              last edited by Aug 25, 2014, 8:22 AM

              This function I've placed in what I think you are recommending - however are these rule numbers the order they are performed in or basically arbitrary?

              …....

              $cprules = "add 65291 allow pfsync from any to any\n";
              $cprules .= "add 65292 allow carp from any to any\n";

              $cprules .= <<<eod<br># layer 2: pass ARP
              add 65301 pass layer2 mac-type arp,rarp

              pfsense requires for WPA

              add 65302 pass layer2 mac-type 0x888e,0x88c7

              PPP Over Ethernet Session Stage/Discovery Stage

              add 65303 pass layer2 mac-type 0x8863,0x8864

              layer 2: block anything else non-IP(v4/v6)

              add 65307 deny layer2 not mac-type ip,ipv6

              EOD;

              $rulenum = 65310;
              $ipcount = 0;
              $ips = "";
              foreach ($cpips as $cpip) {
              if($ipcount == 0) {
              $ips = "{$cpip} ";
              } else {
              $ips .= "or {$cpip} ";
              }
              $ipcount++;
              }
              $ips = "{ 255.255.255.255 or {$ips} }";
              $cprules .= "add {$rulenum} pass ip from any to {$ips} in\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pass ip from {$ips} to any out\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pass icmp from {$ips} to any out icmptype 0\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pass icmp from any to {$ips} in icmptype 8 \n";
              $rulenum++;
              /* Allowed ips */
              $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any in\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) in\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any out\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) out\n";
              $rulenum++;

              /* Authenticated users rules. */
              $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";
              $rulenum++;
              $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";
              $rulenum++;

              $listenporthttp =
              $config['captiveportal'][$cpzone]['listenporthttp'] ?
              $config['captiveportal'][$cpzone]['listenporthttp'] :
              $config['captiveportal'][$cpzone]['zoneid'];

              if (isset($config['captiveportal'][$cpzone]['httpslogin'])) {
              $listenporthttps = $listenporthttp + 1;
              $cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";
              }

              $cprules .= << <eod<br>**# pass traffic not destined for protected subnet 1
              add 65532 pass all from any to not 192.168.1.0/24 in

              redirect non-authenticated clients to captive portal

              add 65533 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in

              let the responses from the captive portal web server back out

              add 65534 pass tcp from any to any out

              block everything else

              add 65535 deny all from any to any

              EOD;

              /* generate passthru mac database */
              $cprules .= captiveportal_passthrumac_configure(true);
              $cprules .= "\n";

              /* allowed ipfw rules to make allowed ip work */
              $cprules .= captiveportal_allowedip_configure();

              /* allowed ipfw rules to make allowed hostnames work */
              $cprules .= captiveportal_allowedhostname_configure();

              /* load rules */
              $cprules = "flush\n{$cprules}";
              file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", $cprules);
              mwexec("/sbin/ipfw -x {$cpzone} -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true);
              //@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
              unset($cprules, $tmprules);

              if ($reinit == false)
              unlock($captiveportallck);
              }

              I'm thinking that this isn't going to pick up if i have multiple protected subnets - not a huge problem but would be nice to know / get the syntax for this correct to start with.

              **# pass traffic not destined for protected subnet 1
              add 65532 pass all from any to not 192.168.1.0/24 in
              **# pass traffic not destined for protected subnet 2
              add 65533 pass all from any to not 10.0.0.0/24 in

              Sorry only saw this today - must have missed the notification! Will try it tomorrow (Australia time)******</eod<br></eod<br>

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received