particular configuration on pfsense
-
Hi everyone, I don't understand how to make this configuration:
I have three pfSense boxes, each managing a separate wifi access, with captive portal and FreeRADIUS for accounting and authorization.
Each account has a traffic quota.
My problem is the following:
how can I set up pfSense so that traffic to a specific destination outside the corporate network is reachable independently of the authentication, and so that the generated traffic is not counted by FreeRADIUS? Every suggestion is welcome, thanks.
-
You can add IPs to the 'Allowed IP Addresses' list in the captive portal. That will allow clients to access them without authenticating in the portal.
Steve
-
@stephenw10
ok, but how do I tell the radius not to count the traffic to these destinations in its users' traffic quota?
-
If they do not login then obviously it will not see that data. I'm unsure what would happen in the situation where they have logged in already and then visit the site. I could imagine it does not send the accounting traffic to Radius if it by-passes the CP. Have you tested it?
Steve
-
@stephenw10
I'll try it tomorrow! I hope it works well, thanks!
-
Interesting question.
Consider the firewall tables, the ones that handle the accounting, the ipfw rules and tables.
The ZONE_allowed_up and ZONE_allowed_down tables are higher up, meaning used earlier, than the two tables ZONE_auth_down and ZONE_auth_up. The latter contain the authenticated users (their IP/MAC) and the pipe numbers used to count traffic bytes.
The first two tables, ZONE_allowed_up and ZONE_allowed_down, contain the "pass through" IPs and the "host names resolved to IPs".
Running radius manually (stop freeradius in the GUI and start it on the command line with radiusd -X) shows that only traffic from the 'authenticated' tables is used to count actual traffic. Btw, I'm using a SQL database as a freeradius administration scratch pad, and it contains, among others, the pipe that is used for traffic counting, called nasportid. This is the pipe number that counts the traffic.
So, it really looks like visiting these:
these can be considered as a free ride.
-
Yeah, that's what I would imagine happens but I'm not sure I've ever seen anyone test it. It will be good to see a result.
Steve
-
@stephenw10
Fantastic, it works perfectly!
Then ... in CP ALLOWED HOSTNAMES I added the destination www.salini-impregilo.com
In freeradius I removed the e.tomei user
In /var/log/radacct/datacounter/daily I deleted max-octets-e.tomei and used-octets-e.tomei
In freeradius the user was recreated with a 10Mb quota
I am attaching some screenshots; they are not well ordered but they serve the purpose
First test with a virgin phone:
access to wifi-koysha OFFICE without entering credentials
the salini-impregilo.com website is perfectly accessible
Second test with the same phone:
I opened the android alert and completed logging into the SSID
I opened youtube and started a video ... which after 61 seconds stopped ... with 3Mb of quota quite difficult
I reopened www.salini-impregilo.com and I can consult it and open the links within the domain!
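As an added illustration of the rule order Gertjan describes and the result of the test above (example code written for this thread, not pfSense's own ipfw logic or FreeRADIUS code): a small Python model of one captive-portal zone. The pass-through tables are consulted before the authenticated-user tables, so a packet to an allowed destination passes before any accounting pipe is touched, whether or not the client has logged in. Table names, the pipe number (standing in for nasportid), the addresses, the quota values and the hostname lookup are all constructed assumptions.

```python
"""Toy model of the captive-portal table order described in the thread.

Constructed example: table names, pipe numbers, addresses and quotas are
illustrative stand-ins, not values taken from a real pfSense box.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the resolver behind "Allowed Hostnames".
FAKE_DNS = {"www.example-allowed.test": "203.0.113.10"}


@dataclass
class CaptivePortalZone:
    """One CP zone: pass-through tables are checked before the auth tables."""
    allowed_ips: set = field(default_factory=set)    # ZONE_allowed_up/down
    auth_pipes: dict = field(default_factory=dict)   # client IP -> pipe (nasportid)
    pipe_bytes: dict = field(default_factory=dict)   # pipe -> octets counted
    max_octets: dict = field(default_factory=dict)   # pipe -> quota in octets

    def allow_hostname(self, hostname):
        # Allowed Hostnames end up in the table as resolved IPs.
        self.allowed_ips.add(FAKE_DNS[hostname])

    def login(self, client_ip, pipe, quota):
        # Successful portal login: client goes into the auth table with a pipe.
        self.auth_pipes[client_ip] = pipe
        self.pipe_bytes.setdefault(pipe, 0)
        self.max_octets[pipe] = quota

    def handle(self, src, dst, nbytes):
        # Rule 1: allowed tables sit higher in the ruleset, so a match here
        # passes the packet before any accounting pipe is consulted.
        if dst in self.allowed_ips:
            return "pass-allowed"
        # Rule 2: authenticated clients pass through their pipe, which counts
        # octets against the quota and cuts the client off when it is used up.
        pipe = self.auth_pipes.get(src)
        if pipe is not None:
            if self.pipe_bytes[pipe] + nbytes > self.max_octets[pipe]:
                return "drop-quota"
            self.pipe_bytes[pipe] += nbytes
            return f"pass-auth:{pipe}"
        # Rule 3: anything else is redirected to the portal login page.
        return "redirect-portal"

    def used_octets(self, client_ip):
        """Octets the accounting pipe has counted for this client (0 if none)."""
        return self.pipe_bytes.get(self.auth_pipes.get(client_ip), 0)


def demo():
    """Replay the two tests from the thread against the model."""
    zone = CaptivePortalZone()
    zone.allow_hostname("www.example-allowed.test")
    phone = "192.0.2.50"                      # constructed client address
    results = {}
    # First test: virgin phone, no login yet.
    results["unauth_allowed"] = zone.handle(phone, "203.0.113.10", 5_000)
    results["unauth_other"] = zone.handle(phone, "198.51.100.7", 5_000)
    # Second test: log in with a 10 MB quota, stream 3 MB, then browse the
    # allowed site heavily.
    zone.login(phone, pipe=2000, quota=10_000_000)
    results["auth_other"] = zone.handle(phone, "198.51.100.7", 3_000_000)
    results["auth_allowed"] = zone.handle(phone, "203.0.113.10", 50_000_000)
    results["used"] = zone.used_octets(phone)  # only the 3 MB was counted
    results["over_quota"] = zone.handle(phone, "198.51.100.7", 8_000_000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for whoever runs the quota: the counter behind used-octets only ever sees packets that reach the auth tables, so bytes to a pass-through destination are invisible to it even after login. Because the match is on the resolved IP rather than the hostname, anything else served from that same address rides through the same table entry, which is an argument for keeping the allowed list as short and specific as the business need permits.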