Squid + Captive Portal Auth



  • Hey guys,

    Has anyone been able to successfully get Captive Portal + Squid proxy working correctly? I've seen many threads where people were complaining about Squid proxy being able to bypass their Captive Portal and old patches were made (and removed).

    I'm using Captive Portal to essentially limit bandwidth on a per-user basis. Since I have WPAD set up, I don't want people bypassing the captive portal by connecting directly to the proxy. Is it not possible to make the proxy work only for the people who have authenticated via captive portal or have their MAC address bypass set? I can see that there's a captive portal auth option but can't seem to get that working.

    Or if that somehow isn't possible, maybe we can put authenticated captive portal users on a separate DHCP pool which allows squid proxy? (time depends on their captive portal access / voucher)

    Thanks in advance :3



  • Same doubt here. We found a lot of information about the bug, the patches and recommendations to remove them. The GUI still has the line telling about the bug (if the feature was removed, I don't understand this line telling about something that was a bug and was removed).

    Well, a network with captive portal and squid proxy accepts that clients access the Internet without authenticating themselves on the CP.

    Here we have wpad because many browsers use this as default behavior (auto detect proxy configuration). On networks with CP enabled we have to send the "DIRECT" action on wpad, otherwise clients bypass the authentication. That way clients access everything directly and the CP can filter. We have to enable transparent proxy on that network and not permit squid to listen on the pfSense interface, otherwise a client with manual configuration can bypass CP.

    I hope some day this problem could be solved. If I've understood correctly, the creation of some firewall rules is necessary.



  • It was not a bug, the patch modified captive portal rules to block access to squid local ports.

    The core team has denied this kind of modification since 2.3.

    I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.



  • I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.

    I could not find the patch you mentioned anywhere, I've searched through your last posts…



  • @robertolw:

    I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.

    I could not find the patch you mentioned anywhere, I've searched through your last posts…

    It's on the redmine "issue" page under comments and on git

    https://redmine.pfsense.org/issues/5594

    https://github.com/pfsense/pfsense-packages/pull/1210