Captive Portal + PPPoE server at the same time



  • Hi guys.

    I'm using pfSense BETA4 and I'd like to use Captive Portal and PPPoE server together so my clients will be separated from each other (PPPoE tunnel) and must authenticate in CP.

    Is it possible?

    Thanx in advance.



  • I seriously doubt it …  :-[



  • @Richthofen:

    I'm using pfSense BETA4 and I'd like to use Captive Portal and PPPoE server together so my clients will be separated from each other (PPPoE tunnel) and must authenticate in CP.

    Possible.

    => If you can accept another approach.

    I'm filtering for ports 138,138,445 etc. already on the OPT1 'Wifi' interface.
    But, on this interface I have a switch - and behind that 'many' APs.
    So, clients all share the same IP netmask - and could 'interact' with each other easily.
    (One could discuss the fact that that is their problem ;-) - they share the stuff.)

    But, I thought I had to streamline things, so I used Linksys WRT54G(S) APs with a modified firmware.
    Activated ebtables in the WRT54G(S)s and I entered this:

    #Accept DHCP to go everywhere (meaning: broadcasting without special MAC info)...
    ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT
    ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT

    #Accept also arp-ing...
    ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT

    #For the rest, allow ONLY our gateway MAC (please insert yours) as a destination...
    ebtables -t broute -A BROUTING -i eth1 -d ! 00:01:02:03:04:05 -j redirect --redirect-target DROP
    

    Note: eth1 = WLAN interface on AP
    Note: 00:01:02:03:04:05 is the MAC of the OPT1 interface - the 'gateway' for all the clients.

    Done. No more communication possible between clients. Period.
    DHCP broadcasts are still visible to all, but the rest of the (radio) communication is just client<->AP<->pfSense.

    [edit] By the way: these APs (with the Sveasoft firmware, to name the house) already offer 'Client Isolation', but that only works for all the clients connected to one AP - it does not stop them from 'seeing' each other if they are connected to 2 different APs. As already said, I have many APs all over the place.



  • @Gertjan:

    Possible.

    I stand corrected.  Nice work.



  • Hi

    I'm using Samsung SWL-3300 APs. Is there a modified firmware to allow this solution on such hardware?

    Thnx



  • :) and for a Cisco Aironet 1100?  :D



  • @Richthofen:

    … Samsung SWL-3300 APs...

    &
    @lylian:

    :) and for a Cisco Aironet 1100?  :D

    What you actually need is:

    1. telnet (SSH) access, and
    2. ebtables has to be present in the firmware.


  • I will try tomorrow… very good job .... :) ... I'll come back after.

