Netgate Discussion Forum

    API - Commands to remove and add rules

    8 Posts 4 Posters 4.1k Views
      Lekenby

      I am trying to work out a system to add a firewall rule. Basically I want to create a rule which adds unlimited access to a mac address. My idea would be to create a webpage of some sort, where users login, enter mac address into text box and press ok, and then it creates the rule.

      I will develop this further, but I can work out how to do this, then I can work backwards.

      In the end, I'll create an interface which users sign up for a monthly subscription of £10, and each user account can add mac addresses of computers. If the payment is over 14 days late, the account will be deactivated and rules automatically removed.

      The whole system would be quite easy to do (seeing as we develop backends etc), and if we can get a way to remove and add rules using a script (I suppose SSH), we would be happy to contribute the development back to the community.

      So let me summarise this post, I need the commands to:

      Add firewall rule consisting of:
      mac address, interface, all services on WAN, description = username signed up with

      delete firewall rules with specific text in description

      Anyone help?

        Bern

        What if your users are behind a SOHO router or WAP? You'll only get one MAC hitting your firewall and it's happy days for their whole office for one subscription.

          Lekenby

          More expense, and we want to charge by computer, otherwise they could add 50 and leave us with no BW

            GruensFroeschli

            What Bern is trying to say: your solution will not work if someone puts a router between your pfSense and his network.

            Also why are you trying to do this by hand?
            Why not just use the captive portal?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              Lekenby

              ah sorry, misunderstood his post. I see what you mean.
              Well say we charged £10 per office, how could we work that out?

              What we are trying to get round is this. One office has two computers, one has thirty. We don't want them to pay the same because the second business can afford more, and will use much more bandwidth.

                Lekenby

                Ok, hang on, let me think of this another way
                We put a wireless router in each office, with all computers connected. Each of the routers is 192.168.2.1, with WAN port set as 10.162.0.whatever
                Then register mac addresses in the firewall, and allow access to internet via mac address
                Then non-payment, we just remove the mac address until payment, and all is well

                Is there a way I could make it route to a webpage, kind of like the captive portal, saying payment not received or access denied to internet when the mac is not registered in the firewall?

                  jahonix

                  You have to get rid of identifying your customers by their MAC addresses.
                  If there's a (WLAN-) router between you and their office computers then all you see is the MAC of that one router. You won't be able to identify or even count single hosts behind it.

                  You should listen carefully to what GruensFroeschli wrote. He's right usually!

                    GruensFroeschli

                    As jahonix said: try not to use the MAC as something to bill/identify your customers.
                    ANYONE can sniff on your network, fake their MAC and have pretty fast full access.

                    IMO you're better off if you assign each office a subnet and restrict by IP/subnet.
                    To control access you could use the Captive Portal and/or a FreeRADIUS server.
                    You allow per customer only his own subnet/IPs. If he uses other IPs of other customers he's simply blocked.

                    To counter NAT-able devices this thread might help you:
                    http://forum.pfsense.org/index.php/topic,10392.0.html

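As an added example that is not part of this thread: a small script that turns the subnet-per-office design above, together with the original poster's "over 14 days late" rule, into the contents of a pf table (pfSense aliases are backed by pf tables), so that lapsed offices drop out of the allow-list without anyone editing MAC entries. The table name `paid_customers`, the customer records and the dates are constructed assumptions, not anything from the thread.

```python
from datetime import date
from ipaddress import ip_network
import shlex

GRACE_DAYS = 14  # the original post's rule: deactivate once payment is over 14 days late
TABLE = "paid_customers"  # hypothetical pf table; the firewall's allow rule would reference it
MIN_PREFIX = 16  # refuse anything broader than a /16 so a typo cannot open the whole 10.0.0.0/8

# Constructed sample records: one subnet per office, as GruensFroeschli suggests
CUSTOMERS = [
    {"office": "office-a", "subnet": "10.162.1.0/24", "due": date(2025, 1, 1), "paid": True},
    {"office": "office-b", "subnet": "10.162.2.0/24", "due": date(2025, 1, 1), "paid": False},
    {"office": "office-c", "subnet": "10.162.3.0/24", "due": date(2025, 1, 20), "paid": False},
]


def is_active(customer, today):
    """Paid accounts stay active; unpaid ones stay active only inside the grace period."""
    if customer["paid"]:
        return True
    return (today - customer["due"]).days <= GRACE_DAYS


def allowed_subnets(customers, today):
    """Validate every subnet and return the ones that belong in the allow table."""
    allowed = []
    for c in customers:
        net = ip_network(c["subnet"], strict=True)  # rejects host bits or malformed input
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{c['office']}: {net} is broader than /{MIN_PREFIX}")
        if is_active(c, today):
            allowed.append(str(net))
    return allowed


def pfctl_replace_command(table, subnets):
    """Build 'pfctl -t <table> -T replace <nets...>', which swaps the table contents in one step.

    With no active subnets the table is flushed instead, so no lapsed office stays allowed.
    """
    if not subnets:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace", *subnets]


if __name__ == "__main__":
    print(shlex.join(pfctl_replace_command(TABLE, allowed_subnets(CUSTOMERS, date.today()))))
```

A table changed only through pfctl is rebuilt from the alias definition on the next pfSense filter reload, so the same list must also be written wherever the alias is sourced from (for example the file behind a URL-table alias).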
