[FIXED] Captive Portal blocks all after login too (was Cap.Por. blocks…......)
-
Hi,
I've noticed that captive portal blocks everything except HTTP requests. Is there a way to get all ports working after a login? I was looking at the firewall rules and they shouldn't block ports after a login is done.
IPFW rules after I logged in from the browser:
00030 skipto 50000 ip from any to any in via re1 keep-state
00500 allow pfsync from any to any
00500 allow carp from any to any
00500 allow ip from 192.168.0.74 to any out via re0
00501 allow ip from any to 192.168.0.74 in via re0
01000 skipto 50000 ip from any to any not layer2 not via re0
01001 allow ip from any to any layer2 not via re0
01100 allow ip from any to any layer2 mac-type 0x0806
01100 allow ip from any to any layer2 mac-type 0x888e
01100 allow ip from any to any layer2 mac-type 0x88c7
01100 allow ip from any to any layer2 mac-type 0x8863
01100 allow ip from any to any layer2 mac-type 0x8864
01100 allow ip from any to any layer2 mac-type 0x8863
01100 allow ip from any to any layer2 mac-type 0x8864
01100 allow ip from any to any layer2 mac-type 0x888e
01101 deny ip from any to any layer2 not mac-type 0x0800
01102 skipto 20000 ip from any to any layer2
01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201 allow udp from any 68 to 192.168.0.74 dst-port 67 in
01202 allow udp from 192.168.0.74 67 to any dst-port 68 out
01203 allow icmp from 192.168.0.74 to any out icmptypes 8
01204 allow icmp from any to 192.168.0.74 in icmptypes 0
01300 allow udp from any to 192.168.0.74 dst-port 53 in
01300 allow udp from any to 192.168.0.74 dst-port 53 in
01301 allow udp from 192.168.0.74 53 to any out
01301 allow udp from 192.168.0.74 53 to any out
01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
01303 allow tcp from 192.168.0.74 8000 to any out
01303 allow tcp from 192.168.0.74 8000 to any out
10000 skipto 50000 ip from 192.168.0.14 to any in
10000 skipto 50000 ip from any to 192.168.0.14 out
19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 allow tcp from any 80 to any out
19904 deny ip from any to any
20000 deny ip from 192.168.0.14 to any not MAC any 00:a0:d1:be:4a:2e layer2 in
20000 deny ip from any to 192.168.0.14 not MAC 00:a0:d1:be:4a:2e any layer2 out
29900 allow ip from any to any layer2
65535 allow ip from any to any
As far as I understand, these rules
10000 skipto 50000 ip from 192.168.0.14 to any in
10000 skipto 50000 ip from any to 192.168.0.14 out
should let me get a working IMAP, SSH or anything-I-want, but this didn't happen :\
I'm using pfSense 1.2.2, but I have the problem with pfSense 1.2.0 too! I have the squid (transparent proxy), squidguard and havp packages installed.
Suggestions?
-
I've done some tests and I see that disabling squid as transparent proxy blocks web too, so I think the problem is that captive portal blocks all traffic, and web works only because pf acts before ipfw, redirecting web requests to the proxy in transparent mode.
Poking around in /etc/inc/captiveportal.inc I found the rule
add 19904 set 1 deny all from any to any
Dropping it, everything starts working correctly, but only web requests need to be authenticated, because if I start Thunderbird I can download my mail from the IMAP server; but I think that it's correct to drop that rule.
After I authenticate, I can browse normally without the transparent proxy if I drop that rule.
NOTE:
Trying a simple DNS lookup gives this result on LAN (using the packet capture feature):
13:17:10.940925 IP 192.168.0.14.2887 > 151.99.125.2.53: UDP, length 28
13:17:13.494964 IP 192.168.0.14.2888 > 151.99.125.2.53: UDP, length 28
13:17:15.497696 IP 192.168.0.14.2889 > 151.99.125.2.53: UDP, length 28
but nothing on WAN
(I ran the command twice, once with packet capture set on LAN and the second time with it set on WAN.)
-
No one can help?
-
Not resolved yet :\
I've reinstalled the system again, but I get exactly the same problem :\
-
UPDATE!!!
Finally … I've done a lot of tests and finally I found the problem!
Dropping the in/out parameter from the ipfw rules lets the connections work right!
I've removed the in/out suffix from the client rules in the captive portal index.php page (located in /usr/local/captiveportal) and in /etc/inc/captiveportal.inc:
/etc/inc/captiveportal.inc
/* lines 771-778: insert ipfw rule to allow ip thru,
   now without the trailing "in"/"out" qualifier */
if ($ipent['dir'] == "from") {
    mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
    mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
} else {
    mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
    mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
}
/usr/local/captiveportal/index.php
/* lines 279-292: per-client upload/download rules (pipe when a bandwidth
   limit is set, plain skipto otherwise), now without "in"/"out" */
if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) {
    $bw_up_pipeno = $ruleno + 40500;
    exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any");
    exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");
} else {
    exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any");
}
if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) {
    $bw_down_pipeno = $ruleno + 45500;
    exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip");
    exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");
} else {
    exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip");
}
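As an added diagnostic (not code from this thread or from pfSense), a small parser that reads `ipfw show`-style output, flags a logged-in client's skipto rules that still carry the in/out qualifier, names the catch-all deny they fall through to, and emits the qualifier-free rule the fix above produces. The sample ruleset is a constructed slice of the one posted at the top of the thread.

```python
import re

# Constructed sample: the rules from the thread that matter for client 192.168.0.14,
# with its per-login passthrough rules still carrying the "in"/"out" qualifier.
SAMPLE_RULES = """\
00030 skipto 50000 ip from any to any in via re1 keep-state
01000 skipto 50000 ip from any to any not layer2 not via re0
10000 skipto 50000 ip from 192.168.0.14 to any in
10000 skipto 50000 ip from any to 192.168.0.14 out
19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 allow tcp from any 80 to any out
19904 deny ip from any to any
65535 allow ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.*)$")

def parse_rules(text):
    """Parse `ipfw show`-style lines into (number, action, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def client_rules(rules, ip):
    """The per-login rules: those whose body names the client IP explicitly."""
    pat = re.compile(r"\b" + re.escape(ip) + r"\b")
    return [r for r in rules if pat.search(r[2])]

def find_issues(rules, ip):
    """Explain why a logged-in client could still hit the catch-all deny."""
    issues = []
    for num, action, body in client_rules(rules, ip):
        toks = body.split()
        # the captive portal's client rules put the direction qualifier last
        if action == "skipto" and toks[-1] in ("in", "out"):
            target = int(toks[0])
            # any deny between the skipto rule and its target catches packets
            # that the direction qualifier stopped this rule from matching
            denies = [n for n, a, _ in rules if a == "deny" and num < n < target]
            issues.append(f"rule {num} for {ip} only matches '{toks[-1]}' packets; "
                          f"non-matching packets fall through to deny rule(s) {denies}")
    return issues

def strip_direction(num, action, body):
    """Build the ipfw command the thread's fix produces: same rule, no in/out."""
    toks = body.split()
    if toks[-1] in ("in", "out"):
        toks = toks[:-1]
    return f"/sbin/ipfw add {num:05d} {action} {' '.join(toks)}"
```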
-
Last update :)
After applying this fix you no longer need another network interface to run captive portal on; you can use LAN too.
-
Just wanna ask a question;
I have a similar problem but the situation is something like this:
I have fixed computers that are on the pass-through MACs list of the CP.
Those computers are also on the static pool of the DHCP.
Firewall rules do apply to THOSE machines. But when I try to connect with a dynamic client, only the firewall rules which I set before turning CP on apply (80, 443 and the MSN Live login port).
They can't use the webcam on MSN nor play WoW. The symptoms are: new rules (which work ONLY for the statics) defined after turning CP on.
Old rules work for auth'ing clients, but not the new ones. Any ideas?