[FIXED] Captive Portal blocks all after login too (was Cap.Por. blocks…......)



  • Hi,

    I've noticed that captive portal blocks everything except HTTP requests. Is there a way to get all ports working after a login? I was looking at the firewall rules and it shouldn't block ports after a login is done.

    IPFW rules after I logged in from the browser

    
    00030 skipto 50000 ip from any to any in via re1 keep-state
    00500 allow pfsync from any to any
    00500 allow carp from any to any
    00500 allow ip from 192.168.0.74 to any out via re0
    00501 allow ip from any to 192.168.0.74 in via re0
    01000 skipto 50000 ip from any to any not layer2 not via re0
    01001 allow ip from any to any layer2 not via re0
    01100 allow ip from any to any layer2 mac-type 0x0806
    01100 allow ip from any to any layer2 mac-type 0x888e
    01100 allow ip from any to any layer2 mac-type 0x88c7
    01100 allow ip from any to any layer2 mac-type 0x8863
    01100 allow ip from any to any layer2 mac-type 0x8864
    01100 allow ip from any to any layer2 mac-type 0x8863
    01100 allow ip from any to any layer2 mac-type 0x8864
    01100 allow ip from any to any layer2 mac-type 0x888e
    01101 deny ip from any to any layer2 not mac-type 0x0800
    01102 skipto 20000 ip from any to any layer2
    01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
    01201 allow udp from any 68 to 192.168.0.74 dst-port 67 in
    01202 allow udp from 192.168.0.74 67 to any dst-port 68 out
    01203 allow icmp from 192.168.0.74 to any out icmptypes 8
    01204 allow icmp from any to 192.168.0.74 in icmptypes 0
    01300 allow udp from any to 192.168.0.74 dst-port 53 in
    01300 allow udp from any to 192.168.0.74 dst-port 53 in
    01301 allow udp from 192.168.0.74 53 to any out
    01301 allow udp from 192.168.0.74 53 to any out
    01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
    01302 allow tcp from any to 192.168.0.74 dst-port 8000 in
    01303 allow tcp from 192.168.0.74 8000 to any out
    01303 allow tcp from 192.168.0.74 8000 to any out
    10000 skipto 50000 ip from 192.168.0.14 to any in
    10000 skipto 50000 ip from any to 192.168.0.14 out
    19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
    19903 allow tcp from any 80 to any out
    19904 deny ip from any to any
    20000 deny ip from 192.168.0.14 to any not MAC any 00:a0:d1:be:4a:2e layer2 in
    20000 deny ip from any to 192.168.0.14 not MAC 00:a0:d1:be:4a:2e any layer2 out
    29900 allow ip from any to any layer2
    65535 allow ip from any to any
    
    

    As far as I understand, these rules
    10000 skipto 50000 ip from 192.168.0.14 to any in
    10000 skipto 50000 ip from any to 192.168.0.14 out

    should let me get IMAP, SSH or everything-I-want working, but this didn't happen :\

    I'm using pfSense 1.2.2, but I have the problem with pfSense 1.2.0 too! I have squid with transparent proxy, squidguard and havp packages installed.

    Suggestions?



  • I've done some tests and I see that disabling squid as transparent proxy blocks web too, so I think that the problem is that captive portal blocks all the traffic, and web works only because pf acts before ipfw, redirecting web requests to the proxy in transparent mode.

    Poking around in /etc/inc/captiveportal.inc I found the rule
    add 19904 set 1 deny all from any to any

    Dropping it, everything starts working correctly, but only web requests need to be authenticated, because if I start Thunderbird I can download my mail from the IMAP server; but I think that dropping that rule is correct.

    After I authenticate, I can browse normally without the transparent proxy if I drop that rule.

    NOTE:

    Trying to do a simple DNS lookup gives this result on LAN (using the packet capture feature)
    13:17:10.940925 IP 192.168.0.14.2887 > 151.99.125.2.53: UDP, length 28
    13:17:13.494964 IP 192.168.0.14.2888 > 151.99.125.2.53: UDP, length 28
    13:17:15.497696 IP 192.168.0.14.2889 > 151.99.125.2.53: UDP, length 28

    but nothing on WAN

    (I executed the command two times, once with packet capture set on LAN and the second time with it set on WAN)



  • No one can help?



  • Not resolved yet :\

    I've reinstalled the system another time but I get exactly the same problem :\



  • UPDATE!!!

    Finally … I've done a lot of tests and finally I found the problem!

    Dropping the in/out parameter from the ipfw rules lets the connections work right!

    I've removed the in/out suffix from the client rules in the captive portal index.php page (located in /usr/local/captiveportal) and in /etc/inc/captiveportal.inc

    /etc/inc/captiveportal.inc

    
            /* insert ipfw rule to allow ip thru */
            if ($ipent['dir'] == "from") {
                mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
                mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
            } else {
                mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip']);
                mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any");
            }
    
    

    /usr/local/captiveportal/index.php

    
        if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) {
            $bw_up_pipeno = $ruleno + 40500;
            exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any");
            exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");
        } else {
            exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any");
        }
        if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) {
            $bw_down_pipeno = $ruleno + 45500;
            exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip");
            exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");
        } else {
            exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip");
        }
    
    


  • Last update :)

    With this fix applied you no longer need another network interface to run captive portal on; you can use LAN too.



  • Just wanna ask a question:

    I have a similar problem, but the situation is something like this:

    I have fixed computers that are on the pass-through MACs list of the CP.
    Those computers are also in the static pool of the DHCP.
    Firewall rules do apply to THOSE machines.

    But when I try to connect with a dynamic client, only the firewall rules I set before turning CP on apply (80, 443 and the MSN Live login port).
    They can't use the webcam on MSN nor play WoW.

    The symptoms are: new rules (which work ONLY for the static ones) were defined after turning CP on.
    Old rules work for auth'ing clients, but not the new ones.

    Any ideas?

