Netgate Discussion Forum

    staff account without ticket #solved

    Captive Portal
    solved
    17 Posts 4 Posters 1.3k Views
      currentUsername
      last edited by currentUsername

      Goodmorning everyone.
      I have a portal that works with pre-printed tickets to be given to visitors. I would like to avoid the paperwork for the staff by allowing them to have free internet access. How can I make it happen?
      For now I have thought about adding a DHCP reservation for those MACs. Then I add them as allowed IP addresses in the captive portal settings. I wonder if there is a correct configuration or is each one free to do as best he can?
      Thanks for your answers.

        Gertjan
        last edited by Gertjan

        Add their devices' MAC addresses to the MAC page and you're fine.
        Or: add static DHCP leases, and add their IP addresses on the "Allowed IP addresses" page (more work, same result).

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          currentUsername
          last edited by

          Quite right. Yours is faster. Thank you.

            Derelict LAYER 8 Netgate
            last edited by

            Or maybe your staff should be on a backend network not going through the portal at all.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              johnpoz LAYER 8 Global Moderator
              last edited by

              With Derelict here: why would you not just put staff on their own network, other than your guest network?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                currentUsername @johnpoz
                last edited by

                @johnpoz I misspoke. By "staff" I meant the sysadmins on hand who eventually do the maintenance.

                  Gertjan
                  last edited by

                  .... so what @Derelict and @johnpoz said is even more true.


                    currentUsername @Gertjan
                    last edited by

                    @Gertjan Sure. It is a low-budget network, but with separate subnets for employees and visitors. Now when, for example, I or a possible maintainer arrive to update the firmware of the access points, I would like him to be able to skip the round of tickets with the code.

                      Gertjan
                      last edited by

                      That's my job also: updating the firmware and settings of the APs.

                      My LAN is 192.168.1.1/24 - pfSense is using 192.168.1.1, the default address.

                      My captive portal network lives on 192.168.2.1/24 - AP1 has 192.168.2.2, AP2 192.168.2.3, etc. The DHCP range is 192.168.2.10 -> 192.168.2.254.

                      I can access the APs just fine from any PC connected to my LAN (my LAN firewall rules are ... the default settings == a pass-all rule).

                      So, again, admins should use LAN; non-trusted people (captive portal users) should use a separate LAN (== OPT1 or the captive portal's interface). Such a setup makes life so simple ... In case of problems, admins keep total control. No need to shut down the portal.
                      Admins should test-drive the portal access, of course, using a login code or voucher.


                        currentUsername @Gertjan
                        last edited by

                        @Gertjan I prefer to keep subnets well isolated from each other; you never know ...
                        That is to say, between two evils you choose the lesser one (apart from turning everything off and cutting the network cable, of course, ahhaha).

                          Gertjan @currentUsername
                          last edited by

                          @currentUsername said in staff account without ticket #solved:

                          I prefer to keep subnets well isolated from each other, you never know ...

                          Well, yeah, of course.
                          But: still, LAN uses the default firewall rules, because one should trust admins ^^
                          All other interfaces should have restrictions == adequate firewall rules. For example, captive portal users can't access pfSense (the GUI), can't access the resources on LAN, etc.

                          My captive portal rules :

                          (screenshot of the captive portal interface's firewall rules, not reproduced here)


                            currentUsername @Gertjan
                            last edited by

                            @Gertjan Here in Europe there are a lot of restrictions for administrators. So if it's a server, only from the KVM console; if it's a client, only from the distribution switch in the server room: move a cable for us and welcome to our home. So you keep control the old way and respect the Privacy Guarantor lurking with fines of thousands of euros. Yeah, I'm too old to remember all these firewall rules (of course I'm kidding).

                              Gertjan
                              last edited by

                              @currentUsername said in staff account without ticket #solved:

                              Here in Europe there are a lot of restrictions for administrators.

                              Europe?
                              Europe seems easy to me. All around me I have this special breed: French, as there are many of them in France. That's where I live.
                              I love it.
                              There are rules, yes. Among them is my favourite: "There are laws, but they exist for the others, not for me..."


                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                @Gertjan said in staff account without ticket #solved:

                                "There are laws, but they exist for the others, not for me..."

                                That is a great saying... What is the actual saying in French? I don't think google translate does it justice.

                                "Il y a des lois, mais elles existent pour les autres, pas pour mo"

                                Phrases like that normally always lose something in translation...

                                if client only from the distribution switch in server room move us a cable and welcome to our home.

                                Well, for starters, a "client" should not have access to said switch in the first place (it should be in a locked room). But even if they did, you should have NAC set up on such a network anyway, etc. etc.

                                If you're allowing the "guest" network to get to anything to update firmware, you're doing it WRONG!!! Be it that they auth, or have a MAC/IP bypass.


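Gertjan's description of his portal interface rules (portal users can reach the internet but not the pfSense GUI or the LAN) and johnpoz's point that a guest network must not reach management targets at all both come down to first-match rule ordering on the portal interface. The following is an added example, not code from the thread or from pfSense: a small Python model of a first-match rule set that evaluates a handful of constructed test flows and reports which ones the policy gets wrong. The addressing follows the layout Gertjan gives (LAN 192.168.1.0/24 with pfSense at 192.168.1.1, portal network 192.168.2.0/24 with pfSense at 192.168.2.1); the rule list, the check table and the public address 203.0.113.10 are assumptions made up for the illustration.

```python
"""Model of a pfSense-style first-match rule set for a captive portal interface.

Constructed example: addressing follows the layout described in the thread
(LAN 192.168.1.0/24, pfSense at 192.168.1.1; portal network 192.168.2.0/24,
pfSense at 192.168.2.1). The rules and the check table are illustrations,
not an export of anyone's configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    dst: IPv4Network             # destination network the rule matches
    dport: Optional[int] = None  # destination port, None matches any port


# Rules on the portal interface, top to bottom; first match wins, which is
# the evaluation order pfSense uses on an interface's rule tab.
CP_RULES = [
    Rule("pass", "udp", ip_network("192.168.2.1/32"), 53),   # DNS resolver on pfSense itself
    Rule("block", "any", ip_network("192.168.2.1/32")),      # anything else on pfSense: GUI, SSH
    Rule("block", "any", ip_network("192.168.1.0/24")),      # the admin LAN
    Rule("block", "any", ip_network("10.0.0.0/8")),          # remaining private ranges
    Rule("block", "any", ip_network("172.16.0.0/12")),
    Rule("block", "any", ip_network("192.168.0.0/16")),
    Rule("pass", "any", ip_network("0.0.0.0/0")),            # what is left: the internet
]

# The same rules with the catch-all pass moved to the top, a common mistake
# when a rule is added "to get things working" without regard to order.
MISORDERED_RULES = [CP_RULES[-1]] + CP_RULES[:-1]


def evaluate(rules, proto: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching rule, or the implicit default deny."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"


# What a portal client should and should not reach: (proto, destination, port, expected action).
EXPECTATIONS = {
    "dns_on_portal_gateway": ("udp", "192.168.2.1", 53, "pass"),
    "gui_on_portal_gateway": ("tcp", "192.168.2.1", 443, "block"),
    "gui_on_lan_address":    ("tcp", "192.168.1.1", 443, "block"),
    "ssh_on_lan_host":       ("tcp", "192.168.1.50", 22, "block"),
    "other_private_range":   ("tcp", "10.1.2.3", 80, "block"),
    "public_web":            ("tcp", "203.0.113.10", 443, "pass"),
}


def audit(rules) -> dict:
    """Map each expectation name to the action the rule set actually produces."""
    return {name: evaluate(rules, proto, dst, port)
            for name, (proto, dst, port, _expected) in EXPECTATIONS.items()}


def violations(rules) -> list:
    """Names of expectations the rule set gets wrong; an empty list means the policy holds."""
    actual = audit(rules)
    return sorted(name for name, (_p, _d, _port, expected) in EXPECTATIONS.items()
                  if actual[name] != expected)


if __name__ == "__main__":
    print("correct ordering:", violations(CP_RULES))
    print("pass-all on top :", violations(MISORDERED_RULES))
```

The second rule is what pfSense's "This Firewall (self)" destination expresses in the GUI; placing the DNS pass above it is what keeps name resolution working while the GUI stays unreachable. The misordered variant shows why the order matters: with the catch-all pass on top, every management target is reachable and the block rules below it never match. Note that traffic between two hosts on the same portal subnet never crosses pfSense, so interface rules cannot restrict it; that is a further reason for the advice in this thread to keep staff and management devices off the portal network.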
                                  currentUsername @Gertjan
                                  last edited by

                                  @Gertjan Doctor, it's more serious than you imagine. I am from Italy.

                                    Gertjan @johnpoz
                                    last edited by

                                    @johnpoz said in staff account without ticket #solved:

                                    "Il y a des lois, mais elles existent pour les autres, pas pour mo"

                                    That's .. euh... not said like that.

                                    You shouldn't / couldn't find it elsewhere; it's mine ©
                                    More some sort of private joke, as the culture shock (more like a massive impact) still persists after being in France for 30 years ...
                                    Remember: I'm Dutch.
                                    Still, people really do live in this country - a bit noisy, though.


                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      If it's yours, I might steal it; I like it a lot ;)

                                      But it would sound better if said in French, I think ;) I'd love to use it on a call when dealing with some of my French-speaking colleagues ;)


                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.