particular configuration on pfsense


  • hi everyone, I don't understand how to make this configuration:

    I have three pfSense boxes; each manages a separate wifi access, with captive portal and freeradius for accounting and authorization.

    each account has a traffic share

    my problem is the following:
    how can I set up pfSense so that the traffic to a specific destination outside the corporate network is reachable independently of the authentication, and so that the generated traffic is not counted by freeradius?

    every suggestion is open, thanks

  • Netgate Administrator

    You can add IPs to the 'Allowed IP Addresses' list in the captive portal. That will allow clients to access them without authenticating in the portal.

    Steve


  • @stephenw10
    ok, but how do I tell the radius not to count the traffic to these destinations in its users traffic quota?

  • Netgate Administrator

    If they do not login then obviously it will not see that data. I'm unsure what would happen in the situation where they have logged in already and then visit the site. I could imagine it does not send the accounting traffic to Radius if it by-passes the CP. Have you tested it?

    Steve


  • @stephenw10
    I'll try it tomorrow! I hope it works well, thanks!


  • Interesting question.

    Consider the firewall tables, the ones that handle the accounting: the ipfw rules and tables.
    The ZONE_allowed_up and ZONE_allowed_down tables are higher up, meaning used earlier, than the two tables ZONE_auth_down and ZONE_auth_up. The latter contain the authenticated users (their IP/MAC) and the pipe numbers used to count traffic bytes.
    The first two tables, ZONE_allowed_up and ZONE_allowed_down, contain the "pass through" IPs and the "host names resolved to IPs".
    Running radius manually (stop freeradius in the GUI and start it on the command line with radiusd -X) shows that only traffic from the 'authenticated' tables is used to count actual traffic.

    Btw, I'm using a SQL database as a freeradius administration scratch pad, and it contains, among others, the pipe that is used for traffic counting, called nasportid. This is the pipe number that counts the traffic.

    So, it really looks like visiting these:

    [screenshot]

    can be considered a free ride.
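
An added example (not code from the post or from pfSense) that models the table order the post describes: the allowed tables match before the auth tables, so a packet to a pass-through host never reaches an accounting pipe. Addresses, the pipe number 2000 and the byte counts are constructed sample values; `CaptivePortalZone`, `process`, `quota_exhausted` and `run_scenario` are hypothetical names.

```python
# Hypothetical model of the captive-portal ipfw table order described above.
# Not pfSense code: it only reproduces the evaluation order (allowed tables
# before auth tables) so the accounting consequence can be checked.
# All addresses, pipe numbers and byte counts are constructed sample values.

class CaptivePortalZone:
    def __init__(self, allowed_ips, auth_clients):
        # ZONE_allowed_up/down: pass-through destinations (Allowed IPs/Hostnames)
        self.allowed = set(allowed_ips)
        # ZONE_auth_up/down: authenticated client IP -> pipe number (nasportid)
        self.auth = dict(auth_clients)
        # bytes seen per pipe; this is what freeradius accounting gets to see
        self.pipe_bytes = {}

    def process(self, src, dst, nbytes):
        """Return the rule that matched a packet and account it if a pipe did."""
        # Allowed tables sit higher in the ruleset, so they match first and
        # the packet never reaches an accounting pipe.
        if src in self.allowed or dst in self.allowed:
            return "allowed"
        # Auth tables next: only a logged-in client (src for upload, dst for
        # download) passes, and its pipe counts the bytes.
        client = src if src in self.auth else dst if dst in self.auth else None
        if client is None:
            return "portal"  # no match: the client is sent to the portal login
        pipe = self.auth[client]
        self.pipe_bytes[pipe] = self.pipe_bytes.get(pipe, 0) + nbytes
        return f"pipe {pipe}"

def quota_exhausted(used_octets, max_octets):
    """Mirror of the datacounter check: used-octets against max-octets."""
    return used_octets >= max_octets

def run_scenario():
    """Replay the thread's test: allowed site before login, then after login."""
    zone = CaptivePortalZone(
        allowed_ips={"203.0.113.10"},   # constructed: the allowed hostname's IP
        auth_clients={},
    )
    phone, allowed_site, video_site = "192.0.2.50", "203.0.113.10", "198.51.100.7"
    results = {}
    # 1) virgin phone, not logged in
    results["pre_login_allowed"] = zone.process(phone, allowed_site, 50_000)
    results["pre_login_other"] = zone.process(phone, video_site, 50_000)
    # 2) the phone logs in and is added to the auth table with pipe 2000
    zone.auth[phone] = 2000
    results["post_login_video"] = zone.process(video_site, phone, 3_000_000)
    results["post_login_allowed"] = zone.process(allowed_site, phone, 400_000)
    results["pipe_bytes"] = dict(zone.pipe_bytes)
    return results
```

The allowed-site bytes never land in pipe 2000, so the user's quota is only consumed by the video traffic.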

  • Netgate Administrator

    Yeah, that's what I would imagine happens but I'm not sure I've ever seen anyone test it. It will be good to see a result.

    Steve


  • @stephenw10
    Fantastic, it works perfectly!
    Then ... in CP ALLOWED HOSTNAMES I added the destination www.salini-impregilo.com
    in freeradius I removed the e.tomei user
    in /var/log/radacct/datacounter/daily I deleted max-octets-e.tomei and used-octets-e.tomei
    in freeradius the user was recreated with a 10 Mb quota

    I am attaching some screenshots; they are not well ordered but they serve the purpose

    first test with a virgin phone
    access to wifi-koysha OFFICE without entering credentials
    the salini-impregilo.com website is perfectly accessible

    second test with the same phone
    I opened the android alert and completed logging into the SSID
    I opened youtube and started a video ... which after 61 seconds stopped ... with 3Mb of share quite difficult
    I reopened www.salini-impregilo.com and I can consult it and open the links within the domain!