I'm trying to come up with a way to set up a network where [non-web] Internet access isn't blocked but only using certain ports/protocols; e.g. users can connect freely but only over a VPN tunnel (UDP 500/4500/1194/9993/etc.), and web traffic is redirected to internal resources, but as some sort of guidance, not to unlock access like a true captive portal.
In other words, I want there to be no need to launch a browser to allow traffic, but if there's web traffic, walled-garden it.
My idea was to use NAT+HAProxy with a wildcard match and use a 302/303 redirect to the correct site. The problem is that if I want to load additional pages from a site, the wildcard match would match them as well and I'd create a loop, so I'm back at the captive portal. :(
My question is: a portal with no authentication, a splash page portal, can it allow traffic without web requests? Or is it an absolute must like it is on a regular portal? Must the splash page be invoked? Is there such a thing as port whitelisting, like there's domain- or MAC address-whitelisting?
Thanks for your help. :)
Gertjan:
Is there such a thing as port whitelisting, like there's domain- or MAC address-whitelisting?
Short answer: Nope.
Long answer: you can answer your question and do something about it if you know how a captive portal works. See here for a start.
I'm pretty sure that the firewall used on pfSense, ipfw, can also handle rules that pass destination ports, or, to be more precise, a table with destination ports.
Between ipfw firewall rule 02216 and 2117 ( ^^ ) you should add something like:
# client -> Internet: pass packets whose destination port is in the table
ipfw add allow ip from any to any lookup dst-port YOUR-CP-ZONE_table_with_ports in
# Internet -> client: the reply carries the whitelisted port as its source port
ipfw add allow ip from any to any lookup src-port YOUR-CP-ZONE_table_with_ports out
(not tested!!)
and fill these two tables with the white listed port numbers.
Sorry : I just realise that if you understood what I said just above, you wouldn't have asked the question in the first place.
So, take my first, fast answer as the only possible answer.
Or place a feature request. (special needs need special coding).
Easiest way for what it sounds like you're trying to do is possible with just a basic firewall rule and NAT. Allow out what you want, and if calls go to other ports like 80/443 then redirect them to whatever target you want to sink them to. Could do something similar with a proxy and squidguard as well if the calls are all expected to be made via a browser, just don't try to actually decrypt the traffic or it's gonna cause all kinds of havoc.
@JobaTheNoob Actually… 🤨 that's kind of genius. Like a block-basically-anything sort of ruleset in Squidguard, right? And then, have Squidguard set the redirect. That's awesome!
Maybe I can work around setting a proxy using pfBlockerNG+Unbound, it's like a Squidguard... well, not really, but it does one part of what Squidguard does. If the proxy is really necessary, fine too, it's sitting on an open unencrypted network after all...
Thanks man, that was awesome.
A few ways to go about it, but I've used some similar tricks internally to send IMAP/SMTP traffic for a mail server directly to it, but calls to a webmail portal get passed over HAProxy for an SSL frontend.
Even without squid you could say Allow sources > any over select ports, then sources > any 80/443 NAT port-forward redirect to <internal web page with info here>, then drop all others.
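An added example, not from this thread, of what that last ruleset looks like in pf syntax on the firewall itself (pfSense builds equivalent rules from its GUI); the interface names, the guest subnet, the splash-page address and the DNS rule are assumed placeholders. The `! $splash` exclusion in the rdr rule is what avoids the redirect loop described in the first post.

```pf
# Assumed names: guest_if is the open/guest interface, wan_if the uplink,
# splash the internal web server holding the guidance page.
guest_if  = "em1"
wan_if    = "em0"
splash    = "10.10.0.5"
vpn_ports = "{ 500, 4500, 1194, 9993 }"   # UDP ports from the question

# Translation rules come first in pf.conf.
# Outbound NAT so the permitted VPN traffic can leave via the uplink.
nat on $wan_if from $guest_if:network to any -> ($wan_if)

# Any web request that is NOT already aimed at the splash host is sent there.
# Excluding $splash from the match is what prevents the loop: the page's own
# assets (images, CSS, follow-up links on that host) reach this rule but no
# longer match it, so they load normally.
rdr on $guest_if proto tcp from $guest_if:network to ! $splash port { 80, 443 } -> $splash

# Filter rules: deny by default on the guest side, then punch the holes.
block in log on $guest_if all

# DNS to the firewall's own resolver so VPN endpoints can be resolved by name
# (assumed to be needed; the thread only lists the VPN ports).
pass in quick on $guest_if proto { tcp, udp } from $guest_if:network to ($guest_if) port 53

# The whitelisted VPN ports go out untouched, no browser involved.
pass in quick on $guest_if proto udp from $guest_if:network to any port $vpn_ports

# After rdr the destination of web traffic is $splash, so one rule covers
# both direct hits and redirected ones. Redirected HTTPS still fails
# certificate validation in the client, as the thread notes; only plain
# HTTP actually shows the guidance page.
pass in quick on $guest_if proto tcp from $guest_if:network to $splash port { 80, 443 }
```

Check the file with `pfctl -nf /path/to/pf.conf` before loading it; everything not matched by a pass rule is logged and dropped by the block rule, which is where the "drop all others" step ends up.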