Captive Portal: no login screen



  • Hi everyone - looked everywhere, but even in IRC no one could help, so you all are my last hope :)

    Summary: The captive portal authentication page is not shown.

    System:

    • 1.2.3-RELEASE [just updated] on a dedicated server (as a VM),
    • no installed packages (I read that squid etc. could interfere with the CP, so I uninstalled it)
    • 3 interfaces (LAN, WLAN, WAN) and the CP is enabled on WLAN
    • DSL Router --- pfSense WAN - pfSense WLAN ------- Laptop as testing configuration (so no access point is involved)
    • I can enable/disable firewall rules (so routing is working), but the redirect to the CP login page does not work
    • the status page of the CP doesn't show any activity
    • for testing purposes I set all firewall rules to * * * ALLOW; nevertheless, no CP page is shown
    • it doesn't matter which authentication I choose, RADIUS or "local user" - neither works
    • tail var/log/lighttpd.error.log shows no problems
    • reboot/update to 1.2.3/1.2.2 does not help

    So what am I doing wrong? Should there be any firewall rules for the CP?

    Details:

    
    $ ipfw list
    00002 allow ip from any to any in recv re1
    00003 allow ip from any to 192.168.1.0/24 in recv re2
    00004 allow tcp from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } in recv re2
    00005 allow ip from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } dst-port 53 in recv re2
    00006 allow tcp from 127.0.0.0/8 to 192.168.3.0/24 in recv re2
    00007 allow tcp from any to not 192.168.0.0/16 dst-port 80 in recv re2
    00008 allow ip from any to any in recv re2
    00009 allow ip from any to any in recv re0
    00010 allow ip from 192.168.1.0/24 to any in recv re0
    00011 allow ip from any to any in recv re1
    00012 allow ip from any to 192.168.1.0/24 in recv re2
    00013 allow tcp from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } in recv re2
    00014 allow ip from 192.168.3.0/24 to { 192.168.1.254 or dst-ip 192.168.3.254 or dst-ip 192.168.4.254 } dst-port 53 in recv re2
    00015 allow tcp from 127.0.0.0/8 to 192.168.3.0/24 in recv re2
    00016 allow tcp from any to not 192.168.0.0/16 dst-port 80 in recv re2
    00017 allow ip from any to any in recv re2
    00018 allow ip from any to any in recv re0
    00019 allow ip from 192.168.1.0/24 to any in recv re0
    00030 skipto 50000 ip from any to any in via re0 keep-state
    00030 skipto 50000 ip from any to any in via re1 keep-state
    00500 allow pfsync from any to any
    00500 allow carp from any to any
    01000 skipto 50000 ip from any to any not layer2 not via re2
    01001 allow ip from any to any layer2 not via re2
    01100 allow ip from any to any layer2 mac-type 0x0806
    01100 allow ip from any to any layer2 mac-type 0x888e
    01100 allow ip from any to any layer2 mac-type 0x88c7
    01100 allow ip from any to any layer2 mac-type 0x8863
    01100 allow ip from any to any layer2 mac-type 0x8864
    01100 allow ip from any to any layer2 mac-type 0x8863
    01100 allow ip from any to any layer2 mac-type 0x8864
    01100 allow ip from any to any layer2 mac-type 0x888e
    01101 deny ip from any to any layer2 not mac-type 0x0800
    01102 skipto 20000 ip from any to any layer2
    01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
    01201 allow udp from any 68 to 192.168.3.254 dst-port 67 in
    01202 allow udp from 192.168.3.254 67 to any dst-port 68 out
    01203 allow icmp from 192.168.3.254 to any out icmptypes 8
    01204 allow icmp from any to 192.168.3.254 in icmptypes 0
    01300 allow udp from any to 192.168.3.254 dst-port 53 in
    01300 allow udp from any to 192.168.1.254 dst-port 53 in
    01301 allow udp from 192.168.3.254 53 to any out
    01301 allow udp from 192.168.1.254 53 to any out
    01302 allow tcp from any to 192.168.3.254 dst-port 8000 in
    01302 allow tcp from any to 192.168.1.254 dst-port 8000 in
    01303 allow tcp from 192.168.3.254 8000 to any out
    01303 allow tcp from 192.168.1.254 8000 to any out
    10000 skipto 50000 ip from any to 192.168.1.251 in
    10000 skipto 50000 ip from 192.168.1.251 to any out
    10001 skipto 50000 ip from any to 192.168.1.2 in
    10001 skipto 50000 ip from 192.168.1.2 to any out
    19902 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
    19903 allow tcp from any 80 to any out
    19904 deny ip from any to any
    29900 allow ip from any to any layer2
    65535 allow ip from any to any
    
    
    
    $ cat /tmp/rules.debug
    # System Aliases
    loopback = "{ lo0 }"
    lan = "{ re0  }"
    wan = "{ re1   }"
    enc0 = "{ enc0 }"
    WLAN = "{ re2 }"
    # User Aliases
    NetzInternGrafik = "{ 192.168.2.0/24 }"
    NetzInternVerwaltung = "{ 192.168.1.0/24 }"
    NetzwerkWLAN = "{ 192.168.3.0/24 }"
    m10 = "{ 192.168.2.10 }"
    m2 = "{ 192.168.1.2 }"
    m5 = "{ 192.168.1.5 }"
    m6 = "{ 192.168.1.6 }"
    m7 = "{ 192.168.1.7 }"
    m8 = "{ 192.168.1.254 192.168.3.254 192.168.4.254 }"
    m9 = "{ 192.168.1.9 }"
    
    set loginterface re1
    set loginterface re0
    set loginterface re2
    set optimization normal
    
    set skip on pfsync0
    scrub all random-id  fragment reassemble
    altq on re1 hfsc bandwidth 1500Kb queue { qwanRoot }
    altq on re0 hfsc bandwidth 10000Kb queue { qlanRoot }
    
    queue qwanRoot bandwidth 1500Kb priority 0 hfsc { qwandef, qwanacks,
    qVOIPUp, qP2PUp, qOthersUpH, qOthersUpL }
    queue qlanRoot bandwidth 10000Kb priority 0 hfsc { qlandef, qlanacks,
    qVOIPDown, qP2PDown, qOthersDownH, qOthersDownL }
    queue qwandef bandwidth 1% priority 1 qlimit 500 hfsc (  default
    realtime 1% )
    queue qlandef bandwidth 1% priority 1 qlimit 500 hfsc (  default
    realtime 1% )
    queue qwanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
    queue qlanacks bandwidth 25% priority 7 hfsc (  realtime 10% )
    queue qVOIPUp bandwidth 25% priority 7 hfsc (  realtime 32Kb )
    queue qVOIPDown bandwidth 25% priority 7 hfsc (  realtime 32Kb )
    queue qP2PUp bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn
    upperlimit 1000Kb realtime 1Kb )
    queue qP2PDown bandwidth 1% priority 1 qlimit 500 hfsc (  red ecn
    upperlimit 100Kb realtime 1Kb )
    queue qOthersUpH bandwidth 25% priority 4 hfsc (  red ecn realtime 1Kb )
    queue qOthersDownH bandwidth 25% priority 4 hfsc (  red ecn realtime 1Kb )
    queue qOthersUpL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn
    realtime 1Kb )
    queue qOthersDownL bandwidth 1% priority 2 qlimit 500 hfsc (  red ecn
    realtime 1Kb )
    
    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    # FTP proxy
    rdr-anchor "pftpx/*"
    
    # Outbound NAT rules
    nat on $wan from 192.168.0.0/16 to !192.168.0.0/16 -> (re1) port 1024:65535
    
    #SSH Lockout Table
    table <sshlockout>persist
    
    # Load balancing anchor - slbd updates
    rdr-anchor "slb"
    
    # FTP Proxy/helper
    table <vpns>{    }
    no rdr on re0 proto tcp from any to <vpns>port 21
    rdr on re0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    no rdr on re2 proto tcp from any to <vpns>port 21
    rdr on re2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
    
    # IMSpector rdr anchor
    rdr-anchor "imspector"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    block in all tag unshaped label "SHAPER: first match rule"
    pass in on  $wan from any  to 192.168.1.0/24 tos lowdelay  keep state
    tagged unshaped tag qVOIPUp
    pass out on $lan from any to 192.168.1.0/24 tos lowdelay keep state
    tagged qVOIPUp tag qVOIPDown
    pass in on  $lan from 192.168.1.0/24  to any tos lowdelay  keep state
    tagged unshaped tag qVOIPDown
    pass out on $wan from any to any tos lowdelay keep state tagged
    qVOIPDown tag qVOIPUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5900:5930
    keep state tagged unshaped tag qOthersUpH
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5900:5930
    keep state tagged qOthersUpH tag qOthersDownH
    pass in on  $wan proto ah from any  to 192.168.1.0/24  keep state tagged
    unshaped tag qOthersUpH
    pass out on $lan proto ah from any to 192.168.1.0/24 keep state tagged
    qOthersUpH tag qOthersDownH
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5900:5930
    keep state tagged unshaped tag qOthersDownH
    pass out on $wan proto tcp from any to any port 5900:5930 keep state
    tagged qOthersDownH tag qOthersUpH
    pass in on  $lan proto esp from 192.168.1.0/24  to any  keep state
    tagged unshaped tag qOthersDownH
    pass out on $wan proto esp from any to any keep state tagged
    qOthersDownH tag qOthersUpH
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3389  keep
    state tagged unshaped tag qOthersDownH
    pass out on $wan proto tcp from any to any port 3389 keep state tagged
    qOthersDownH tag qOthersUpH
    pass in on  $wan proto esp from any  to 192.168.1.0/24  keep state
    tagged unshaped tag qOthersUpH
    pass out on $lan proto esp from any to 192.168.1.0/24 keep state tagged
    qOthersUpH tag qOthersDownH
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 500  keep
    state tagged unshaped tag qOthersUpH
    pass out on $lan proto udp from any to 192.168.1.0/24 port 500 keep
    state tagged qOthersUpH tag qOthersDownH
    pass in on  $lan proto ah from 192.168.1.0/24  to any  keep state tagged
    unshaped tag qOthersDownH
    pass out on $wan proto ah from any to any keep state tagged qOthersDownH
    tag qOthersUpH
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1723  keep
    state tagged unshaped tag qOthersDownH
    pass out on $wan proto tcp from any to any port 1723 keep state tagged
    qOthersDownH tag qOthersUpH
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3389  keep
    state tagged unshaped tag qOthersUpH
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 3389 keep
    state tagged qOthersUpH tag qOthersDownH
    pass in on  $lan proto gre from 192.168.1.0/24  to any  keep state
    tagged unshaped tag qOthersDownH
    pass out on $wan proto gre from any to any keep state tagged
    qOthersDownH tag qOthersUpH
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1723  keep
    state tagged unshaped tag qOthersUpH
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 1723 keep
    state tagged qOthersUpH tag qOthersDownH
    pass in on  $wan proto gre from any  to 192.168.1.0/24  keep state
    tagged unshaped tag qOthersUpH
    pass out on $lan proto gre from any to 192.168.1.0/24 keep state tagged
    qOthersUpH tag qOthersDownH
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 500  keep
    state tagged unshaped tag qOthersDownH
    pass out on $wan proto udp from any to any port 500 keep state tagged
    qOthersDownH tag qOthersUpH
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6667:6670
    keep state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6667:6670
    keep state tagged qOthersUpL tag qOthersDownL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6667:6670
    keep state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 6667:6670 keep state
    tagged qOthersDownL tag qOthersUpL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5222  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 5222 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5223  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 5223 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 14534  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 14534 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 14534  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 14534 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 51234  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 51234 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 51234  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 51234 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 8767:8768
    keep state tagged unshaped tag qOthersDownL
    pass out on $wan proto udp from any to any port 8767:8768 keep state
    tagged qOthersDownL tag qOthersUpL
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5190  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto udp from any to 192.168.1.0/24 port 5190 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 5190  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto udp from any to any port 5190 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5269  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 5269 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 8767:8768
    keep state tagged unshaped tag qOthersUpL
    pass out on $lan proto udp from any to 192.168.1.0/24 port 8767:8768
    keep state tagged qOthersUpL tag qOthersDownL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5269  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5269 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5190  keep
    state tagged unshaped tag qOthersDownL
    pass out on $wan proto tcp from any to any port 5190 keep state tagged
    qOthersDownL tag qOthersUpL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5190  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5190 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5222  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5222 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5223  keep
    state tagged unshaped tag qOthersUpL
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5223 keep
    state tagged qOthersUpL tag qOthersDownL
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5900  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5900 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5900  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 5900 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3283  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 3283 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3283  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 3283 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 3283  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 3283 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 3283  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 3283 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 2340  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 2340 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 2340  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 2340 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5900  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 5900 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 5900  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 5900 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6666:6668
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6666:6668 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6666:6668
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6666:6668
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 137:139
    keep state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 137:139 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 137:139
    keep state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 137:139 keep state
    tagged qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 445  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 445 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 445  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 445 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 554  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 554 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 554  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 554 keep
    state tagged qwandef tag qlandef
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 161  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 161 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 161  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 161 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 161  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 161 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 161  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 161 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 7788  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 7788 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 7788  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 7788 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 6881:6999
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto udp from any to any port 6881:6999 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 6881:6999
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto udp from any to 192.168.1.0/24 port 6881:6999
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 5632  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 5632 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 5632  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 5632 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6881:6999
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6881:6999
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6881:6999
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6881:6999 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5999  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5999 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5999  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 5999 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 7668  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 7668 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 7668  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 7668 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5631  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5631 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5631  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 5631 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 1352  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 1352 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 1352  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 1352 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1352  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 1352 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1352  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 1352 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 3306  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 3306 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 3306  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 3306 keep
    state tagged qwandef tag qlandef
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 119  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 119 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 119  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 119 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 119  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 119 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 119  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 119 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 143  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 143 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 143  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 143 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 28864:28865
     keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 28864:28865
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5500:5503
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 5500:5503 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5500:5503
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5500:5503
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 4329  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 4329 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 28864:28865
     keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 28864:28865 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8038:8039
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 8038:8039
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8000:8100
    keep state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 8000:8100 keep state
    tagged qlandef tag qwandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 6346  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto udp from any to any port 6346 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 6346  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto udp from any to 192.168.1.0/24 port 6346 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8038:8039
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 8038:8039 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 4329  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 4329 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6699:6701
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6699:6701 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6346  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6346 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8311  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 8311 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8311  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 8311 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8888:8889
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 8888:8889
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6346  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6346 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 5190  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 5190 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6699:6701
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6699:6701
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6699  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6699 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6699  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6699 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 5190  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 5190 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 8000:8100
    keep state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 8000:8100
    keep state tagged qwandef tag qlandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 6346  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 6346 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 443  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 443 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 443  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 443 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 80  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 80 keep state
    tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 80  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 80 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 25  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 25 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 25  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 25 keep state
    tagged qwandef tag qlandef
    pass in on  $wan proto icmp from any  to 192.168.1.0/24  keep state
    tagged unshaped tag qwandef
    pass out on $lan proto icmp from any to 192.168.1.0/24 keep state tagged
    qwandef tag qlandef
    pass in on  $lan proto icmp from 192.168.1.0/24  to any  keep state
    tagged unshaped tag qlandef
    pass out on $wan proto icmp from any to any keep state tagged qlandef
    tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 110  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 110 keep
    state tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 110  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 110 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto udp from any  to 192.168.1.0/24 port 53  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto udp from any to 192.168.1.0/24 port 53 keep state
    tagged qwandef tag qlandef
    pass in on  $lan proto udp from 192.168.1.0/24  to any port 53  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto udp from any to any port 53 keep state tagged
    qlandef tag qwandef
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 1044:1045
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 1044:1045
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 4661:4665
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 4661:4665 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 4661:4665
    keep state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 4661:4665
    keep state tagged qP2PUp tag qP2PDown
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 6346  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 6346 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 1044:1045
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 1044:1045 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 412  keep
    state tagged unshaped tag qP2PUp
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 412 keep
    state tagged qP2PUp tag qP2PDown
    pass in on  $wan proto tcp from any  to 192.168.1.0/24 port 53  keep
    state tagged unshaped tag qwandef
    pass out on $lan proto tcp from any to 192.168.1.0/24 port 53 keep state
    tagged qwandef tag qlandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 53  keep
    state tagged unshaped tag qlandef
    pass out on $wan proto tcp from any to any port 53 keep state tagged
    qlandef tag qwandef
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 412  keep
    state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 412 keep state tagged
    qP2PDown tag qP2PUp
    pass in on  $lan proto tcp from 192.168.1.0/24  to any port 8888:8889
    keep state tagged unshaped tag qP2PDown
    pass out on $wan proto tcp from any to any port 8888:8889 keep state
    tagged qP2PDown tag qP2PUp
    pass in on  $lan from 192.168.1.0/24  to any  keep state tagged unshaped
    tag qP2PDown
    pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
    pass in on  $wan from any  to 192.168.1.0/24  keep state tagged unshaped
    tag qP2PUp
    pass out on $lan from any to 192.168.1.0/24 keep state tagged qP2PUp tag
    qP2PDown
    pass in on  $lan from 192.168.1.0/24  to any  keep state tagged unshaped
    tag qP2PDown
    pass out on $wan from any to any keep state tagged qP2PDown tag qP2PUp
    pass in on  $wan from any  to 192.168.1.0/24  keep state tagged unshaped
    tag qP2PUp
    pass out on $lan from any to 192.168.1.0/24 keep state tagged qP2PUp tag
    qP2PDown
    
    pass in quick on re2 proto tcp from any to 192.168.3.254 port { 8000
    8001 } keep state
    anchor "ftpsesame/*"
    anchor "firewallrules"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # snort2c
    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    # loopback
    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"
    
    # package manager early specific hook
    anchor "packageearly"
    
    # carp
    anchor "carp"
    
    # permit wan interface to ping out (ping_hosts.sh)
    pass quick proto icmp from 192.168.4.254 to any keep state
    
    # NAT Reflection rules
    
    # allow access to DHCP server on LAN
    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255
    port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to 192.168.1.254 port
    = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from 192.168.1.254 port = 67 to any
    port = 68 label "allow access to DHCP server on LAN"
    block in log quick on $wan proto udp from any port = 67 to
    192.168.1.0/24 port = 68 label "block dhcp client out wan"
    
    # LAN/OPT spoof check (needs to be after DHCP because of broadcast
    addresses)
    antispoof for re0
    antispoof for re2
    
    anchor "spoofing"
    # Support for allow limiting of TCP connections by establishment rate
    anchor "limitingesr"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on re1 all keep state tagged qwandef queue (qwandef,
    qwanacks) label "let out anything from firewall host itself"
    pass out quick on re1 all keep state tagged qVOIPUp queue (qVOIPUp,
    qwanacks) label "let out anything from firewall host itself"
    pass out quick on re1 all keep state tagged qP2PUp queue (qP2PUp,
    qwanacks) label "let out anything from firewall host itself"
    pass out quick on re1 all keep state tagged qOthersUpH queue
    (qOthersUpH, qwanacks) label "let out anything from firewall host itself"
    pass out quick on re1 all keep state tagged qOthersUpL queue
    (qOthersUpL, qwanacks) label "let out anything from firewall host itself"
    pass out quick on re1 all keep state queue (qwandef, qwanacks) label
    "let out anything from firewall host itself"
    pass out quick on re0 all keep state tagged qlandef queue (qlandef,
    qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state tagged qVOIPDown queue (qVOIPDown,
    qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state tagged qP2PDown queue (qP2PDown,
    qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state tagged qOthersDownH queue
    (qOthersDownH, qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state tagged qOthersDownL queue
    (qOthersDownL, qlanacks) label "let out anything from firewall host itself"
    pass out quick on re0 all keep state queue (qlandef, qlanacks) label
    "let out anything from firewall host itself"
    pass out quick on re2 all keep state  label "let out anything from
    firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out quick on re2 proto icmp keep state ( tcp.closed 5 ) label "let
    out anything from firewall host itself"
    pass out quick on $WLAN all keep state ( tcp.closed 5 ) label "let out
    anything from firewall host itself"
    
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick on re0 from any to 192.168.1.254 keep state label
    "anti-lockout web rule"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label
    "sshlockout"
    
    anchor "ftpproxy"
    anchor "pftpx/*"
    
    # User-defined aliases follow
    table <m8> { 192.168.1.254 192.168.3.254 192.168.4.254 }
    
    # Anchors for rules that might be matched by queues
    anchor qwanRoot tagged qwanRoot
    load anchor qwanRoot from "/tmp/qwanRoot.rules"
    anchor qlanRoot tagged qlanRoot
    load anchor qlanRoot from "/tmp/qlanRoot.rules"
    anchor qwandef tagged qwandef
    load anchor qwandef from "/tmp/qwandef.rules"
    anchor qlandef tagged qlandef
    load anchor qlandef from "/tmp/qlandef.rules"
    anchor qwanacks tagged qwanacks
    load anchor qwanacks from "/tmp/qwanacks.rules"
    anchor qlanacks tagged qlanacks
    load anchor qlanacks from "/tmp/qlanacks.rules"
    anchor qVOIPUp tagged qVOIPUp
    load anchor qVOIPUp from "/tmp/qVOIPUp.rules"
    anchor qVOIPDown tagged qVOIPDown
    load anchor qVOIPDown from "/tmp/qVOIPDown.rules"
    anchor qP2PUp tagged qP2PUp
    load anchor qP2PUp from "/tmp/qP2PUp.rules"
    anchor qP2PDown tagged qP2PDown
    load anchor qP2PDown from "/tmp/qP2PDown.rules"
    anchor qOthersUpH tagged qOthersUpH
    load anchor qOthersUpH from "/tmp/qOthersUpH.rules"
    anchor qOthersDownH tagged qOthersDownH
    load anchor qOthersDownH from "/tmp/qOthersDownH.rules"
    anchor qOthersUpL tagged qOthersUpL
    load anchor qOthersUpL from "/tmp/qOthersUpL.rules"
    anchor qOthersDownL tagged qOthersDownL
    load anchor qOthersDownL from "/tmp/qOthersDownL.rules"
    
    # User-defined rules follow
    pass in quick on $wan reply-to (re1 192.168.4.251) from any to any keep
    state  queue (qwandef, qwanacks)  label "USER_RULE"
    block in quick on $WLAN from any to 192.168.1.0/24  label "USER_RULE"
    pass in quick on $WLAN proto tcp from 192.168.3.0/24 to <m8> keep
    state  label "USER_RULE"
    pass in quick on $WLAN proto { tcp udp } from 192.168.3.0/24 to <m8> port = 53 keep state  label "USER_RULE"
    pass in quick on $WLAN proto tcp from {  127.0.0.0/8 } to 192.168.3.0/24
    keep state  label "USER_RULE"
    pass in quick on $WLAN proto tcp from any to { ! 192.168.0.0/16 } port =
    80 keep state  label "USER_RULE"
    pass in quick on $WLAN from any to any keep state  label "USER_RULE"
    pass in quick on $lan from any to any keep state  queue (qlandef,
    qlanacks)  label "USER_RULE"
    pass in quick on $lan from 192.168.1.0/24 to any keep state  queue
    (qlandef, qlanacks)  label "USER_RULE: Default LAN -> any"
    
    # VPN Rules
    
    pass in quick on re0 inet proto tcp from any to $loopback port 8021 keep
    state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on re0 inet proto tcp from any to $loopback port 21 keep
    state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on re1 inet proto tcp from port 20 to (re1) port > 49000
    flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    # enable ftp-proxy
    pass in quick on re2 inet proto tcp from any to $loopback port 8022 keep
    state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on re2 inet proto tcp from any to $loopback port 21 keep
    state label "FTP PROXY: Allow traffic to localhost"
    
    # IMSpector
    anchor "imspector"
    
    # uPnPd
    anchor "miniupnpd"
    
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log quick all label "Default deny rule"
    block out log quick all label "Default deny rule"
    
    
    $ cat /conf/config.xml
    
    <pfsense>
    	<version>3.0</version>
    	<lastchange/>
    	<theme>nervecenter</theme>
    	<system>
    		<optimization>normal</optimization>
    		<hostname>m8</hostname>
    		<domain>town.m.de</domain>
    		<username>admin</username>
    		<password>$kjhzkgSUZSKjZSJhshJS/</password>
    		<timezone>Etc/GMT-1</timezone>
    		<time-update-interval/>
    		<timeservers>0.pfsense.pool.ntp.org</timeservers>
    		<webgui>
    			<protocol>http</protocol>
    			<port>88</port>
    			<certificate/>
    			<private-key/>
    		</webgui>
    		<disablenatreflection>yes</disablenatreflection>
    		<ssh>
    			<authorizedkeys/>
    		</ssh>
    		<maximumstates/>
    		<shapertype/>
    		<dnsserver>192.168.1.251</dnsserver>
    		<dnsserver>192.168.1.2</dnsserver>
    		<firmware>
    			<alturl>
    				<enable/>
    				<firmwareurl>http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/.updaters</firmwareurl>
    			</alturl>
    		</firmware>
    	</system>
    	<interfaces>
    		<lan>
    			<if>re0</if>
    			<ipaddr>192.168.1.254</ipaddr>
    			<subnet>24</subnet>
    			<media/>
    			<mediaopt/>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    		</lan>
    		<wan>
    			<if>re1</if>
    			<mtu/>
    			<media/>
    			<mediaopt/>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    			<spoofmac>00:30:48:8f:56:ab</spoofmac>
    			<disableftpproxy/>
    			<ipaddr>192.168.4.254</ipaddr>
    			<subnet>24</subnet>
    			<gateway>192.168.4.251</gateway>
    		</wan>
    		<opt1>
    			<if>re2</if>
    			<descr>WLAN</descr>
    			<bridge/>
    			<ipaddr>192.168.3.254</ipaddr>
    			<subnet>24</subnet>
    			<gateway/>
    			<spoofmac>00:30:48:8f:56:aa</spoofmac>
    			<mtu/>
    			<enable/>
    		</opt1>
    	</interfaces>
    	<staticroutes>
    		<route>
    			<interface>lan</interface>
    			<network>192.168.2.0/24</network>
    			<gateway>192.168.1.250</gateway>
    			<descr>Netzwerk Grafik</descr>
    		</route>
    	</staticroutes>
    	<pppoe>
    		<username/>
    		<password/>
    	</pppoe>
    	<pptp>
    		<username/>
    		<password/>
    		<local/>
    	</pptp>
    	<bigpond>
    		<username/>
    		<password/>
    		<authserver/>
    		<authdomain/>
    		<minheartbeatinterval/>
    	</bigpond>
    	<dyndns>
    		<type>dyndns</type>
    		<username/>
    		<password/>
    	</dyndns>
    	<dhcpd>
    		<lan>
    			<range>
    				<from>192.168.1.10</from>
    				<to>192.168.1.245</to>
    			</range>
    		</lan>
    	</dhcpd>
    	<pptpd>
    		<mode/>
    		<redir/>
    		<localip/>
    	</pptpd>
    	<ovpn/>
    	<dnsmasq>
    		<enable/>
    		<regdhcp/>
    		<regdhcpstatic/>
    	</dnsmasq>
    	<snmpd>
    		<syslocation/>
    		<syscontact/>
    		<rocommunity>public</rocommunity>
    	</snmpd>
    	<diag>
    		<ipv6nat/>
    	</diag>
    	<bridge/>
    	<syslog>
    		<reverse/>
    		<nentries>50</nentries>
    	</syslog>
    	<nat>
    		<ipsecpassthru/>
    		<advancedoutbound>
    			<rule>
    				<source>
    					<network>192.168.0.0/16</network>
    				</source>
    				<sourceport/>
    				<descr>rule for LAN</descr>
    				<target/>
    				<interface>wan</interface>
    				<destination>
    					<address>192.168.0.0/16</address>
    				</destination>
    				<natport/>
    			</rule>
    			<enable/>
    		</advancedoutbound>
    	</nat>
    	<filter>
    		<rule>
    			<type>pass</type>
    			<interface>wan</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<any/>
    			</destination>
    		</rule>
    		<rule>
    			<type>block</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<network>lan</network>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp</protocol>
    			<source>
    				<network>opt1</network>
    			</source>
    			<destination>
    				<address>m8</address>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp/udp</protocol>
    			<source>
    				<network>opt1</network>
    			</source>
    			<destination>
    				<address>m8</address>
    				<port>53</port>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp</protocol>
    			<source>
    				<address>127.0.0.0/8</address>
    			</source>
    			<destination>
    				<network>opt1</network>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.0.0/16</address>
    				<not/>
    				<port>80</port>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>opt1</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<any/>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>lan</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<any/>
    			</destination>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<descr>Default LAN -> any</descr>
    			<interface>lan</interface>
    			<source>
    				<network>lan</network>
    			</source>
    			<destination>
    				<any/>
    			</destination>
    		</rule>
    	</filter>
    	<shaper>
    		<schedulertype>hfsc</schedulertype>
    		<queue>
    			<name>qwanRoot</name>
    			<associatedrule>0</associatedrule>
    			<priority>0</priority>
    			<parentqueue>on</parentqueue>
    			<bandwidth>1500</bandwidth>
    			<bandwidthtype>Kb</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qlanRoot</name>
    			<associatedrule>0</associatedrule>
    			<priority>0</priority>
    			<parentqueue>on</parentqueue>
    			<bandwidth>10000</bandwidth>
    			<bandwidthtype>Kb</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qwandef</name>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<defaultqueue>true</defaultqueue>
    			<priority>1</priority>
    			<realtime>on</realtime>
    			<realtime3>1%</realtime3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<queue>
    			<name>qlandef</name>
    			<priority>1</priority>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<defaultqueue>true</defaultqueue>
    			<realtime>on</realtime>
    			<realtime3>1%</realtime3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<queue>
    			<name>qwanacks</name>
    			<ack/>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>7</priority>
    			<realtime>on</realtime>
    			<realtime3>10%</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qlanacks</name>
    			<ack/>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>7</priority>
    			<realtime>on</realtime>
    			<realtime3>10%</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qVOIPUp</name>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>7</priority>
    			<realtime>on</realtime>
    			<realtime3>32Kb</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qVOIPDown</name>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>7</priority>
    			<realtime>on</realtime>
    			<realtime3>32Kb</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qP2PUp</name>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>1</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<upperlimit>on</upperlimit>
    			<upperlimit3>1000Kb</upperlimit3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<queue>
    			<name>qP2PDown</name>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>1</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<upperlimit>on</upperlimit>
    			<upperlimit3>100Kb</upperlimit3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<queue>
    			<name>qOthersUpH</name>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>4</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qOthersDownH</name>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>4</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<bandwidth>25</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    		</queue>
    		<queue>
    			<name>qOthersUpL</name>
    			<attachtoqueue>qwanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>2</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<queue>
    			<name>qOthersDownL</name>
    			<attachtoqueue>qlanRoot</attachtoqueue>
    			<associatedrule>0</associatedrule>
    			<priority>2</priority>
    			<red>on</red>
    			<ecn>on</ecn>
    			<realtime>on</realtime>
    			<realtime3>1Kb</realtime3>
    			<bandwidth>1</bandwidth>
    			<bandwidthtype>%</bandwidthtype>
    			<qlimit>500</qlimit>
    		</queue>
    		<rule>
    			<descr>DiffServ/Lowdelay/Download</descr>
    			<inqueue>qVOIPUp</inqueue>
    			<outqueue>qVOIPDown</outqueue>
    			<in-interface>wan</in-interface>
    			<out-interface>lan</out-interface>
    			<source>
    				<any/>
    			</source>
    		</rule>
    	</shaper>
    </pfsense>
    


  • On CP interface (I now have CP disabled since it's not working but when it worked it did so with these rules..) I have the following FW rules in place:

    PASS TCP/UDP  GUEST net  *  n.n.n.n.1  53 (DNS)  *
    BLOCK TCP/UDP  GUEST net  *  *  53 (DNS)  *
    BLOCK *  GUEST net  *  LAN net  *  *
    PASS *  GUEST net  *  *  *  *

    where n.n.n.n.1 is the pfS GW address on that net.

    The idea is to allow only local DNS for clients (to not allow people to circumvent OpenDNS blockings if used) and to disallow LAN network and allow everything else (=Internet).

    If you only have the last rule it should work. Not sure if you would hit CP (if working) first or if FW would prevent even that contact if the rule is absent; the latter would feel logical.

    Just like in the case with my pfS 1.2.3RC1 there must be something causing the malfunctioning, leftovers from previously installed packages causing trouble even though they shouldn't or something; perhaps this is a random bug of some sort, I don't know. I'm mostly puzzled that no one seems to be able to outline a troubleshooting procedure that would pin these problems down. Perhaps there's more help in the pfS book.

    Cheers,



  • Having this same problem right now. If I manually go to https://192.168.1.1:8000 I can log in and then things work. Captive portal should automatically redirect me there if I'm not logged in though.



  • hmm - not even that (accessing https://192.168.1.1:8000) works at my system…

    Does anybody know how to debug any further? What processes should run, what logfiles should I look into...?



  • I can't get Captive Portal to work…
    Never redirects me to the login page..
    I can surf directly...

    http://<gateway>:8000 works.. gives me the login page..
    Login works..

    But I can already surf so the login is superfluous...



  • Just my 2 cents.

    1. Enable DNS Forwarding
    2. Under DHCP Server
      Gateway Address = LAN Address
      DNS 1 = LAN Address
      DNS 2 = Blank

    You may now renew using your dhclient or ipconfig /renew (on win).

    Also, try disabling squid proxy just for testing, and if there's an assigned proxy for your browser.

    Regards.



  • I tried that.. didn't help.. even did a hard reboot on my pfsense…
    :(



  • Can you share your hardware specs?

    And can you reinstall your pfsense?

    • use default configuration, but only editing your LAN and WAN. and get internet connection working

    • enable captive portal.

    • don't add any packages yet, and don't enable traffic shaping and all sorts of that, just the default.

    • if you get captive portal working, by then you'll add one by one what you need so that you will know what's interfering with CP.

    So far my new installation works perfectly
    – with or without radius

    packages

    • with bandwidthD
    • with IMSpector
    • with Dashboard


  • @axscode:

    Just my 2 cents.

    1. Enable DNS Forwarding
    2. Under DHCP Server
       Gateway Address = LAN Address
       DNS 1 = LAN Address
       DNS 2 = Blank

    You may now renew using your dhclient or ipconfig /renew (on win).

    Also, try disabling squid proxy just for testing, and if there's an assigned proxy for your browser.

    Regards.

    I had the same problem. The login page wouldn't appear and I had to manually navigate to http://ip:8000.
    The problem existed from the 1.2.3 RC's to the final version.
    As DNS servers on the DHCP I had DNS from Opendns.
    I removed the Open DNS servers from the DHCP page leaving it blank (the DNS forwarder is enabled) and everything works like a charm!!!

    Thanx axscode!!!
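
A client-side pre-flight for the advice in axscode's post and mrvanity's confirmation above (and for JeanSeb's rules earlier in the thread that allow guest DNS only to the pfS gateway), added here as an example and not part of any post: it checks whether a guest's DHCP lease points both gateway and DNS at the portal interface, and classifies the reply an unauthenticated client gets for an arbitrary http:// URL. Assumed: the portal interface address and subnet, the port 8000 listener several posts mention, and constructed sample leases and replies (203.0.113.53 is a TEST-NET-3 stand-in for an external resolver).

```python
"""Captive-portal redirect pre-flight for a pfSense guest network.

Added example for this thread (not pfSense code).  It encodes the advice given
above: before login, a Captive Portal client may only resolve names through the
firewall itself, so the DHCP lease must hand out the portal interface address
as default gateway AND as the only DNS server (with the DNS forwarder enabled).
A client pointed at an external resolver resolves nothing, never sends the HTTP
request the portal would intercept, and so never sees the login page.  The
login page itself listens on port 8000 of the gateway, as several posts note.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PORTAL_PORT = 8000  # pfSense 1.2.x captive portal listener (from the thread)
REDIRECT_CODES = (301, 302, 303, 307)


@dataclass
class Lease:
    """What DHCP handed the client (read off ipconfig /all or a dhclient lease)."""
    address: str
    gateway: str
    dhcp_server: str
    dns: List[str] = field(default_factory=list)


def diagnose_lease(lease: Lease, portal_if_addr: str, portal_net: str) -> List[str]:
    """Return findings that would stop the portal redirect; [] means the lease is fine."""
    findings: List[str] = []
    net = ip_network(portal_net)
    if ip_address(lease.address) not in net:
        findings.append(f"client {lease.address} is not in portal net {portal_net}")
    if lease.gateway != portal_if_addr:
        findings.append(f"gateway {lease.gateway} is not the portal interface {portal_if_addr}")
    if lease.dhcp_server != portal_if_addr:
        findings.append(f"lease came from {lease.dhcp_server}, not the firewall: "
                        "a rogue or misconfigured DHCP server on the guest net")
    if not lease.dns:
        findings.append("no DNS server in lease: the browser cannot resolve anything")
    for srv in lease.dns:
        if ip_address(srv) not in net:
            findings.append(f"DNS server {srv} is off-net: blocked before login, so no HTTP "
                            "request ever reaches the portal and no redirect happens")
        elif srv != portal_if_addr:
            findings.append(f"DNS server {srv} is on-net but not the firewall; only the "
                            "firewall's forwarder is reachable before login")
    return findings


def classify_response(status: int, location: Optional[str], portal_if_addr: str) -> str:
    """Classify what an UNAUTHENTICATED client got back for an arbitrary http:// URL.

    redirected-to-portal : the portal intercepted the request (expected behaviour)
    passed-through       : the page loaded without login (the 'I can surf' symptom)
    redirected-elsewhere : a redirect, but not to <gateway>:8000
    no-response-or-error : timeout (pass status 0), reset or an HTTP error
    """
    if status in REDIRECT_CODES and location:
        parts = urlsplit(location)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if parts.hostname == portal_if_addr and port == PORTAL_PORT:
            return "redirected-to-portal"
        return "redirected-elsewhere"
    if 200 <= status < 300:
        return "passed-through"
    return "no-response-or-error"


def run_samples() -> Dict[str, object]:
    """Constructed samples: a working lease, a broken one, and two captured replies."""
    portal = "192.168.0.1"
    good = Lease("192.168.0.49", portal, portal, [portal])  # values as in Burken's ipconfig
    # Constructed: same lease but DNS points at an external resolver (203.0.113.53 is a
    # TEST-NET-3 stand-in for the OpenDNS addresses mrvanity removed from his DHCP page).
    external_dns = Lease("192.168.0.49", portal, portal, ["203.0.113.53"])
    # Constructed captured replies to GET http://example.com/ from an unauthenticated client.
    intercepted = (302, f"http://{portal}:{PORTAL_PORT}/index.php?redirurl=http%3A%2F%2Fexample.com%2F")
    leaked = (200, None)
    return {
        "good_lease": diagnose_lease(good, portal, "192.168.0.0/24"),
        "external_dns_lease": diagnose_lease(external_dns, portal, "192.168.0.0/24"),
        "intercepted": classify_response(*intercepted, portal),
        "leaked": classify_response(*leaked, portal),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Run it against a real lease by filling a `Lease` from `ipconfig /all` (or the dhclient lease file) and against the status and Location header your browser's developer tools show for a plain http:// request made before logging in.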



  • I use

    My pfsense has 7 Interfaces enabled..
    WAN  - DHCP from ISP
    WAN1  - DHCP from ISP
    WAN2  - DHCP from ISP
    WAN3  - DHCP from ISP
    WAN4  - DHCP from ISP
    LAN  - 192.168.1.0/24
    GUEST - 192.168.0.0/24 - Captive Portal Enabled - DHCP Enabled. No DNS, GW edited. Interface ip 192.168.0.1

    Guest Firewall Rules:
    Allow
    Proto:

    Source:
    Guest NET
    Port

    Desti

    Port

    Gateway
    LoadBalance

    (and yes I have tried without the loadbalance rule)

    Packages installed:
    bandwidthd
    phpSysInfo
    rate

    ipconfig /all from computer connected to GUEST:
      Anslutningsspecifika DNS-suffix . : burken.biz
      Beskrivning . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E
    Gigabit Ethernet NIC (NDIS 6.0)
      Fysisk adress . . . . . . . . . . : 00-23-8B-A8-DE-57
      DHCP activated. . . . . . . . . . : Ja
      Autokonfiguration activated. . . : Ja
      IPv4-adress . . . . . . . . . . . : 192.168.0.49(Standard)
      Nätmask . . . . . . . . . . . . . : 255.255.255.0
      Lånet erhölls . . . . . . . . . . : den 12 januari 2010 17:35:08
      Lånet upphör. . . . . . . . . . . : den 12 januari 2010 19:35:08
      Standard-gateway. . . . . . . . . : 192.168.0.1
      DHCP-server . . . . . . . . . . . : 192.168.0.1
      DNS-servrar . . . . . . . . . . . : 192.168.0.1
      NetBIOS över TCP/IP . . . . . . . : activated



  • @mrvanity, Glad to hear that it works for you..

    @Burken, I am sorry mate, haven't tried CP on multiple WANs



  • @axscode:

    @Burken, I am sorry mate, haven't tried CP on multiple WANs

    My setup consists on 2 wan connections and it works ok.
    (see my setup here)
    http://forum.pfsense.org/index.php/topic,16338.msg84899.html#msg84899



  • Well done mate. maybe you can share with burken some of your notes.



  • I don't think the multiple WAN is the problem.
    I can just change so everything goes out to the normal WAN interface.. I will still never get navigated to the login screen…

    I have 192.168.0.1 as DNS server..

    :(



  • One of the differences I see in your setup is that you use a wlan interface.
    My LAN interface ends up to a structure of ~50 AP's.
    If it is possible, try to use an ethernet AP and test again..



  • I don't use WLAN.
    GUEST is FastEthernet-RJ45 to my neighbors computer.


Locked