Netgate Discussion Forum

    Captive portal and network security

    • jades

      Hello,
      I just started playing around with captive portal. I see that before and after a user connects using captive portal, they have access to other devices and servers on the network. I know that the workaround for this is to use opt1, but even if opt1 is used, is there a way to prevent devices on the opt1 network from seeing each other, whether or not the user authenticates?

      • jimp (Rebel Alliance Developer, Netgate)

        You would need some kind of layer 2 security for that, as in on the switches if this is all wired.

        There are different techniques that switches can use to do this kind of thing (Private VLANS/PVLANS and such) but there is no way a router or gateway device can prevent hardwired systems from seeing each other on a switch.

        A wireless access point is different, however: there is an option in the access point config to disallow inter-client communication, because that all gets relayed through the AP.

        • Gertjan

          As Jimp said, most "good" APs can be told to disallow connections between their clients.
          This is called "client isolation".

          But, if you have more than one AP then you need to toy with the firewalls of these APs – I included also some ebtables stuff (is this level 2 comm ??)

          This is what I've included in mine :
          # load the ebtables modules: the broute table, IPv4 matching and the redirect target
          /sbin/insmod ebtables
          /sbin/insmod ebtable_filter
          /sbin/insmod ebtable_broute
          /sbin/insmod ebt_ip
          /sbin/insmod ebt_redirect
          # let DHCP (ports 67-68) and ARP through from the wifi interface
          ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT
          ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT
          ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT
          # drop every other frame from eth1 that is not addressed to the pfSense OPT1 MAC
          ebtables -t broute -A BROUTING -i eth1 -d ! 00:0f:b5:fe:6b:fb -j redirect --redirect-target DROP

          What this all means is that DHCP broadcasting is allowed, as is ARP messaging.
          All other communication coming from ‘eth1’ (the wifi interface in my AP) which doesn’t have “00:0f:b5:fe:6b:fb” as destination will be dropped.
          “00:0f:b5:fe:6b:fb” is the MAC of my Opt1 interface in my pfSense box.
          This brings all inter client communication to a halt.
          They can’t administer my APs either.
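The ruleset above as a reviewable function, added here as an example and not Gertjan's script or anything shipped by pfSense. It assumes a Linux AP with legacy ebtables and its "broute" table (ebtables-nft does not implement broute the same way); the interface name and the gateway MAC are parameters, and the values used at the bottom are constructed placeholders. It validates the MAC before emitting anything, because a typo in that address would drop traffic to the gateway as well as between clients, and it only allows UDP for DHCP, since DHCP does not use TCP.

```shell
#!/bin/sh
# Added example, not code from the forum post: generate the AP-side client
# isolation rules so they can be reviewed (dry run) before being applied.
# Assumes legacy ebtables with the "broute" table on a Linux access point.

# isolation_rules WIFI_IF GATEWAY_MAC
# Prints one ebtables command per line: DHCP (UDP 67/68) and ARP may pass,
# every other frame entering WIFI_IF that is not addressed to GATEWAY_MAC is
# dropped at bridge level, which stops client-to-client traffic via the AP.
isolation_rules() {
    iface=$1
    gwmac=$2
    hex='[0-9a-fA-F][0-9a-fA-F]'
    # refuse a malformed MAC: a typo here would also cut clients off from the gateway
    case "$gwmac" in
        $hex:$hex:$hex:$hex:$hex:$hex) ;;
        *) echo "isolation_rules: invalid MAC '$gwmac'" >&2; return 1 ;;
    esac
    [ -n "$iface" ] || { echo "isolation_rules: missing interface" >&2; return 1; }
    cat <<EOF
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -i $iface -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT
ebtables -t broute -A BROUTING -i $iface -p arp -j ACCEPT
ebtables -t broute -A BROUTING -i $iface ! -d $gwmac -j redirect --redirect-target DROP
EOF
}

# apply_isolation WIFI_IF GATEWAY_MAC
# Loads the modules the post lists, then runs the generated rules (needs root).
apply_isolation() {
    isolation_rules "$1" "$2" > /dev/null || return 1
    for m in ebtables ebtable_filter ebtable_broute ebt_ip ebt_redirect; do
        modprobe "$m" 2>/dev/null || true   # ignore modules that are built in
    done
    isolation_rules "$1" "$2" | sh -e
}

# Dry run with constructed placeholder values: prints the rules for review.
isolation_rules eth1 00:0f:b5:fe:6b:fb
```

After `apply_isolation`, `ebtables -t broute -L BROUTING` should list exactly the three rules; the flush at the top keeps a re-run from appending duplicates. Note that this isolates clients of one AP from each other only; clients on different APs still share the wired segment, which is the switch-level problem jimp describes.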

          • jades

            Excellent. Do you have APs that you can suggest that have this ability? Long range is preferable; one of my clients, who lives in a town with no competition, wants to try to resell high speed internet via wifi and is already testing it out with EnGenius long range APs. Bad results though. I expected bad results because the equipment is too cheap.

            • dicalder

              Hi Jade,

              I had the same problem. Two internal networks and one AP. My solution:

              In Firewall->Aliases create a new Alias
              Name: Alias-Name
              Type: Network
              Network(s): include all your internal networks per line

              Next go to Firewall->Rules->Op2 create a new rule
              Action: Pass
              Interface: Op2
              Protocol: Any
              Source: Op2 subnet
              Destination: check on NO, Type: Single host or alias, Address: Alias-Name

              You are ready to go! No access to your internal networks from AP users.
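The same rule in pf(4) syntax, generated from a list of internal networks, added here as an example; it is not dicalder's configuration nor pfSense's own generated ruleset (pfSense builds its rules from the GUI, so this is only the equivalent for review). The interface name "opt2" and every address are constructed placeholders. The generator refuses a list that contains the AP subnet itself, because the rule would then also block traffic to the firewall's own address on that interface (DNS, for instance), not just the other subnets.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pfSense: emit the pf
# equivalent of "pass from the AP subnet to anything except the internal
# networks", with a sanity check on the network list.

# ap_rule IFACE AP_SUBNET INTERNAL_NET... -> prints a pf.conf fragment.
# Returns 1 when no internal networks are given or when AP_SUBNET appears
# in the list (that would also block the firewall's address on IFACE).
ap_rule() {
    iface=$1; ap_subnet=$2; shift 2
    [ $# -gt 0 ] || { echo "ap_rule: no internal networks given" >&2; return 1; }
    for n in "$@"; do
        if [ "$n" = "$ap_subnet" ]; then
            echo "ap_rule: $n is the AP subnet, remove it from the alias" >&2
            return 1
        fi
    done
    # join the networks as "a, b, c" for the table definition
    nets=$(printf '%s, ' "$@"); nets=${nets%, }
    cat <<EOF
# the "Alias-Name" alias from the post, as a pf table
table <internal_nets> { $nets }
# pass from the AP subnet to everything except the internal networks;
# pfSense's default deny drops whatever this rule does not match
pass in quick on $iface inet from $ap_subnet to ! <internal_nets> keep state
EOF
}

# Demo with constructed placeholder networks; prints the fragment.
ap_rule opt2 192.168.2.0/24 192.168.1.0/24 10.0.0.0/8
```

This only stops AP clients from reaching the other subnets through the router; hosts inside the AP subnet still see each other at layer 2, which the client isolation setting on the AP (or PVLANs on the switch) has to handle.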

              • sir_lunatic

                Nomadix handles this in an interesting way. Their gateway does ARP spoofing for every address it hears an ARP request or broadcast for. Wonder if this can be done with ebtables as well at the gateway, or a rewrite of proxyarp.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.