Captive portal and network security
-
Hello,
I just started playing around with captive portal. I see that before and after a user connects using captive portal, they have access to other devices and servers on the network. I know that the workaround for this is to use opt1, but even if opt1 is used, is there a way to prevent devices on the opt1 network from seeing each other, whether or not the user authenticates?
-
You would need some kind of layer 2 security for that, as in on the switches if this is all wired.
There are different techniques that switches can use to do this kind of thing (Private VLANS/PVLANS and such) but there is no way a router or gateway device can prevent hardwired systems from seeing each other on a switch.
A wireless access point is different, however: there is an option in the access point config to disallow inter-client communication, because that all gets relayed through the AP.
-
As Jimp said, most "good" AP's can be told to disallow connections between their clients.
This is being called "client isolation". But if you have more than one AP, then you need to toy with the firewalls of these AP's. I included also some ebtables stuff (is this level 2 comm ??)
This is what I've included in mine :
# load ebtables and the extensions the rules below need
/sbin/insmod ebtables
/sbin/insmod ebtable_filter
/sbin/insmod ebtable_broute
/sbin/insmod ebt_ip
/sbin/insmod ebt_redirect
# let DHCP (ports 67/68) through
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT
# let ARP through
ebtables -t broute -A BROUTING -i eth1 -p arp -j ACCEPT
# everything else not addressed to the pfSense Opt1 MAC is taken off the bridge
ebtables -t broute -A BROUTING -i eth1 -d ! 00:0f:b5:fe:6b:fb -j redirect --redirect-target DROP
What this all means is that DHCP broadcasting is allowed, as is arp messaging.
All other communication coming from 'eth1' (the wifi interface in my AP) which doesn't have "00:0f:b5:fe:6b:fb" as destination will be dropped.
"00:0f:b5:fe:6b:fb" is the MAC of my Opt1 interface in my pfSense box.
This brings all inter client communication to a halt.
They can't administer my AP's either.
-
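Added example, not from the post and not from ebtables itself: a small Python model of the four BROUTING rules above, applied in ebtables' first-match order with the chain's default policy, so the effect on sample frames can be checked before the rules are loaded on a live AP. One detail of the broute table matters for reading the result: there ACCEPT means "bridge the frame" and DROP means "divert the frame to the AP's own IP stack instead", so the last rule keeps client-to-client frames off the bridge rather than discarding them outright. The gateway MAC is the one quoted in the post; the other MACs, ports and frame names are constructed sample values.

```python
"""Model of the ebtables BROUTING client-isolation rules from the post above.

Added example, not from the post or from ebtables. It applies the four rules
in order with first-match semantics and the chain's default policy, so the
effect on sample frames can be checked before loading the rules on an AP.
Broute-table semantics: ACCEPT = bridge the frame, DROP = divert the frame to
the AP's own IP stack (route) instead of bridging it.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GATEWAY_MAC = "00:0f:b5:fe:6b:fb"   # pfSense Opt1 MAC quoted in the post
WIFI_IF = "eth1"                    # the AP's wireless interface, as in the post
BROADCAST = "ff:ff:ff:ff:ff:ff"

BRIDGE = "ACCEPT"   # broute table: frame is bridged normally
ROUTE = "DROP"      # broute table: frame is pulled into the AP's local IP stack


@dataclass(frozen=True)
class Frame:
    """The fields of an Ethernet frame that these rules look at."""
    in_if: str                      # ingress interface
    dst_mac: str
    ethertype: str                  # "ipv4" or "arp"
    ip_proto: Optional[str] = None  # "tcp" / "udp" for IPv4 frames
    dst_port: Optional[int] = None  # transport destination port


@dataclass(frozen=True)
class Rule:
    text: str                       # the ebtables match being modelled
    match: Callable[[Frame], bool]
    verdict: str


def _dhcp(proto: str) -> Callable[[Frame], bool]:
    """Models: -p ipv4 --ip-proto <proto> --ip-destination-port 67:68"""
    return lambda f: (f.ethertype == "ipv4" and f.ip_proto == proto
                      and f.dst_port is not None and 67 <= f.dst_port <= 68)


# The chain as posted; every rule carries -i eth1, which broute() handles.
BROUTING: List[Rule] = [
    Rule("-p ipv4 --ip-proto tcp --ip-destination-port 67:68 -j ACCEPT", _dhcp("tcp"), BRIDGE),
    Rule("-p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT", _dhcp("udp"), BRIDGE),
    Rule("-p arp -j ACCEPT", lambda f: f.ethertype == "arp", BRIDGE),
    Rule("-d ! <gateway MAC> -j redirect --redirect-target DROP",
         lambda f: f.dst_mac.lower() != GATEWAY_MAC, ROUTE),
]
DEFAULT_POLICY = BRIDGE             # BROUTING's built-in policy is ACCEPT


def broute(frame: Frame) -> Tuple[str, str]:
    """Return (verdict, what decided it) using ebtables first-match order."""
    if frame.in_if != WIFI_IF:      # -i eth1 on every rule: other ports only see the policy
        return DEFAULT_POLICY, "policy (not from eth1)"
    for rule in BROUTING:
        if rule.match(frame):
            return rule.verdict, rule.text
    return DEFAULT_POLICY, "policy"


def is_bridged(frame: Frame) -> bool:
    """True when the frame is bridged rather than diverted to the AP's stack."""
    return broute(frame)[0] == BRIDGE


# Constructed sample frames; the client MAC is made up.
CLIENT_B = "02:00:00:00:00:0b"
SAMPLES = {
    "dhcp discover (broadcast)": Frame(WIFI_IF, BROADCAST, "ipv4", "udp", 67),
    "arp request (broadcast)":   Frame(WIFI_IF, BROADCAST, "arp"),
    "https to gateway":          Frame(WIFI_IF, GATEWAY_MAC, "ipv4", "tcp", 443),
    "ssh to another client":     Frame(WIFI_IF, CLIENT_B, "ipv4", "tcp", 22),
    "dns to another client":     Frame(WIFI_IF, CLIENT_B, "ipv4", "udp", 53),
    # the DHCP exception is not pinned to the gateway, so a unicast frame to
    # port 67 on another client's MAC is still bridged
    "dhcp unicast to client B":  Frame(WIFI_IF, CLIENT_B, "ipv4", "udp", 67),
}


def isolation_gaps() -> List[str]:
    """Sample frames that are bridged to a unicast destination other than the gateway."""
    return [name for name, f in SAMPLES.items()
            if is_bridged(f) and f.dst_mac not in (GATEWAY_MAC, BROADCAST)]


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        verdict, why = broute(frame)
        print(f"{name:28s} -> {verdict:6s} ({why})")
    print("gaps:", isolation_gaps())
```

The last sample is the one hole worth knowing about: the two DHCP exceptions match on protocol and port only, so a unicast frame on port 67/68 addressed to another client's MAC is bridged just like one addressed to the gateway. Adding a destination MAC match (the gateway MAC or the broadcast address) to those two rules closes it without affecting normal DHCP.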
Excellent. Do you have APs that you can suggest that have this ability? Long range is preferable; one of my clients who lives in a town with no competition wants to try to resell high speed internet via wifi and is already testing it out with EnGenius long range APs. Bad results though. I expected bad results because the equipment is too cheap.
-
Hi Jade,
I had the same problem. Two internal networks and one AP. My solution:
In Firewall->Aliases create a new Alias
Name: Alias-Name
Type: Network
Network(s): include all your internal networks per line
Next go to Firewall->Rules->Op2 create a new rule
Action: Pass
Interface: Op2
Protocol: Any
Source: Op2 subnet
Destination: check on NO, Type: Single host or alias, Address: Alias-Name
You are ready to go! No access to your internal networks from AP users.
-
Nomadix handles this in an interesting way. Their gateway does arp spoofing for every address it hears an arp request or broadcast for. Wonder if this can be done with ebtables as well at the gateway. OR a rewrite of proxyarp.