Netgate Discussion Forum
    Block access from GUEST wireless to DD-WRT web admin GUI?

    Captive Portal
miles267 wrote:

      I'm trying to figure out how to block access from the captive portal guest wireless access point to the router's web admin UI.  For example, my guest wireless access point is running DD-WRT and its IP is 192.168.1.2.

      I was able to set up a firewall rule to block access from my GUEST (OPT1) wireless access point (192.168.0.2) network to my PFSENSE router (192.168.0.1).  However, if you're connected to the guest wireless AP and authenticate on the captive portal login screen, you can then browse to http://192.168.1.2 and are prompted for the DD-WRT admin login.  I've been unable to figure out how to prevent a user connected to the guest wireless AP from even accessing 192.168.1.2 (HTTP 80).

      Also – for convenience I have the DD-WRT router set without any encryption (open, broadcasting SSID) but protected by the captive portal user account.  Has everyone found that this is safe enough?  My intent is not to encrypt the traffic but rather to 1.) make it simple for guests to find and connect to the AP without having to configure WPA/WPA2, etc. and 2.) ensure that no one can access the internet on the GUESTS network without authenticating via the captive portal.

      Thanks in advance.


wallabybob wrote:

        My guess would be that pfSense doesn't even see the access attempt you are trying to prevent and consequently can't do anything about it.

        I don't know DD-WRT but I would be surprised if it didn't have some means of blocking access to the administration interface.


Gertjan wrote:

          Sorry, just dropped in here, and saw the question.

          I have myself several APs using DD-WRT on an OPT1 interface, captive portal enabled on OPT1.
          Of course, I wouldn't like it that my 'clients' could hammer on my AP's.

          Can I presume that the IP of your AP = 192.168.1.2 ?

          Open the web interface of your DD-WRT.
          Go to Administration => Shell.
          Paste this code into the "Firewall" block.
          Save.

          #!/bin/sh
          # Custom chain "logdrop": log the packet, then drop it.
          # -F empties the chain so the script can be re-run without
          # stacking duplicate LOG/DROP entries.
          /usr/sbin/iptables -N logdrop
          /usr/sbin/iptables -F logdrop
          /usr/sbin/iptables -A logdrop -j LOG
          /usr/sbin/iptables -A logdrop -j DROP
          # Traffic addressed to the AP itself (INPUT chain), arriving on the
          # bridge br0 from the guest subnet 192.168.1.0/24, is sent to logdrop
          # for the HTTP (80), SSH (22) and Telnet (23) management ports.
          /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 80 -j logdrop
          /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 22 -j logdrop
          /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 23 -j logdrop

          With this code, YOU can administer your AP from the LAN interface (192.168.0.0/24) - [DO NOT forget to ADD to Services => Captive Portal => Allowed IP addresses => Direction = Both IP = 192.168.1.2 and hit Save. - This way the AP itself can now communicate with the net to play games, update the time, have a chat, and answer to YOU when you want to login from anywhere except 192.168.1.0/24 ]
          No one coming from the subnet 192.168.1.0/24 can access the DD-WRT interfaces.

          No "help me" PM's please. Use the forum, thanks.

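The following is an added example, not code from the thread or from DD-WRT itself. It takes the same approach as the script in the post above (a custom logdrop chain, rules inserted into INPUT for traffic arriving on br0) and tightens it in three ways a practitioner would want: the rules allow-list the admin subnet with "! -s" instead of block-listing the guest subnet, so a guest who assigns a static address outside 192.168.1.0/24 is still dropped; the LOG target is rate-limited so a port scan cannot fill the router's log; and each rule is deleted before it is inserted, so re-running the script does not stack duplicates. The values are assumptions for illustration: admin LAN 192.168.0.0/24, guest bridge br0, management ports 22, 23, 80 and 443. The trade-off versus the original script is that the AP can then only be administered from the admin LAN, not from "anywhere except the guest subnet".

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. Same idea as the
# script in the post above (custom logdrop chain, rules in INPUT on br0),
# with three changes: allow-list the admin subnet instead of block-listing
# the guest subnet, rate-limit the LOG target, and make the script safe to
# re-run without stacking duplicate rules.
#
# Assumed values (adjust for your network): admin LAN 192.168.0.0/24,
# guest bridge br0, management ports 22/23/80/443. With IPT=echo the
# script only prints the iptables commands it would run.

IPT="${IPT:-/usr/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"
GUEST_IF="${GUEST_IF:-br0}"
MGMT_PORTS="${MGMT_PORTS:-22 23 80 443}"

# Create (or reset) the logging drop chain. -F makes a re-run start from a
# clean chain; the -N error on an already existing chain is expected and hidden.
setup_logdrop() {
    "$IPT" -N logdrop 2>/dev/null
    "$IPT" -F logdrop
    "$IPT" -A logdrop -m limit --limit 5/minute -j LOG --log-prefix "mgmt-drop: "
    "$IPT" -A logdrop -j DROP
}

# One INPUT rule per management port. "! -s ADMIN_NET" drops every source
# that is not the admin LAN, so a guest who sets a static address outside
# 192.168.1.0/24 gains nothing; matching "-s 192.168.1.0/24" would let that
# through. Deleting first keeps repeated runs from inserting duplicates.
block_mgmt_from_guests() {
    for port in $MGMT_PORTS; do
        "$IPT" -D INPUT -i "$GUEST_IF" ! -s "$ADMIN_NET" -p tcp --dport "$port" -j logdrop 2>/dev/null
        "$IPT" -I INPUT -i "$GUEST_IF" ! -s "$ADMIN_NET" -p tcp --dport "$port" -j logdrop
    done
}

apply_rules() {
    setup_logdrop
    block_mgmt_from_guests
}

# Dry-run helpers: print the commands instead of running them, and count the
# inserted INPUT rules (one per management port) as a sanity check before
# pasting the script into the router.
dry_run() {
    ( IPT=echo; apply_rules )
}

count_insert_rules() {
    dry_run | grep -c -- '-I INPUT'
}

case "${1:-dry-run}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Run it with no arguments on a workstation to review the generated iptables commands; on the router call it with "apply", or, when pasting it into the DD-WRT Firewall box (which runs the script without arguments), change the default "dry-run" in the case statement to "apply". The captive portal "Allowed IP addresses" entry for the AP from the post above is still needed so the AP itself can reach the internet through pfSense.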