    Can CP do this

    Captive Portal
      sh_man:

      I have the following setup for a conference we are running next week.

      Version  1.0.1-SNAPSHOT-03-08-2007
      built on Thu Mar 15 19:59:48 EDT 2007
      Platform cdrom

      WAN (ADSL)
      LAN
      WAN2 (OPT1) (ADSL)
      LAN2 (OPT2) -> Wireless AP (cheap Edimax one) -> PC's

      Want to put CP on LAN2 and have LAN2 route out through WAN2

      Works OK without CP - at least I think it does.

      When I put CP on with local auth and disable MAC filtering, nothing really happens. The PCs connecting to the AP can still get out without having to authenticate.

      Rebooted a number of times and nothing changes.

      I guess I have probably got something wrong or I am trying to get it to do something it won't!!

      Any ideas 'cos I have run out of time to get it to work this way.

        hoba:

        Please show us all your settings that you have at the CP config page. Also show us the firewall rules for this interface.

          sh_man:

          Thought it would be easier to put the relevant bits from the config.xml.

          Note that MineheadOfficeAllowed is an alias to a number of IP addresses on the opt2 interface.

          Thanks for any help you can give.

          <captiveportal>
            <page/>
            <timeout/>
            <interface>opt2</interface>
            <maxproc/>
            <idletimeout>240</idletimeout>
            <auth_method>local</auth_method>
            <reauthenticateacct/>
            <httpsname/>
            <certificate/>
            <private-key/>
            <logoutwin_enable/>
            <nomacfilter/>
            <redirurl/>
            <radiusip/>
            <radiusip2/>
            <radiusport/>
            <radiusport2/>
            <radiusacctport/>
            <radiuskey/>
            <radiuskey2/>
            <radiusvendor>default</radiusvendor>
            <user>
              <name>siteaccess</name>
              <fullname/>
              <expirationdate/>
              <password>Encrypted password here</password>
            </user>
            <enable/>
          </captiveportal>

          <rule>
            <type>pass</type>
            <interface>opt2</interface>
            <max-src-nodes/><max-src-states/><statetimeout/>
            <statetype>keep state</statetype>
            <os/>
            <source>
              <address>MineheadOfficeAllowed</address>
            </source>
            <destination>
              <network>lan</network>
            </destination>
            <descr>Let allowed traffic in to office network</descr>
          </rule>

          <rule>
            <type>pass</type>
            <interface>opt2</interface>
            <max-src-nodes/><max-src-states/><statetimeout/>
            <statetype>keep state</statetype>
            <os/>
            <protocol>tcp/udp</protocol>
            <source>
              <network>opt2</network>
            </source>
            <destination>
              <network>opt2ip</network>
              <port>53</port>
            </destination>
            <descr>Let connections in to the firewall</descr>
          </rule>

          <rule>
            <type>pass</type>
            <interface>opt2</interface>
            <max-src-nodes/><max-src-states/><statetimeout/>
            <statetype>keep state</statetype>
            <os/>
            <protocol>tcp/udp</protocol>
            <source>
              <network>opt2</network>
            </source>
            <destination>
              <network>opt2ip</network>
              <port>pfSense Port</port>
            </destination>
            <descr>Let connections in to the firewall</descr>
          </rule>

          <rule>
            <type>pass</type>
            <interface>opt2</interface>
            <max-src-nodes/><max-src-states/><statetimeout/>
            <statetype>keep state</statetype>
            <os/>
            <source>
              <network>opt2</network>
            </source>
            <destination>
              <network>lan</network>
            </destination>
            <log/>
            <descr>Let speakers traffic out</descr>
            <gateway>WAN2 GW</gateway>
          </rule>

            hoba:

            Can you try to use "default" as gateway in your last rule and see if this makes a difference?

              sh_man:

              You guessed it. Works properly if the default gateway is used. :-\

              Shame - I want the traffic going over the second WAN. I have a VPN going back to our office over the main WAN and I want to keep that as the only traffic over that ADSL and have everything else going over the second WAN.

              As I have run out of time, I'll come up with another way of controlling access to the web from that net - but if there is a simple fix I'll be interested as I need this setup a number of times a year for events.

                hoba:
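The clash the thread has just pinned down (a pass rule on the captive-portal interface that carries a gateway other than "default", after which the portal no longer forces clients to authenticate) is easy to audit for in config.xml. The following is an added example written for this thread, not pfSense code: it walks a config.xml, collects the interfaces with an enabled captive portal, and lists every pass rule on those interfaces whose gateway is not the default. It handles the flat 1.x captiveportal block shown above and, as an assumption, the per-zone layout of later releases; the sample config is constructed from the fragment posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the fragment posted in this thread:
# captive portal on opt2, and an opt2 pass rule policy-routed via "WAN2 GW".
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <interface>opt2</interface>
    <auth_method>local</auth_method>
    <nomacfilter/>
    <enable/>
  </captiveportal>
  <filter>
    <rule><type>pass</type><interface>opt2</interface>
      <source><network>opt2</network></source>
      <destination><network>lan</network></destination>
      <descr>Let speakers traffic out</descr>
      <gateway>WAN2 GW</gateway>
    </rule>
  </filter>
</pfsense>"""

def cp_interfaces(root):
    """Interfaces with an enabled captive portal: the flat 1.x block shown in
    the thread, or (assumed) the per-<zone> layout of later releases."""
    ifaces = set()
    for cp in root.iter("captiveportal"):
        zones = [z for z in cp if z.find("interface") is not None] or [cp]
        for zone in zones:
            if zone.find("enable") is None:
                continue  # portal configured but not switched on
            for name in (zone.findtext("interface") or "").split(","):
                if name.strip():
                    ifaces.add(name.strip())
    return ifaces

def policy_routed_cp_rules(xml_text):
    """(interface, descr, gateway) for each pass rule on a captive-portal
    interface whose gateway is anything but the default."""
    root = ET.fromstring(xml_text)
    cp_ifs = cp_interfaces(root)
    findings = []
    for rule in root.iter("rule"):
        iface = (rule.findtext("interface") or "").strip()
        gateway = (rule.findtext("gateway") or "default").strip()
        if rule.findtext("type") == "pass" and iface in cp_ifs \
                and gateway.lower() != "default":
            findings.append((iface, rule.findtext("descr") or "", gateway))
    return findings
```

Run it against a real backup with `policy_routed_cp_rules(open("config.xml").read())`; an empty list means no CP interface has a policy-routed pass rule.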

                Maybe this is easily fixable, not sure, but we now know what's causing it at least.

                  sullrich:

                  Please try a recent snapshot.  This might be fixed now that dummynet and the pfil ordering is corrected.

                    sh_man:

                    Would do but as it is a CD version I am using the .iso.gz (2007-Mar-25 14:03:52) and it currently fails to mount the file system part way through the boot.

                    Don't know whether this is linked with the nice warning at the top of the forum, something I have done incorrectly or a bug.
