Can CP do this



  • I have the following setup for a conference we are running next week.

    Version  1.0.1-SNAPSHOT-03-08-2007
    built on Thu Mar 15 19:59:48 EDT 2007
    Platform cdrom

    WAN (ADSL)
    LAN
    WAN2 (OPT1) (ADSL)
    LAN2 (OPT2) -> Wireless AP (cheap Edimax one) -> PCs

    Want to put CP on LAN2 and have LAN2 route out through WAN2

    Works OK without CP - at least I think it does.

    When I put CP on with local auth and disable MAC filtering, nothing really happens. The PCs connecting to the AP can still get out without having to authenticate.

    Rebooted a number of times and nothing changes.

    I guess I have probably got something wrong or I am trying to get it to do something it won't!

    Any ideas, 'cos I have run out of time to get it to work this way.



  • Please show us all the settings you have on the CP config page. Also show us the firewall rules for this interface.



  • Thought it would be easier to put the relevant bits from the config.xml.

    Note that MineheadOfficeAllowed is an alias to a number of IP addresses on the opt2 interface.

    Thanks for any help you can give.

    <captiveportal>
      <page/>
      <timeout/>
      <interface>opt2</interface>
      <maxproc/>
      <idletimeout>240</idletimeout>
      <auth_method>local</auth_method>
      <reauthenticateacct/>
      <httpsname/>
      <certificate/>
      <private-key/>
      <logoutwin_enable/>
      <nomacfilter/>
      <redirurl/>
      <radiusip/>
      <radiusip2/>
      <radiusport/>
      <radiusport2/>
      <radiusacctport/>
      <radiuskey/>
      <radiuskey2/>
      <radiusvendor>default</radiusvendor>
      <user>
        <name>siteaccess</name>
        <fullname/>
        <expirationdate/>
        <password>Encrypted password here</password>
      </user>
      <enable/>
    </captiveportal>

    <rule>
      <type>pass</type>
      <interface>opt2</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <address>MineheadOfficeAllowed</address>
      </source>
      <destination>
        <network>lan</network>
      </destination>
      <descr>Let allowed traffic in to office network</descr>
    </rule>

    <rule>
      <type>pass</type>
      <interface>opt2</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <protocol>tcp/udp</protocol>
      <source>
        <network>opt2</network>
      </source>
      <destination>
        <network>opt2ip</network>
        <port>53</port>
      </destination>
      <descr>Let connections in to the firewall</descr>
    </rule>

    <rule>
      <type>pass</type>
      <interface>opt2</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <protocol>tcp/udp</protocol>
      <source>
        <network>opt2</network>
      </source>
      <destination>
        <network>opt2ip</network>
        <port>pfSense Port</port>
      </destination>
      <descr>Let connections in to the firewall</descr>
    </rule>

    <rule>
      <type>pass</type>
      <interface>opt2</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <network>opt2</network>
      </source>
      <destination>
        <network>lan</network>
      </destination>
      <log/>
      <descr>Let speakers traffic out</descr>
      <gateway>WAN2 GW</gateway>
    </rule>



  • Can you try to use "default" as gateway in your last rule and see if this makes a difference?



  • You guessed it. Works properly if the default gateway is used. :-\

    Shame - I want the traffic going over the second WAN. I have a VPN going back to our office over the main WAN and I want to keep that as the only traffic over that ADSL and have everything else going over the second WAN.

    As I have run out of time, I'll come up with another way of controlling access to the web from that net - but if there is a simple fix I'll be interested, as I need this setup a number of times a year for events.



  • Maybe this is easily fixable, not sure, but we now know what's causing it at least.
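    The thread has narrowed the bypass down to the pass rule on the captive-portal interface that carries a non-default <gateway>. The script below is an added example (not from the thread or from pfSense) that audits a config.xml for exactly that pattern: it reads the CP interface and flags any enabled pass rule on it that policy-routes via a named gateway. The embedded config is a constructed excerpt modelled on the one posted above, not the poster's real file.

```python
"""Audit a pfSense 1.x config.xml for pass rules that policy-route traffic
off the captive-portal interface. On the snapshot discussed in the thread,
such a rule let clients out without authenticating, so it is worth
flagging before relying on the portal at an event."""
import xml.etree.ElementTree as ET

# Constructed excerpt (not the poster's actual config): CP on opt2,
# one rule on opt2 policy-routed via WAN2, one on lan for contrast.
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <interface>opt2</interface>
    <auth_method>local</auth_method>
    <enable/>
  </captiveportal>
  <filter>
    <rule><type>pass</type><interface>opt2</interface>
      <source><network>opt2</network></source>
      <destination><network>opt2ip</network><port>53</port></destination>
      <descr>Let connections in to the firewall</descr></rule>
    <rule><type>pass</type><interface>opt2</interface>
      <source><network>opt2</network></source>
      <destination><any/></destination>
      <descr>Let speakers traffic out</descr>
      <gateway>WAN2 GW</gateway></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>LAN out via WAN2</descr>
      <gateway>WAN2 GW</gateway></rule>
  </filter>
</pfsense>"""


def policy_routed_cp_rules(config_xml: str):
    """Return (descr, gateway) for each enabled pass rule on the
    captive-portal interface whose <gateway> is not the default one."""
    root = ET.fromstring(config_xml)
    cp = root.find("captiveportal")
    if cp is None or cp.find("enable") is None:
        return []  # portal not enabled: nothing to audit
    cp_if = (cp.findtext("interface") or "").strip().lower()
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules never match traffic
        if (rule.findtext("type") or "").strip() != "pass":
            continue
        if (rule.findtext("interface") or "").strip().lower() != cp_if:
            continue
        gw = (rule.findtext("gateway") or "").strip()
        if gw and gw.lower() != "default":
            findings.append((rule.findtext("descr") or "", gw))
    return findings
```

Run it over a backed-up config.xml and clear or default the gateway on any flagged rule until the fix the developer mentions is confirmed on the version in use.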



  • Please try a recent snapshot. This might be fixed now that dummynet and the pfil ordering are corrected.



  • Would do, but as it is the CD version I am using the .iso.gz (2007-Mar-25 14:03:52), and it currently fails to mount the file system part way through the boot.

    Don't know whether this is linked with the nice warning at the top of the forum, something I have done incorrectly or a bug.

