Netgate Discussion Forum
Can CP do this

Captive Portal
  • S
    sh_man
    last edited by Mar 23, 2007, 10:47 PM

    I have the following setup for a conference we are running next week.

    Version  1.0.1-SNAPSHOT-03-08-2007
    built on Thu Mar 15 19:59:48 EDT 2007
    Platform cdrom

    WAN (ADSL)
    LAN
    WAN2 (OPT1) (ADSL)
    LAN2 (OPT2) -> Wireless AP (cheap Edimax one) -> PCs

    Want to put CP on LAN2 and have LAN2 route out through WAN2

    Works OK without CP - at least I think it does.

    When I put CP on with local auth and disable MAC filtering, nothing really happens. The PCs connecting to the AP can still get out without having to authenticate.

    Rebooted a number of times and nothing changes.

    I guess I have probably got something wrong or I am trying to get it to do something it won't!!

    Any ideas 'cos I have run out of time to get it to work this way.

    • H
      hoba
      last edited by Mar 24, 2007, 2:31 AM

      Please show us all the settings that you have on the CP config page. Also show us the firewall rules for this interface.

      • S
        sh_man
        last edited by Mar 24, 2007, 10:15 AM Mar 24, 2007, 10:13 AM

        Thought it would be easier to put the relevant bits from the config.xml.

        Note that MineheadOfficeAllowed is an alias to a number of IP addresses on the opt2 interface.

        Thanks for any help you can give.

        <captiveportal>
          <page/>
          <timeout/>
          <interface>opt2</interface>
          <maxproc/>
          <idletimeout>240</idletimeout>
          <auth_method>local</auth_method>
          <reauthenticateacct/>
          <httpsname/>
          <certificate/>
          <private-key/>
          <logoutwin_enable/>
          <nomacfilter/>
          <redirurl/>
          <radiusip/>
          <radiusip2/>
          <radiusport/>
          <radiusport2/>
          <radiusacctport/>
          <radiuskey/>
          <radiuskey2/>
          <radiusvendor>default</radiusvendor>
          <user>
            <name>siteaccess</name>
            <fullname/>
            <expirationdate/>
            <password>Encrypted password here</password>
          </user>
          <enable/>
        </captiveportal>

        <rule>
          <type>pass</type>
          <interface>opt2</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <address>MineheadOfficeAllowed</address>
          </source>
          <destination>
            <network>lan</network>
          </destination>
          <descr>Let allowed traffic in to office network</descr>
        </rule>

        <rule>
          <type>pass</type>
          <interface>opt2</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp/udp</protocol>
          <source>
            <network>opt2</network>
          </source>
          <destination>
            <network>opt2ip</network>
            <port>53</port>
          </destination>
          <descr>Let connections in to the firewall</descr>
        </rule>

        <rule>
          <type>pass</type>
          <interface>opt2</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp/udp</protocol>
          <source>
            <network>opt2</network>
          </source>
          <destination>
            <network>opt2ip</network>
            <port>pfSense Port</port>
          </destination>
          <descr>Let connections in to the firewall</descr>
        </rule>

        <rule>
          <type>pass</type>
          <interface>opt2</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>opt2</network>
          </source>
          <destination>
            <network>lan</network>
          </destination>
          <log/>
          <descr>Let speakers traffic out</descr>
          <gateway>WAN2 GW</gateway>
        </rule>

        • H
          hoba
          last edited by Mar 24, 2007, 6:11 PM

          Can you try to use "default" as gateway in your last rule and see if this makes a difference?

          • S
            sh_man
            last edited by Mar 24, 2007, 8:22 PM

            You guessed it. Works properly if the default gateway is used. :-\

            Shame - I want the traffic going over the second WAN. I have a VPN going back to our office over the main WAN and I want to keep that as the only traffic over that ADSL and have everything else going over the second WAN.

            As I have run out of time, I'll come up with another way of controlling access to the web from that net - but if there is a simple fix I'll be interested as I need this setup a number of times a year for events.

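An audit check for the condition identified in the posts above, added here as an example and not code from the posters or the pfSense project: it lists pass rules on the captive portal interface that set an explicit gateway, the setting under which clients got out without authenticating on this snapshot. Element names come from the posted config.xml; the `<pfsense>` root, the `<filter>` wrapper, the sample rules and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; element names are those in the posted config.xml.
# The <pfsense> root and <filter> wrapper are assumptions (not shown in the thread).
SAMPLE_CONFIG = """<pfsense>
  <captiveportal><interface>opt2</interface><auth_method>local</auth_method><enable/></captiveportal>
  <filter>
    <rule><type>pass</type><interface>opt2</interface>
      <descr>Let connections in to the firewall</descr></rule>
    <rule><type>pass</type><interface>opt2</interface>
      <descr>Let speakers traffic out</descr><gateway>WAN2 GW</gateway></rule>
    <rule><type>pass</type><interface>lan</interface>
      <descr>Office traffic</descr><gateway>WAN2 GW</gateway></rule>
  </filter>
</pfsense>"""


def portal_gateway_rules(config_xml):
    """Return (descr, gateway) for pass rules on the captive portal
    interface that set an explicit, non-default gateway."""
    root = ET.fromstring(config_xml)
    portal = root.find("captiveportal")
    # Assumption: the portal is active only when <enable/> is present.
    if portal is None or portal.find("enable") is None:
        return []
    cp_if = (portal.findtext("interface") or "").strip()
    flagged = []
    for rule in root.findall("./filter/rule"):
        if (rule.findtext("type") or "").strip() != "pass":
            continue
        if (rule.findtext("interface") or "").strip() != cp_if:
            continue  # rules on other interfaces are out of scope
        gw = (rule.findtext("gateway") or "").strip()
        if gw and gw.lower() != "default":
            flagged.append(((rule.findtext("descr") or "").strip(), gw))
    return flagged


if __name__ == "__main__":
    for descr, gw in portal_gateway_rules(SAMPLE_CONFIG):
        print(f"portal interface rule {descr!r} uses gateway {gw!r}")
```

Run against a saved copy of config.xml, this flags only the "Let speakers traffic out" rule in the sample; the rule on lan is ignored because the portal is not bound to that interface.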
            • H
              hoba
              last edited by Mar 24, 2007, 8:40 PM

              Maybe this is easily fixable, not sure, but we now know what's causing it at least.

              • S
                sullrich
                last edited by Mar 25, 2007, 2:03 AM

                Please try a recent snapshot.  This might be fixed now that dummynet and the pfil ordering is corrected.

                • S
                  sh_man
                  last edited by Mar 25, 2007, 9:31 PM

                  Would do but as it is a CD version I am using the .iso.gz (2007-Mar-25 14:03:52) and it currently fails to mount the file system part way through the boot.

                  Don't know whether this is linked with the nice warning at the top of the forum, something I have done incorrectly or a bug.
