Netgate Discussion Forum

    Client managed to access internet without passing through cp, how is that possible?

    Captive Portal
    • hadi57

      hi

      I was surprised to see a client working with 2 PCs: one laptop accessing the internet authenticating with cp, and the other desktop using the internet without cp. The client has the following setup:

      my cable going out of ps box --> switch --> to his apartment --> linksys ap wan port --> 1) desktop lan, 2) laptop wlan.

      I checked the ap setup: it was using dhcp, so the desktop is getting 192.168.1.2 as ip, 192.168.1.1 as gw, and 192.163.1.254 as dns (my ps box lan ip), while the laptop is using the ip issued by ps box and authenticating nicely to cp.

      My setup: us robotics dsl router ip: 192.168.1.1 and my ps box is 192.168.1.2 on the wan side.

      How to deal with such a case?

      hadi57

      • hoba

        You can't deal with that. He will be seen at the pfSense coming from the same IP with the same MAC address (the one of his router), so there is no way to see that these are 2 different hosts. It's the same situation with everybody's home network. The ISP can't see if the customer runs only 1 client or a complete network behind his public IP. That's the way NAT works.

        • hchady

          there is another way to access internet without authentication through CP if you run Squid

          if you put in your internet explorer settings the address of the proxy with the port, you access the internet directly…
          it is a known behavior I think

          Chady

          • hoba

            The CP authenticates an IP/MAC combination, so if both do not change for different hosts, as they are natted or use a proxy (in front of the CP), there is no way to detect different hosts. There has been a similar discussion at the m0n0 list earlier where broken AP firmware showed its own MAC instead of clients' MACs.

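An added illustration of the reply above (not code from the thread or from pfSense): a toy portal that keys sessions on the (IP, MAC) pair, fed by traffic arriving through a NAT router, a bridging AP, and an AP that shows its own MAC. All class names, function names and addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str

class Portal:
    """Toy captive portal: a session is one authenticated (IP, MAC) pair."""
    def __init__(self):
        self.sessions = set()
    def login(self, frame):
        self.sessions.add((frame.src_ip, frame.src_mac))
    def allows(self, frame):
        return (frame.src_ip, frame.src_mac) in self.sessions

def via_nat_router(frame, wan_ip, wan_mac):
    # NAT: every inside host leaves with the router's WAN IP and MAC.
    return Frame(wan_ip, wan_mac)

def via_bridge(frame):
    # Bridging AP: client IP and MAC reach the portal unchanged.
    return frame

def via_mac_masking_bridge(frame, ap_mac):
    # AP that shows its own MAC instead of the client's; the IP is unchanged.
    return Frame(frame.src_ip, ap_mac)

def second_host_allowed(seen_a, seen_b):
    """Host A logs in; report whether host B's traffic passes without a login."""
    portal = Portal()
    portal.login(seen_a)
    return portal.allows(seen_b)

# Constructed sample hosts and device addresses (not taken from the thread).
LAPTOP = Frame("10.0.0.11", "02:00:00:00:00:11")
DESKTOP = Frame("10.0.0.12", "02:00:00:00:00:12")
WAN_IP, DEVICE_MAC = "10.0.0.50", "02:00:00:00:00:50"

def run_cases():
    nat = [via_nat_router(h, WAN_IP, DEVICE_MAC) for h in (LAPTOP, DESKTOP)]
    bridged = [via_bridge(h) for h in (LAPTOP, DESKTOP)]
    masked = [via_mac_masking_bridge(h, DEVICE_MAC) for h in (LAPTOP, DESKTOP)]
    return {
        "nat_router": second_host_allowed(*nat),
        "bridge": second_host_allowed(*bridged),
        "mac_masking_bridge": second_host_allowed(*masked),
    }

if __name__ == "__main__":
    for case, allowed in run_cases().items():
        print(f"{case}: second host passes without login = {allowed}")
```

In this model only the NAT case lets the second host through, because both hosts present an identical (IP, MAC) pair; in the MAC-masking case the pair still differs by IP, so the MAC alone no longer distinguishes the clients.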
            • hadi57

              hi

              Thanks for the quick reply, I am thinking of:

              1. using ignore unknown clients in dhcp
              2. change the ip of my dsl router

              I think his desktop is going directly to my dsl router since it has the same ip as his ap gateway; that's why the desktop surfs much slower than the laptop, which has the ps box as gateway, unlike the desktop using the ap as gateway. So maybe changing my dsl router's ip helps, I'll try that one.

              And btw ya chady, I am running squid in transparent mode. I try what u said, I think it doesn't work.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.