Captive portal then Proxy server

dsagud · Jan 2, 2012, 1:42 PM

Hi!

I'm using Proxy server for Virtual machine internet.
I see that i can't use Captive portal when I'm using proxy. Can someone tell me how to configure Captivate portal and then proxy server?

Authenticate -> then user use proxy server.

thanks

dsagud · Jan 2, 2012, 11:36 PM

I see that no one knows the answer :)

chanrio13 · Jan 3, 2012, 9:48 AM

i use Lusca (squid) proxy transparent together with CP in my Wireless Network without any problem

dhatz · Jan 3, 2012, 6:24 PM

Indeed, I recently did some testing with redirecting CP users' web traffic to an external (i.e. not running inside pfsense) transparent proxy cache, and it seemed to work fine.

I think the issue here is the order in which CP users' traffic is seen by the two packet filters involved: ipfw and pf.

I inquired about this a couple of weeks ago http://forum.pfsense.org/index.php/topic,44131.0.html but never got any feedback …

eri-- · Jan 4, 2012, 9:05 AM

It should work just fine.
There is only one catch that users might get to the squid port directly because the rules are a bit permissive for the host directly.
But if you add Firewall Rules to block users from reaching the proxy port directly and only run transparent proxy it should work just fine.

If you want user to authenticate and still use the proxy(not transparent) its a bit more involved.

dhatz · Jan 4, 2012, 5:01 PM

Is there any documentation somewhere, about the path IP packets follow through ipfw & pf, when Captive Portal is enabled on an interface?

I'm looking for something like this:

Thanks in advance.

eri-- · Jan 4, 2012, 5:52 PM

I am not sure where that schematics come from but its not like that in pfSense, which is customized FreeBSD.

Its more like:

On LAN side/source/CP interface traffic


packet incoming ---->{ [For host CP enabled ip, allow]---> [authenticate if not doen already] ipfw(4)} ----->[Go through firewall rules pf(4) incoming]--->[Go through firewall rules pf(4) outgoing]

On WAN side/return/reply traffic


[Go through firewall rules pf(4) incoming]--->[Go through firewall rules pf(4) outgoing]-->[Go through CP rules ipfw(4)]-->packet outgoing

CP rules are at layer2 and firewall rules are at layer3++.

dhatz · Jan 4, 2012, 6:12 PM

Thx for clarification, I was also wondering about the pfil.[inbound,outbound] setting

sysctl net.inet.ip.pfil

net.inet.ip.pfil.inbound=pf, ipfw*
net.inet.ip.pfil.outbound=pf, ipfw*

which I asked about in http://forum.pfsense.org/index.php/topic,44131.0.html some weeks ago.

PS: The schematic came from http://www.deadloop.com/2010/04/who-comes-first-ipfw-or-pf.html which seems currently unavailable…

eri-- · Jan 4, 2012, 10:02 PM

Replied to you on that other post for you wonder and forum history.