• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Captive portal then Proxy server

Scheduled Pinned Locked Moved Captive Portal
9 Posts 4 Posters 8.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D Offline
    dsagud
    last edited by Jan 2, 2012, 1:42 PM

    Hi!

    I'm using Proxy server for Virtual machine internet.
    I see that i can't use Captive portal when I'm using proxy. Can someone tell me how to configure Captivate portal and then proxy server?

    Authenticate -> then user use proxy server.

    thanks

    1 Reply Last reply Reply Quote 0
    • D Offline
      dsagud
      last edited by Jan 2, 2012, 11:36 PM

      I see that no one knows the answer :)

      1 Reply Last reply Reply Quote 0
      • C Offline
        chanrio13
        last edited by Jan 3, 2012, 9:48 AM

        i use Lusca (squid) proxy transparent together with CP in my Wireless Network without any problem

        1 Reply Last reply Reply Quote 0
        • D Offline
          dhatz
          last edited by Jan 3, 2012, 6:24 PM

          Indeed, I recently did some testing with redirecting CP users' web traffic to an external (i.e. not running inside pfsense) transparent proxy cache, and it seemed to work fine.

          I think the issue here is the order in which CP users' traffic is seen by the two packet filters involved: ipfw and pf.

          I inquired about this a couple of weeks ago http://forum.pfsense.org/index.php/topic,44131.0.html but never got any feedback …

          1 Reply Last reply Reply Quote 0
          • E Offline
            eri--
            last edited by Jan 4, 2012, 9:05 AM

            It should work just fine.
            There is only one catch that users might get to the squid port directly because the rules are a bit permissive for the host directly.
            But if you add Firewall Rules to block users from reaching the proxy port directly and only run transparent proxy it should work just fine.

            If you want user to authenticate and still use the proxy(not transparent) its a bit more involved.

            1 Reply Last reply Reply Quote 0
            • D Offline
              dhatz
              last edited by Jan 4, 2012, 5:01 PM

              Is there any documentation somewhere, about the path IP packets follow through ipfw & pf, when Captive Portal is enabled on an interface?

              I'm looking for something like this:

              Thanks in advance.

              1 Reply Last reply Reply Quote 0
              • E Offline
                eri--
                last edited by Jan 4, 2012, 5:52 PM

                I am not sure where that schematics come from but its not like that in pfSense, which is customized FreeBSD.

                Its more like:

                On LAN side/source/CP interface traffic

                
                packet incoming ---->{ [For host CP enabled ip, allow]---> [authenticate if not doen already] ipfw(4)} ----->[Go through firewall rules pf(4) incoming]--->[Go through firewall rules pf(4) outgoing]
                
                

                On WAN side/return/reply traffic

                
                [Go through firewall rules pf(4) incoming]--->[Go through firewall rules pf(4) outgoing]-->[Go through CP rules ipfw(4)]-->packet outgoing
                
                

                CP rules are at layer2 and firewall rules are at layer3++.

                1 Reply Last reply Reply Quote 0
                • D Offline
                  dhatz
                  last edited by Jan 4, 2012, 6:12 PM Jan 4, 2012, 6:10 PM

                  Thx for clarification, I was also wondering about the pfil.[inbound,outbound] setting

                  sysctl net.inet.ip.pfil

                  net.inet.ip.pfil.inbound=pf, ipfw*
                  net.inet.ip.pfil.outbound=pf, ipfw*

                  which I asked about in http://forum.pfsense.org/index.php/topic,44131.0.html some weeks ago.

                  PS: The schematic came from http://www.deadloop.com/2010/04/who-comes-first-ipfw-or-pf.html which seems currently unavailable…

                  1 Reply Last reply Reply Quote 0
                  • E Offline
                    eri--
                    last edited by Jan 4, 2012, 10:02 PM

                    Replied to you on that other post for you wonder and forum history.

                    1 Reply Last reply Reply Quote 0
                    9 out of 9
                    • First post
                      9/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received