Freaking Captive Portal!

  • Ok… I have a rather simple but complex network! I have managed to make all the features work as I want by using many servers! I want to have things flow in this manner! >> DHCP >> Captive Portal >> Squid >> Snort >> Then Normal PFSense Firewall and Routing!

    This is the simple layout of the data flow! But now this is the funky part! I have wireless and cable LAN through multiple devices but all on the same subnet! The only NAT is on the main PFSense Box! The issue is the Captive Portal! If connected to the cable LAN segment, no issues! Look at the attached map and try to tell me why the Captive Portal is not working across the complete network! I can do all normal network standards (DHCP) across the whole network but no CP!

    I've set up a single CP box on one subnet talking to a squid box on another subnet to the router box on another box! I have used VLANs, single boxes; nothing works across the complete network….

  • Look in the system logs. Do you see a message about not being able to acquire a MAC address? If so, you need to turn off the MAC checking feature since you are routing across another network.

  • I have tested with MAC filtering on & off! If the CP is running on cable hooked to the same switch, it works! When I get out on the network or try to access across the wireless, even when attached to the same switch in the same building, it fails! I am lost on this! I will fire it up again and watch the logs!

  • Looks like you have bridged the network cards on the captive server PC???
    Captive portal won't work then.
    The WAN and the LAN need to be on different networks.

    Also, if you use a WRT54G with Sveasoft firmware,
    then the MAC addresses of your clients are lost, so they can't make use of the captive portal.

  • @jeroen234:

    Also, if you use a WRT54G with Sveasoft firmware,
    then the MAC addresses of your clients are lost, so they can't make use of the captive portal.

    Yes, I remember discussions on the m0n0 mailing list about 3rd party firmwares for these devices. Some didn't pass along the MAC addresses and broke the CP. Try searching the m0n0 mailing list for known working firmwares.

  • Interesting points, but the WAN and/or LAN have no bridging turned on…. I am not using WRT54Gs in this setup! A combination of Netgear WG602 and 3Com wireless gear! I am passing my MACs fine! I will test with VLANs to the mains running individual CP machines for each primary link and subnet, instead of all VLANs and subnets to one CP machine....

    Basically a CP for each Subnet Stand Alone.... I will test over the next few days......... :-(

  • Well, I see on your pic,
    on the captive server, on LAN and on LAN,
    so that's the same network,
    and I see again on the squid server, so that's fireworks.

  • I will place Squid on different subnet and see how that goes….

  • I forgot to say that even with just the CP running it failed across the complete system! The Squid server was not even online!

  • The problem is not that squid and CP have the same IP (well, that too),
    but that your LAN and your WAN are not allowed to be within the same network (subnet).

  • The problem comes from your wifi bridge and wifi node. I guess that you are not using a WDS capable access point.
    When you use wireless bridges, the server sees different IP addresses, but only 1 MAC address (the MAC of the bridge).
    You have 2 possibilities that can work in your case.
    1- Use transparent bridges in your primary bridge + any other access point. Note that not all bridges are transparent.
    2- The easier and better solution is to use WDS capable access points. The WDS protocol works exactly like LAN, so it is completely transparent. So you need to use Linksys WRT54G-like access points with a special firmware.
    If you have a large scale network, the cheapest way (and the better) is to use Buffalo WHR-HP-G54 access points with a 3rd party firmware (DD-WRT). These APs have a very good signal (and cost only 46 euros on German sites; you can also find them with the DD-WRT firmware already flashed).
    Once you have these access points, you should replace your main wifi bridge by a WHR-HP-G54 and simply put it in access point mode.
    Your 1st wifi node (another WHR-HP-G54) should communicate with the main bridge by WDS (WDS is easy to set up), and the 2nd wifi node should also use WDS to communicate with the 1st node.

    Now the primary AP, the 1st and the 2nd wifi node are connected via WDS, so if you connect by wire or wirelessly to any of these APs, you should obtain exactly the same results as if you were connected to your main switch.

    I am using a similar configuration to yours in Lebanon and in France, and it works great!!


  • All nodes are working in WWD mode…. They are point to multi-point links! All are fixed point wireless! Your points about the MAC address are true! Off a single node the ARP has a single MAC with multiple IP addresses! Interesting thoughts...
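    The symptom described in the two posts above (many client IPs behind one bridge MAC, which a per-MAC captive portal cannot tell apart) can be spotted from the firewall's own ARP table. The following script is an added example, not code from this thread or from pfSense; the `arp -an` sample it parses is constructed, and the interface name em0 is assumed.

    ```python
    # Added example (not from the thread): flag ARP entries where one MAC answers
    # for several IPs, the symptom of a non-transparent wireless bridge that breaks
    # a MAC-based captive portal (pfSense / m0n0wall style).
    import re
    from collections import defaultdict

    # Constructed sample of `arp -an` output as printed on a FreeBSD/pfSense box.
    # 192.168.1.50-52 share one MAC, i.e. they sit behind a bridge.
    SAMPLE_ARP = """\
    ? (192.168.1.1) at 0:c:29:aa:bb:1 on em0 permanent [ethernet]
    ? (192.168.1.20) at 00:1b:21:11:22:33 on em0 expires in 1180 seconds [ethernet]
    ? (192.168.1.50) at 00:16:01:de:ad:01 on em0 expires in 900 seconds [ethernet]
    ? (192.168.1.51) at 00:16:01:DE:AD:01 on em0 expires in 910 seconds [ethernet]
    ? (192.168.1.52) at 00:16:01:de:ad:01 on em0 expires in 860 seconds [ethernet]
    ? (192.168.1.60) at (incomplete) on em0 expired [ethernet]
    """

    ARP_LINE = re.compile(
        r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<iface>\S+)",
        re.IGNORECASE,
    )


    def normalize_mac(mac):
        """Lower-case and zero-pad octets; BSD arp prints 0:c:29:.. unpadded."""
        return ":".join(o.zfill(2) for o in mac.lower().split(":"))


    def parse_arp(text):
        """Map (iface, mac) -> [ip, ...] for resolved entries; skips '(incomplete)'."""
        table = defaultdict(list)
        for line in text.splitlines():
            m = ARP_LINE.search(line)
            if m:
                table[(m.group("iface"), normalize_mac(m.group("mac")))].append(m.group("ip"))
        return dict(table)


    def shared_macs(text, threshold=2):
        """MACs answering for `threshold` or more IPs on one interface.

        Each hit is a group of clients the captive portal cannot tell apart:
        authenticating one of them effectively authenticates all of them.
        """
        return {key: sorted(ips) for key, ips in parse_arp(text).items() if len(ips) >= threshold}


    if __name__ == "__main__":
        for (iface, mac), ips in shared_macs(SAMPLE_ARP).items():
            print(f"{iface}: {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    ```

    On a live box, feed it the real table (`arp -an`) instead of the sample; any hit is a segment where the bridge, not the client, is what the portal sees.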

  • Point to multipoint nodes don't work in your case.
    The solution is WDS!! Or you should use on each node a transparent wireless bridge and another access point.

  • I have done a massive reconfigure of the network! Added VLANs and confirmed that all is in WDS mode! I added servers and new subnets and I will fire up the captive portal tonight and give it a test!

    Client >>> CP Server >>> routing to new subnet with Squid Server >>> Squid to PFSense Router and out the door! We shall see I will post the results….
