Is it possible to display the captive portal while static ARP is enabled?
I have an open AP, no security.
Captive portal IP is 192.168.2.254, connected to opt1.
DHCP range is 192.168.2.100-250.
Static IP range is 192.168.2.10-99.
My goal is to show the portal to unknown clients while denying unknown clients and keeping static ARP enabled.
Or is there another way with firewall rules?
If you have static ARP enabled, then it is not possible for any "unknown" client to talk to the firewall at all. It will only talk to the IPs you entered as DHCP mappings and only if those specific IP:MAC pairings match.
If you disable static ARP, and add your "good" MACs to the captive portal bypass list, then they would go through without getting prompted to log in to the portal. Other devices would pull IPs and get the portal login.
Is there a way that it will never give an IP to those clients that are unable to authenticate or are not in the list of good MACs?
You're asking for the impossible.
In order to get to the portal to authenticate, they need an IP address. You can't both show them the portal and deny them an IP address.
Thanks for that. I was just thinking that if there are clients that are not authorized to log in and were able to get an IP address, this will result in IP lease loss due to the number of clients trying to connect to the portal.
If you have enough people attempting to connect to your APs that you run out of leases, then you need to set up better security on your APs (as I mentioned in the other thread you started).
That level of protection is done at Layer 2 (AP or switch) not at the firewall.
Thanks for the reply, now I'm enlightened… ^_^