    Problems in CP after update to 2.0.2

    Captive Portal
    • K
      kolomalo last edited by

      Hello. I'll try to explain my problem.

      These are my networks:

      10.1.0.0/16  Central with some servers
      10.2.0.0/16
      10.3.0.0/16
      10.4.0.0/16

      On 10.1 and 10.3 I have CP enabled to control internet use, but to allow traffic from/to all my subnets I create IP rules on "allowed ip addresses" (on the 10.3 site, like: "both 10.1.0.0/16").

      These rules have always worked for me, but since the update to 2.0.2 they stopped working and I need to manually enter the host server on "allowed hostnames". With this I open internet to that server, and I don't want this (without auth).

      I've used gitsync, and the problem is still here.

      Is this a bug?
      How can I restrict internet access without affecting my subnets' traffic?

      Thanks.

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Having those IPs in the list for 'both' should allow any IP in those subnets access through the portal without authentication, which may not be what you wanted. You probably just want to list those as 'to' (destination) and not 'both'.

        Either way, post the output of "ipfw show" and a screenshot of the Allowed IP Addresses tab and it might help spot the issue.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          Oh and the output of "ipfw table all list" too.

          • K
            kolomalo last edited by

            @jimp:

            Having those IPs in the list for 'both' should allow any IP in those subnets access through the portal without authentication, which may not be what you wanted. You probably just want to list those as 'to' (destination) and not 'both'.

            Either way, post the output of "ipfw show" and a screenshot of the Allowed IP Addresses tab and it might help spot the issue.

            Hi jimp, thanks for the answer.

            Mmm, with this config everything worked OK for me: users have to authenticate on the portal to go to the internet, but traffic on the subnets is OK, without needing to authenticate. But what you say makes sense. I'll change this and run the commands.

            I'll come back

            • K
              kolomalo last edited by

              ipfw show
              ipfw: getsockopt(IP_FW_GET): Protocol not available

              ????

              ipfw table all list
              ipfw: Warn: Failed to get the max tables number via sysctl. Using the compiled in defaults.
              The reason was: No such file or directory
              ipfw: getsockopt(IP_FW_TABLE_GETSIZE): Protocol not available

              ??? Maybe I need to reinstall…

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                It will show that way if CP is disabled.

                Enable CP, reproduce the problem, then run the commands, and then you can disable CP again.

                • K
                  kolomalo last edited by

                  @jimp:

                  It will show that way if CP is disabled.

                  Enable CP, reproduce the problem, then run the commands, and then you can disable CP again.

                  Okidoki!

                  ipfw show

                  65291    0      0 allow pfsync from any to any
                  65292    0      0 allow carp from any to any
                  65301  161  7298 allow ip from any to any layer2 mac-type 0x0806
                  65302    0      0 allow ip from any to any layer2 mac-type 0x888e
                  65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
                  65304    0      0 allow ip from any to any layer2 mac-type 0x8863
                  65305    0      0 allow ip from any to any layer2 mac-type 0x8864
                  65307    5    340 deny ip from any to any layer2 not mac-type 0x0800
                  65310 1665 208814 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
                  65311 1495 687305 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
                  65312    0      0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
                  65313    0      0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
                  65314  407  43341 allow ip from table(3) to any in
                  65315  380  54319 allow ip from any to table(4) out
                  65316    0      0 pipe tablearg ip from table(5) to any in
                  65317    0      0 pipe tablearg ip from any to table(6) out
                  65318    3    176 allow ip from any to table(7) in
                  65319    0      0 allow ip from table(8) to any out
                  65320    0      0 pipe tablearg ip from any to table(9) in
                  65321    0      0 pipe tablearg ip from table(10) to any out
                  65322  302  54529 allow ip from table(1) to any in
                  65323  406 430771 allow ip from any to table(2) out
                  65531 1677 323817 fwd 127.0.0.1,8000 tcp from any to any in
                  65532 1605 288120 allow tcp from any to any out
                  65533  24  1722 deny ip from any to any
                  65534    0      0 allow ip from any to any layer2
                  65535    0      0 allow ip from any to any

                  clear

                  ipfw show

                  65291    0      0 allow pfsync from any to any
                  65292    0      0 allow carp from any to any
                  65301  220  10012 allow ip from any to any layer2 mac-type 0x0806
                  65302    0      0 allow ip from any to any layer2 mac-type 0x888e
                  65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
                  65304    0      0 allow ip from any to any layer2 mac-type 0x8863
                  65305    0      0 allow ip from any to any layer2 mac-type 0x8864
                  65307    6    408 deny ip from any to any layer2 not mac-type 0x0800
                  65310 1716 212566 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
                  65311 1594 695797 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
                  65312    0      0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
                  65313    0      0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
                  65314  528  78883 allow ip from table(3) to any in
                  65315  500  66927 allow ip from any to table(4) out
                  65316    0      0 pipe tablearg ip from table(5) to any in
                  65317    0      0 pipe tablearg ip from any to table(6) out
                  65318  17    828 allow ip from any to table(7) in
                  65319    6    264 allow ip from table(8) to any out
                  65320    0      0 pipe tablearg ip from any to table(9) in
                  65321    0      0 pipe tablearg ip from table(10) to any out
                  65322  460  74395 allow ip from table(1) to any in
                  65323  627 682329 allow ip from any to table(2) out
                  65531 1746 327682 fwd 127.0.0.1,8000 tcp from any to any in
                  65532 1659 293691 allow tcp from any to any out
                  65533  29  2062 deny ip from any to any
                  65534    0      0 allow ip from any to any layer2
                  65535    0      0 allow ip from any to any

                  ipfw table all list

                  ---table(1)---
                  10.1.0.11/32 mac 00:16:35:67:e3:40 0 610 112786
                  10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 150 16522
                  ---table(2)---
                  10.1.0.11/32 mac 00:16:35:67:e3:40 0 790 800053
                  10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 260 354300
                  ---table(3)---
                  10.1.0.20/32 0 39 10934
                  10.1.0.60/32 0 0 0
                  10.1.0.79/32 0 0 0
                  10.1.0.221/32 0 18 1116
                  10.1.0.222/32 0 0 0
                  10.1.0.230/32 0 0 0
                  10.1.0.234/32 0 0 0
                  10.1.10.1/32 0 39 2972
                  10.1.10.2/32 0 3 321
                  10.1.10.9/32 0 0 0
                  10.1.10.11/32 0 654 181556
                  10.1.10.12/32 0 0 0
                  10.1.10.15/32 0 2 82
                  10.1.10.17/32 0 12 920
                  10.1.10.101/32 0 0 0
                  10.1.10.102/32 0 0 0
                  10.1.10.103/32 0 0 0
                  10.1.10.104/32 0 0 0
                  ---table(4)---
                  10.1.0.20/32 0 41 5836
                  10.1.0.60/32 0 0 0
                  10.1.0.79/32 0 0 0
                  10.1.0.221/32 0 18 1116
                  10.1.0.222/32 0 0 0
                  10.1.0.230/32 0 0 0
                  10.1.0.234/32 0 0 0
                  10.1.10.1/32 0 39 5355
                  10.1.10.2/32 0 0 0
                  10.1.10.9/32 0 0 0
                  10.1.10.11/32 0 576 68815
                  10.1.10.12/32 0 0 0
                  10.1.10.15/32 0 2 80
                  10.1.10.17/32 0 10 926
                  10.1.10.101/32 0 0 0
                  10.1.10.102/32 0 0 0
                  10.1.10.103/32 0 0 0
                  10.1.10.104/32 0 0 0
                  ---table(7)---
                  10.1.0.20/32 0 0 0
                  10.1.0.60/32 0 0 0
                  10.1.0.79/32 0 0 0
                  10.1.10.1/32 0 0 0
                  10.1.10.2/32 0 0 0
                  10.1.10.11/32 0 0 0
                  10.1.10.12/32 0 0 0
                  10.1.10.15/32 0 0 0
                  10.1.10.17/32 0 0 0
                  10.2.0.0/16 0 0 0
                  10.3.0.0/16 0 8 368
                  10.4.0.0/16 0 10 472
                  172.20.0.14/32 0 0 0
                  172.20.0.240/32 0 0 0
                  192.168.1.0/24 0 3 216
                  ---table(8)---
                  10.1.0.20/32 0 0 0
                  10.1.0.60/32 0 0 0
                  10.1.0.79/32 0 0 0
                  10.1.10.1/32 0 0 0
                  10.1.10.2/32 0 0 0
                  10.1.10.11/32 0 0 0
                  10.1.10.12/32 0 0 0
                  10.1.10.15/32 0 0 0
                  10.1.10.17/32 0 0 0
                  10.2.0.0/16 0 0 0
                  10.3.0.0/16 0 3 132
                  10.4.0.0/16 0 3 132
                  172.20.0.14/32 0 0 0
                  172.20.0.240/32 0 0 0
                  192.168.1.0/24 0 0 0

                  • K
                    kolomalo last edited by

                    See anything???

                    I'll try on 2.0.1…

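An added example (not part of any post in the thread, and not pfSense code): it joins `ipfw show` rules with `ipfw table all list` entries to show which tables the inbound allow rules match by source and which by destination, then lists the entries wider than a single host for either role. It assumes `in` rules see traffic arriving from portal clients; `RULES` and `TABLES` are excerpts of the output posted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Excerpts of the `ipfw show` / `ipfw table all list` output posted in the thread.
RULES = """\
65314  528  78883 allow ip from table(3) to any in
65315  500  66927 allow ip from any to table(4) out
65318   17    828 allow ip from any to table(7) in
"""
TABLES = """\
---table(3)---
10.1.0.20/32 0 39 10934
---table(7)---
10.1.0.20/32 0 0 0
10.3.0.0/16 0 8 368
192.168.1.0/24 0 3 216
"""
RULE_RE = re.compile(r"\s*\d+\s+\d+\s+\d+\s+allow ip from (\S+) to (\S+) in\s*")
TABLE_REF = re.compile(r"table\((\d+)\)")

def table_roles(rules_text):
    """Map table number -> how inbound ('in') allow rules match it."""
    roles = {}
    for m in filter(None, map(RULE_RE.fullmatch, rules_text.splitlines())):
        for field, role in zip(m.groups(), ("source", "destination")):
            ref = TABLE_REF.fullmatch(field)
            if ref:
                roles[int(ref.group(1))] = role
    return roles

def parse_tables(tables_text):
    """Parse `ipfw table all list` output into {table number: [networks]}."""
    tables, current = {}, None
    for line in map(str.strip, tables_text.splitlines()):
        header = re.fullmatch(r"-+table\((\d+)\)-+", line)
        if header:
            current = int(header.group(1))
            tables[current] = []
        elif line and current is not None:
            tables[current].append(ipaddress.ip_network(line.split()[0]))
    return tables

def subnet_entries(rules_text, tables_text, role):
    """List (table, prefix) entries wider than one host in tables used as `role`."""
    roles = table_roles(rules_text)
    return [(num, str(net))
            for num, nets in sorted(parse_tables(tables_text).items())
            for net in nets
            if roles.get(num) == role and net.prefixlen < net.max_prefixlen]
```

On this excerpt, `subnet_entries(RULES, TABLES, "source")` is empty and the subnet prefixes show up only under `"destination"`.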