Strategy for expiring a PASS-THROUGH MAC?
I had a thread going on this, but since no one joined in, I thought that I might start a new one with a proposed strategy based on what I've learned so far. Please forgive me if this post is obtuse to your way of thinking, I have very little time for any single task associated with running this WISP. Therefore I tend to latch on to patch up solutions until I have the opportunity to refine them.
There are two main things at play with pass-thru MACs: the firewall state (ipfw) and the config.xml file (along with the associated config.cache). At least, so far as I've been able to discover with limited time. Experimentation has shown me that it's easy to change the firewall state with the ipfw command without ill effects to the pfSense box (provided it's done correctly, of course). The more knotty issue is the config.xml file. Changing this file does NOT change the captive portal state. To do that you need to reload the config.cache. A little reading on here has indicated that some people get into trouble trying to do that on the fly. Therefore it SEEMS necessary to reboot the system after changing the file (obviously this is not really true, but I haven't had time to dig into the code to find the modalities used to reload the captive portal without completely disconnecting everyone logged in using pincodes and what have you).
So in order to automatically expire a pass-thru MAC WITHOUT restarting the captive portal, you can do the following:
Set up a script which will read a flat text file (or whatever information source you deem appropriate) to learn which MACs are coming due for expiration. Have this script run in a crontab. It will execute an ipfw command at the appropriate time to shut off access to the MAC address(es) in question.
Either extend the above script, or set up a new one (my preference, since I can hook it into a customer service interface that way more easily) to edit the lines out of the config.xml file which pertain to the mac address. For example:
Can be located and deleted by the second script. Then just reboot the machine in the middle of the night, or whenever the fewest people will be inconvenienced.
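The two steps above (read an expiry list from a flat file, cut the MAC off with ipfw, then strip its entry from config.xml) written out as one script. This is an added example, not code from the original post or from pfSense. It assumes an expiry file with one "MAC YYYY-MM-DDTHH:MM" line per customer, assumes the config.xml layout is `<captiveportal><passthrumac><mac>...</mac>...</passthrumac></captiveportal>`, and leaves the exact ipfw invocation as an operator-supplied template because the post does not give the rule numbers in use; the sample file and sample config below are constructed for the demonstration.

```python
"""Expire captive-portal pass-through MACs (added example, not pfSense code).

Assumptions not taken from the post:
  * expiry file lines look like "00:11:22:33:44:55 2024-01-10T00:00" (# comments allowed)
  * config.xml keeps entries as <captiveportal><passthrumac><mac>..</mac></passthrumac>
  * the ipfw command is given as a template with a {mac} placeholder
"""
import os
import re
import shlex
import shutil
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime

# Strict MAC check: anything that reaches an ipfw argv must match this.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form so file, config and ipfw all agree."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def expired_macs(expiry_text, now):
    """Return normalized MACs whose expiry stamp is at or before `now`."""
    due = []
    for raw in expiry_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac, stamp = line.split()
        if datetime.strptime(stamp, "%Y-%m-%dT%H:%M") <= now:
            due.append(normalize_mac(mac))
    return due


def ipfw_shutoff_argv(mac, template="ipfw {mac}"):
    """Build the ipfw argv for one MAC. The template is operator-supplied
    (placeholder here); shlex keeps each token a separate argument, and the
    MAC is validated first so nothing but a real address is substituted."""
    mac = normalize_mac(mac)
    return [tok.replace("{mac}", mac) for tok in shlex.split(template)]


def remove_passthru_entries(config_xml, macs):
    """Drop <passthrumac> elements whose <mac> is in `macs`.
    Returns (new xml text, number of entries removed)."""
    root = ET.fromstring(config_xml)
    wanted = {normalize_mac(m) for m in macs}
    removed = 0
    for cp in root.iter("captiveportal"):
        for entry in list(cp.findall("passthrumac")):
            mac_el = entry.find("mac")
            if mac_el is not None and mac_el.text and normalize_mac(mac_el.text) in wanted:
                cp.remove(entry)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def write_config(path, text):
    """Keep a .bak copy and replace the file atomically, so a crash mid-write
    never leaves a truncated config.xml for the next reboot to load."""
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


def expire(expiry_path, config_path, now=None, ipfw_template="ipfw {mac}", dry_run=True):
    """Full run: find due MACs, shut each off via ipfw, then prune config.xml."""
    now = now or datetime.now()
    with open(expiry_path) as fh:
        due = expired_macs(fh.read(), now)
    for mac in due:
        argv = ipfw_shutoff_argv(mac, ipfw_template)
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)  # argv list: no shell, no quoting issues
    with open(config_path) as fh:
        new_xml, removed = remove_passthru_entries(fh.read(), due)
    if removed and not dry_run:
        write_config(config_path, new_xml)
    return due, removed


if __name__ == "__main__":
    # Constructed sample run; paths are placeholders.
    expire("/root/passthru-expiry.txt", "/conf/config.xml", dry_run=True)
```

Run it from cron with `dry_run=False` once the ipfw template matches the rules your portal actually installs; the config.xml edit only takes effect after the reboot the post describes, but the ipfw step cuts the customer off immediately.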
Anyway, if anyone has an easier approach to this (keeping in mind that the solution needs to fit the needs of a growing business) please chime in. I'm all ears. :D