Schedules breaks captive portal?
-
Apologize if I have posted this in the wrong section…
I have been using pfsense for the last 8/9 months, it runs on a Dell Dimension 2350 2Ghz, 1 GB Ram with 3 Lan and 1 Wlan interfaces, this box deals with fw'ing for both my personal network as well as a small hotspot. I am always upgrading to the latest snapshot whenever one becomes available - current installed build 1.2-RC2 built on Sat Oct 6 17:11:24 EDT 2007.
skype wireless phone, HTC Tornado phone/pda
l
l l
<wlan iface-192.168.30.1="">l
xx.xx.xx.17 xx.xx.xx.18 l
internet-netgear dg834gt-<wan iface-pfsense-lan="" iface="">-192.168.10.1>--gigaswitch--Lan pc's, sip, nas etc
modem in bridge mode l
l
<dmz iface-192.168.20.1=""><captiveportal>l
l
Linksys WRT54GL (AP1)- AP+WDS mode - transparent bridge
l l
l l___
l l___ wireless clients (avg 5 users)
WDS Link across street
l
l
Linksys WRT54GL (AP2)- WDS mode - transparent bridge
l
l
wireless clients (avg 10 users)This setup works perfectly, each client gets an IP from the pfsense box and I have "Disable concurrent logins" ticked in the captival portal tab for the Dmz iface.
Now I wanted to tweak my network even more, firstly I wanted to limit P2P, I've used snort but sadly that only blocks incomming, I've used traffic shaper and lowered P2P traffic to 10Kbps and even less on trial, this sadly reduces legit sip/voip clients voice quality dramatically.
So I thought the more logical way to do this is grab a list of bittorent, emule etc servers and create a alias called P2P and dump all servers in that alias. I then created a new fw rule on Dmz to ( block ) (source - DMZ) (port - *) (destination - P2P) (port - *) (gateway - *). This works perfectly from what I can tell in fw logs & NTOP....NOW the problem begins when I want to create a schedule, what I wanted to do was allow wireless clients to be able to use P2P at times specified i.e 12am - 7am daily.
So I created a schedule >> Name Time Range(s) Description
P2PBLOCK Mon - Sun 7:00-23:59and then I edited the fw rule to include schedule >>
( block ) (source - DMZ) (port - *) (destination - P2P) (port - *) (gateway - *) (schedule - P2PBLOCK)
I rebooted the firewall and connected to one of the 2 AP's, I was then able to browse the internet without authenticating at all, if I remove the schedule for the rule, it works fine, I am presented with the captival portal login page, with schedule enabled is bypasses it completly.
I've had a look at /status.php and I noticed this
Configuring firewall... ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging disabled ipfw: rule 2: setsockopt(IP_FW_DEL) : Invalid argument ipfw: rule 3: setsockopt(IP_FW_DEL) : Invalid argument .
I also have tried changing the rule so it sits as a WAN fw rule, but still the same thing
So I guess my question is, do I have the concept of how the schedule works wrong or am I going about this the wrong way, is it a bug or isnt schedule & CP compatible or known issue :) ?
pfsense 1.2-RC2 built on Sat Oct 6 17:11:24 EDT 2007
installed software:
NTOP
Snort
IMSpectorI've also tested on a spare box and tried to replicate the hardware and ap's as I have on my production setup, I get the same problem.
Sorry for the long ass message and messed up ascii diagram ;D
Slam
EDIT: Some more testing w/out the schedule enabled in the P2P blocking rule, if i add more ip's to the list of aliases, this also kills off authentication of CP and wireless clients can browse freely, so I think more likely than not, my config or approach is screwed up!</captiveportal></dmz></wan></wlan>
-
I have tested the schedules with the very last 1.2rc2 build yesterday. It works as it should if you have all of the necessary cron items in your config.xml. But i cannot say if the captive portal breaks the schedules, i didn´t work with the captive portal.
Greeting
Heiko -
Hello, it seems I have the nessesary cron's in my config.xml
<cron><minute>0</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 newsyslog <minute>1,31</minute> <hour>0-5</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 adjkerntz -a <minute>1</minute> <hour>*</hour> <mday>1</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout <minute>1</minute> <hour>1</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c <minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/local/bin/checkreload.sh <minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/etc/ping_hosts.sh <minute>*/140</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/local/sbin/reset_slbd.sh</cron>
If anyone has had success with the same setup as me, could you please let me if its working for you, then I can check my setup again and make sure I havent overlooked anything.
Thanks
Slam
-
Hm, where it is…
<minute>0,15,30,45</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/etc/rc.filter_configure_sync -
Hm, where it is…
<minute>0,15,30,45</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/etc/rc.filter_configure_syncI guess it never got added when I upgrade to latest snapshots, I've added those particular lines to my config.xml and skimmed through the default config.xml just to make sure nothing else didnt make it during upgrade.
I still have no luck with what I want to achieve, the firewall keeps killing off any rules that make users authenticate via captive portal, when either a) I add more IP's to aliases or b) when I set a schedule to the fw rule.
I think its time I did a complete clean install (again) and this time start my config from scratch in case I've picked up something bad importing my backup config, if the problem persists I'll report back, hopefully someone call tell me if I am doing this all wrong.
Thanks Heiko
Slam
-
Schedule rules are different from other rules, which use pf. Schedule rules use ipfw, as does the captive portal. There is some sort of issue with interoperability between schedules and CP. I think it's just that you can't block the ports CP requires (8000/8001) using schedule rules or CP will not function. All other rules do not affect CP. But I haven't had time to fully quantify the issue yet.
-
Ah, nice to know.