Netgate Discussion Forum
    Firewall Rules and Captive Portal
    kdesktop

      Hi.

      Is there an easy, fast and efficient way to apply this Firewall Rule for this local group created and authenticated by pfSense Captive Portal?

      What I need is: if a user from group "Fix Department" logs in, the rule is applied and Facebook is blocked; otherwise, if a user from group "Admin" logs in, the rule is ignored.

      EDIT: pfSense 2.1 - Squid - Captive Portal with pfSense local group users

      Tnx

      simone

        Hi,
        I'm interested in this argument too.
        Has the thread been redirected?

        Simo

        Gertjan

          @simone:

          Hi,
          I'm interested in this argument too.
          Has the thread been redirected?

          Simo

          Since 2014?
          This thread has died silently.

          Btw: it is impossible to consult some sort of "database with all users that are members of a group" so that a firewall rule can apply, or not.
          What do you think happens when you attach this rule on a 1 Gbit network? The workload would be... what is bigger than huge multiplied by enormous?
          And how should a firewall know, when it looks at an IP packet that comes in, that it belongs to user "Freddo", member of that group? All it sees is the source IP, MAC, some sequence info, packet type and the state. And that's it.

          But, of course, the solution has been found for many years already.
          You just discovered one of the reasons why a captive portal should not be activated on the LAN interface; it should be used on a dedicated interface (NIC), with its own firewall rules.

          No "help me" PMs please. Use the forum, the community will thank you.
          Edit: and where are the logs??
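The point above, that a firewall matches on addresses and never on usernames, is what any "per-group" rule has to work around: something must translate the users who are currently logged in into a table of their addresses, and the rule then matches that table. The following is an added example written for this thread, not code from the forum, from pfSense or from Netgate. It joins a constructed group-membership list with a constructed list of active captive-portal sessions (the real pfSense session store has its own layout, which is not assumed here) and prints the pfctl(8) command that would load the result into a pf table; the rule shape in the comment is hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# The firewall matches on addresses, not on usernames, so a per-group rule has
# to be fed a table of the addresses currently held by that group's users.
# This joins a CONSTRUCTED group-membership list with a CONSTRUCTED list of
# active captive-portal sessions; only the "ip user" shape of the session
# input is assumed, not any real pfSense file format.

# Constructed membership, one "user:group" per line (group names may contain spaces).
MEMBERSHIP='freddo:Fix Department
alice:Admin
bob:Fix Department
carol:Admin'

# Constructed active sessions, one "ip user" per line. carol is not logged in;
# dave has a session but is in no group and must never end up in a table.
SESSIONS='192.0.2.10 freddo
192.0.2.11 alice
192.0.2.12 bob
192.0.2.13 dave'

# ips_for_group GROUP: prints, sorted and unique, the session IPs of users in GROUP.
ips_for_group() {
    {
        printf '%s\n' "$MEMBERSHIP" | sed 's/^/M /'
        printf '%s\n' "$SESSIONS"   | sed 's/^/S /'
    } | awk -v g="$1" '
        # membership lines come first, so member[] is complete before sessions
        $1 == "M" { split(substr($0, 3), f, ":"); if (f[2] == g) member[f[1]] = 1 }
        $1 == "S" { if ($3 in member) print $2 }
    ' | sort -u
}

# table_cmd GROUP TABLE: prints the pfctl(8) command that would load those
# addresses into a pf table named TABLE (printed, not executed, so the script
# is safe to run anywhere). A hypothetical rule such as
#   block out quick from <fix_department> to <facebook_ips>
# then applies only to the members of that group who are logged in.
table_cmd() {
    ips="$(ips_for_group "$1" | tr '\n' ' ' | sed 's/ $//')"
    if [ -n "$ips" ]; then
        printf 'pfctl -t %s -T replace %s\n' "$2" "$ips"
    else
        printf 'pfctl -t %s -T flush\n' "$2"
    fi
}

table_cmd 'Fix Department' fix_department
table_cmd 'Admin' admins
```

Re-running the script whenever sessions change (on login and logout) keeps the table in step with who is actually connected; a user that appears in no group, like dave above, is deliberately left out of every table.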

          simone

            Hi,
            thank you for your reply.
            I got used to these concepts by working with Palo Alto appliances:

            https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id

            and in my opinion, even if it is resource-consuming, it is a good thing to have.

            I haven't done anything yet through the CLI, so is it not possible to do a user-mapping script (maybe involving AD and doing some session caching)?

            Thanks a lot,
            best regards,

            Simone

            lindsay

              Well, it is doable (ident and more groups).
              Just install an ident client on the clients, and configure e2guardian.
              I find it more difficult to set up on pfSense than in Smoothwall, but I guess it is only a matter of time.

              Fiberline 500/500Mbps
              Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

              Gertjan

                @simone:

                ….
                    https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id
                ....

                So, before accessing your network that supports this User-ID, the user should have this User-ID ….

                I guess I place my bets on an alias that lists all Facebook IPs (IPv4 at least, and with IPv6 at best) - a list that would refresh every xx hours or so. Just some script file and the cron package.

                Or, this one: https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158 - I'm sure it could block all DNS resolving easily by returning 127.0.0.1 or ::1 if a "facebook.com" passes by.

                No "help me" PMs please. Use the forum, the community will thank you.
                Edit: and where are the logs??
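The two approaches in the post above, an address alias refreshed from DNS and a resolver that answers "facebook.com" with a loopback address, as an added example written for this thread (not code from the forum, from pfSense or from Netgate). The DNS answers are constructed samples in the output format of host(1) so the script runs offline; on a live box the same filter would be fed real lookups. The Unbound `local-zone ... redirect` / `local-data` syntax is Unbound's own; the cron path in the comment is hypothetical, and the assumption that a pfSense "URL Table (IPs)" alias fetches a plain one-address-per-line file is stated as such.

```sh
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Two pieces for the two approaches in the post above:
#  1. extract_ips: turn DNS lookup output into a one-address-per-line list,
#     the shape a pfSense "URL Table (IPs)" alias fetches (assumption);
#  2. unbound_redirect_conf: emit an Unbound "redirect" local-zone so the
#     named domains, and every name under them, resolve to 127.0.0.1 / ::1.
# SAMPLE_ANSWERS is a CONSTRUCTED sample in host(1) output format, using
# documentation address ranges, so that everything below runs offline.

SAMPLE_ANSWERS='facebook.com has address 198.51.100.35
facebook.com has address 198.51.100.36
facebook.com has IPv6 address 2001:db8:f00d::35
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 198.51.100.35
facebook.com mail is handled by 10 smtpin.vvv.facebook.com.'

# extract_ips: reads host(1)-style lines on stdin and prints the unique A and
# AAAA addresses, one per line. CNAME ("is an alias for") and MX lines are
# ignored on purpose; duplicates collapse so the alias file stays minimal.
extract_ips() {
    awk '
        $2 == "has" && $3 == "address"                 { print $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }
    ' | sort -u
}

# unbound_redirect_conf DOMAIN...: prints Unbound config that answers each
# domain and all of its subdomains from local data with loopback addresses,
# which is the "return 127.0.0.1 or ::1" idea from the post.
unbound_redirect_conf() {
    for d in "$@"; do
        printf 'local-zone: "%s" redirect\n' "$d"
        printf 'local-data: "%s A 127.0.0.1"\n' "$d"
        printf 'local-data: "%s AAAA ::1"\n' "$d"
    done
}

# build_alias_file OUTFILE: writes the address list to OUTFILE. A URL Table
# alias on the firewall then points at wherever OUTFILE is served from.
# Under cron the sample would be replaced by real lookups, for example
#   0 */6 * * *  /usr/local/bin/update_fb_alias.sh     (hypothetical path)
# to refresh the list every six hours, as the post suggests.
build_alias_file() {
    printf '%s\n' "$SAMPLE_ANSWERS" | extract_ips > "$1"
}

# Demonstration
printf '%s\n' "$SAMPLE_ANSWERS" | extract_ips
unbound_redirect_conf facebook.com fbcdn.net
```

The two mechanisms fail differently: the alias only blocks addresses that were resolvable when the list was last refreshed, so a stale list lets new addresses through, while the resolver redirect only works for clients that actually use the firewall's resolver, so outbound port 53 and DNS-over-HTTPS to other resolvers need their own rules.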

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.