Is there a "CP for DumME Guide"?



  • I have been banging away with a Watchguard 700 and pfSense 2.2. So far everything is rock solid, so time to move on. I have placed Ubiquiti Bullets all through a RV Park, and need to setup up a hotspot for the users. In my mind, I want to provide a login page allowing a person to enter in their lot space (for instance, 07) and then plug in a voucher that will work either for one day, 7 days or 30 days (I just figured I would print out batches for the duration), and away they go.

    From an administrative way, I thought that by the person logging in, that would create a dhcp entry (helped with a nice little php script) and allow me to better monitor. I thought I would follow the guides, but after I created a zone, people were still able to access the AP without going through the CP. Also, I have been trying to understand how to allow certain machines to be exempted from having to even log in through the CP (specifically, my alias for my admin machines).

    Would anyone give a little guidance on how to get this properly working?

    Thanks!



  • @kcallis:

    after I created a zone, people were still able to access the AP without going through the CP.

    Also, I have been trying to understand how to allow certain machines to be exempted from having to even log in through the CP (specifically, my alias for my admin machines).

    Having access to your accespoint has nothing to do with a CP. If you want users to use login credentials you have access to your network you should use enterprise authentication on your AP.

    For excluding your administrative hosts from the CP insert them under the Allow IP adress tab.



  • @EMWEE:

    @kcallis:

    after I created a zone, people were still able to access the AP without going through the CP.

    Also, I have been trying to understand how to allow certain machines to be exempted from having to even log in through the CP (specifically, my alias for my admin machines).

    Having access to your accespoint has nothing to do with a CP. If you want users to use login credentials you have access to your network you should use enterprise authentication on your AP.

    For excluding your administrative hosts from the CP insert them under the Allow IP adress tab.

    I have WPA2 for the access points. As it stands right now, a person comes to the office and we give them the WPA2 passphrase. What I am trying to have in place is that when the person comes to the office and pay what ever fee, they will receive a card that has the WPA2 passphrase along with the voucher token.


  • LAYER 8 Netgate

    Is your access point an access point or is it a router?  CP works by passing MAC addresses, IP addresses, or MAC/IP Address pair.  If all your wi-fi clients are behind a NAT router, the first one to log in lets them all in.  If it's a router without NAT the portal cannot see the MAC addresses of the various clients so you have to use IP address only.



  • I ran across several youtube videos and for a moment, things looked like it was working well. I have a Ubiquiti Bullet 2HP that is connected to my Watchguard X700. On the Bullet, I have DNS pointed to the Watchguard and before setting DNS Forwarder. Since I have moved over to 2.2.1, I guess I am now doing DNS Resolver.

    So I did a CP Zone and then setup vouchers as well. The first time I logged in with username, and once I was authenticated, it looked like everything was good to go. The first problem that I ran into was the fact that I could no longer access the net and would timeout. I restarted my computer and attempted to connect the the AP again. This time, I would not get to the homepage, but would just time out. The first time, although I was connected to the AP with my tablet, it would tell me to connect to the hotspot, but that only worked the first time. Finally, I had to delete the Zone. So where am I going wrong with my setup?



  • Hi.

    Let me guess : you are "doing CP on LAN instead of OPT1" ?

    I have no 'passphrase' for my AP (all in bridge mode of course) - CP authenticate is being done by forcing https on pfSense (CP) with valid certificats.
    AP's run with a minimal setup. Easy to maintain. Internal firewall rules in each AP forbid remote admining, excdept when the source IP is from LAN.
    All my AP's (mostly DD-WRT) use a startup script :

    #!/bin/ash
    insmod ebtables
    insmod ebtable_filter
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
    ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
    ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
    ebtables -t filter -A FORWARD -j DROP
    

    Note "00:0f:b5:fe:4e:e7" is the MAC of my OPT1 pfsense captive Portal NIC - this enforces that clients can only connect to the gateway, NO OTHER SHARING is permitted. Of course, AP Isolation is activated.

    My CP setup is pretty simple. This ensure me that I have a system that rocks …

    Remember : guest, clients, strangers, what ever, its a good thing to give them an Internet access, but never ever let them on your LAN.



  • My AP is on the OPT1 interface. All of the clients get their address from the OPT1 interface.



  • Maybe my issue is with the DNS resolver??? I have my access point using DNS on the pfSense machine. Under the DNS Servers in the OPT1 DHCP server, I have left the DNS servers blank, and under General Setup, I have the google servers listed? What is suppose to be the proper setup? Since moving into using DNS Resolver, I think I have screwed everything up…


  • Banned

    Point the DHCP clients to the pfSense box for DNS.



  • That is what I have in play. The clients are getting their address from the pfSense, so I am assuming that I have things incorrect on the pfSense.


  • Banned

    You just told us above that "Under the DNS Servers in the OPT1 DHCP server, I have left the DNS servers blank". Point the clients explicitly to the interface address of the captive portal. Don't leave things blank. Pointing people to Google DNS (which is not whitelisted in the portal) via some heuristics black magic behind the scenes will NOT work.



  • May be I am not being clear.  From the Bullet stand point, the AP uses dhcp relay for the clients to get address from pfSense. The Bullet's DNS servers (or actually server) is pointed to 192.168.100.1 (both gateway as well as DNS/DHCP).

    [

    ![Bullet Bridge.png](/public/imported_attachments/1/Bullet Bridge.png)
    ![Bullet Bridge.png_thumb](/public/imported_attachments/1/Bullet Bridge.png_thumb)
    ![DHCP Wifi server.png](/public/imported_attachments/1/DHCP Wifi server.png)
    ![DHCP Wifi server.png_thumb](/public/imported_attachments/1/DHCP Wifi server.png_thumb)
    ![DNS Resolver.png](/public/imported_attachments/1/DNS Resolver.png)
    ![DNS Resolver.png_thumb](/public/imported_attachments/1/DNS Resolver.png_thumb)
    ![General Setup.png](/public/imported_attachments/1/General Setup.png)
    ![General Setup.png_thumb](/public/imported_attachments/1/General Setup.png_thumb)


  • Banned

    1/ For the last time, since I already pointed that out twice and it's getting a bit ridiculous. Do NOT leave the DNS Servers in WiFi's DHCP configuration blank. Point the clients explicitly to 192.168.100.1.
    2/ Your Outgoing Network Interfaces configuration for the DNS resolver is completely wrong. You will get no resolution whatsoever via the internal interfaces. Leave that at All.



  • Thank you for the last time! I forgot to apply the changes and so I never did I get have that change working… As for the DNS Resolver, I have both the Outgoing and Ingoing all set as ALL... Or am I missing something else?

    ![DNS Resolver.png](/public/imported_attachments/1/DNS Resolver.png)
    ![DNS Resolver.png_thumb](/public/imported_attachments/1/DNS Resolver.png_thumb)


  • LAYER 8 Netgate

    @kcallis:

    May be I am not being clear.  From the Bullet stand point, the AP uses dhcp relay for the clients to get address from pfSense. The Bullet's DNS servers (or actually server) is pointed to 192.168.100.1 (both gateway as well as DNS/DHCP).

    This makes zero sense.  If your bullet is in bridge mode there is absolutely no reason to use a dhcp relay.  That function is to get across layer 3/broadcast domain boundaries and pfSense DHCP doesn't even support it yet.  A layer 2 device will not gave a gateway.  Or at least if it does it's only for access to the AP interface itself, and will have nothing to do with client traffic.

    It also makes no difference what the bullet is using for DNS.  That will only impact what the BULLET ITSELF uses to resolve names, unless you have everything set layer 3 and your clients are really using the bullet to resolve names, which would be wrong.

    Put EVERYTHING you want to go to the clients on the pfSense DHCP server.  If your clients are using something else for a DHCP server you're doing it wrong.



  • After doing all sorts of things, it would seem that all that I needed to do was make a rule allowing UDP port 53 on the OPT1 and everything became mellow. I am not sure why I would have to do a rule on the OPT1 but not on the LAN, but it is working.


Log in to reply