Netgate Discussion Forum

How does CP block internet access?

  • R
    rovshango
    last edited by May 5, 2015, 5:10 AM

    Dear pfSense users, admins and all,

    I am using pfSense and I love it.
    Here is my scenario:
    We have a custom designed and developed CP landing page which asks for specific credentials (which are being provided by SMS). After a successful login the user can access the Internet for 60 min, as the set limit. Firstly, I have to mention that the LAN port also provides IP addresses, as the DHCP server is on it.

    So my question is HOW DOES CP BLOCK USERS (SOURCE ADDRESS) FROM ACCESSING THE INTERNET UNLESS HE/SHE HAS SUCCESSFULLY LOGGED IN?

    Thank you all in advance.

    • G
      Gertjan
      last edited by May 5, 2015, 9:05 AM

      You should have a look at the ipfw rules.

      Go to SSH access.
      Enter

      ipfw zone list
      

      to get the 'context'(s) of your portal(s) - note: more than 1 portal can exist.
      Mine is

      2: sis0
      

      which is the interface (OPT1) on which I run the Portal (of course, I'm NOT using LAN for this)

      Now it's time to get the rules:

      ipfw -x 2 show
      

      All you need now is some basic understanding about what an "ipfw firewall" is.

      Basically:

      ...
      65318 2817852  553246341 pipe tablearg ip from table(1) to any in
      65319 2701090 2391214552 pipe tablearg ip from any to table(2) out
      ...
      

      All authenticated portal users are loaded into table 1 and 2 (their IP and MAC).

      If a portal user isn't authenticated, the portal user will hit one of these two rules:

      ...
      65531   32792    2594776 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
      65532   19579    1611232 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
      ...
      

      (== http and https and gets redirected to our portal page).

      If rule

      65534  102444    7525149 deny ip from any to any
      
      is reached, they hit the wall.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

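The rule order described in the answer above, as an added example that is not part of the original thread: a small first-match evaluator run over the quoted rule lines, showing which rule an authenticated or unauthenticated client hits. The client addresses and table contents are constructed, `pipe` is assumed to end evaluation, and the rules elided by `...` are not modelled.

```python
import re

# Rule lines as quoted in the answer above (excerpt of `ipfw -x 2 show`).
RULES_TEXT = """\
65318 2817852  553246341 pipe tablearg ip from table(1) to any in
65319 2701090 2391214552 pipe tablearg ip from any to table(2) out
65531   32792    2594776 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
65532   19579    1611232 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65534  102444    7525149 deny ip from any to any
"""

# Constructed sample data: one authenticated client present in both tables.
TABLES = {1: {"192.168.2.10"}, 2: {"192.168.2.10"}}

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>pipe tablearg|fwd \S+|deny)\s+"
    r"(?P<proto>\w+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: dst-port (?P<dport>\d+))?(?: (?P<dir>in|out))?$")

def parse_rules(text):
    """Parse only the rule forms shown above; any other line raises ValueError."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        rules.append(m.groupdict())
    return rules

def addr_matches(spec, ip):
    """'any' matches everything; table(N) matches members of TABLES[N]."""
    if spec == "any":
        return True
    m = re.fullmatch(r"table\((\d+)\)", spec)
    return bool(m) and ip in TABLES.get(int(m.group(1)), set())

def verdict(src, dst, proto, direction, dport=None):
    """Return (rule number, action) of the first match. Assumption: 'pipe' is terminal."""
    for r in parse_rules(RULES_TEXT):
        if (r["proto"] in ("ip", proto)
                and r["dir"] in (None, direction)
                and (r["dport"] is None or int(r["dport"]) == dport)
                and addr_matches(r["src"], src)
                and addr_matches(r["dst"], dst)):
            return int(r["num"]), r["action"]

if __name__ == "__main__":
    print(verdict("192.168.2.10", "198.51.100.7", "tcp", "in", 443))  # authenticated client
    print(verdict("192.168.2.99", "198.51.100.7", "tcp", "in", 80))   # unauthenticated client
```

Any address missing from tables 1 and 2 falls through to the `fwd` rules for TCP 80/443 and to the final `deny` for everything else.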
      • R
        rovshango
        last edited by May 5, 2015, 9:29 AM

        Hi,

        Thank you for detailed reply.
        I just have a problem with "ipfw zone list", it gives me this output:

        ipfw: Context is mandatory: No such file or directory
        
        • G
          Gertjan
          last edited by May 5, 2015, 9:55 AM

          @rovshango:

          I just have a problem with "ipfw zone list", it gives me this output:

          ipfw: Context is mandatory: No such file or directory
          

          When people are posting without mentioning their pfSense version, by default, we always talk about the latest stable version.
          So, mine is, of course, 2.2.2
          Yours isn't ... consequences are ... well ... beyond my imagination.

          Have a look at the pfSense manual : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting ;)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • R
            rovshango
            last edited by May 5, 2015, 9:57 AM

            Oh, I am so sorry. I should have mentioned it before. Mine is 2.1.5-RELEASE
            And I found the correct command.
