Netgate Discussion Forum
    Help with getting devices on different subnets to see each other

    Firewalling
    25 Posts 3 Posters 3.7k Views
    • Derelict LAYER 8 Netgate

      Well, you have a problem.  Captive portal has nothing to do with what the firewall will allow from OPT1 to LAN.  That traffic is still governed by the firewall rules on OPT1.

      Captive portal can make it easier to filter on MAC addresses, but MAC addresses can be spoofed so that adds no real security.

      The OPT1 firewall rules can filter on IP address, but anyone can just statically assign an IP address so that provides no real security.

      It sounds like you are trying to make OPT1 both a trusted and an untrusted network.  That simply cannot be.

      That said, allowing access to "certain hosts" and allowing access to those hosts with users who successfully authenticate to AD are two completely different things.

      If you can leave your Wi-Fi secured with WPA2 why would you make the network open?

      I am also unclear on what you're trying to accomplish.  First you talk about "locking down access from OPT1 to LAN" then talk about "connect through my internet connection."  What is it, exactly, precisely, in detail, that you're trying to do?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Derelict LAYER 8 Netgate
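      As an added illustration of the point above (not from this thread, and not pfSense's own generated ruleset), here is a pf rule list in the style pfSense writes for an OPT1 interface: access from OPT1 to LAN is decided by these rules and nothing else, and the captive portal is never consulted. The interface name and both subnets are assumed values.

```pf
# Added example, not from the thread. Interface name and subnets are assumptions.
LAN_net  = "192.168.1.0/24"
OPT1_if  = "em2"
OPT1_net = "192.168.2.0/24"

# Captive portal only gates who gets past the portal page; none of these rules
# consult it. Whatever arrives on OPT1 is judged by this list, first match wins.

# 1. Let OPT1 clients reach the firewall's own DNS and DHCP on the OPT1 address.
pass in quick on $OPT1_if inet proto udp from $OPT1_net to ($OPT1_if) port { 53, 67 }

# 2. Drop anything from OPT1 aimed at LAN, before any broader allow rule.
block return in quick on $OPT1_if inet from any to $LAN_net

# 3. Everything else from OPT1 may go out (internet). The source is limited to
#    the OPT1 subnet, but a client can statically assign such an address, so
#    this restricts addressing, not identity.
pass in quick on $OPT1_if inet from $OPT1_net to any
```

      If rule 2 were placed after rule 3, the pass would match first and LAN would be reachable regardless of the portal, which is the rule-order issue the next post alludes to.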

        I had captive portal turned on

        And that, my good friend @johnpoz, is why I decided to stop worrying about things that don't really matter to the question at hand.  Would have been two pages of crap about the nuances of firewall rule order when in actuality OP had CP enabled, without saying so, on OPT1.

        • jwalhous

          Hi, I'm happy for users who auth through captive portal to have access to my internet, and also for some users who auth to be able to access my LAN as well.
          Just wondering if there was a way that someone could bypass the captive portal and use my internet or connect to my LAN.
          I don't want my users to also need to enter a Wi-Fi password, if possible, as well as auth through captive portal.
          If there is a risk they can bypass the captive portal somehow, then I guess it's a silly idea and I will forget about it; just wondering at this stage, that's all.

          Cheers
          Jamie

          • Derelict LAYER 8 Netgate

            With WPA2 there's little need for captive portal in a casual environment now, is there?

            • jwalhous

              Thanks Derelict, I appreciate your advice and help :-)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.