Help with getting devices on different subnets to see each other
-
Well, you have a problem. Captive portal has nothing to do with what the firewall will allow from OPT1 to LAN. That traffic is still governed by the firewall rules on OPT1.
Captive portal can make it easier to filter on MAC addresses, but MAC addresses can be spoofed so that adds no real security.
The OPT1 firewall rules can filter on IP address, but anyone can just statically assign an IP address so that provides no real security.
It sounds like you are trying to make OPT1 both a trusted and an untrusted network. That simply cannot be.
That said, allowing access to "certain hosts" and allowing access to those hosts with users who successfully authenticate to AD are two completely different things.
If you can leave your Wi-Fi secured with WPA2 why would you make the network open?
I am also unclear on what you're trying to accomplish. First you talk about "locking down access from OPT1 to LAN" then talk about "connect through my internet connection." What is it, exactly, precisely, in detail, that you're trying to do?
-
I had captive portal turned on
And that, my good friend @johnpoz, is why I decided to stop worrying about things that don't really matter to the question at hand. Would have been two pages of crap about the nuances of firewall rule order when in actuality OP had CP enabled, without saying so, on OPT1.
-
Hi, I'm happy for users who auth through captive portal to have access to my internet and also some users who auth to also be able to access my LAN.
Just wondering if there was a way that someone could bypass the captive portal and use my internet or connect to my LAN.
I don't want my users to also need to enter a Wi-Fi password if possible as well as auth through captive portal.
If there is a risk they can bypass the captive portal somehow then I guess it's a silly idea and I will forget about it, just wondering at this stage that's all. Cheers
Jamie
-
With WPA2 there's little need for captive portal in a casual environment now, is there?
-
Thanks Derelict, I appreciate your advice and help :-)