One-way captive portal exception



  • I am using captive portal to lock down access to our IPSEC site-to-site to production systems.

    The setup looks like this

    ::pfSense firewall::
    --------------------------------
    LAN===IPSEC===Production

    Captive portal is enabled on the LAN interface

    My question is, can I create an exception where a host (say by IP) can connect back to my LAN (where captive portal is on) without letting clients on the LAN connect to that host unauthenticated with the portal?

    If I add an exception for the host in production, clients can also reach that host without going through the captive portal.
    I want clients on the LAN to always have to auth in the captive portal, but some hosts in production to be able to get back to the LAN without authenticating.

    The captive portal help article says the exception will work in the direction specified, but the allowed IP page doesn't have a direction option.
    I am running pfSense 2.2.4.

    Any ideas would be greatly appreciated.
    -Matthew


  • Banned

    See… the CP does NOT belong on your trusted LAN. It also doesn't prevent LAN-LAN communication in any way, that doesn't ever hit the firewall. Put untrusted hosts on a separate interface with CP.


  • LAYER 8 Netgate

    I don't think you can do what you want.  You can easily make the connection one-way with firewall rules, but that would be in effect whether or not they had gone through the captive portal.

    Put whatever assets you need to access behind an interface other than the CP interface as has been suggested.



  • I am using captive portal to lock down access to  our IPSEC site-to-site to production systems.

    Why do you even want to solve this problem with the pfSense CP and not with a Radius Server?

    With a Radius Server you are able to secure the IPSec VPN connection easily with certificates,
    and this is a more common way than the one over the CP.

    It could also be run on an external box in the DMZ, or together with a VPN Server inside
    the DMZ as well.



  • Thanks for the replies, guys.
    I think you may be correct that I just can't use the CP the way I want, but I'm not sure I explained what I was doing. Having the CP on the LAN is OK in this scenario since it is a separate router/firewall for the tunnel to production.

    The way we were doing this previously is with a Cisco ASA. Instead of a captive portal, the ASA allows you to send an auth request as a firewall rule. Instead of allow or deny you set the rule to auth, and it authenticates the traffic.

    If I can't get the CP to work, does pfSense have anything like this that I haven't found yet? Essentially I want to auth (through radius; I'm using duo security for dual factor) clients' access to certain subnets regardless of type of traffic for a period of time. The pfs captive portal does this beautifully except that I can't create a directional exception.



  • @BlueKobold
    I am trying to avoid a separate VPN connection for each user. I have a site-to-site IPSEC tunnel between our office and Colo. I want users to have to dual-factor auth to get to production resources over that site-to-site VPN tunnel.


  • LAYER 8 Netgate

    Just curious…

    How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA?  What is their default gateway?



  • @Derelict:

    Just curious…

    How do the clients and DC2 on the Dev LAN know to send traffic to pfSense or the ASA?  What is their default gateway?

    I just use static routes on my Layer 3 devices. I should have specified that the switch is actually doing internal routing before it gets to one firewall or the other. It's actually even more complicated than that. I was just trying to diagram the issue to simplify for this question.

    Sorry about that.



  • updated diagram


  • LAYER 8 Netgate

    What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?



  • @BlueKobold
    I am trying to avoid a separate VPN connection for each user. I have a site-to-site IPSEC tunnel between our office and Colo. I want users to have to dual-factor auth to get to production resources over that site-to-site VPN tunnel.

    Yes, for sure, and I was meaning it in exactly that direction also!
    But it doesn't matter in which way you want to realize it; please refer to the network schematic I drew.
    On one side you need Radius certificates installed on the clients that should be able to use the VPN
    connection, or on all clients; then all VPN clients from the VPN network on the other side are able to
    use it.

    Alternatively, you could try to set up an AD so that only the clients with an account on that AD are able to
    enter the VPN network on the other side!

    Or, alternatively to that, you could set up an AD with the LDAP role installed, and you might not
    need the Radius Server and the certificate installations; with only an LDAP account
    they would be able to connect to the production network.

    There are many solutions and ways out there to solve this correctly and securely for you,
    but for sure not each of them is easy to do.




  • @Derelict:

    What on that diagram is the asset you want those clients to have access to whether or not they are through the portal?

    It's the other way around actually. I would like vlan10-11 to have access to anything on vlan20-21, but vlan20-21 have to auth with dual-factor to get to vlan10-11.



  • @BlueKobold
    I am using Radius on the captive portal because that is how I tie in duo security dual factor authentication. I'm not sure a radius certificate would work in this instance, but I will look into it. I am trying to bypass the captive portal in one direction only.

    If I was to have one of our programmers look at adding the directional option to the allowed IP address section of captive portal, what file would I need to look at editing?

    Thanks



  • Can anyone tell me what file that rule gets written to when I add an exception for allowed IP?
    Thanks again for all the replies. You guys are really encouraging.



  • Consider https://your-pfsense-box/services_captiveportal_ip.php?zone=cpzone1
    where cpzone1 is your captive portal instance.

    This file, found here: /usr/local/www/services_captiveportal_ip.php, handles the IP-through-portal-interface.
    Inspecting it (it's basic PHP) will bring you to /etc/inc/captiveportal.inc

    Point your programmer to function captiveportal_init_rules($reinit = false) (around line 479)

    Give him also this https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting which permits you to see how rules are set up in 'ipfw' (the firewall the portal uses - not to be confused with the firewall rules you set up in the GUI on the portal 'interface' )



  • So I found that if you use allowed hostname instead of allowed IP, you can specify a direction for the exception.

    You can only do one host at a time, but I think that is OK for my purposes.

    Doing some further testing, then going to put it into production.

    Thanks all for your answers. I'll reply back if it doesn't work as expected.
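The thread turns on one point: a direction-less "allowed IP" entry opens the path in both directions, so LAN clients reach the production host without authenticating, whereas a directional entry only lets traffic originating at that host through. The following is an added example, not pfSense code and not the thread author's configuration; it is a simplified policy model in Python with constructed addresses (192.168.10.0/24 as the portal LAN, 10.20.0.5/6 as production hosts) and with "from"/"to"/"both" as the model's own labels, not pfSense option names. It evaluates the same three flows under both exception styles so the leak the original poster describes is visible side by side with the directional behaviour he found.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the model (assumptions, not the poster's real addresses).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # interface the portal is enabled on
LAN_CLIENT = "192.168.10.50"                        # unauthenticated client on the portal LAN
PROD_HOST = "10.20.0.5"                             # production host that needs to reach the LAN
OTHER_PROD_HOST = "10.20.0.6"                       # production host with no exception at all


@dataclass(frozen=True)
class BypassRule:
    """One portal bypass entry for a host.

    direction: 'both'  - any packet to or from the host skips the portal
               'from'  - only packets originating at the host skip the portal
               'to'    - only packets destined to the host skip the portal
    """
    host: str
    direction: str = "both"


def bypasses_portal(src: str, dst: str, rules) -> bool:
    """True if a packet src->dst crosses the portal interface without a session."""
    for rule in rules:
        if rule.direction in ("both", "from") and src == rule.host:
            return True
        if rule.direction in ("both", "to") and dst == rule.host:
            return True
    return False


def lan_side(src: str, dst: str) -> str:
    """The endpoint that sits on the portal LAN; its session status decides non-bypassed traffic."""
    return src if ipaddress.ip_address(src) in LAN_NET else dst


def allowed(src: str, dst: str, rules, authenticated) -> bool:
    """A flow passes if a bypass rule matches or the LAN endpoint has an authenticated portal session."""
    return bypasses_portal(src, dst, rules) or lan_side(src, dst) in authenticated


def compare_policies():
    """Evaluate the direction-less and the directional exception on the same three flows,
    with no LAN client authenticated, and return the verdicts per flow."""
    directionless = [BypassRule(PROD_HOST, "both")]   # what 'allowed IP' gives the poster
    directional = [BypassRule(PROD_HOST, "from")]     # production host may initiate toward the LAN
    flows = {
        "prod_host_to_lan": (PROD_HOST, LAN_CLIENT),
        "lan_to_prod_host": (LAN_CLIENT, PROD_HOST),
        "lan_to_other_prod": (LAN_CLIENT, OTHER_PROD_HOST),
    }
    nobody_authenticated = set()
    return {
        name: {
            "directionless": allowed(s, d, directionless, nobody_authenticated),
            "directional": allowed(s, d, directional, nobody_authenticated),
        }
        for name, (s, d) in flows.items()
    }


if __name__ == "__main__":
    for flow, verdicts in compare_policies().items():
        print(f"{flow:20s} directionless={verdicts['directionless']!s:5s} "
              f"directional={verdicts['directional']}")
```

Under the direction-less rule, "lan_to_prod_host" is allowed with nobody authenticated, which is exactly the hole the poster wants to close; under the "from" rule it is denied until the LAN client holds a portal session, while "prod_host_to_lan" passes in both cases. Whatever mechanism is used on the real firewall, the check worth repeating after any change is that an unauthenticated LAN client still cannot reach the excepted host.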

