Captive Portal : Allow domain



  • Hello everybody,
    I have searched for the answer on the forum but I didn't find it…

    My problem is:
    I have a pfSense server, and I want to allow sites in the captive portal under Allowed Hostnames...
    It works well, but I can't allow a domain (*.website.com for example)... I can enter a site like test1.website.com but I can't allow the whole domain... and it's not possible to enter all the hostnames of a website and its subdomains...

    Does anyone know the solution, please?
    Thanks a lot



  • Hi,

    pfSense 2.2.6?

    If yes, see https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    Use the ipfw … commands and see what IPs you can find in tables 3 and 4.
    Are the IPs of your sites among these?

    Mine are correct and up to date.



  • Hi,

    Thanks for your answer. My pfSense version is 2.1.5.

    When I use: ipfw -x zone table 3 list (and list 4), yes, I see the IP address with mask /32 of the name server I have entered.
    For example, I have entered yahoo.com in the CP under Allowed Hostnames, and with the ipfw command in tables 3 and 4 I see the IPs of the yahoo servers…

    But is it possible with the ipfw command to allow, for example, *.mydomain.com, to avoid entering all the IP addresses of my servers?

    Thanks.



  • @jeje18:

    Thanks for your answer. My pfSense version is 2.1.5.

    … which has a bug concerning what you are doing: adding authorized domain names to the portal.
    A newer version solved that.

    @jeje18:

    When I use: ipfw -x zone table 3 list (and list 4), yes, I see the IP address with mask /32 of the name server I have entered.
    For example, I have entered yahoo.com in the CP under Allowed Hostnames, and with the ipfw command in tables 3 and 4 I see the IPs of the yahoo servers…

    Your problem is solved.
    yahoo.com exposes 3 IPv4 addresses, yes, but when you connect to them, you are probably redirected somewhere else afterwards, to one of its 'clones'.
    Half of what's being shown on a basic yahoo.com page comes from yet other IPs … etc.
    This won't work ...

    @jeje18:

    But is it possible with the ipfw command to allow, for example, *.mydomain.com, to avoid entering all the IP addresses of my servers?

    Domain names are human-readable representations of an IP address (or more than one, for that matter).
    The firewall being used for the captive portal works with IPs and MACs, not domain names.
    "Internet traffic" has nothing to do with domain names.



  • Hi,

    Well, I understand what you say, but:

    • I have updated the server and I still cannot put *.domain.com, for example, in the allowed hostnames…
    • I understand when you say that it is the DNS which gives the IP address, but my problem is:
      If I want to access all of the domain test.com, which has 150 servers that I don't know, when my user enters server159.test.com, it will not be authorized because I haven't entered it in the CP...

    If I understand, it's not possible in PF, as is possible on other firewalls, to allow domain names in a whitelist...

    My goal is this: allow some websites without authentication... and have the others reachable after authentication by the CP...


  • LAYER 8 Netgate

    @jeje18:

    Hi,

    Well, I understand what you say, but:

    • I have updated the server and I still cannot put *.domain.com, for example, in the allowed hostnames…
    • I understand when you say that it is the DNS which gives the IP address, but my problem is:
      If I want to access all of the domain test.com, which has 150 servers that I don't know, when my user enters server159.test.com, it will not be authorized because I haven't entered it in the CP...

    If I understand, it's not possible in PF, as is possible on other firewalls, to allow domain names in a whitelist...

    My goal is this: allow some websites without authentication... and have the others reachable after authentication by the CP...

    You can't do that. CP is not allowing the "domain name"; it is allowing the IP addresses that are the result of looking up the domain name. If you enter "*.yahoo.com", exactly what hostnames is the process supposed to look up? Every legal combination of characters allowed in a hostname? That would literally take eons upon eons.

    You will have to allow all the addresses or use a different solution that does operate on domain names like a proxy. CP is not the correct tool if you can't list the actual hostnames/FQDNs to look up or the specific IP addresses.



  • OK, I understand! It's logical.
    I will see if it's possible with a proxy…
    Thank you to all.
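
The distinction drawn in the replies above, as an added example that is not part of the original thread and is not pfSense code: an allow list built from name lookups only ever holds the addresses of names it could resolve, while a proxy decides on the hostname the client requests. The hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS answers (documentation address ranges), standing in for live lookups.
CONSTRUCTED_DNS = {
    "test1.website.com": ["192.0.2.10"],
    "www.website.com": ["192.0.2.20", "192.0.2.21"],
    "server159.website.com": ["198.51.100.59"],
}

def build_ip_table(allowed_hostnames, dns=CONSTRUCTED_DNS):
    """Portal-style allow list: look each name up once and store /32 entries.

    A wildcard is not a name that can be looked up, so it yields no addresses.
    Returns (set of networks, list of entries that produced nothing).
    """
    table, unresolved = set(), []
    for name in allowed_hostnames:
        key = name.lower().rstrip(".")
        addrs = [] if "*" in key else dns.get(key, [])
        if not addrs:
            unresolved.append(name)
        table.update(ipaddress.ip_network(a + "/32") for a in addrs)
    return table, unresolved

def ip_allowed(dst_ip, table):
    """Packet-filter decision: only the destination address is visible."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in table)

def proxy_allowed(requested_host, patterns):
    """Proxy-style decision: match the hostname the client asked for."""
    host = requested_host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # "*.website.com" matches any subdomain; the leading dot keeps
            # "evilwebsite.com" from matching.
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

if __name__ == "__main__":
    table, unresolved = build_ip_table(["test1.website.com", "*.website.com"])
    print("table:", sorted(map(str, table)), "unresolved:", unresolved)
    print("server159 by IP:", ip_allowed("198.51.100.59", table))
    print("server159 by name:", proxy_allowed("server159.website.com", ["*.website.com"]))
```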

