First, what kind of firewall are you using? In the Cisco world the only way I know you could make this work would be to have your DMZ and LAN be the same security level and allow traffic from same sec levels to pass. But at that point you don't have a DMZ, you have two LANs. ... Your config sounds very interesting, do you have a compelling reason as to why it is set that way?

To have your DMZ and your internal LAN on the same subnet is NOT advisable. You would be exposing your LAN to a whole host of vulnerabilities that having a DMZ is supposed to mitigate. That being said, if your FW is NAT'ing the DMZ before it lets the traffic pass, your security concerns are less, but it is still not best practice. If you NAT your DMZ traffic before it comes into your LAN, PF will NOT like you very much.

My suggestion would be to give your DMZ a new IP range so that it is different from your internal LAN and let your FW manage access to network resources. After all, managing access is the sole purpose of a FW's existence. Make sure your FW is not NAT'ing any traffic to/from your DMZ to/from your LAN.

After that, configure PF to assign a role to the user based on some type of criterion that you can use to delineate users, such as AD membership or SSID, or anything else. Pick the users you want to be approved and set them to be guests pending approval, and let the rest be allowed to continue through the captive portal, or vice versa.

That should get you started, but be aware there is a whole host of questions you will need to answer along the way. PF, like any other highly extensible product, has a lot of places you can tweak and change things.

Good luck.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Blason R [[email protected]]
Sent: Tuesday, June 17, 2014 1:18 PM
To: [email protected]
Subject: Re: [PacketFence-users] Can I configure Guest Wi-fi using Packetfence?

Well let me elaborate.

As I explained, I have a firewall with 3 legs, and one is the DMZ and has a Ruckus AP configured catering the same range as the user LAN, which is [192.168.10.x]. Due to this fact I cannot allow guests to use my internet, as once they log in they will get access to my LAN completely, hence I wanted to know if any other method can be followed? One I can think of is to move the Ruckus into a new network and then control that range on the firewall. What ideas can you guys share?

I am specifically looking for a captive portal where, once the guest comes in, a portal will be presented and the head of that office can grant the internet access. But for me a captive portal should be enabled.

On Tue, Jun 17, 2014 at 7:10 PM, Sallee, Jake <[email protected]> wrote:

The short answer to your question is, "yes". However you need to understand that is a conditional "yes". Conditional in the fact that PF is an open source package that can do ANYTHING so long as you know how to accomplish it.

So, if your question is, "Can I use PF to create a captive portal that I can use to relegate access to my wired/wireless network based on rules that I define?" The answer is, absolutely! That is the purpose for PF's existence. Exactly HOW you go about doing that depends entirely on your environment and your requirements and goals.

Your next step would be to think about how you want to deploy PF in your environment. Do you want to use in-line enforcement (good for small deployments), or VLAN enforcement (best for medium to stupidly large deployments)? Do you want to use 802.1X, or MAB? Etc.

When you are posting questions to the list please remember to keep them as detailed and succinct as possible. This will help us be able to assist you faster. This list is mostly users helping users, and as such we all have our jobs to do. Keeping your questions detailed and specific will help us greatly.

If we read a message that contains only a vague question, most of the time it seems like it will take way too much of our time to answer it correctly. This is time most of our employers would like us to spend on the activities that they pay us for, not handing out free tech support on their dime. Please always feel free to ask questions, we welcome your input. And, as a general rule of etiquette, it is always appreciated to show you have at least attempted to solve the issue on your own. This will help us not try things you have already done as well as show that you are not too lazy to RTFM or use Google. And lastly, always provide the appropriate logs that correspond to your issue. Inverse has done an excellent job putting very descriptive messages in the logs and 99.9% of the time the answer is there so long as you know how to interpret it.

Good luck, and welcome to the PF community.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Blason R [[email protected]]
Sent: Monday, June 16, 2014 11:05 PM
To: [email protected]
Subject: Re: [PacketFence-users] Can I configure Guest Wi-fi using Packetfence?

Well sorry for not being so descriptive. Well, I have a firewall with 3 legs, i.e. Internet, DMZ and User LAN, and I need to provide guest wifi to the visitors. My guest wifi is on the User LAN and I am wondering if Packetfence can be used as a captive portal and provide access using that?

On Mon, Jun 16, 2014 at 6:54 PM, Louis Munro <[email protected]> wrote:

On 2014-06-15, at 14:46, Blason R <[email protected]> wrote:

> Hey Guys,
>
> Packetfence being a NAC, wondering if anyone has deployed a guest wi-fi using
> Packetfence or is it really possible to deploy such topology using
> packetfence?

Just about everyone has done it.
You would need to be more specific about your requirements if you want more advice.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems Open Source.
Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
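The core of Jake's advice is that a guest AP handing out the user LAN range (192.168.10.x) puts guests on the same segment as the LAN, so the firewall never sees their traffic, while a separate guest range puts the firewall back in the path. The following model, an added example that is neither PacketFence code nor from the thread, probes a guest client under both layouts; only 192.168.10.0/24 is from the question, the guest range, portal address and probe hosts are constructed placeholders, and NAT is not modelled.

```python
# Added example (not PacketFence code, not from the thread): model why a guest AP on the
# user LAN range bypasses the firewall, and check that a separate guest range plus a
# first-match policy lets guests reach the portal and the Internet but not the LAN.
# Only 192.168.10.0/24 is from the question; every other address is constructed.
from ipaddress import ip_address, ip_network

USER_LAN = ip_network("192.168.10.0/24")          # user LAN from the question
ANY = ip_network("0.0.0.0/0")


def build_policy(guest_net, portal_ip):
    """Firewall rules for the guest leg as (src, dst, action); first match wins."""
    return [
        (guest_net, ip_network(f"{portal_ip}/32"), "allow"),   # captive portal
        (guest_net, USER_LAN, "deny"),                         # never the user LAN
        (guest_net, ANY, "allow"),                             # otherwise the Internet
    ]


def reachable(src, dst, networks, policy):
    """True if src can reach dst. Hosts inside one subnet talk directly at layer 2 and
    never traverse the firewall, so the policy is only consulted across subnets."""
    src, dst = ip_address(src), ip_address(dst)
    if any(src in n and dst in n for n in networks):
        return True                                  # same segment: firewall bypassed
    for src_net, dst_net, action in policy:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False                                     # default deny


def check_layout(guest_cidr, portal_ip):
    """Probe a constructed guest client: it should reach the portal and the Internet
    but not a LAN host. Returns the three results keyed by destination."""
    guest_net = ip_network(guest_cidr)
    guest = str(guest_net[20])                       # constructed guest client
    networks = {USER_LAN, guest_net}                 # set: collapses if both are equal
    policy = build_policy(guest_net, ip_address(portal_ip))
    return {
        "portal": reachable(guest, portal_ip, networks, policy),
        "internet": reachable(guest, "203.0.113.10", networks, policy),  # TEST-NET-3 host
        "lan": reachable(guest, "192.168.10.5", networks, policy),       # constructed LAN host
    }


if __name__ == "__main__":
    # As described in the question: the Ruckus AP hands out the user LAN range.
    print("same range:", check_layout("192.168.10.0/24", "192.168.10.2"))
    # As advised: a distinct guest/DMZ range with the firewall policy in the path.
    print("separate  :", check_layout("192.168.50.0/24", "192.168.50.2"))
```

With the shared range the LAN probe succeeds whatever the policy says, because the deny rule is never evaluated; with the separate range the same probe is blocked.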
