Re: [pfSense Support] Captive portal not redirecting after successful login

2011-07-11 Thread Giacomo Di Ciocco

On 08/07/2011 12:22, Giacomo Di Ciocco wrote:


After successful login I'm not being redirected to the website I was
about to visit, when I send the form the browser stays in waiting
response..., however from the pfsense web interface I can see the user
successfully logged in, and if I reinitiate the connection to the website
I was about to visit it works, other background connection attempts, i.e.
irc get their way just after pressing form's send button.


Any hint ?

Thank you,
Giacomo.

--
Giacomo Di Ciocco
Phone: (+39) 0577319407
Fax: (+39) 0577318498
Mobile phone: (+39) 3483867757
Email: ad...@nectarine.info
___
Ship to:
Giacomo Di Ciocco
Via del Pozzo 3/A C/O BRT Telecomunicazioni S.R.L.
53035 Monteriggioni (SI)
Italy

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Captive portal not redirecting after successful login

2011-07-11 Thread Giacomo Di Ciocco

On 08/07/2011 12:22, Giacomo Di Ciocco wrote:

Hello everyone,
this is my pfsense version:

2.0-RC3 (i386)
built on Thu Jul 7 00:25:19 EDT 2011


After reboot radiusd gets stuck with 100% CPU load.

Tried to update to latest version built on Jul 8, it wasn't successful, I 
had to reinstall 2.0-RC1 and recover config.xml.


Did the upgrade, this time was successful.

radiusd was not recognizing client, client entry was there, edited and 
saved, works fine.


I'm now wondering how to allow clients to reach any dns server, hints ?

Best regards,
Giacomo.

--
Giacomo Di Ciocco
Phone: (+39) 0577319407
Fax: (+39) 0577318498
Mobile phone: (+39) 3483867757
Email: ad...@nectarine.info
___
Ship to:
Giacomo Di Ciocco
Via del Pozzo 3/A C/O BRT Telecomunicazioni S.R.L.
53035 Monteriggioni (SI)
Italy




Re: [pfSense Support] Captive Portal

2010-10-08 Thread Christian Veith

 Hi Dwane,

in my opinion, there's not much documentation on that topic available. 
But it's working that way:


1. Receives an IP Packet
2. Blocks it until authenticated / Answers with HTML Website if Port 80 is talked to
3. Receives credentials from User
4. Authenticates with internal Database / Radius Server
5. Stores logon Information (MAC address / IP address / Timestamp) internally to revoke access after a configured time
6. Allows Access to requested resource and opens a popup window to logout.

regards

Christian

On 08.10.2010 16:25, Atkins, Dwane P wrote:


We are wondering if there is any information available that explains 
in detail how the Captive Portal on pfsense works? We know its 
function, but we are wondering what is happening behind the scene?



Any documentation would be nice.


Thank you


Dwane
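
The six steps above, modelled as a small state machine (an added example, not pfSense's code and not part of the original post). The class and function names, the PBKDF2 credential store standing in for the internal database / RADIUS server, and the sample addresses are assumptions; the allowed-IP list reflects the behaviour described elsewhere on this page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the "internal database / RADIUS" check.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    started: float  # timestamp stored at logon (step 5)


class CaptivePortal:
    """Toy model of the flow described in the post; not pfSense's implementation."""

    def __init__(self, timeout_s: float, allowed_ips=()):
        self.timeout_s = timeout_s
        self.allowed_ips = set(allowed_ips)  # hosts that pass without logging in
        self.users = {}     # username -> (salt, derived key)
        self.sessions = {}  # client IP -> Session

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))

    def _session_valid(self, mac: str, ip: str, now: float) -> bool:
        sess = self.sessions.get(ip)
        if sess is None:
            return False
        if now - sess.started >= self.timeout_s:
            del self.sessions[ip]  # revoke access after the configured time
            return False
        # The session is bound to the MAC/IP pair recorded at logon.
        return sess.mac == mac.lower()

    def handle_packet(self, mac: str, ip: str, dst_port: int, now: float) -> str:
        """Steps 1, 2 and 6: decide what happens to one inbound packet."""
        if ip in self.allowed_ips or self._session_valid(mac, ip, now):
            return "PASS"
        # Unauthenticated: only port 80 gets an answer (the login page).
        return "PORTAL_PAGE" if dst_port == 80 else "BLOCK"

    def login(self, mac: str, ip: str, user: str, password: str, now: float) -> bool:
        """Steps 3 to 5: check credentials, then record MAC / IP / timestamp."""
        # Unknown users still cost one hash and fail the comparison.
        salt, stored = self.users.get(user, (b"\x00" * 16, b""))
        candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):
            return False
        self.sessions[ip] = Session(mac.lower(), ip, user, now)
        return True


# Constructed sample data (not from the thread).
MAC_A = "00:11:22:33:44:55"
MAC_B = "66:77:88:99:aa:bb"


def demo_portal() -> CaptivePortal:
    portal = CaptivePortal(timeout_s=3600, allowed_ips=["10.0.0.9"])
    portal.add_user("alice", "correct horse")
    return portal


if __name__ == "__main__":
    p = demo_portal()
    print(p.handle_packet(MAC_A, "10.0.0.5", 80, now=0))      # before login, web
    print(p.handle_packet(MAC_A, "10.0.0.5", 6667, now=0))    # before login, other
    print(p.login(MAC_A, "10.0.0.5", "alice", "correct horse", now=2))
    print(p.handle_packet(MAC_A, "10.0.0.5", 6667, now=3))    # after login
    print(p.handle_packet(MAC_A, "10.0.0.5", 443, now=3602))  # after timeout
```

Because the session is keyed on the MAC/IP pair and the stored timestamp, the same IP seen with a different MAC, or the same client after the timeout, is treated as unauthenticated again.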







Re: [pfSense Support] captive portal

2010-08-28 Thread Chris Buechler
On Wed, Aug 25, 2010 at 7:19 AM, Hans Maes h...@bitnet.be wrote:
 Hi,

 I'm running a few (6 at the moment) pfsense 1.2.3-RELEASE boxes on a rather
 large scale wireless network, as border routers and firewalls between the
 internet uplinks and the rest of the network. (network background info: +600
 subnets, +150 router nodes, 6 internet uplinks, about 1000 unique
 mac-address clients per 24h, www.wirelessbelgie.be , non-profit organisation
 running on volunteers )

 The traffic shaper is active on the pfsense boxes to allow different
 internet speeds to different subnets on the network.
 I'm currently using very large alias lists to manage the +600 private
 subnets in the traffic shaper.

 We are currently looking at switching to a captive portal + traffic shaper +
 freeradius, so we can set speeds based on user/pass combination instead of
 IP subnet.
 Tests are successful up till now, and we are going to switch this into
 production pretty soon.

 However, I have one problem:
 The network contains a lot of 'dumb' devices (ipcams, sound encoders,
 serial2ip, ...) which also need internet access, but have no clue on how to
 log in to the captive portal.

 I cannot use mac-authentication with the captive portal and the radius
 server because there are routers in between the pfsense boxes and the
 devices.

 From what I see now the only way to allow these devices access to the
 internet is to add them to the Allowed IP list in the captive portal.
 But managing this list separately on every box would be a lot of work. I
 would prefer to use an alias containing all my allowed ip's which I can then
 update through the fetch alias list from url package.


 First Question: Is there any way to use aliases in the captive Allowed IP
 list, or to automate managing this list in any way ?

No way to use aliases. Scripting with curl can automate management.


 Second question: Are the devices in the allowed list allowed to pass
 through the captive portal right away, or do they need to open an HTTP
 connection first to 'trigger' the captive portal logic ?


They're automatically allowed through.


 Third Question: I'm currently running 1.2.3 but switching to 2.0 would be
 possible, if this would help me in this situation. What would you guys
 recommend for this situation, 1.2.3 or 2.0 ?


Don't think there would be much difference in this particular scenario
for you. 2.0 may let you push the CP function further upstream since
it can run on multiple interfaces, giving you fewer boxes to manage.




Re: [pfSense Support] Captive Portal Multi-Interface Capabilities

2010-07-30 Thread Chris Buechler
On Fri, Jul 30, 2010 at 11:12 AM, Atkins, Dwane P atki...@uthscsa.edu wrote:
 In the release notes for pfsense 2.0, it is mentioned that multi-interface
 capabilities will be a new feature.  Is there a link or can someone better
 explain the terminology to us?  Does this mean that if we have one interface
 on a pfsense 2.0 server, we can have multiple Vlans trunked to that port.
 Or does it mean that it supports multiple Network interface cards?


In a nutshell, it works the same as it does now except rather than a
drop down to pick the interface, limiting you to one interface, it's a
select box where you can pick one or as many interfaces as you want
and it will run on all of those. That's working nicely, we've deployed
it in production for some ISPs.




Re: [pfSense Support] captive portal + load balancer clarification

2010-07-28 Thread Zaharioudakis Nikos



On 28 Jul 2010, at 3:25, Chris Buechler cbuech...@gmail.com wrote:

 On Tue, Jul 27, 2010 at 5:48 PM, Nikos Zaharioudakis nza...@gmail.com wrote:
 Greetings everybody and thank you for a so nice product ! :-)
 
 I have a small clarification question though.
 I need to share 2 or more dsl lines behind a pfsense box (it's going to be a
 virtual machine, but let's keep it simple)
 I will have to use the captive portal for some kind of authenticated access
 and the use of the load balancer is a must.
 I have read that the combination of both captive portal & the balancer is
 not functioning in 1.2.3 release series. ( Is it still true? )
 
 
 No. Pre-1.2.3, any rule with a gateway would bypass the portal. It'll
 work fine in 1.2.3.
 
 
 
 Another question that comes to mind is that if I have 3+ dsl lines I have to
 create a policy for all combinations of up / down dsl lines, right.
 
 No, you just need either a failover and/or balancing pool containing
 the interfaces desired. Their status will take care of itself.
 
 

I appreciate your prompt reply
I would post a howto afterwards

Thnx a lot once again

Nikos



Re: [pfSense Support] captive portal + load balancer clarification

2010-07-27 Thread Chris Buechler
On Tue, Jul 27, 2010 at 5:48 PM, Nikos Zaharioudakis nza...@gmail.com wrote:
 Greetings everybody and thank you for a so nice product ! :-)

 I have a small clarification question though.
 I need to share 2 or more dsl lines behind a pfsense box (it's going to be a
 virtual machine, but let's keep it simple)
 I will have to use the captive portal for some kind of authenticated access
 and the use of the load balancer is a must.
 I have read that the combination of both captive portal & the balancer is
 not functioning in 1.2.3 release series. ( Is it still true? )


No. Pre-1.2.3, any rule with a gateway would bypass the portal. It'll
work fine in 1.2.3.



 Another question that comes to mind is that if I have 3+ dsl lines I have to
 create a policy for all combinations of up / down dsl lines, right.

No, you just need either a failover and/or balancing pool containing
the interfaces desired. Their status will take care of itself.




Re: [pfSense Support] Captive Portal redirect problem

2010-05-29 Thread Cristian Del Carlo
Thank you.

2010/5/28 Chris Buechler cbuech...@gmail.com:
 On Fri, May 28, 2010 at 11:53 AM, Cristian Del Carlo
 cristian.delca...@gmail.com wrote:
 Hi,

 I installed for testing PFsense 2.0 on a ALIX.2D13 and I try the
 captive portal function.

 The problem is that the server did not redirect correctly to the
 authentication page, firefox print a message like this This page does
 not redirect correctly. Firefox has detected that the server is
 redirecting the request for this page so that it can never be
 completed. and the user is not redirected in the authentication page.


 That was fixed today.






-- 


Cristian Del Carlo

The text and any documents transmitted contain information reserved
for the indicated recipient. This e-mail is confidential and its
confidentiality is legally protected by Legislative Decree 196 of
30/06/2003 (Privacy Protection Code). Reading, copying or other
unauthorized use, or any other action deriving from knowledge of this
information, is strictly forbidden. If you have received this document
in error, you are kindly asked to notify the sender immediately and to
destroy it immediately.






Re: [pfSense Support] Captive Portal redirect problem

2010-05-28 Thread Chris Buechler
On Fri, May 28, 2010 at 11:53 AM, Cristian Del Carlo
cristian.delca...@gmail.com wrote:
 Hi,

 I installed for testing PFsense 2.0 on a ALIX.2D13 and I try the
 captive portal function.

 The problem is that the server did not redirect correctly to the
 authentication page, firefox print a message like this This page does
 not redirect correctly. Firefox has detected that the server is
 redirecting the request for this page so that it can never be
 completed. and the user is not redirected in the authentication page.


That was fixed today.




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Remko Lodder

Did you read the configuration options from the captive portal?

On my 2.0 machines that means that you can bypass certain IP's for the
captive portal; and even use MAC-bypass to bypass machines based on their
MAC.

Does that answer the question?


On Thu, March 25, 2010 11:08 am, Michel Servaes wrote:
 Hi,


 I have an Alix board, with pfsense on it. I could use proxy, but I
 feel this is quite a load on the system (even when setting things to
 0).
 So to avoid people visiting internet, I was thinking on using captive
 portal...

 But for some sites, (fixed IP addresses) it shouldn't try to
 authenticate... can this be achieved by using some kind of ruleset ??
 I do have a VLAN capable switch - but again, some IP addresses need to
 be passed (they logon to a citrix site).

 Kind regards,
 Michel





-- 
/\   Best regards,  | re...@freebsd.org
\ /   Remko Lodder   | re...@efnet
 X    http://www.evilcoder.org/  |
/ \   ASCII Ribbon Campaign  | Against HTML Mail and News





Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Hans Maes

Remko Lodder wrote:

On my 2.0 machines that means that you can bypass certain IP's for the
captive portal; and even use MAC-bypass to bypass machines based on their
MAC.

  
Related to that, could anybody tell me whether in 2.0 you still need to 
do a web request before the MAC-bypass rule gets applied for your IP 
address ?
This was one of the drawbacks of 1.x's captive portal when using 
'stupid' devices (eg a wireless ipcam) on a captive portal'ed wireless 
subnet.


(I guess I should just install 2.0 and try it out myself, but spare time 
is in short supply lately)



Thanks!

Hans


(Sorry to steal this topic, but it is more or less on topic :-) )




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Michel Servaes
On Thu, Mar 25, 2010 at 11:23 AM, Remko Lodder re...@elvandar.org wrote:

 Did you read the configuration options from the captive portal?

 On my 2.0 machines that means that you can bypass certain IP's for the
 captive portal; and even use MAC-bypass to bypass machines based on their
 MAC.

 Does that answer the question?


No, that's not what I meant :)
I mean - I don't want to install heavy proxy add-on onto my Alix
board... to block the whole internet (if you didn't logon).

Basically I want to block complete internet, but our own site (to
logon to citrix). (this is a single IP, so that shouldn't be too much
work for me) on several client computers behind the pfsense...
Furthermore I want to only allow certain client computers (but that
can be achieved by adding their MAC addresses), without having to go
through captive portal.
And if possible (that would be the cherry on the pie) - I want to
block only during the weekends.

But I don't think I can add an HTTP/HTTPS rule to circumvent the
captive portal, can I ?




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Chris Buechler
On Thu, Mar 25, 2010 at 5:25 PM, Michel Servaes mic...@mcmc.be wrote:
 On Thu, Mar 25, 2010 at 11:23 AM, Remko Lodder re...@elvandar.org wrote:

 Did you read the configuration options from the captive portal?

 On my 2.0 machines that means that you can bypass certain IP's for the
 captive portal; and even use MAC-bypass to bypass machines based on their
 MAC.

 Does that answer the question?


 No, that's not what I meant :)

Actually it is, just use the IP bypass for that site's IP.




Re: [pfSense Support] Captive portal failure with subnets on LAN interface

2010-02-23 Thread Remko Lodder

Perhaps it should be optional, I came across this with redirection as well, 
where the interface IP is hardcoded even if you select ''any'' there.
(which doesn't work if you have Squid on a different machine and redirect all 
http traffic towards the squid box :-))

Cheerio,
Remko

On Feb 23, 2010, at 4:26 PM, Nigel Metheringham wrote:

 I'm looking at pfsense 1.2.3.
 
 We have a requirement to push several subnets through a captive portal, so 
 expected pfsense to be able to do this (with the Disable MAC filtering 
 option).
 
 However any clients, other than on the local LAN network, that attempt to 
 route through the pfsense box get no packets back at all - no redirect to the 
 portal web page, nothing.
 
 This is due to the following pf rule being used to push packets to the 
 captive portal stuff:-
 
   pass in quick on $lan from 192.168.50.0/24 to any keep state \
   label USER_RULE: Default LAN - any 
 
 I can hack stuff so that things do work by changing /etc/inc/filter.inc (diff 
 has been white space mangled to stop it wrapping):-
 diff -u filter.inc.orig filter.inc
 --- filter.inc.orig 2010-02-23 15:24:02.0 +
 +++ filter.inc  2010-02-23 15:24:04.0 +
 @@ -1752,7 +1752,7 @@
 $src = $lanip;
 break;
 case 'lan':
 -$src = {$lansa}/{$lansn};
 +$src = any;
 break;
 case 'pptp':
 $src = {$pptpsa}/{$pptpsn};
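
Review bot: In the `case 'lan':` branch, replacing `{$lansa}/{$lansn}` with `any` widens every rule that takes this branch, not only the one that has to admit the routed subnets, so those rules stop constraining the source address of traffic arriving on that interface. Keep this branch as it is and name the routed subnets explicitly as the source of the LAN pass rule (the `192.168.50.0/24` rule quoted above), so that only the intended networks are admitted.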
 
 
 which feels like doing surgery with a chainsaw...
 
 Can anyone suggest a better fix for this?  And how do I do a proper bug 
 report to get this fixed in the next release...
 
   Nigel.
 
 --
 [ Nigel Metheringham nigel.methering...@intechnology.com ]
 [ - Comments in this message are my own and not ITO opinion/policy - ]
 
 
 

-- 
/\   Best regards,| re...@freebsd.org
\ /   Remko Lodder  | re...@efnet
 X    http://www.evilcoder.org/|
/ \   ASCII Ribbon Campaign| Against HTML Mail and News





Re: [pfSense Support] Captive portal failure with subnets on LAN interface

2010-02-23 Thread Chris Buechler
On Tue, Feb 23, 2010 at 10:26 AM, Nigel Metheringham
nigel.methering...@dev.intechnology.co.uk wrote:
 I'm looking at pfsense 1.2.3.

 We have a requirement to push several subnets through a captive portal, so 
 expected pfsense to be able to do this (with the Disable MAC filtering 
 option).

 However any clients, other than on the local LAN network, that attempt to 
 route through the pfsense box get no packets back at all - no redirect to the 
 portal web page, nothing.

 This is due to the following pf rule being used to push packets to the 
 captive portal stuff:-

        pass in quick on $lan from 192.168.50.0/24 to any keep state \
        label USER_RULE: Default LAN - any


That has nothing to do with what pushes to captive portal, that's your
LAN rule. Edit that rule under Firewall > Rules, LAN tab.




RE: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-15 Thread Tancinco, Jon
Hi Mike.

 

The authentication requests go through to the Radius server...and we get
a bad password error.

 

It's weird.  All the same settings work under m0n0wall.  Same IPs, same
radius server.  I'm not sure how different pfSense is compared to the
m0n0wall app.  The Captive Portal setup looks identical to me, unless
there is some underlying difference between the two applications.

 

Thanks for your help.

 

 

-Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Saturday, December 12, 2009 6:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

The external IP of the radius server has to be added to the radius
servers client list or else it will reject authentication requests.

 

Mike 

 

From: Tancinco, Jon mailto:tanci...@humnet.ucla.edu  

Sent: Wednesday, December 09, 2009 5:43 PM

To: support@pfsense.com 

Subject: RE: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Secret key works under m0n0wall and the same key is used in pfSense.
Not sure what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Wednesday, December 09, 2009 2:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Could be the secret key or check if you added the IP of the NAS.

 

Mike

 

From: Tancinco, Jon mailto:tanci...@humnet.ucla.edu  

Sent: Wednesday, December 09, 2009 11:37 AM

To: support@pfsense.com 

Subject: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Same error on Versions 1.2.2 and 1.2.3


Using the pfSense Captive Portal. I am getting the Authentication error
- Username and/or password invalid. message when trying to
authenticate. The password is correctly submitted, but get the error
every time. RADIUS server reports incorrect password. Using m0n0wall,
Captive Portal and RADIUS authentication works with no problems using
the same username, password and RADIUS server.

Any help would be appreciated.

 

 

 

 

Jon

 



Re: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-15 Thread Michael Vinocur
I see. Well, the only other thing I can think of is the password type i.e. 
m5,chap, etc must be different between the m0n0wall and pfSense boxes.

Mike


From: Tancinco, Jon 
Sent: Tuesday, December 15, 2009 11:51 AM
To: support@pfsense.com 
Subject: RE: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid


Hi Mike.

 

The authentication requests go through to the Radius server...and we get a bad 
password error.

 

It's weird.  All the same settings work under m0n0wall.  Same IPs, same radius 
server.  I'm not sure how different pfSense is compared to the m0n0wall app.  
The Captive Portal setup looks identical to me, unless there is some underlying 
difference between the two applications.

 

Thanks for your help.

 

 

-Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Saturday, December 12, 2009 6:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

The external IP of the radius server has to be added to the radius servers 
client list or else it will reject authentication requests.

 

Mike 

 

From: Tancinco, Jon 

Sent: Wednesday, December 09, 2009 5:43 PM

To: support@pfsense.com 

Subject: RE: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

Secret key works under m0n0wall and the same key is used in pfSense.  Not sure 
what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Wednesday, December 09, 2009 2:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

Could be the secret key or check if you added the IP of the NAS.

 

Mike

 

From: Tancinco, Jon 

Sent: Wednesday, December 09, 2009 11:37 AM

To: support@pfsense.com 

Subject: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

Same error on Versions 1.2.2 and 1.2.3


Using the pfSense Captive Portal. I am getting the Authentication error - 
Username and/or password invalid. message when trying to authenticate. The 
password is correctly submitted, but get the error every time. RADIUS server 
reports incorrect password. Using m0n0wall, Captive Portal and RADIUS 
authentication works with no problems using the same username, password and 
RADIUS server.

Any help would be appreciated.

 

 

 

 

Jon

 


Re: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-12 Thread Michael Vinocur
The external IP of the radius server has to be added to the radius servers 
client list or else it will reject authentication requests.

Mike 


From: Tancinco, Jon 
Sent: Wednesday, December 09, 2009 5:43 PM
To: support@pfsense.com 
Subject: RE: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid


Secret key works under m0n0wall and the same key is used in pfSense.  Not sure 
what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Wednesday, December 09, 2009 2:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

Could be the secret key or check if you added the IP of the NAS.

 

Mike

 

From: Tancinco, Jon 

Sent: Wednesday, December 09, 2009 11:37 AM

To: support@pfsense.com 

Subject: [pfSense Support] Captive Portal RADIUS authentication - 
Authentication error - Username and/or password invalid

 

Same error on Versions 1.2.2 and 1.2.3


Using the pfSense Captive Portal. I am getting the Authentication error - 
Username and/or password invalid. message when trying to authenticate. The 
password is correctly submitted, but get the error every time. RADIUS server 
reports incorrect password. Using m0n0wall, Captive Portal and RADIUS 
authentication works with no problems using the same username, password and 
RADIUS server.

Any help would be appreciated.

 

 

 

 

Jon

 


RE: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-09 Thread Tancinco, Jon
Secret key works under m0n0wall and the same key is used in pfSense.
Not sure what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Wednesday, December 09, 2009 2:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Could be the secret key or check if you added the IP of the NAS.

 

Mike

 

From: Tancinco, Jon mailto:tanci...@humnet.ucla.edu  

Sent: Wednesday, December 09, 2009 11:37 AM

To: support@pfsense.com 

Subject: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Same error on Versions 1.2.2 and 1.2.3


Using the pfSense Captive Portal. I am getting the Authentication error
- Username and/or password invalid. message when trying to
authenticate. The password is correctly submitted, but get the error
every time. RADIUS server reports incorrect password. Using m0n0wall,
Captive Portal and RADIUS authentication works with no problems using
the same username, password and RADIUS server.

Any help would be appreciated.

 

 

 

 

Jon

 



RE: [pfSense Support] Captive Portal and Wifi network

2009-06-29 Thread Tim Dickson
- Lunix1618 [mailto:lunix1...@gmail.com] 
Hello everybody,

I am in study phase to do a Wireless network and requirement is need to 
force users authenticate first. I figured out that can be done with 
Captive Portal feature of pfsense. However, I want to know if anybody 
did a Wifi network with 1 main access point connect directly to pfsense 
box and expand the wireless signal with some kind of Wifi extender ?

TIA,
-



Yes, absolutely - if your Access Points support it - but you will be chopping 
bandwidth in half at every relay point.
Two hops is probably OK, but I'd reconsider your setup for multiple hops.
-Tim







Re: [pfSense Support] Captive Portal Page

2009-05-14 Thread Pete Boyd
 Does anyone know where I can find a nice templated captive portal
 page. Something with a simple header, ULA and Login.

http://thegoldenear.org/toolbox/unices/pfsense-1.2-firewall.html#captive-portal


-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org






Re: [pfSense Support] Captive Portal Question

2009-05-09 Thread Tim Dressel
I agree completely.

What we were using it for is all our wired clients and wireless *were*
on the same internal lan. The captive portal was enabled on the LAN
interface. All wired clients had mac-bypass entries, and the wireless
clients had to get past the captive portal.

What I'm thinking is that I will have to investigate some sort of
rogue detection, or maybe network access protection for the wired
clients, and then completely separate the wireless traffic on another
interface.

I'm still interested though in anyone out there with large numbers of
mac-bypass entries. Any takers?

Cheers,


P.S. Chris/PFsense team, I am consistently impressed by this product.
You guys do very good work, and my team and I appreciate your efforts
immensely. The coding is important, but the community support is above
and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB aoz@gmail.com wrote:
 On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
 Finally, I'd appreciate any feedback out there on installs with counts
 on mac bypass entries topping a 1000 count. I am considering tying
 together several of my networks and would like to know what the upper
 end on the captive portal looks like.

 The captive portal's default configuration is to filter users by MAC
 address.  The main difference between that and what you're doing is
 that the MAC entries are made dynamically each time a user logs in.
 That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
 default configuration over a high-churn environment with several
 thousand unique clients per day with no ill effect.

 My concern was not whether pfSense could handle the number of entries,
 but mainly administrative overhead.  Maintaining a list of even 100
 MACs is terribly cumbersome, especially considering how trivial
 MAC-only authentication is to bypass.  Additionally, some of pfSense's
 GUI components just don't scale well - there are some diagnostic pages
 (DHCP status, CP status, ARP tables, etc.) that I've just become
 accustomed to not using if the client count is over a couple hundred.

 Check your system's RRD graphs during the slowdown - if your states,
 queues, or CPU aren't pegged, pfSense is likely not the culprit.




RE: [pfSense Support] Captive Portal Question

2009-05-09 Thread Dimitri Rodis
I'm drafting a reply. Be done shortly.

Dimitri Rodis
Integrita Systems LLC 
http://www.integritasystems.com


-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com] 
Sent: Friday, May 08, 2009 11:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

I agree completely.

What we were using it for is all our wired clients and wireless *were*
on the same internal lan. The captive portal was enabled on the LAN
interface. All wired clients had mac-bypass entries, and the wireless
clients had to get past the captive portal.

What I'm thinking is that I will have to investigate some sort of
rogue detection, or maybe network access protection for the wired
clients, and then completely separate the wireless traffic on another
interface.

I'm still interested though in anyone out there with large numbers of
mac-bypass entries. Any takers?

Cheers,


P.S. Chris/PFsense team, I am consistently impressed by this product.
You guys do very good work, and my team and I appreciate your efforts
immensely. The coding is important, but the community support is above
and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB aoz@gmail.com wrote:
 On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
 Finally, I'd appreciate any feedback out there on installs with counts
 on mac bypass entries topping a 1000 count. I am considering tying
 together several of my networks and would like to know what the upper
 end on the captive portal looks like.

 The captive portal's default configuration is to filter users by MAC
 address.  The main difference between that and what you're doing is
 that the MAC entries are made dynamically each time a user logs in.
 That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
 default configuration over a high-churn environment with several
 thousand unique clients per day with no ill effect.

 My concern was not whether pfSense could handle the number of entries,
 but mainly administrative overhead.  Maintaining a list of even 100
 MACs is terribly cumbersome, especially considering how trivial
 MAC-only authentication is to bypass.  Additionally, some of pfSense's
 GUI components just don't scale well - there are some diagnostic pages
 (DHCP status, CP status, ARP tables, etc.) that I've just become
 accustomed to not using if the client count is over a couple hundred.

 Check your system's RRD graphs during the slowdown - if your states,
 queues, or CPU aren't pegged, pfSense is likely not the culprit.



RE: [pfSense Support] Captive Portal Question

2009-05-09 Thread Dimitri Rodis
We use the switches in a client's executive office suite buildings. We needed 
a way to provide internet access on a per suite basis, and we needed to 
provide public addresses on an as-needed basis (if they had a mail server, for 
example). We had a previous solution in place, but it was about 8-9 years old, 
and required manual intervention when tenants move from suite to suite (which 
happens a lot in these buildings).

So our new (15 month old at this point) setup has 3 vlans on the switches: 
private unauthenticated, private authenticated, and public 
authenticated. (private and public refer to the address spaces in use on 
the vlans). As part of that setup, we use mac-based authentication on the HP 
switches. So, a client (aka tenant) can be plugged into any port on the 
switch, and the FreeRADIUS package from pfSense can provide authentication and 
VLAN assignments to the switch, and the switch will use the RADIUS information 
to put them on the correct VLAN automatically. For any client that does not 
authenticate, the switch throws them on the private unauthenticated vlan, 
and then the client cannot get on the internet without authenticating with the 
pfsense captive portal (the custom captive portal page pretty much says "hey, 
you aren't getting on the internet unless you pay the landlord more $$.  If 
you want access, call up xxx and give them this mac address: 
xx:xx:xx:xx:xx:xx"). If their mac address is present in FreeRADIUS, then they 
get put on whatever vlan is assigned them from the vlan box. The private 
authenticated vlan is a private address space vlan that is NATted to the 
internet, and the public authenticated vlan is directly on the internet. In 
order to keep clients from seeing each other on the private authenticated 
vlan (basically this vlan is for tenants that have a single pc with no 
router), we add the following to each client entry in the Additional RADIUS 
Options box:

    HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1,
    HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24,
    HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0

This permits the clients to talk to the gateway and the rest of the internet, 
but not to any other machine on the same subnet.

I don't know how much of this applies to your setup, but to sum up this 
solution, unauthenticated clients get put on a vlan that can't get on the 
internet (they can, but are stopped by a custom captive portal page from 
pfSense that tells them what to do), and authenticated clients get put on 
vlans that can freely access the internet. In your case, you might just need 
to use FreeRADIUS along with some switch ACLs (in the Additional RADIUS 
Options box) to allow/limit/prevent internet access.

Hopefully that made some sense. It's a bit tough to describe without seeing 
it! :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com


-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 9:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

Hi folks,

Just an update. I built a new machine from the ground up today. Took a
backup from the old machine, and just copied and pasted the 300+
mac-bypass entries into the new config file. Everything is working
well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected
entirely to new managed HP 2848's and 2510G-48's and I have great LAN
performance. Are you doing something directly with your switches as
far as authentication goes, or did you just include the switches for
completeness?

Finally, I'd appreciate any feedback out there on installs with counts
on mac bypass entries topping a 1000 count. I am considering tying
together several of my networks and would like to know what the upper
end on the captive portal looks like.

Thanks!



On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis
dimit...@integritasystems.com wrote:
 We have a pfSense setup with the FreeRADIUS package that authenticates folks
 that plug in to HP 3500yl and 2626 switches-- the set up is for a few
 executive office suite buildings that are linked together by fiber and all
 share a single 10Mb symmetric connection to the internet. 0 problems for 
 about
 15 months now--still running on 1.2-release. If you have some good managed
 switches, that's the way to do it IMHO.

 Dimitri Rodis
 Integrita Systems LLC
 http://www.integritasystems.com

 -Original Message-
 From: RB [mailto:aoz@gmail.com]
 Sent: Thursday, May 07, 2009 3:16 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Captive Portal Question

 On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

 I'm sure someone will chime in with the precise ipfw limitation, but
 this is mostly going to be dependent on your system's performance
 specs - memory & CPU.

 2. If I
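
Added example (not part of the original message, and not pfSense, FreeRADIUS or HP code): a small Python model of how the three HP-Nas-Filter-Rule entries in Dimitri Rodis's message above isolate tenants from each other, and a check that flags rules made unreachable by a wrong ordering. It assumes the switch evaluates the rules in the listed order, stops at the first match, and drops traffic that no rule matches; the function names and the destinations 172.20.1.57 and 198.51.100.7 are constructed for illustration.

```python
import ipaddress

# Attribute string as given in the message (Additional RADIUS Options box).
OPTIONS_FROM_MESSAGE = (
    "HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1, "
    "HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24, "
    "HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0"
)


def parse_rule(text):
    """Parse '<permit|deny> in ip from any to <dest>' into (action, network).

    Only the rule shape used in the message is supported; anything else is
    rejected rather than guessed at.
    """
    parts = text.split()
    if len(parts) != 7 or parts[1:6] != ["in", "ip", "from", "any", "to"]:
        raise ValueError(f"unsupported rule form: {text!r}")
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    # A bare address becomes a /32; a prefix with host bits set raises
    # ValueError, which catches typos such as 172.20.1.1/24.
    return action, ipaddress.ip_network(parts[6])


def rules_from_options(text):
    """Split the comma-separated attribute list into ordered parsed rules."""
    rules = []
    for item in text.split(","):
        name, _, value = item.partition("=")
        # Accept both '=' (first entry) and '+=' (appended entries).
        if name.strip().rstrip("+").strip() != "HP-Nas-Filter-Rule":
            raise ValueError(f"unexpected attribute: {item.strip()!r}")
        rules.append(parse_rule(value.strip().strip('"')))
    return rules


def decide(rules, dst):
    """Return (action, rule_index) for the first rule matching dst.

    Assumption: traffic matching no rule is denied, reported as
    ('deny', None).
    """
    addr = ipaddress.ip_address(dst)
    for index, (action, network) in enumerate(rules):
        if addr in network:
            return action, index
    return "deny", None


def shadowed(rules):
    """Indexes of rules that can never match under first-match evaluation,
    because an earlier rule already covers their whole destination range."""
    dead = []
    for index, (_, network) in enumerate(rules):
        if any(network.subnet_of(earlier) for _, earlier in rules[:index]):
            dead.append(index)
    return dead


if __name__ == "__main__":
    rules = rules_from_options(OPTIONS_FROM_MESSAGE)
    # Constructed destinations: the gateway, another tenant on the same
    # subnet, and an Internet host (documentation address range).
    for dst in ("172.20.1.1", "172.20.1.57", "198.51.100.7"):
        print(dst, decide(rules, dst))
    print("unreachable rules:", shadowed(rules))

    # Same rules with the catch-all permit moved to the front: the deny is
    # never reached, so tenants can reach each other again.
    misordered = [rules[2], rules[0], rules[1]]
    print("misordered neighbour:", decide(misordered, "172.20.1.57"))
    print("misordered unreachable rules:", shadowed(misordered))
```

Running `shadowed()` over a client entry before saving it catches the ordering mistake that silently removes the isolation.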

Re: [pfSense Support] Captive Portal Question

2009-05-09 Thread RB
On Sat, May 9, 2009 at 00:10, Tim Dressel tjdres...@gmail.com wrote:
 I'm still interested though in anyone out there with large numbers of
 mac-bypass entries. Any takers?

At the risk of redundancy, that was rather the point.  Other than the
interface of your manually entering them (which is not critical to the
actual operation), the captive portal in its standard configuration
makes a mac-bypass entry for every client.




RE: [pfSense Support] Captive Portal Question

2009-05-08 Thread Dimitri Rodis
We have a pfSense setup with the FreeRADIUS package that authenticates folks 
that plug in to HP 3500yl and 2626 switches-- the set up is for a few 
executive office suite buildings that are linked together by fiber and all 
share a single 10Mb symmetric connection to the internet. 0 problems for about 
15 months now--still running on 1.2-release. If you have some good managed 
switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but
this is mostly going to be dependent on your system's performance
specs - memory & CPU.

 2. If I should not be doing this with 300 clients, is anyone using
 another FOSS product to do MAC authenticated control outbound from
 their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest
people honest, it is in no way any form of authentication.  At that
number of unique users, you may be better served by setting up an
actual RADIUS server to do proper authentication and AAA instead of
manually maintaining tables.



Re: [pfSense Support] Captive Portal Question

2009-05-08 Thread Tim Dressel
Hi folks,

Just an update. I built a new machine from the ground up today. Took a
backup from the old machine, and just copied and pasted the 300+
mac-bypass entries into the new config file. Everything is working
well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected
entirely to new managed HP 2848's and 2510G-48's and I have great LAN
performance. Are you doing something directly with your switches as
far as authentication goes, or did you just include the switches for
completeness?

Finally, I'd appreciate any feedback out there on installs with counts
on mac bypass entries topping a 1000 count. I am considering tying
together several of my networks and would like to know what the upper
end on the captive portal looks like.

Thanks!



On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis
dimit...@integritasystems.com wrote:
 We have a pfSense setup with the FreeRADIUS package that authenticates folks
 that plug in to HP 3500yl and 2626 switches-- the set up is for a few
 executive office suite buildings that are linked together by fiber and all
 share a single 10Mb symmetric connection to the internet. 0 problems for about
 15 months now--still running on 1.2-release. If you have some good managed
 switches, that's the way to do it IMHO.

 Dimitri Rodis
 Integrita Systems LLC
 http://www.integritasystems.com

 -Original Message-
 From: RB [mailto:aoz@gmail.com]
 Sent: Thursday, May 07, 2009 3:16 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Captive Portal Question

 On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

 I'm sure someone will chime in with the precise ipfw limitation, but
 this is mostly going to be dependent on your system's performance
 specs - memory & CPU.

 2. If I should not be doing this with 300 clients, is anyone using
 another FOSS product to do MAC authenticated control outbound from
 their firewall?

 Possibly, but [as I hope you know] MAC filtering only keeps honest
 people honest, it is in no way any form of authentication.  At that
 number of unique users, you may be better served by setting up an
 actual RADIUS server to do proper authentication and AAA instead of
 manually maintaining tables.




Re: [pfSense Support] Captive Portal Question

2009-05-08 Thread RB
On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
 Finally, I'd appreciate any feedback out there on installs with counts
 on mac bypass entries topping a 1000 count. I am considering tying
 together several of my networks and would like to know what the upper
 end on the captive portal looks like.

The captive portal's default configuration is to filter users by MAC
address.  The main difference between that and what you're doing is
that the MAC entries are made dynamically each time a user logs in.
That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
default configuration over a high-churn environment with several
thousand unique clients per day with no ill effect.

My concern was not whether pfSense could handle the number of entries,
but mainly administrative overhead.  Maintaining a list of even 100
MACs is terribly cumbersome, especially considering how trivial
MAC-only authentication is to bypass.  Additionally, some of pfSense's
GUI components just don't scale well - there are some diagnostic pages
(DHCP status, CP status, ARP tables, etc.) that I've just become
accustomed to not using if the client count is over a couple hundred.

Check your system's RRD graphs during the slowdown - if your states,
queues, or CPU aren't pegged, pfSense is likely not the culprit.




Re: [pfSense Support] Captive Portal Question

2009-05-07 Thread RB
On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but
this is mostly going to be dependent on your system's performance
specs - memory & CPU.

 2. If I should not be doing this with 300 clients, is anyone using
 another FOSS product to do MAC authenticated control outbound from
 their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest
people honest, it is in no way any form of authentication.  At that
number of unique users, you may be better served by setting up an
actual RADIUS server to do proper authentication and AAA instead of
manually maintaining tables.




Re: [pfSense Support] Captive Portal Question

2009-05-07 Thread Chris Flugstad




I was going to ask what hardware you were running this on.  We have a
rather large list of MAC addresses in our captive portal and it works
fine.  It's a dual opteron/4 gigs of ram.   Probably overkill, so it
won't help you know what you need, but if you're running 128  ram or even
256, it's bare bone minimum.



Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com



RB wrote:

  On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
  
  
1. What is the limitation on the number of mac-bypass entries? And is
what I am seeing expected with 300 entries?

  
  
I'm sure someone will chime in with the precise ipfw limitation, but
this is mostly going to be dependent on your system's performance
specs - memory & CPU.

  
  
2. If I should not be doing this with 300 clients, is anyone using
another FOSS product to do MAC authenticated control outbound from
their firewall?

  
  
Possibly, but [as I hope you know] MAC filtering only keeps honest
people honest, it is in no way any form of authentication.  At that
number of unique users, you may be better served by setting up an
actual RADIUS server to do proper authentication and AAA instead of
manually maintaining tables.




RE: [pfSense Support] Captive Portal Issues

2009-03-03 Thread Atkins, Dwane P
My apologies, that should say our pfsenses and not our flenses

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Tuesday, March 03, 2009 10:30 AM
To: support@pfsense.com
Subject: [pfSense Support] Captive Portal Issues


We have been running pfSense as a Captive Portal for quite some time.
Lately, our flenses have had services that were locking up.  You could
view items on the GUI, but could not execute a Captive Portal lookup or
a Halt System or Reboot System.  And if you ssh'ed into the system, you
could not execute either or a web configurator restart either.

On the particular system we had this happen to lately, we were using
1.2.1-RC2 and have had it happen on 1.2.2.  We did recently upgrade to
1.2.3-PRERELEASE-TESTING-VERSION and have not had it up long enough to
determine if this version had the same issue.

This is the error that was in the /var/log/lighttpd.error.log

2009-03-03 09:04:58: (mod_fastcgi.c.2956) backend died; we'll disable it
for 5 seconds and send the request to another backend instead:
reconnects: 0 load: 192

2009-03-03 09:04:59: (mod_fastcgi.c.3568) all handlers for  /index.php
on .php are down.

This was on the monitor hooked up to the pfSense device

IPFW: IPV6 - Unknown Extension Header(10), ext 2

IPFW: IPV6 - Unknown Extension Header(5), ext 2

Thanks


Re: [pfSense Support] captive portal without MAC filtering

2009-02-07 Thread Chris Buechler
On Sat, Feb 7, 2009 at 2:31 PM, Pete Boyd petes-li...@thegoldenear.org wrote:
 The captive portal has the following option:
 MAC filtering - Disable MAC filtering
 If this option is set, no attempts will be made to ensure that the MAC
 address of clients stays the same while they're logged in. This is
 required when the MAC address of the client cannot be determined (usually
 because there are routers between pfSense and the clients). If this is
 enabled, RADIUS MAC authentication cannot be used.

 This sounds useful. It could fix the difficulty we have of requiring LAN
 users, who want to add wifi in their home, that they need to use wireless
 access points, not wireless routers (or wireless routers configured as
 purely wireless access points, for those that support this), so that they
 don't ruin our charging model. People find the technical differences hard
 to understand.


It's simple to bridge wireless on almost every wireless router, just
plug in one of the LAN ports rather than the WAN/Internet port. Double
NAT is ugly and potentially problematic, so I would stay away from it
if at all possible. Disabling MAC filtering will work around it if you
really must do it that way.


 So, how does pfSense track people with this option enabled? How does it work?


As it says in what you quoted above, just by IP rather than by IP and MAC.




RE: [pfSense Support] Captive portal locking up?

2008-12-10 Thread Atkins, Dwane P
Yes, that was the message I saw.  I am going to upgrade to 1.2.1 RC2.
This is what most are using now, correct?

Thank you

Dwane

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2008 8:06 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive portal locking up?

On Tue, Dec 2, 2008 at 3:27 PM, Atkins, Dwane P [EMAIL PROTECTED]
wrote:
 We are currently using 1.2 RC1 on a Dell Power Edge R200 and 1.2
Release on
 a Dell Power Edge 860.



 In the last couple of weeks, the devices has stopped working for those
who
 are NOT already connected.  If you are connected, you maintain the
 capability to gain access.  Each time I have gone to the device, we
receive
 and error message:



 IPFW2; Ipv6- unknown extension number (5), ext-hd eq 2


You sure that's the exact message? That would make you the only person
to ever get that message on FreeBSD or pfSense - google doesn't know
about it.

Any other potentially relevant messages in your logs?

For lack of any better ideas, I would try upgrading one to 1.2.1 to
see if that makes any difference. Might be some kind of odd ipfw issue
that doesn't exist in FreeBSD 7.0.




Re: [pfSense Support] Captive portal locking up?

2008-12-08 Thread Chris Buechler
On Tue, Dec 2, 2008 at 3:27 PM, Atkins, Dwane P [EMAIL PROTECTED] wrote:
 We are currently using 1.2 RC1 on a Dell Power Edge R200 and 1.2 Release on
 a Dell Power Edge 860.



 In the last couple of weeks, the devices has stopped working for those who
 are NOT already connected.  If you are connected, you maintain the
 capability to gain access.  Each time I have gone to the device, we receive
 and error message:



 IPFW2; Ipv6- unknown extension number (5), ext-hd eq 2


You sure that's the exact message? That would make you the only person
to ever get that message on FreeBSD or pfSense - google doesn't know
about it.

Any other potentially relevant messages in your logs?

For lack of any better ideas, I would try upgrading one to 1.2.1 to
see if that makes any difference. Might be some kind of odd ipfw issue
that doesn't exist in FreeBSD 7.0.




RE: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

2008-09-11 Thread Dimitri Rodis
If you want to authenticate machines connecting to switch ports, install the 
FreeRADIUS package. I added some interface options to the package earlier this 
year that should allow you to use it for mac-based authentication and vlan 
assignment for switches that support it. I use it in a couple different places 
and it works quite well for us.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Tim Nelson [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2008 3:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

If you want per port (on your switch) based authentication, you may want to 
look at 802.1x with RADIUS. If you'd like to do per IP authentication, 
pfSense will work nicely.

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

- Chris Flugstad [EMAIL PROTECTED] wrote:

 So I have a need that I'm not sure if Pfsense is currently doing.  I
 want to have a captive portal, but once auth'd that the ethernet port

 that was used to go through the captive portal, be enabled.  well i
 guess it would already be enabled, since it got through, but more or
 less that the port had full access.  Each port will go to different
 rooms in a hotel.

 Any ideas would be appreciated.

 -Topher




Re: [pfSense Support] Captive Portal

2008-03-22 Thread Chris Buechler

Dimitri Rodis wrote:


If I wanted to display a user’s IP address AND MAC address on the 
captive portal page, does anyone have a code snippet that would do 
that on the pfSense captive portal page? Is this possible?




I suggest opening a feature request ticket on cvstrac.pfsense.org, 
and/or starting a bounty. Somebody would probably be willing to pick 
this up for relatively cheap.






RE: [pfSense Support] Captive Portal

2008-03-22 Thread Dimitri Rodis
If I made the modifications to display the mac/client IP on the
default captive portal page, would you commit it and make it the
default captive portal page? I would just throw a couple of lines right
beneath the login button that say: 
Client MAC: xx:xx:xx:xx:xx:xx
Client IP: xxx.xxx.xxx.xxx

Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 22, 2008 6:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Dimitri Rodis wrote:

 If I wanted to display a user's IP address AND MAC address on the 
 captive portal page, does anyone have a code snippet that would do 
 that on the pfSense captive portal page? Is this possible?


I suggest opening a feature request ticket on cvstrac.pfsense.org, 
and/or starting a bounty. Somebody would probably be willing to pick 
this up for relatively cheap.





Re: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Curtis LaMasters
Try clearing your state table and seeing if that fixes the issue.

Curtis


RE: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Yannick Fauconnier
Just tried, and no changes :(

Yannick

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 20, 2008 23:47
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal trouble

Try clearing your state table and seeing if that fixes the issue.

Curtis


Re: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Curtis LaMasters
Did you already try disabling your transparent proxy?  What are you using
for your captive portal login page?

Curtis


RE: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Yannick Fauconnier
Already tried to disable transparent proxy, change the interface of the proxy 
from lan to wan but didn't help.

As authentication page, I just created a blank HTML page where I copy/pasted the 
form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
Private Room
<form method="post" action="$PORTAL_ACTION$">
   <p>
 <input name="auth_user" type="text">
 <input name="auth_pass" type="password">
 <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
 <input name="accept" type="submit" value="Continue">
   </p>
</form>
</body>
</html>

Regards

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 2:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal trouble

Did you already try disabling your transparent proxy?  What are you using for 
your captive portal login page?

Curtis


Re: [pfSense Support] Captive Portal Design documents

2007-10-01 Thread cassio lima
better solution monowall

On 10/1/07, Dziuk, Fred J [EMAIL PROTECTED] wrote:

  Our campus is using PfSense to control wireless access to our network via
 the Captive Portal and becoming very reliant on its operation.  I do not
 want to necessarily become a developer to have technical troubleshooting
 skills.  But I would like to have a document that describes the basics of
 the Captive Portal operations and was hoping for some links to some detailed
 design/operational documents other than source code.  Questions I have:

 1.   How does the CP determine if a user needs to be authenticated?

 2.   Once authenticated, where is the user information kept?

 3.   I can issue PF and IPFW commands in the shell – Are both used in
 CP?

 4.   We have some users that some how disappear from the CP user list,
 but can still get through to the WAN.  How do I debug this?

 5.   Seems like there are extra entries in the firewall ruleset that
 keep accumulating and never get removed.  How do I clean this up?



   I have put out a few questions/problems to this list and have not
 received a single response.  We are establishing an account for the
 commercial support, but we would like to have some local expertise.  Thanks
 for any insight in the Captive Portal's operation.



 Fred Dziuk

 The Univ. of Texas Health Science Center at San Antonio

 Systems and Network Operations

 210-567-2117



Re: [pfSense Support] Captive Portal Design documents

2007-10-01 Thread Scott Ullrich
On 10/1/07, cassio lima [EMAIL PROTECTED] wrote:
 better solution monowall

Please stop trolling.

Scott




Re: [pfSense Support] Captive Portal kills my firewall rules

2007-07-20 Thread Chris Buechler

Nate Stiller wrote:
When I enable the Captive Portal on my LAN interface in either 1.2 
BETA version 1 or 2, it messes with my WAN firewall rules. When 
enabled, the only rule that works is an allow in to pfSense's web 
admin from outside on HTTPS. Anyone else experience this or know of 
any fixes?

You have to exempt any hosts with ports open to them from the WAN, as CP 
will block all reply traffic from those hosts otherwise.






Re: [pfSense Support] Captive Portal kills my firewall rules

2007-07-20 Thread Nate Stiller

I forgot to say that this happens even on the clients that I use the pass
through MAC filtering.


On 7/20/07, Chris Buechler [EMAIL PROTECTED] wrote:


Nate Stiller wrote:
 When I enable the Captive Portal on my LAN interface in either 1.2
 BETA version 1 or 2, it messes with my WAN firewall rules. When
 enabled, the only rule that works is an allow in to pfSense's web
 admin from outside on HTTPS. Anyone else experience this or know of
 any fixes?
You have to exempt any hosts with ports open to them from the WAN, as CP
will block all reply traffic from those hosts otherwise.






Re: [pfSense Support] Captive portal 'file manager' files not visible

2007-06-25 Thread Scott Ullrich

Upgrade to a recent testing snapshot.  This has been fixed since Beta1.

Scott


On 6/25/07, Roberto Greiner [EMAIL PROTECTED] wrote:

I'm making a test with 1.2Beta1, and got a problem with the captive
portal. I added two files in the file manager section with the name
starting with 'captiveportal-', and added references to those two files
(one a .gif image named captiveportal-semfio_logo.gif, the other an
.html iframe file named captiveportal-noticias.html) in the 'Portal page
contents' file. It's exactly the same structure I used in the 1.0
pfSense and it worked. But with 1.2B1 I'm getting a 404 error for both
files when a client opens the captive portal screen. Did somebody else
get such a problem?

Any help is welcome.

Thank you,

Marcos Roberto Greiner


--
  -
Marcos Roberto Greiner

   The optimists think we are in the best of all worlds
The pessimists fear that this is true
   Murphy
  -




Re: [pfSense Support] Captive Portal ?

2007-05-18 Thread Scott Ullrich

On 5/18/07, David Strout [EMAIL PROTECTED] wrote:

Now that I plowed through the VLAN issue.  I have
been presented with another config question.

Is there any way to have captive portal active on
multiple interfaces?

I dug through the mail lists and the forum, but it
seems that the answer is a resounding no.  So
naturally the next question is ... is there any
plan to modify the captive portal to address
multiple interfaces?  I am sure it would be a
coding nightmare, but in retrospect, have been
presented with the question and seeing the value
in their request, it sure would be a nice feature
for a future release.


No it will not work on multiple interfaces and there are no plans to
work on this.

Scott




Re: [pfSense Support] Captive portal sugesstion

2007-05-03 Thread Scott Ullrich

On 5/3/07, Mohd Saidy [EMAIL PROTECTED] wrote:

Hi,

1. Congratulation to developer that will release a new version of pfsense.
Nice jobs guys!
2. I'm using captive portal for authenticate my wireless user (right now
have about 700 users with approximately 100 concurrent users), but when i
want to add user i take some memory and time to read all existing users. My
suggestions, why not split or group all user by 10 or 20 user by pages. For
example as below;


Users
1. abc1
2. abc2
3. abc3
4. abc4
5. abc5
6. abc6
7. abc7
8. abc8
9. abc9
10. abc10

 1 2 3 4 5 6 7 8 9 10 


Thank you


Thanks for the suggestion!  However we do not maintain the captive
portal implementation.   Maybe you could email the m0n0wall list with
your suggestion.

However, we are not against a bounty in our forum to help nudge this
along from our end.

Scott




Re: [pfSense Support] captive portal apply button

2007-03-19 Thread Scott Ullrich

On 3/18/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi !

I think it might be an error in captive portal:

When changing some entry and then save them, there appear two apply
buttons:

http://pfsense.trendchiller.com/pics/cp_apply_error.jpg


Thanks, fixed!

Scott




Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

What should it read on the fresh install ?
It's a productive system... it's hard to reinstall in between...


Right, but it must work, correct? :)   If you could get a reading from
a box that works, it would be most helpful.

Scott




Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi, Scott !

Fresh install shows the following, but does not work also :-(

[snip]

01100 0   0 allow ip from any to any layer2 mac-type 0x888e


I don't see the traffic counter increasing on this test.  Did you
actually test login again?  The prior output shows the counter at 4.

Scott




Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

I found a potential issue.  Please test a snapshot around two hours from now.

Scott

On 3/5/07, Scott Ullrich [EMAIL PROTECTED] wrote:

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi, Scott !

 Fresh install shows the following, but does not work also :-(
[snip]
 01100 0   0 allow ip from any to any layer2 mac-type 0x888e

I don't see the traffic counter increasing on this test.  Did you
actually test login again?  The prior output shows the counter at 4.

Scott






Re: [pfSense Support] Captive Portal

2007-03-04 Thread Scott Ullrich

On 3/4/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hmmm, tried the latest snapshot... wpa2 does not seem to work with the captive 
portal until now... site cannot be found... :(


Reinstall?   The options are definitely back.

# pfsense requires for WPA
add 1100 set 1 pass layer2 mac-type 0x888e

Scott




Re: [pfSense Support] Captive Portal

2007-03-04 Thread Scott Ullrich

Also, please install a working version and from the shell do a:

ipfw show

Then reinstall the non working version and from a shell do:

ipfw show

Scott


On 3/4/07, Scott Ullrich [EMAIL PROTECTED] wrote:

On 3/4/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hmmm, tried the latest snapshot... wpa2 does not seem to work with the 
captive portal until now... site cannot be found... :(

Reinstall?   The options are definitely back.

# pfsense requires for WPA
add 1100 set 1 pass layer2 mac-type 0x888e

Scott
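
Added example, not part of the original thread or of pfSense: one way to run the comparison requested above, diffing two saved `ipfw show` listings while ignoring the packet/byte counters, then checking whether the WPA/EAPOL rule (mac-type 0x888e) counter moved between two snapshots taken around a login test. The listings are constructed samples (only the 01100 rule text comes from the thread) and the function names are hypothetical.

```python
import re
from collections import namedtuple

# One parsed line of `ipfw show`: rule number, packet counter, byte counter, rule text.
Rule = namedtuple("Rule", "number packets bytes body")

LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
EAPOL = re.compile(r"\bmac-type\s+0x888e\b", re.IGNORECASE)

# Constructed listings. Only the 01100 rule text is taken from the thread.
WORKING = """\
01000  35  2940 allow udp from any to any dst-port 53
01100   4   672 allow ip from any to any layer2 mac-type 0x888e
65535   0     0 deny ip from any to any
"""
BROKEN = """\
01000  12  1008 allow udp from any to any dst-port 53
65535   0     0 deny ip from any to any
"""
FRESH_BEFORE = """\
01000   3   252 allow udp from any to any dst-port 53
01100   0     0 allow ip from any to any layer2 mac-type 0x888e
65535   0     0 deny ip from any to any
"""
FRESH_AFTER = """\
01000   9   756 allow udp from any to any dst-port 53
01100 0   0 allow ip from any to any layer2 mac-type 0x888e
65535   0     0 deny ip from any to any
"""


def parse_ipfw_show(text):
    """Return the rules of an `ipfw show` listing, whitespace-normalised."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a rule line
        number, packets, nbytes, body = m.groups()
        rules.append(Rule(int(number), int(packets), int(nbytes),
                          " ".join(body.split())))
    return rules


def diff_rulesets(reference, candidate):
    """Compare rule number + text only; counters are ignored on purpose.

    Returns (missing, added): rules only in the reference listing and
    rules only in the candidate listing.
    """
    ref = {(r.number, r.body) for r in reference}
    cand = {(r.number, r.body) for r in candidate}
    return sorted(ref - cand), sorted(cand - ref)


def stalled_rules(before, after, pattern=EAPOL):
    """Rules matching `pattern` whose packet counter did not increase
    between two snapshots of the same ruleset."""
    seen = {(r.number, r.body): r.packets for r in before}
    return [r for r in after
            if pattern.search(r.body)
            and (r.number, r.body) in seen
            and r.packets <= seen[(r.number, r.body)]]


if __name__ == "__main__":
    missing, added = diff_rulesets(parse_ipfw_show(WORKING),
                                   parse_ipfw_show(BROKEN))
    for number, body in missing:
        print("missing in non-working build: %05d %s" % (number, body))
    for number, body in added:
        print("only in non-working build:    %05d %s" % (number, body))
    for rule in stalled_rules(parse_ipfw_show(FRESH_BEFORE),
                              parse_ipfw_show(FRESH_AFTER)):
        print("counter did not move:         %05d %s" % (rule.number, rule.body))
```

Save each listing with `ipfw show > file` on the box and feed the file contents to `parse_ipfw_show`.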






Re: [pfSense Support] Captive Portal

2007-03-03 Thread Scott Ullrich

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi !

I'm trying to use captive portal on ath0 interface...

WLAN-client gets dhcp-lease and everything but cannot connect to any
network...

If i add the mac-address to the captive portal it works without auth...

But i want auth for this client, so i remove the mac... but there does
not pop up any auth page...

When adding tcp 8000 from wlan-subnet to localhost there still is no
popup...

When looking to pfsense/status.php it looks like the rule for captive
portal is generated without the rule having added by hand (so as it
should be in the new version)

Can anyone affirm this or is there just something i have overseen ?

Greets, Martin !


If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




RE: [pfSense Support] Captive Portal and DNS

2007-03-03 Thread Kelvin Chiang
Ok, so all the computers has to point the DNS to pfsense IP, there is no
way around it?

Regards,
Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 04, 2007 12:13 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal and DNS


You have to use the dnsforwarder of pfSense to use the captive portal.
It won't work with another DNS-Server.

Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 4 March 2007 05:10
To: support@pfsense.com
Subject: [pfSense Support] Captive Portal and DNS

Hi, anyone has any information how to pass DNS request packet through
captive portal? The problem I faced was that the computers configured
with a DNS server IP address instead of obtaining DNS server IP
dynamically cannot invoke the captive portal.
 
Regards,
Kelvin




RE: [pfSense Support] Captive Portal and DNS

2007-03-03 Thread Kelvin Chiang
Ok thanks

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 04, 2007 12:23 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal and DNS


Correct

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 4 March 2007 05:23
To: support@pfsense.com
Subject: RE: [pfSense Support] Captive Portal and DNS

Ok, so all the computers has to point the DNS to pfsense IP, there is no
way around it?

Regards,
Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 04, 2007 12:13 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal and DNS


You have to use the dnsforwarder of pfSense to use the captive portal.
It won't work with another DNS-Server.

Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 4 March 2007 05:10
To: support@pfsense.com
Subject: [pfSense Support] Captive Portal and DNS

Hi, anyone has any information how to pass DNS request packet through
captive portal? The problem I faced was that the computers configured
with a DNS server IP address instead of obtaining DNS server IP
dynamically cannot invoke the captive portal.
 
Regards,
Kelvin




RE: [pfSense Support] Captive Portal bug + resource

2006-12-14 Thread Holger Bauer
You only can log the portal auth events by using a remote syslogserver.
See status > systemlogs, settings. SNMP is not supported for this.

Holger 

-Original Message-
From: Roberto Greiner [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 11, 2006 1:50 PM
To: support@pfsense.com
Subject: [pfSense Support] Captive Portal bug + resource

Hi,

I was doing a small test with the captive portal, and noticed a minor
glitch with the setup pages. In the Services/Captive Portal/Allowed IP
Addresses, when clicking to add a new IP, if you simply click save
without adding anything, the error message appears out of place, thrown
to the right side, when using firefox (I'm using 1.5, didn't test with
2.0). IE 6 renders the page properly.

Also about the captive portal, is it possible to send messages to
devices (like snmp) when a user logs in to the portal, or when he fails
to log?

Thank you,

Marcos Roberto Greiner

--
  -
Marcos Roberto Greiner

   The optimists think we are in the best of all worlds
The pessimists fear that this is true
   Murphy
  -





RE: [pfSense Support] Captive portal issue with pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006

2006-09-24 Thread Ronald Henriksen
Simply upgrading to the pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006 from
pfSense-Full-Update-RC2 which had been working fine for months. I then tried
connecting through the portal to go to the internet and the error below is
from Internet Explorer. The error only occurs after logon and no traffic
will pass through the portal then.

FYI I use the portal tied into IAS for radius authentication.



-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 22, 2006 9:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive portal issue with
pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006

On 9/22/06, Ronald Henriksen [EMAIL PROTECTED] wrote:




 Has any thing changed for the captive portal feature with snap shot
 pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006 after login
 from the portal I get a fatal error. I had to revert to
 pfSense-Full-Update-RC2.tgz

 to get the captive portal working again below is the error that the portal
 kicked out with
 pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006.



 Fatal error: Call to undefined function: get_next_ipfw_ruleno() in
 /etc/inc/captiveportal.inc on line 834


What steps did you take to produce this error?




Re: [pfSense Support] Captive portal issue with pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006

2006-09-24 Thread Scott Ullrich

Please try the newer snapshot.

On 9/24/06, Ronald Henriksen [EMAIL PROTECTED] wrote:

Simply upgrading to the pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006 from
pfSense-Full-Update-RC2 which had been working fine for months. I then tried
connecting through the portal to go to the internet and the error below is
from Internet Explorer. The error only occurs after logon and no traffic
will pass through the portal then.

FYI I use the portal tied into IAS for radius authentication.



-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, September 22, 2006 9:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive portal issue with
pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006

On 9/22/06, Ronald Henriksen [EMAIL PROTECTED] wrote:




 Has any thing changed for the captive portal feature with snap shot
 pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006 after login
 from the portal I get a fatal error. I had to revert to
 pfSense-Full-Update-RC2.tgz

 to get the captive portal working again below is the error that the portal
 kicked out with
 pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006.



 Fatal error: Call to undefined function: get_next_ipfw_ruleno() in
 /etc/inc/captiveportal.inc on line 834


What steps did you take to produce this error?




Re: [pfSense Support] Captive portal issue with pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006

2006-09-22 Thread Scott Ullrich

On 9/22/06, Ronald Henriksen [EMAIL PROTECTED] wrote:





Has any thing changed for the captive portal feature with snap shot
pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006 after login
from the portal I get a fatal error. I had to revert to
pfSense-Full-Update-RC2.tgz

to get the captive portal working again below is the error that the portal
kicked out with
pfSense-Full-Update-1.0-SNAPSHOT-09-20-2006.



Fatal error: Call to undefined function: get_next_ipfw_ruleno() in
/etc/inc/captiveportal.inc on line 834



What steps did you take to produce this error?




Re: [pfSense Support] Captive Portal

2006-07-28 Thread pablo hide
Yes, but it gives me an error when I do it. Did
someone try it?

--- Gertjan KROEB [EMAIL PROTECTED] wrote:

 Euuuh,
 
 How did you put it ON in the first place ?
 Use that to put it OFF.
 
 More serious: You'll find your answer on the main
 web page - Services - Captive Portal :: the first
 selectable option named Enable captive portal -
 and Save (on the bottom of the page).





RE: [pfSense Support] Captive portal - REDIR pages not working correctly

2006-07-05 Thread Dimitri Rodis



Fred,

Although this isn't a pfSense solution, one way to fix 
your problem would be for you to run m0n0wall in VMware Server (free) or 
Microsoft Virtual Server 2005 R2 (also free). We run m0n0 and pfSense both in MS 
Virtual Server 2005 R2 and they work just fine. 

Dimitri Rodis
Integrita Systems LLC

From: Dziuk, Fred J [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 05, 2006 2:00 PM
To: support@pfsense.com
Subject: [pfSense Support] Captive portal - REDIR pages not working correctly


 I have been using m0n0wall 
with a few custom Web pages for user authentication. I have the initial 
page that displays an Acceptable Use Policy that must be ACKNOWLEDGED, then an 
authentication page (username/password), and then a final Here is what you CAN 
and CANNOT do page. This works on m0n0wall V1.21 and 1.22. I need 
larger servers, so I purchased a couple of DELL PowerEdge 850s. The 
problem was that FreeBSD 4 does not seem to support SATA or Broadcom 
GigabitEthernet. I happened to come across pfSense. I downloaded the 
ISO and booted it up. I copied it to the hard drive (using the 99 
function). Everything went really smooth. But now that I have added 
my custom Web authentication pages (via Portal Page Contents and File Manager 
sections), the initial AUP page comes up but when I CLICK on the OK, the second 
page (username/password) can not be found. The URL is the original URL 
with the local reference file added to it (Example: If my HOME page was www.microsoft.com, the URL for the second 
page would be www.microsoft.com/CaptivePortal2.html 
, instead of just CaptivePortal2.html which is located in local storage). 
It seems that the REDIRURL is being prepended to my local web page 
reference. Also, the Authentication Error Page Contents has a View 
Current Page, which only displays the main page (Portal Page Contents)  not 
the Error Page. Does anyone have a solution for this issue? 



Re: [pfSense Support] captive portal webgui prob

2006-04-20 Thread barney gumbo
Done, thanks.

On 4/13/06, Scott Ullrich [EMAIL PROTECTED] wrote:

 Please upgrade to
 http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-12-2006/ and try
 again. Beta 2 is old and will be replaced with Beta 3 this weekend
 but in the meantime that snapshot is pretty much what Beta 3 will be.

 On 4/13/06, barney gumbo [EMAIL PROTECTED] wrote:

  I'm having a problem with making changes to the captive portal webgui
  page. If I attempt to change the idle or hard timeout settings, then hit
  the save button, I then get a page cannot be displayed. I can
  disable/enable captive portal without getting that error. I don't see
  anything obvious in the log files, and rebooting doesn't help. I'm
  running 1.0 beta 2. Any help or pointers will be appreciated.



RE: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-19 Thread Richard Davis








I can help with hosting space if you need to put it somewhere in the US.
I have a site and space I'm not using.

-Original Message-
From: Luiz Vaz [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 18, 2006 11:50 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal, VMWare and Radius



Hi all,

 now it´s ok! ;)
 
 I cleared the captive portal options and setup again!
 After I listed the pf rules using pfctl -s rules. And it
showed a strange rule that redirects all radius and radacct ports to 19000 19001
ports at 127.0.0.1 ... 
 Don´t know where it come from!

 I think that it was because I tryed the captive with local
user to test the net and after I switched back to captive with radius. 

 So, i cleared it and voila!
 I hope that it may helps anyone too... ;)

- - - - - - - 

 Another thing, i setup my VMWare image with php dbg. Now i´m
using it to debug the php code while i write some custom things. 
 After, i compiled the pecl-radius extension to php and it is
working fine!

 So, can i send to the list the code that i rewrite for
radius_accounting.inc and radius_authentication.inc
using the libradius functions? 

 Maybe someone can add to the next versions of pfSense to use
libradius instead php-radius custom function. It´s standard and much less error
prone!


Best Regards,
Luiz Vaz 








Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-19 Thread Luiz Vaz
Hehehe,

Thanks! But it´s very small code... ;)
Thanks again Richard ! ! !

Best Regards,
Luiz Vaz

2006/2/19, Richard Davis [EMAIL PROTECTED]:

I can help with hosting space if you need to put it somewhere in the US.
I have a site and space I'm not using.

-Original Message-
From: Luiz Vaz [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 18, 2006 11:50 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal, VMWare and Radius



Hi all,

 now it´s ok! ;)
 
 I cleared the captive portal options and setup again!
 After I listed the pf rules using pfctl -s rules. And it
showed a strange rule that redirects all radius and radacct ports to 19000 19001
ports at 127.0.0.1 ... 
 Don´t know where it come from!

 I think that it was because I tryed the captive with local
user to test the net and after I switched back to captive with radius. 

 So, i cleared it and voila!
 I hope that it may helps anyone too... ;)

- - - - - - - 

 Another thing, i setup my VMWare image with php dbg. Now i´m
using it to debug the php code while i write some custom things. 
 After, i compiled the pecl-radius extension to php and it is
working fine!

 So, can i send to the list the code that i rewrite for
radius_accounting.inc and radius_authentication.inc
using the libradius functions? 

 Maybe someone can add to the next versions of pfSense to use
libradius instead php-radius custom function. It´s standard and much less error
prone!


Best Regards,
Luiz Vaz 










Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-18 Thread Scott Ullrich
On 2/19/06, Luiz Vaz [EMAIL PROTECTED] wrote:
 Hi all,

 now it´s ok! ;)

Great!!!

snip

 So, can i send to the list the code that i rewrite for
 radius_accounting.inc and radius_authentication.inc using the libradius
 functions?

Yes, please post a link to them if you can host them somewhere or use
the pfsense.com pastebin ( www.pfsense.com/pastebin ) and post the
pastebin url that it generates.

 Maybe someone can add to the next versions of pfSense to use libradius
 instead php-radius custom function. It´s standard and much less error prone!

How would this affect syncing with m0n0wall?

Scott




Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-18 Thread Bill Marquette
On 2/18/06, Luiz Vaz [EMAIL PROTECTED] wrote:
 Another thing, i setup my VMWare image with php dbg. Now i´m using it to
 debug the php code while i write some custom things.
 After, i compiled the pecl-radius extension to php and it is working
 fine!

 So, can i send to the list the code that i rewrite for
 radius_accounting.inc and radius_authentication.inc using the libradius
 functions?

 Maybe someone can add to the next versions of pfSense to use libradius
 instead php-radius custom function. It´s standard and much less error prone!

Good timing, PECL radius was added to HEAD by myself yesterday.

--Bill




Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-18 Thread Luiz Vaz
Well,

I'll do more tests with this and send the links with pastebin as soon as
possible! ;)

Thanks

2006/2/19, Bill Marquette [EMAIL PROTECTED]:

 On 2/18/06, Luiz Vaz [EMAIL PROTECTED] wrote:
  Another thing, i setup my VMWare image with php dbg. Now i´m using it to
  debug the php code while i write some custom things.
  After, i compiled the pecl-radius extension to php and it is working
  fine!

  So, can i send to the list the code that i rewrite for
  radius_accounting.inc and radius_authentication.inc using the libradius
  functions?

  Maybe someone can add to the next versions of pfSense to use libradius
  instead php-radius custom function. It´s standard and much less error prone!

 Good timing, PECL radius was added to HEAD by myself yesterday.

 --Bill


Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-17 Thread Luiz Vaz
Hi all,

another issue:
I put the same code under lighttpd running on 80 port and it works nice!
Only when i try to use the captive portal under 8000 port that´s hanging.

Weird?

Regards,
Luiz Vaz

2006/2/16, Luiz Vaz [EMAIL PROTECTED]:

 It´s unselected. I disabled block private networks...
 The weird stuff is show by tcpdump:

 # tcpdump -vvv -i lnc1 -n udp
 tcpdump: listening on lnc1, link-type EN10MB (Ethernet), capture size 96 bytes
 22:17:50.316598 IP (tos 0x0, ttl 64, id 39331, offset 0, flags [none], proto: UDP (17), length: 84) 192.168.160.129.64567  200.184.125.*.1812: RADIUS, length: 56
   Access Request (1), id: 0x60, Authenticator: 9abd35f98f741cd686e9d156dd437672
     Username Attribute (1), length: 6, Value: joao
       0x: 6a6f 616f
     Password Attribute (2), length: 18, Value:
       0x: 53b3 5002 de8e bc62 6748 bed3 a512 80fb
     NAS Port Attribute (5), length: 6, Value: 5060
       0x:  13c4 [|radius]
 22:17:50.569263 IP (tos 0x0, ttl 128, id 417, offset 0, flags [none], proto: UDP (17), length: 58) 200.184.125.*.1812  192.168.160.129.64567: [udp sum ok] RADIUS, length: 30
   Access Accept (2), id: 0x60, Authenticator: ba3ed3255eca57439bc67802b234f09b
     Reply Attribute (18), length: 10, Value: Ol. jo.o
       0x: 4f6c e120 6a6f e36f
 22:17:50.783098 IP (tos 0x0, ttl 64, id 44027, offset 0, flags [none], proto: UDP (17), length: 72) 192.168.160.129.62375  200.184.195.*.1812: [udp sum ok] RADIUS, length: 44
   Access Request (1), id: 0xbf, Authenticator: 67f58126f94a4540766fc244f86dac28
     Username Attribute (1), length: 6, Value: joao
       0x: 6a6f 616f
     Password Attribute (2), length: 18, Value:
       0x: 1d22 19cb 0707 ed6c a075 546a abbf eb93
 ^C
 3 packets captured
 25 packets received by filter
 0 packets dropped by kernel

 As you can see, the request is received by radius and sent back with the
 correct response. But the response is mysteriously ignored So the
 radiusclient try again without knowning it.

 Best Regards,
 Luiz Vaz

 2006/2/16, Scott Ullrich [EMAIL PROTECTED]:

  What does interfaces, WAN, Block private networks show?

  On 2/15/06, Luiz Vaz [EMAIL PROTECTED] wrote:
   Hi All,

   I am using the pfSense on VMWare using the developers image.
   On the same machine i setup another VM with Win98.
   Everything is working good, DHCP, Captive Portal (NoAuth and LocalUserList).

   But, some strange stuff happens when i choose Radius Auth!
   My Radius server is another machine running outside world.
   In the firewall i allowed IN and OUT to UDP 1812, 1813 ports...

   When i try to login thru captive portal in Win98, it´s hanging.
   But calling the radius using NTRadPing inside the same Win98, it works!
   And using a radiusclient inside pfSense works too.

   Only when the php try to retrieve the info from Radius hangs.
   No matter if it use the custom radius code or using the libradius extension.

   My VMWare Net is:
   - Win98: 192.168.65.131
   - pfSense: 192.168.65.130 (LAN)
   - pfSense: 192.168.160.129 (WAN)
   - VMWare NAT: 192.168.160.130
   - VMWare Gateway: 192.168.160.2

   Obs.: My Machine is using a DSL router with WinXP for the tests and Dev.

   A deep look in the calls showed this log in pftop:

   Using NTRadPing:
   udp In  192.168.65.131:1076 200.184.125.*:1812 SINGLE:MULTIPLE
   udp Out 192.168.65.131:1076 200.184.125.*:1812 MULTIPLE:SINGLE

   Output:
   Sending authentication request to server 200.184.125.*:1812
   Transmitting packet, code=1 id=6 length=44
   Received response from server in 600 miliseconds
   Replay packet code=2 id=6 length=30
   Response: Accept-Accept

   Captive Portal:
   tcp In  192.168.65.131:1077 192.168.65.130:8000 ESTABLISHED:ESTABLISHED
   udp Out 192.168.160.129:61371 200.184.125.*:1812 MULTIPLE:SINGLE
   udp Out 192.168.160.129:64110 200.184.195.*:1812 SINGLE:NO_TRAFFIC

   Output:
   Radius Error: No valid RADIUS responses received.

   My surprise is that the pfSense call to radius and it´s reply (I run
   Radius in DebugMode).
   But the pfSense don´t receive the response.

   I guess that i missed something on firewall. ;)

   Anyone had some ideia about what's happen?
   Or any tip to find it out?

   Best Regards,
   Luiz Vaz





Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-17 Thread Scott Ullrich
Upgrade to http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-15-06/

On 2/17/06, Luiz Vaz [EMAIL PROTECTED] wrote:
 Hi all,


 another issue:
 I put the same code under lighttpd running on 80 port and it works nice!
 Only when i try to use the captive portal under 8000 port that´s
 hanging.

 Weird?

  Regards,
 Luiz Vaz

 2006/2/16, Luiz Vaz [EMAIL PROTECTED]:
It´s unselected. I disabled block private networks...
The weird stuff is show by tcpdump:
 
  # tcpdump -vvv -i lnc1 -n udp
  tcpdump: listening on lnc1, link-type EN10MB (Ethernet), capture size 96
 bytes
  22:17: 50.316598 IP (tos 0x0, ttl  64, id 39331, offset 0, flags [none],
 proto: UDP (17), length: 84) 192.168.160.129.64567  200.184.125.*.1812:
 RADIUS, length: 56
  Access Request (1), id: 0x60, Authenticator:
 9abd35f98f741cd686e9d156dd437672
Username Attribute (1), length: 6, Value: joao
  0x:  6a6f 616f
Password Attribute (2), length: 18, Value:
  0x:  53b3 5002 de8e bc62 6748 bed3 a512 80fb
NAS Port Attribute (5), length: 6, Value: 5060
  0x:   13c4 [|radius]
  22:17:50.569263 IP (tos 0x0, ttl 128, id 417, offset 0, flags [none],
 proto: UDP (17), length: 58) 200.184.125.*.1812  192.168.160.129.64567:
 [udp sum ok] RADIUS, length: 30
  Access Accept (2), id: 0x60, Authenticator:
 ba3ed3255eca57439bc67802b234f09b
Reply Attribute (18), length: 10, Value: Ol. jo.o
  0x:  4f6c e120 6a6f e36f
  22:17:50.783098 IP (tos 0x0, ttl  64, id 44027, offset 0, flags [none],
 proto: UDP (17), length: 72) 192.168.160.129.62375  200.184.195.*.1812:
 [udp sum ok] RADIUS, length: 44
  Access Request (1), id: 0xbf, Authenticator:
 67f58126f94a4540766fc244f86dac28
Username Attribute (1), length: 6, Value: joao
  0x:  6a6f 616f
Password Attribute (2), length: 18, Value:
  0x:  1d22 19cb 0707 ed6c a075 546a abbf eb93
  ^C
  3 packets captured
  25 packets received by filter
  0 packets dropped by kernel
 
 
  As you can see, the request is received by radius and sent back with the
 correct response. But the response is mysteriously ignored So the
 radiusclient try again without knowning it.
 
 
  Best Regards,
  Luiz Vaz
 
 
  2006/2/16, Scott Ullrich [EMAIL PROTECTED]:
 
   What does interfaces, WAN, Block private networks show?
  
   On 2/15/06, Luiz Vaz [EMAIL PROTECTED] wrote:
Hi All,
   
   I am using the pfSense on VMWare using the developers image.
   On the same machine i setup another VM with Win98.
   Everything is working good, DHCP, Captive Portal (NoAuth and
LocalUserList).
   
   But, some strange stuff happens when i choose Radius Auth!
   My Radius server is another machine running outside world.
   In the firewall i allowed IN and OUT to UDP 1812, 1813 ports...
   
   When i try to login thru captive portal in Win98, it´s hanging.
   But calling the radius using NTRadPing inside the same Win98, it
 works!
   And using a radiusclient inside pfSense works too.
   
   Only when the php try to retrieve the info from Radius hangs.
   No matter if it use the custom radius code or using the libradius
extension.
   
   My VMWare Net is:
   - Win98:   192.168.65.131
- pfSense: 192.168.65.130  (LAN)
   - pfSense: 192.168.160.129 (WAN)
   - VMWare NAT:  192.168.160.130
- VMWare Gateway:  192.168.160.2
   
   Obs.: My Machine is using a DSL router with WinXP for the tests and
 Dev.
   
   
   
   A deep look in the calls showed this log in pftop:
   
   Using NTRadPing:
udp  In  192.168.65.131:1076 200.184.125.*:1812
 SINGLE:MULTIPLE
   
udp  Out 192.168.65.131:1076 200.184.125.*:1812
 MULTIPLE:SINGLE
   
   
Output:
Sending authentication request to server 200.184.125.*:1812
Transmitting packet, code=1 id=6 length=44
Received response from server in 600 miliseconds
Replay packet code=2 id=6 length=30
Response: Accept-Accept
   
   
   
 Captive Portal:
tcp  In   192.168.65.131:1077 192.168.65.130:8000
ESTABLISHED:ESTABLISHED
udp  Out 192.168.160.129:61371  200.184.125.*:1812
 MULTIPLE:SINGLE
   
udp  Out 192.168.160.129:64110  200.184.195.*:1812
SINGLE:NO_TRAFFIC
   
Output:
   Radius Error: No valid RADIUS responses received.
   
   
   
   My surprise is that the pfSense call to radius and it´s reply (I
 run
Radius in DebugMode).
   But the pfSense don´t receive the response.
   
   I guess that i missed something on firewall. ;)
   
   
   Anyone have some idea about what's happening?
   Or any tip to find it out?
   
   
Best Regards,
Luiz Vaz
   
  
  

Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-16 Thread Scott Ullrich
What does interfaces, WAN, Block private networks show?

On 2/15/06, Luiz Vaz [EMAIL PROTECTED] wrote:
 Hi All,

I am using the pfSense on VMWare using the developers image.
On the same machine i setup another VM with Win98.
Everything is working good, DHCP, Captive Portal (NoAuth and
 LocalUserList).

But, some strange stuff happens when i choose Radius Auth!
My Radius server is another machine running outside world.
In the firewall i allowed IN and OUT to UDP 1812, 1813 ports...

When i try to login thru captive portal in Win98, it´s hanging.
But calling the radius using NTRadPing inside the same Win98, it works!
And using a radiusclient inside pfSense works too.

Only when the php try to retrieve the info from Radius hangs.
No matter if it use the custom radius code or using the libradius
 extension.

My VMWare Net is:
- Win98:   192.168.65.131
 - pfSense: 192.168.65.130  (LAN)
- pfSense: 192.168.160.129 (WAN)
- VMWare NAT:  192.168.160.130
 - VMWare Gateway:  192.168.160.2

Obs.: My Machine is using a DSL router with WinXP for the tests and Dev.



A deep look in the calls showed this log in pftop:

Using NTRadPing:
 udp  In  192.168.65.131:1076 200.184.125.*:1812SINGLE:MULTIPLE

 udp  Out 192.168.65.131:1076 200.184.125.*:1812  MULTIPLE:SINGLE


 Output:
 Sending authentication request to server 200.184.125.*:1812
 Transmitting packet, code=1 id=6 length=44
 Received response from server in 600 miliseconds
 Replay packet code=2 id=6 length=30
 Response: Accept-Accept



  Captive Portal:
 tcp  In  192.168.65.131:1077 192.168.65.130:8000
 ESTABLISHED:ESTABLISHED
 udp  Out 192.168.160.129:61371  200.184.125.*:1812MULTIPLE:SINGLE

 udp  Out 192.168.160.129:64110  200.184.195.*:1812
 SINGLE:NO_TRAFFIC

 Output:
Radius Error: No valid RADIUS responses received.



My surprise is that the pfSense call to radius and it´s reply (I run
 Radius in DebugMode).
But the pfSense don´t receive the response.

I guess that i missed something on firewall. ;)


Anyone have some idea about what's happening?
Or any tip to find it out?


 Best Regards,
 Luiz Vaz





Re: [pfSense Support] Captive Portal, VMWare and Radius

2006-02-16 Thread Luiz Vaz
 It´s unselected. I disabled block private networks...

 The weird stuff is shown by tcpdump:

 # tcpdump -vvv -i lnc1 -n udp
 tcpdump: listening on lnc1, link-type EN10MB (Ethernet), capture size 96 bytes
 22:17:50.316598 IP (tos 0x0, ttl 64, id 39331, offset 0, flags [none], proto: UDP (17), length: 84) 192.168.160.129.64567  200.184.125.*.1812: RADIUS, length: 56
   Access Request (1), id: 0x60, Authenticator: 9abd35f98f741cd686e9d156dd437672
   Username Attribute (1), length: 6, Value: joao
     0x:  6a6f 616f
   Password Attribute (2), length: 18, Value:
     0x:  53b3 5002 de8e bc62 6748 bed3 a512 80fb
   NAS Port Attribute (5), length: 6, Value: 5060
     0x:  13c4 [|radius]
 22:17:50.569263 IP (tos 0x0, ttl 128, id 417, offset 0, flags [none], proto: UDP (17), length: 58) 200.184.125.*.1812  192.168.160.129.64567: [udp sum ok] RADIUS, length: 30
   Access Accept (2), id: 0x60, Authenticator: ba3ed3255eca57439bc67802b234f09b
   Reply Attribute (18), length: 10, Value: Ol. jo.o
     0x:  4f6c e120 6a6f e36f
 22:17:50.783098 IP (tos 0x0, ttl 64, id 44027, offset 0, flags [none], proto: UDP (17), length: 72) 192.168.160.129.62375  200.184.195.*.1812: [udp sum ok] RADIUS, length: 44
   Access Request (1), id: 0xbf, Authenticator: 67f58126f94a4540766fc244f86dac28
   Username Attribute (1), length: 6, Value: joao
     0x:  6a6f 616f
   Password Attribute (2), length: 18, Value:
     0x:  1d22 19cb 0707 ed6c a075 546a abbf eb93
 ^C
 3 packets captured
 25 packets received by filter
 0 packets dropped by kernel

 As you can see, the request is received by radius and sent back with the
 correct response. But the response is mysteriously ignored. So the
 radiusclient tries again without knowing it.

 Best Regards,
 Luiz Vaz

 2006/2/16, Scott Ullrich [EMAIL PROTECTED]:

   What does interfaces, WAN, Block private networks show?

   On 2/15/06, Luiz Vaz [EMAIL PROTECTED] wrote:
    Hi All,

    I am using the pfSense on VMWare using the developers image.
    On the same machine i setup another VM with Win98.
    Everything is working good, DHCP, Captive Portal (NoAuth and
    LocalUserList).

    But, some strange stuff happens when i choose Radius Auth!
    My Radius server is another machine running outside world.
    In the firewall i allowed IN and OUT to UDP 1812, 1813 ports...

    When i try to login thru captive portal in Win98, it´s hanging.
    But calling the radius using NTRadPing inside the same Win98, it works!
    And using a radiusclient inside pfSense works too.

    Only when the php try to retrieve the info from Radius hangs.
    No matter if it use the custom radius code or using the libradius
    extension.

    My VMWare Net is:
    - Win98:   192.168.65.131
    - pfSense: 192.168.65.130  (LAN)
    - pfSense: 192.168.160.129 (WAN)
    - VMWare NAT:  192.168.160.130
    - VMWare Gateway:  192.168.160.2

    Obs.: My Machine is using a DSL router with WinXP for the tests and Dev.

    A deep look in the calls showed this log in pftop:

    Using NTRadPing:
     udp  In  192.168.65.131:1076 200.184.125.*:1812  SINGLE:MULTIPLE
     udp  Out 192.168.65.131:1076 200.184.125.*:1812  MULTIPLE:SINGLE

     Output:
     Sending authentication request to server 200.184.125.*:1812
     Transmitting packet, code=1 id=6 length=44
     Received response from server in 600 miliseconds
     Replay packet code=2 id=6 length=30
     Response: Accept-Accept

    Captive Portal:
     tcp  In  192.168.65.131:1077 192.168.65.130:8000  ESTABLISHED:ESTABLISHED
     udp  Out 192.168.160.129:61371  200.184.125.*:1812  MULTIPLE:SINGLE
     udp  Out 192.168.160.129:64110  200.184.195.*:1812  SINGLE:NO_TRAFFIC

     Output:
     Radius Error: No valid RADIUS responses received.

    My surprise is that the pfSense call to radius and it´s reply (I run
    Radius in DebugMode).
    But the pfSense don´t receive the response.

    I guess that i missed something on firewall. ;)

    Anyone have some idea about what's happening?
    Or any tip to find it out?

    Best Regards,
    Luiz Vaz

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
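
An added example, not part of any message in this thread: the capture posted above shows an Access-Accept on the wire followed by a fresh Access-Request, and this Python sketch pairs requests with replies by client endpoint, server endpoint and RADIUS id so that pattern is flagged automatically. The sample capture is constructed (documentation addresses, `>` separators as tcpdump prints them) and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed capture in the layout of `tcpdump -vvv -n udp`; the addresses are
# documentation ranges. As in the posted capture, the retry uses a new source
# port and is addressed to a second server address.
SAMPLE_CAPTURE = """\
22:17:50.316598 IP (tos 0x0, ttl 64, id 39331, offset 0, flags [none], proto: UDP (17), length: 84) 192.0.2.129.64567 > 198.51.100.10.1812: RADIUS, length: 56
    Access Request (1), id: 0x60, Authenticator: 00112233445566778899aabbccddeeff
    Username Attribute (1), length: 6, Value: joao
22:17:50.569263 IP (tos 0x0, ttl 128, id 417, offset 0, flags [none], proto: UDP (17), length: 58) 198.51.100.10.1812 > 192.0.2.129.64567: [udp sum ok] RADIUS, length: 30
    Access Accept (2), id: 0x60, Authenticator: ffeeddccbbaa99887766554433221100
22:17:50.783098 IP (tos 0x0, ttl 64, id 44027, offset 0, flags [none], proto: UDP (17), length: 72) 192.0.2.129.62375 > 198.51.100.20.1812: [udp sum ok] RADIUS, length: 44
    Access Request (1), id: 0xbf, Authenticator: 0123456789abcdef0123456789abcdef
    Username Attribute (1), length: 6, Value: joao
"""

HEADER = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP .*?\s(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
# Older tcpdump prints "Access Request", newer builds print "Access-Request".
CODE = re.compile(
    r"(Access[ -](?:Request|Accept|Reject|Challenge)) \(\d+\), id: 0x([0-9a-fA-F]+)")
USER = re.compile(r"User-?[Nn]ame Attribute \(1\), length: \d+, Value: (\S+)")


def parse_capture(text):
    """Turn tcpdump's multi-line RADIUS decode into one dict per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"time": datetime.strptime(h.group(1), "%H:%M:%S.%f"),
                   "src": (h.group(2), int(h.group(3))),
                   "dst": (h.group(4), int(h.group(5))),
                   "code": None, "id": None, "user": None}
            packets.append(cur)
            continue
        if cur is None:
            continue
        c = CODE.search(line)
        if c:
            cur["code"] = c.group(1).replace("-", " ")
            cur["id"] = int(c.group(2), 16)
        u = USER.search(line)
        if u:
            cur["user"] = u.group(1)
    return [p for p in packets if p["code"]]


def correlate(packets, retry_window=timedelta(seconds=5)):
    """Pair each Access Request with its reply; flag accepts that were retried anyway."""
    pending, exchanges = {}, []
    for p in packets:
        if p["code"] == "Access Request":
            # Heuristic: same client host and user asking again right after an
            # Access Accept was on the wire suggests the accept was never consumed.
            # (Captures that cross midnight are not handled.)
            for prev in exchanges:
                r = prev["reply"]
                if (r and r["code"] == "Access Accept"
                        and prev["request"]["user"] == p["user"]
                        and prev["request"]["src"][0] == p["src"][0]
                        and timedelta(0) <= p["time"] - r["time"] <= retry_window):
                    prev["retried"] = True
            ex = {"request": p, "reply": None, "retried": False}
            pending[(p["src"], p["dst"], p["id"])] = ex
            exchanges.append(ex)
        else:
            ex = pending.pop((p["dst"], p["src"], p["id"]), None)
            if ex:
                ex["reply"] = p
    return exchanges


def summarize(exchanges):
    """Return (radius id, server ip, status) for every request seen."""
    rows = []
    for ex in exchanges:
        if ex["reply"] is None:
            status = "unanswered"
        else:
            status = "answered-but-retried" if ex["retried"] else "answered"
        req = ex["request"]
        rows.append((f"0x{req['id']:02x}", req["dst"][0], status))
    return rows


if __name__ == "__main__":
    for row in summarize(correlate(parse_capture(SAMPLE_CAPTURE))):
        print(*row)
```

A reply that appears in the capture yet is followed by a retry was seen by bpf but not consumed by the client; on FreeBSD bpf taps inbound packets before pf filters them, so firewall state and rules are the next place to look.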



Re: [pfSense Support] captive portal redirection problem

2005-12-03 Thread Scott Ullrich
Yep, I just confirmed this.   I'll work on a fix.

Scott

On 12/3/05, Denny [EMAIL PROTECTED] wrote:
 i just try out captive portal.

 it's ok when i try open, say, www.google.com
 and it's redirected to login page.

 but problems occur when i try to open, say, www.google.com/talk
 or www.somedomain.com/whatever/after/dot/com
 it will give me a 404 error not found.

 imho, this will cause confusion for newbies trying to access the internet.


 rgds,
 dny.

 ... but that which cometh out of the mouth,
 this defileth a man.   Mat 15:11







Re: [pfSense Support] captive portal redirection problem

2005-12-03 Thread Scott Ullrich
Fixed in CVS.   LightHTTPD to the rescue yet again.

Scott

On 12/3/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 Yep, I just confirmed this.   I'll work on a fix.

 Scott

 On 12/3/05, Denny [EMAIL PROTECTED] wrote:
  i just try out captive portal.
 
  it's ok when i try open, say, www.google.com
  and it's redirected to login page.
 
  but problems occur when i try to open, say, www.google.com/talk
  or www.somedomain.com/whatever/after/dot/com
  it will give me a 404 error not found.
 
  imho, this will cause confusion for newbies trying to access the internet.
 
 
  rgds,
  dny.
 
  ... but that which cometh out of the mouth,
  this defileth a man.   Mat 15:11
 
 
 





Re: [pfSense Support] captive portal - Is this possible?

2005-11-30 Thread Bill Marquette
On 11/30/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 Hello again!

 About this old problem with the static arp entries..
 20223 deny ip from 192.168.22.201 not MAC any 00:02:00:25:00:b6 any layer2 in
 20223 deny ip from any to 192.168.22.201 not MAC 00:02:00:25:00:b6 any
 layer2 out
 There are these things in the ipfw list.. Don't these manage to get
 the same level of protection?
 In either case, if this works correctly.. Static arp entries could be
 changed with a little trick.. We could deny all other macs from the
 rest of the network not having a mac like ff:ff:ff:ff:ff.

Yes, but we're trying to get rid of ipfw.  It's snuck back in for a
few things due to issues with pf for which the easy fix is ipfw.

--Bill




Re: [pfSense Support] captive portal - Is this possible?

2005-11-29 Thread Szasz Revai Endre
Hello again!

About this old problem with the static arp entries..
20223 deny ip from 192.168.22.201 not MAC any 00:02:00:25:00:b6 any layer2 in
20223 deny ip from any to 192.168.22.201 not MAC 00:02:00:25:00:b6 any
layer2 out
There are these things in the ipfw list.. Don't these manage to get
the same level of protection?
In either case, if this works correctly.. Static arp entries could be
changed with a little trick.. We could deny all other macs from the
rest of the network not having a mac like ff:ff:ff:ff:ff.

Endre

On 11/14/05, Bill Marquette [EMAIL PROTECTED] wrote:
 If I remember how that feature works (since I enabled it - someone
 else actually wrote the code I believe, I'd have to look back about 6
 months in cvs history!) it is supposed to do an arp -s for each IP in
 the list and then an ifconfig staticarp.  According to the FBSD man
 page on ifconfig, staticarp doesn't do what I thought it did.

  staticarp
  If the Address Resolution Protocol is enabled, the host will only
  reply to requests for its addresses, and will never send any
  requests.

 For some reason, this used to work as advertised I thought (at least,
 that's the impression I got from the person that submitted the code
 originally).  This should in a roundabout way only allow the firewall
 to communicate with devices in its ARP table - maybe the devices that
 are communicating with it are already in its ARP table (although it
 looks like it flushes the ARP table before adding the static entries,
 but after setting staticarp, so nothing new should be added.)

 --Bill



Re: [pfSense Support] captive portal - Is this possible?

2005-11-14 Thread Scott Ullrich
We may very well have bugs lurking here.   Need someone that knows
FreeBSD internals to verify that the arp table is setup correctly,
etc.

On 11/14/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 Of course I fully understand they can be spoofed, and way too easily, too.
 Anyway that's not the point, why did it let a client access the
 captive portal, when there are static arp entries enabled, and that
 client (ip and mac) isn't defined in any of the arp entries?
 I have the arp table filled till ip 30, so how come someone can access
 it who isn't in there? Isn't the static arp entry definition that,
 which allows only clients in this list to make connections to the
 server?

  Ethereal and a network card that allows you to change macs .. Trivial.
  Access to a network needs to be properly controlled (wired or wireless).
 
  Security needs to be designed in.. Physical access is never a deterrent
  for the truly motivated.
 
  -Original Message-
  From: jonathan gonzalez [mailto:[EMAIL PROTECTED]
  Sent: Saturday, November 12, 2005 4:35 AM
  To: support@pfsense.com
  Subject: Re: [pfSense Support] captive portal - Is this possible?
 
  spoofed ip/arp ;) ??







Re: [pfSense Support] captive portal - Is this possible?

2005-11-14 Thread Szasz Revai Endre
Unfortunately, that's not me :(
Anyway i don't know how the configuration is supposed to work ..
shouldn't the configuration be okay if the undefined clients are
defined too, but with bogus mac addresses (ip address is defined, but
mac address is ff:ff:ff:ff:ff:ff for example(or random)) ?

An excerpt from the arp table:
hostname (192.168.22.1) at 00:03:47:e0:da:b6 on fxp0 permanent [ethernet]
^ pfsense machine
? (192.168.22.4) at 00:01:02:b3:11:1f on fxp0 [ethernet]
^ shouldn't this entry be `permanent` ?


On 11/14/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 We may very well have bugs lurking here.   Need someone that knows
 FreeBSD internals to verify that the arp table is setup correctly,
 etc.





Re: [pfSense Support] captive portal - Is this possible?

2005-11-14 Thread Scott Ullrich
On 11/14/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 Unfortunately, that's not me :(
 Anyway i don't know how the configuration is supposed to work ..
 shouldn't the configuration be okay if the undefined clients are
 defined too, but with bogus mac addresses (ip address is defined, but
 mac address is ff:ff:ff:ff:ff:ff for example(or random)) ?

 An excerpt from the arp table:
 hostname (192.168.22.1) at 00:03:47:e0:da:b6 on fxp0 permanent [ethernet]
 ^ pfsense machine
 ? (192.168.22.4) at 00:01:02:b3:11:1f on fxp0 [ethernet]
 ^ shouldn't this entry be `permanent` ?

Yes, I would think so.   Does a reboot make it permanent?




Re: [pfSense Support] captive portal - Is this possible?

2005-11-14 Thread Szasz Revai Endre
No, it never turns 'permanent'.
Either way about the other unspecified entries.. shouldn't those cover
the rest of the subnet with bogus macs? Or they aren't supposed to
have access anyway?

On 11/14/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 11/14/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
  Unfortunately, that's not me :(
  Anyway i don't know how the configuration is supposed to work ..
  shouldn't the configuration be okay if the undefined clients are
  defined too, but with bogus mac addresses (ip address is defined, but
  mac address is ff:ff:ff:ff:ff:ff for example(or random)) ?
 
  An excerpt from the arp table:
  hostname (192.168.22.1) at 00:03:47:e0:da:b6 on fxp0 permanent [ethernet]
  ^ pfsense machine
  ? (192.168.22.4) at 00:01:02:b3:11:1f on fxp0 [ethernet]
  ^ shouldn't this entry be `permanent` ?

 Yes, I would think so.   Does a reboot make it permanent?




RE: [pfSense Support] captive portal - Is this possible?

2005-11-14 Thread Frimmel, Ivan \(ISS South Africa\)
Ethereal and a network card that allows you to change macs .. Trivial.
Access to a network needs to be properly controlled (wired or wireless).

Security needs to be designed in.. Physical access is never a deterrent
for the truly motivated. 

-Original Message-
From: jonathan gonzalez [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 12, 2005 4:35 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] captive portal - Is this possible?

spoofed ip/arp ;) ??

Szasz Revai Endre wrote:
 Hello,
 
 Today I noticed a user time out using the captive portal:
 Oct 30 10:20:18 logportalauth[56054]: TIMEOUT: shimon, 
 00:07:95:d3:d2:97, 192.168.11.100 http://192.168.11.100 It is using 
 an ip from the class of the lan.
 The problem is, that I assign ip addresses to all the users of the 
 LAN, with static arp entries.
 This user is not in the list (not the ip, nor mac address). How is 
 that possible that he logged on from that ip?
 He shouldn't even be seeing the pfsense gateway if I have static arp 
 entries, right?
 
 Any wild guesses?
 Thank you.






Re: [pfSense Support] captive portal - Is this possible?

2005-11-12 Thread Szasz Revai Endre
Neither the ARP nor the IP is in my DHCP list (static arp entries are
enabled, which actually don't seem to work, so i suppose it's from
there).
I have the 'anti-lockout rule' disabled too.

On 11/12/05, jonathan gonzalez [EMAIL PROTECTED] wrote:
 spoofed ip/arp ;) ??

 Szasz Revai Endre wrote:
  Hello,
 
  Today I noticed a user time out using the captive portal:
  Oct 30 10:20:18 logportalauth[56054]: TIMEOUT: shimon,
  00:07:95:d3:d2:97, 192.168.11.100 http://192.168.11.100
  It is using an ip from the class of the lan.
  The problem is, that I assign ip addresses to all the users of the LAN,
  with static arp entries.
  This user is not in the list (not the ip, nor mac address). How is that
  possible that he logged on from that ip?
  He shouldn't even be seeing the pfsense gateway if I have static arp
  entries, right?
 
  Any wild guesses?
  Thank you.







Re: [pfSense Support] captive portal - Is this possible?

2005-11-11 Thread jonathan gonzalez

spoofed ip/arp ;) ??

Szasz Revai Endre wrote:

Hello,

Today I noticed a user time out using the captive portal:
Oct 30 10:20:18 logportalauth[56054]: TIMEOUT: shimon, 
00:07:95:d3:d2:97, 192.168.11.100 http://192.168.11.100

It is using an ip from the class of the lan.
The problem is, that I assign ip addresses to all the users of the LAN, 
with static arp entries.
This user is not in the list (not the ip, nor mac address). How is that 
possible that he logged on from that ip?
He shouldn't even be seeing the pfsense gateway if I have static arp 
entries, right?


Any wild guesses?
Thank you.


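
An added example, not code from pfSense or from anyone in this thread: a Python check that compares `arp -an` output and captive portal log lines against the intended static IP-to-MAC list, reporting mapped entries that never became `permanent`, MAC mismatches, and portal sessions from addresses outside the list. The mapping table, the extra ARP rows and the LOGIN line are constructed; the line layouts follow the excerpts quoted in the thread.

```python
import re

# Hypothetical static mapping list (IP -> MAC) the administrator maintains.
STATIC_MAP = {
    "192.168.22.1": "00:03:47:e0:da:b6",
    "192.168.22.4": "00:01:02:b3:11:1f",
    "192.168.22.9": "00:0c:29:aa:bb:01",
}

# Constructed `arp -an` output; the first two rows mirror the thread's excerpt.
ARP_OUTPUT = """\
? (192.168.22.1) at 00:03:47:e0:da:b6 on fxp0 permanent [ethernet]
? (192.168.22.4) at 00:01:02:b3:11:1f on fxp0 [ethernet]
? (192.168.22.9) at 00:0c:29:aa:bb:99 on fxp0 [ethernet]
? (192.168.22.77) at 00:0c:29:aa:bb:77 on fxp0 [ethernet]
? (192.168.22.30) at (incomplete) on fxp0 [ethernet]
"""

# First line is the portal log entry quoted in the thread; the second is constructed.
PORTAL_LOG = """\
Oct 30 10:20:18 logportalauth[56054]: TIMEOUT: shimon, 00:07:95:d3:d2:97, 192.168.11.100
Oct 30 10:25:02 logportalauth[56054]: LOGIN: anna, 00:01:02:b3:11:1f, 192.168.22.4
"""

MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
IPV4 = r"\d+(?:\.\d+){3}"
ARP_LINE = re.compile(rf"\(({IPV4})\) at (\S+) on (\S+)(.*)")
PORTAL_LINE = re.compile(
    rf"logportalauth\[\d+\]: ([A-Z ]+): ([^,]*), ({MAC}), ({IPV4})")


def norm_mac(mac):
    """Lower-case and zero-pad each octet so 0:3:47:... equals 00:03:47:..."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def classify(ip, mac, static_map):
    """Return None when (ip, mac) matches the static list, else the reason."""
    expected = static_map.get(ip)
    if expected is None:
        return "unmapped"
    if norm_mac(expected) != mac:
        return "mac-mismatch"
    return None


def audit_arp(arp_output, static_map):
    """Flag ARP rows that contradict the static list or are not pinned."""
    findings = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group(2) == "(incomplete)":
            continue  # no MAC learned for this address yet
        ip, mac = m.group(1), norm_mac(m.group(2))
        reason = classify(ip, mac, static_map)
        if reason is None and "permanent" not in m.group(4):
            reason = "not-permanent"  # mapped correctly, but still a dynamic entry
        if reason:
            findings.append((ip, mac, reason))
    return findings


def audit_portal(log_text, static_map):
    """Flag portal sessions whose IP/MAC pair is not in the static list."""
    findings = []
    for line in log_text.splitlines():
        m = PORTAL_LINE.search(line)
        if not m:
            continue
        event, user = m.group(1), m.group(2).strip()
        mac, ip = norm_mac(m.group(3)), m.group(4)
        reason = classify(ip, mac, static_map)
        if reason:
            findings.append((event, user, ip, mac, reason))
    return findings


if __name__ == "__main__":
    for row in audit_arp(ARP_OUTPUT, STATIC_MAP):
        print("arp   ", *row)
    for row in audit_portal(PORTAL_LOG, STATIC_MAP):
        print("portal", *row)
```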



Re: [pfSense Support] Captive portal update

2005-08-26 Thread Dan Swartzendruber

At 07:23 PM 8/26/2005, Chris Buechler wrote:

On 8/26/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:

 Running latest 80.4.  Part of my problem was a basic
 misunderstanding.  I had assumed that the portal would block access
 until you authenticated, so I left the default OPT1 = Any rule in I
 had before.

Not a misunderstanding, that is how it's *supposed* to work.  This is
a bug.  Should be able to get nowhere other than the interface's IP
itself (for DNS purposes) before authenticating, and after
authenticating, your defined rules should apply as normal.


hmmm, so i should have left the OPT1 - Any rule enabled?






Re: [pfSense Support] Captive portal update

2005-08-26 Thread Scott Ullrich
On 8/26/05, Chris Buechler [EMAIL PROTECTED] wrote:
 yeah, if that's the controls you want applied to authenticated
 clients.  Sounds like that's a bug though.  Scott or someone will have
 to comment there.

Chris is absolutely correct.

I'll drag all the equipment back out tomorrow and retest this.

Scott




Re: [pfSense Support] captive portal

2005-08-25 Thread Bill Marquette
I noticed this behaviour this morning.  https didn't work, http sent
me to the login page, but ping worked (usually) and I could SSH
through the firewall.  Oddly, last night after I setup CP, it worked
as intended.

--Bill

On 8/23/05, Tobias Frank [EMAIL PROTECTED] wrote:
 Hello,
 
 when trying to use the captive portal on 0.79 there is a strange thing.
 Following ports work without authentication:
 MySQL, smtp, ping, ssh, name. Others I didn´t check.
 m0n0wall (1.2b9) doesn´t show this behaviour.
 Is this a bug or a feature?
 
 heres my configuration
 
 212.x.x.x       192.168.0.x / 24       192.168.1.x / 24
    --------        ----        ---------
  -| Router |------| FW |------| pfsense |-
    --------        ----        ---------
 (WAN - 192.168.0.129)   (LAN - 192.168.1.1)
 
 I didn´t check the checkbox block private networks because one of the
 Mail-Servers has a private ip-address (192.168.99.x)
 
 Another feature of m0n0wall which i think its very useful is the
 Reauthentication in current beta version.
 So accounting works good for our use. Is it planned to integrate this
 feature in a future pfsense version?
 
 Greeting from Munich
 
 Tobias Frank
 
 
 





Re: [pfSense Support] Captive portal broken?

2005-08-25 Thread Scott Ullrich
I have just committed a change for this.  Please test on 0.80.4

On 8/25/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 
 Well, it doesn't seem to work at all.  Here's what I'm seeing:
 
 1.  I'm allowed to pass whatever traffic I feel like before being
 authenticated.
 
 2.  When I launch the browser, and see the default pfsense captive
 portal page, typing an invalid user or password gives no indication
 of an error.
 
 
 
 





Re: [pfSense Support] captive portal question?

2005-08-24 Thread Scott Ullrich
The interface must be enabled and configured to show up.

Scott


On 8/24/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 
 I was looking at the setup screen, and it doesn't look like it will
 let me pick the OPT1 interface (which is where my guest WLAN will
 come in on...)
 
 
 
 





Re: [pfSense Support] captive portal question?

2005-08-24 Thread Dan Swartzendruber

At 07:10 PM 8/24/2005, Scott Ullrich wrote:

The interface must be enabled and configured to show up.


Aha, thanks.  I was before, but I got bit by that bug you just fixed 
in the vlan checking code.  Haven't pulled down 0.80 yet.  Thx...



Scott


On 8/24/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:

 I was looking at the setup screen, and it doesn't look like it will
 let me pick the OPT1 interface (which is where my guest WLAN will
 come in on...)












Re: [pfSense Support] captive portal

2005-08-23 Thread Scott Ullrich
On 8/23/05, Tobias Frank [EMAIL PROTECTED] wrote:
 Hello,
 
 when trying to use the captive portal on 0.79 there is a strange thing.
 Following ports work without authentication:
 MySQL, smtp, ping, ssh, name. Others I didn´t check.
 m0n0wall (1.2b9) doesn´t show this behaviour.
 Is this a bug or a feature?

That's rather strange.  It's not doing that here.   Can you send me
your config.xml to [EMAIL PROTECTED] (remove the passwords).

 
 heres my configuration
 
 212.x.x.x       192.168.0.x / 24       192.168.1.x / 24
    --------        ----        ---------
  -| Router |------| FW |------| pfsense |-
    --------        ----        ---------
 (WAN - 192.168.0.129)   (LAN - 192.168.1.1)
 
 I didn´t check the checkbox block private networks because one of the
 Mail-Servers has a private ip-address (192.168.99.x)
 
 Another feature of m0n0wall which i think its very useful is the
 Reauthentication in current beta version.
 So accounting works good for our use. Is it planned to integrate this
 feature in a future pfsense version?

I thought we were pretty much in sync.   I'll take a look at it.

Scott




Re: [pfSense Support] Captive Portal Problems 0.73.6

2005-08-05 Thread Scott Ullrich
If this is happening then you're hitting some big giant locked area of
the freebsd kernel.   I haven't personally seen this issue but I have
noticed that sometimes during filter reload operations the console
keyboard stops responding which reminds me of your issue.  Just a
complete guess.

Scott

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 I'm not sure what's going on, but every time we enable the Captive Portal in
 0.73.6 (and older versions we were trying yesterday), the WebGUI starts to
 hang.  Just after enabling it (with Local User Manager being the only
 setting not at the default value), the WebGUI responds and states that the
 settings were applied, but after that, nothing I do in the WebGUI works.. I
 can't get to any other WebGUI page, nor can I change any setting and Save
 settings...  It's like the WebGUI goes out to lunch.
 
 Other info:
 - We're using the Metallic theme.
 - Our WebGUI runs on HTTPS. (Though we have had the same results on HTTP)
 - We have had the Squid package installed, but have removed it after running
 into this problem, thinking it may be related.  Even though it has been
 removed, the problem persists...  Is it possible that something was left
 behind in the uninstall?
 - We have Advanced Outbound NAT enabled (with only the default rule) with
 registered IPs on the LAN segment handed out via DHCP.
 - We have only the default firewall rules in place.
 
 Paul
 
 
 





Re: [pfSense Support] captive portal

2005-07-29 Thread Scott Ullrich
They are kept in pf tables.   The table in question is captiveportal.

Try this command at a command prompt after you have some ppl auth'd:

pfctl -t captiveportal -T show

Scott


On 7/29/05, alan walters [EMAIL PROTECTED] wrote:
  
  
 
 Just was reviewing the captive portal implementation. 
 
   
 
 All the port forwards work great now but I don't know where the rules are
 being kept for the ip's allowed section. 
 
   
 
 Checked out rules debug and they are not there??? 
 
   
 
 Where do they live at the moment??? 
 
   
 
 Regards 
 
   
 
 alan




RE: [pfSense Support] captive portal

2005-07-29 Thread alan walters

On 7/29/05, alan walters [EMAIL PROTECTED] wrote:
 Ok the allowed ip addresses are in that table, but what I really
wanted
 Was the rule that was being applied to the captive portal for allowed
ip
 addresses and active clients.

# cat /tmp/rules.debug | grep captiveportal
no rdr on fxp2 proto tcp from captiveportal to any
table captiveportal
pass in on fxp2 from captiveportal to any keep state label allow
captive portal authd users
 
ok thanks it looks ok for allowed IP's, is the rule the same for captive
portal clients that are being authenticated through the captive portal
or are they authenticated on their mac address

 I had a problem before where some clients are connected through a
 wireless repeater and the mac address is the same for each client.
Even
 though their ip address is different.

Thats normal if the device is doing nat.

No it is a bridge. Within the ip subnet but seems to nat or mask the mac
address. It sucks big time
 
Scott

alan





Re: [pfSense Support] captive portal

2005-07-29 Thread Scott Ullrich
On 7/29/05, alan walters [EMAIL PROTECTED] wrote:
 ok thanks it looks ok for allowed IP's, is the rule the same for captive
 portal clients that are being authenticated through the captive portal
 or are they authenticated on their mac address

Yes
