Re: [pfSense Support] Captive Portal Question
I agree completely. What we were using it for is all our wired clients and wireless *were* on the same internal lan. The captive portal was enabled on the LAN interface. All wired clients had mac-bypass entries, and the wireless clients had to get past the captive portal.

What I'm thinking is that I will have to investigate some sort of rogue detection, or maybe network access protection for the wired clients, and then completely separate the wireless traffic on another interface.

I'm still interested though in anyone out there with large numbers of mac-bypass entries. Any takers?

Cheers,

P.S. Chris/PFsense team, I am consistently impressed by this product. You guys do very good work, and my team and I appreciate your efforts immensely. The coding is important, but the community support is above and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB aoz@gmail.com wrote:
> On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
>> Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.
>
> The captive portal's default configuration is to filter users by MAC address. The main difference between that and what you're doing is that the MAC entries are made dynamically each time a user logs in. That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that default configuration over a high-churn environment with several thousand unique clients per day with no ill effect.
>
> My concern was not whether pfSense could handle the number of entries, but mainly administrative overhead. Maintaining a list of even 100 MACs is terribly cumbersome, especially considering how trivial MAC-only authentication is to bypass. Additionally, some of pfSense's GUI components just don't scale well - there are some diagnostic pages (DHCP status, CP status, ARP tables, etc.) that I've just become accustomed to not using if the client count is over a couple hundred.
>
> Check your system's RRD graphs during the slowdown - if your states, queues, or CPU aren't pegged, pfSense is likely not the culprit.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Captive Portal Question
I'm drafting a reply. Be done shortly.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 11:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

I agree completely. What we were using it for is all our wired clients and wireless *were* on the same internal lan. The captive portal was enabled on the LAN interface. All wired clients had mac-bypass entries, and the wireless clients had to get past the captive portal.

What I'm thinking is that I will have to investigate some sort of rogue detection, or maybe network access protection for the wired clients, and then completely separate the wireless traffic on another interface.

I'm still interested though in anyone out there with large numbers of mac-bypass entries. Any takers?

Cheers,

P.S. Chris/PFsense team, I am consistently impressed by this product. You guys do very good work, and my team and I appreciate your efforts immensely. The coding is important, but the community support is above and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB aoz@gmail.com wrote:
> On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
>> Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.
>
> The captive portal's default configuration is to filter users by MAC address. The main difference between that and what you're doing is that the MAC entries are made dynamically each time a user logs in. That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that default configuration over a high-churn environment with several thousand unique clients per day with no ill effect.
>
> My concern was not whether pfSense could handle the number of entries, but mainly administrative overhead. Maintaining a list of even 100 MACs is terribly cumbersome, especially considering how trivial MAC-only authentication is to bypass. Additionally, some of pfSense's GUI components just don't scale well - there are some diagnostic pages (DHCP status, CP status, ARP tables, etc.) that I've just become accustomed to not using if the client count is over a couple hundred.
>
> Check your system's RRD graphs during the slowdown - if your states, queues, or CPU aren't pegged, pfSense is likely not the culprit.
RE: [pfSense Support] Captive Portal Question
We use the switches in a client's executive office suite buildings. We needed a way to provide internet access on a per suite basis, and we needed to provide public addresses on an as-needed basis (if they had a mail server, for example). We had a previous solution in place, but it was about 8-9 years old, and required manual intervention when tenants move from suite to suite (which happens a lot in these buildings).

So our new (15 month old at this point) setup has 3 vlans on the switches: private unauthenticated, private authenticated, and public authenticated. (private and public refer to the address spaces in use on the vlans).

As part of that setup, we use mac-based authentication on the HP switches. So, a client (aka tenant) can be plugged into any port on the switch, and the FreeRADIUS package from pfSense can provide authentication and VLAN assignments to the switch, and the switch will use the RADIUS information to put them on the correct VLAN automatically. For any client that does not authenticate, the switch throws them on the private unauthenticated vlan, and then the client cannot get on the internet without authenticating with the pfsense captive portal (the custom captive portal page pretty much says hey, you aren't getting on the internet unless you pay the landlord more $$. If you want access, call up xxx and give them this mac address: xx:xx:xx:xx:xx:xx). If their mac address is present in FreeRADIUS, then they get put on whatever vlan is assigned them from the vlan box.

The private authenticated vlan is a private address space vlan that is NATted to the internet, and the public authenticated vlan is directly on the internet.

In order to keep clients from seeing each other on the private authenticated vlan (basically this vlan is for tenants that have a single pc with no router), we add the following to each client entry in the Additional RADIUS Options box:

    HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1,
    HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24,
    HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0

This permits the clients to talk to the gateway and the rest of the internet, but not to any other machine on the same subnet.

I don't know how much of this applies to your setup, but to sum up this solution, unauthenticated clients get put on a vlan that can't get on the internet (they can, but are stopped by a custom captive portal page from pfSense that tells them what to do), and authenticated clients get put on vlans that can freely access the internet. In your case, you might just need to use FreeRADIUS along with some switch ACLs (in the Additional RADIUS Options box) to allow/limit/prevent internet access.

Hopefully that made some sense. It's a bit tough to describe without seeing it! :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 9:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

Hi folks,

Just an update. I built a new machine from the ground up today. Took a backup from the old machine, and just copied and pasted the 300+ mac-bypass entries into the new config file. Everything is working well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected entirely to new managed HP 2848's and 2510G-48's and I have great LAN performance. Are you doing something directly with your switches as far as authentication goes, or did you just include the switches for completeness?

Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.

Thanks!

On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis dimit...@integritasystems.com wrote:
> We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
>
> -Original Message-
> From: RB [mailto:aoz@gmail.com]
> Sent: Thursday, May 07, 2009 3:16 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Captive Portal Question
>
> On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
>> 1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?
>
> I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.
>
>> 2. If I
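The three HP-Nas-Filter-Rule entries in the message above isolate tenants only if they are evaluated in the order given. The following check is an added example, not code from the thread or from pfSense, FreeRADIUS or HP: it parses that option string and audits it for gateway reachability, peer isolation and internet access. It assumes first-match evaluation with an implicit final deny; `parse_rules`, `decide`, `audit`, the two reordered variants and the outside address 198.51.100.7 are constructed for illustration.

```python
import ipaddress
import re

# Option string as quoted in the message above.
PAGE_OPTIONS = (
    "HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1, "
    "HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24, "
    "HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0"
)
# Constructed variants: the same three rules entered in a different order.
DENY_FIRST = (
    "HP-Nas-Filter-Rule = deny in ip from any to 172.20.1.0/24, "
    "HP-Nas-Filter-Rule += permit in ip from any to 172.20.1.1, "
    "HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0"
)
PERMIT_ALL_FIRST = (
    "HP-Nas-Filter-Rule = permit in ip from any to 0.0.0.0/0, "
    "HP-Nas-Filter-Rule += permit in ip from any to 172.20.1.1, "
    "HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24"
)

RULE_RE = re.compile(
    r"HP-Nas-Filter-Rule\s*\+?=\s*(permit|deny)\s+in\s+ip\s+from\s+any\s+to\s+(\S+)"
)


def parse_rules(options):
    """Turn the comma-separated option string into ordered (action, network) pairs."""
    rules = []
    for item in options.split(","):
        match = RULE_RE.fullmatch(item.strip())
        if match is None:
            raise ValueError(f"unrecognised rule: {item.strip()!r}")
        # A bare address such as 172.20.1.1 becomes a /32 network.
        rules.append((match.group(1), ipaddress.ip_network(match.group(2))))
    return rules


def decide(rules, dst):
    """Assumed semantics: the first matching rule wins, implicit deny otherwise."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"


def audit(options, gateway="172.20.1.1", subnet="172.20.1.0/24",
          outside="198.51.100.7"):
    """Return a list of problems; an empty list means the rule set isolates tenants."""
    rules = parse_rules(options)
    problems = []
    if decide(rules, gateway) != "permit":
        problems.append("gateway unreachable")
    peers = [str(h) for h in ipaddress.ip_network(subnet).hosts() if str(h) != gateway]
    leaked = sum(1 for peer in peers if decide(rules, peer) == "permit")
    if leaked:
        problems.append(f"{leaked} peer addresses reachable")
    if decide(rules, outside) != "permit":
        problems.append("internet blocked")
    return problems


if __name__ == "__main__":
    for name, opts in (("page", PAGE_OPTIONS), ("deny first", DENY_FIRST),
                       ("permit-all first", PERMIT_ALL_FIRST)):
        print(f"{name}: {audit(opts) or 'ok'}")
```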
Re: [pfSense Support] Captive Portal Question
On Sat, May 9, 2009 at 00:10, Tim Dressel tjdres...@gmail.com wrote:
> I'm still interested though in anyone out there with large numbers of mac-bypass entries. Any takers?

At the risk of redundancy, that was rather the point. Other than the interface of your manually entering them (which is not critical to the actual operation), the captive portal in its standard configuration makes a mac-bypass entry for every client.
RE: [pfSense Support] Captive Portal Question
We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
> 1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.

> 2. If I should not be doing this with 300 clients, is anyone using another FOSS product to do MAC authenticated control outbound from their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
Re: [pfSense Support] Captive Portal Question
Hi folks,

Just an update. I built a new machine from the ground up today. Took a backup from the old machine, and just copied and pasted the 300+ mac-bypass entries into the new config file. Everything is working well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected entirely to new managed HP 2848's and 2510G-48's and I have great LAN performance. Are you doing something directly with your switches as far as authentication goes, or did you just include the switches for completeness?

Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.

Thanks!

On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis dimit...@integritasystems.com wrote:
> We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
>
> -Original Message-
> From: RB [mailto:aoz@gmail.com]
> Sent: Thursday, May 07, 2009 3:16 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Captive Portal Question
>
> On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
>> 1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?
>
> I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.
>
>> 2. If I should not be doing this with 300 clients, is anyone using another FOSS product to do MAC authenticated control outbound from their firewall?
>
> Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
Re: [pfSense Support] Captive Portal Question
On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
> Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.

The captive portal's default configuration is to filter users by MAC address. The main difference between that and what you're doing is that the MAC entries are made dynamically each time a user logs in. That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that default configuration over a high-churn environment with several thousand unique clients per day with no ill effect.

My concern was not whether pfSense could handle the number of entries, but mainly administrative overhead. Maintaining a list of even 100 MACs is terribly cumbersome, especially considering how trivial MAC-only authentication is to bypass. Additionally, some of pfSense's GUI components just don't scale well - there are some diagnostic pages (DHCP status, CP status, ARP tables, etc.) that I've just become accustomed to not using if the client count is over a couple hundred.

Check your system's RRD graphs during the slowdown - if your states, queues, or CPU aren't pegged, pfSense is likely not the culprit.
Re: [pfSense Support] Captive Portal Question
On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
> 1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.

> 2. If I should not be doing this with 300 clients, is anyone using another FOSS product to do MAC authenticated control outbound from their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
Re: [pfSense Support] Captive Portal Question
I was going to ask what hardware you were running this on. We have a rather large list of MAC addresses in our captive portal and it works fine. It's a dual opteron/4 gigs of ram. Probably overkill, so it won't help you know what you need, but if you're running 128 ram or even 256, it's bare bone minimum.

Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com

RB wrote:
> On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
>> 1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?
>
> I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.
>
>> 2. If I should not be doing this with 300 clients, is anyone using another FOSS product to do MAC authenticated control outbound from their firewall?
>
> Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
Re: [pfSense Support] captive portal question?
The interface must be enabled and configured to show up.

Scott

On 8/24/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> I was looking at the setup screen, and it doesn't look like it will let me pick the OPT1 interface (which is where my guest WLAN will come in on...)
Re: [pfSense Support] captive portal question?
At 07:10 PM 8/24/2005, Scott Ullrich wrote:
> The interface must be enabled and configured to show up.

Aha, thanks. I was before, but I got bit by that bug you just fixed in the vlan checking code. Haven't pulled down 0.80 yet. Thx...

> Scott
>
> On 8/24/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
>> I was looking at the setup screen, and it doesn't look like it will let me pick the OPT1 interface (which is where my guest WLAN will come in on...)