[pfSense Support] captive portal firewall rules

2011-08-04 Thread Shali K.R.
Dear all,

I am trying to configure captive portal in my network. It's working only if I
enable 'allow from all to all' in the firewall. Anybody, please tell me what
ports the captive portal service is using.

-- 
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur,Kerala.
Mob:9846303531


Re: [pfSense Support] Captive portal not redirecting after succesful login

2011-07-11 Thread Giacomo Di Ciocco

On 08/07/2011 12:22, Giacomo Di Ciocco wrote:

> After successful login I'm not being redirected to the website I was
> about to visit, when I send the form the browser stays in waiting
> response..., however from the pfsense web interface I can see the user
> successfully logged in, and if I reinitiate the connection to the website
> I was about to visit it works, other background connection attempts, i.e.
> irc get their way just after pressing form's send button.


Any hint ?

Thank you,
Giacomo.

--
Giacomo Di Ciocco
Phone: (+39) 0577319407
Fax: (+39) 0577318498
Mobile phone: (+39) 3483867757
Email: ad...@nectarine.info
___
Ship to:
Giacomo Di Ciocco
Via del Pozzo 3/A C/O BRT Telecomunicazioni S.R.L.
53035 Monteriggioni (SI)
Italy

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Captive portal not redirecting after succesful login

2011-07-11 Thread Giacomo Di Ciocco

On 08/07/2011 12:22, Giacomo Di Ciocco wrote:

Hello everyone,
this is my pfsense version:

2.0-RC3 (i386)
built on Thu Jul 7 00:25:19 EDT 2011


After reboot radiusd gets stuck with 100% CPU load.

Tried to update to latest version built on Jul 8, it wasn't successful, I
had to reinstall 2.0-RC1 and recover config.xml.


Did the upgrade, this time was successful.

radiusd was not recognizing client, client entry was there, edited and 
saved, works fine.


I'm now wondering how to allow clients to reach any dns server, hints ?

Best regards,
Giacomo.




[pfSense Support] Captive portal not redirecting after succesful login

2011-07-08 Thread Giacomo Di Ciocco

Hello everyone,
this is my pfsense version:

2.0-RC3 (i386)
built on Thu Jul 7 00:25:19 EDT 2011

It is a pretty complex setup, however I'll try to describe just meaningful
parts.


There's a captive portal interface which is on a VLAN, captive portal is
enabled and auths to local radius, tried with and without transparent
http proxy, there's only one rule in the interface's firewall
configuration, it is a pass-all rule.


After successful login I'm not being redirected to the website I was
about to visit, when I send the form the browser stays in waiting
response..., however from the pfsense web interface I can see the user
successfully logged in, and if I reinitiate the connection to the website
I was about to visit it works, other background connection attempts, i.e.
irc get their way just after pressing form's send button.


Thank you.

Best regards,
Giacomo.

--
Giacomo Di Ciocco
DVB Project @ BRT Telecomunicazioni S.R.L.
Phone: (+39) 0577319407
Fax: (+39) 0577318498
Mobile phone: (+39) 3483867757
Email: giacomo.dicio...@brttelecomunicazioni.it
___
BRT Telecomunicazioni S.R.L.
Via del Pozzo 3/A
53035 Monteriggioni (SI)
Italy




[pfSense Support] Captive Portal Redirection

2011-06-17 Thread Atkins, Dwane P
I am experiencing an issue again where the Captive Portal is not redirecting
automatically.  We can web into http://pfsense.domain.local:8000 and it will
redirect.  However, if we just click on a browser and go to a homepage, it will
not redirect.

I have seen this before and thought I had the documentation to fix it, but that 
is not so.

Dwane


[pfSense Support] Captive Portal redirect issues

2011-02-22 Thread Atkins, Dwane P
Not intending to spam---I just wasn't sure the first one went to the proper 
email address.

Good  day all.

I need some troubleshooting assistance.

I am using pfsense 1.2.3 to go across a GRE tunnel.  My set up is pfsense 
device-local router-distant router-user.  From the user device, I can 
actually web into the inside interface of the pfsense device.  However, I 
cannot seem to get the Captive Portal to redirect?   I am sure it is some check 
box, but is there a test or a troubleshooting guideline, I can complete to 
possibly narrow down my issue?

Thank you

Dwane



[pfSense Support] Captive Portal

2010-10-08 Thread Atkins, Dwane P
We are wondering if there is any information available that explains in detail
how the Captive Portal on pfsense works?  We know its function, but we are
wondering what is happening behind the scenes?

Any documentation would be nice.

Thank you

Dwane


Re: [pfSense Support] Captive Portal

2010-10-08 Thread Christian Veith

Hi Dwane,

in my opinion, there's not much documentation on that topic available.
But it's working that way:

1. Receives an IP packet
2. Blocks it until authenticated / answers with an HTML website if port 80
   is talked to
3. Receives credentials from the user
4. Authenticates with internal database / RADIUS server
5. Stores logon information (MAC address / IP address / timestamp)
   internally to revoke access after a configured time
6. Allows access to the requested resource and opens a popup window to logout.

regards

Christian

On 08.10.2010 16:25, Atkins, Dwane P wrote:

> We are wondering if there is any information available that explains
> in detail how the Captive Portal on pfsense works? We know its
> function, but we are wondering what is happening behind the scenes?
>
> Any documentation would be nice.
>
> Thank you
>
> Dwane
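
A simplified model of the six steps in the reply above, added here as an illustration; it is not pfSense's implementation and not part of the original message. The class name, the timeout parameters, the allowed-IP set (the "Allowed IP list" discussed elsewhere in this archive) and all sample addresses and credentials are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Session:
    mac: str
    started: float      # login time, used for the hard timeout
    last_seen: float    # last packet passed, used for the idle timeout


class PortalGate:
    """Toy model: block until authenticated, answer port 80 with the portal page."""

    def __init__(self, users, hard_timeout=None, idle_timeout=None, allowed_ips=()):
        self.users = users                  # username -> password (stands in for local DB / RADIUS)
        self.hard_timeout = hard_timeout    # seconds after login, None = unlimited
        self.idle_timeout = idle_timeout    # seconds without traffic, None = unlimited
        self.allowed_ips = set(allowed_ips) # bypass list, never sees the portal
        self.sessions = {}                  # client IP -> Session

    def _expire(self, now):
        """Step 5: revoke sessions whose configured time has run out."""
        for ip, s in list(self.sessions.items()):
            too_old = self.hard_timeout is not None and now - s.started >= self.hard_timeout
            idle = self.idle_timeout is not None and now - s.last_seen >= self.idle_timeout
            if too_old or idle:
                del self.sessions[ip]

    def handle_packet(self, ip, mac, dst_port, now):
        """Steps 1, 2 and 6: decide what happens to one packet from a client."""
        if ip in self.allowed_ips:
            return "pass"
        self._expire(now)
        session = self.sessions.get(ip)
        if session is not None and session.mac == mac:
            session.last_seen = now
            return "pass"
        # Unauthenticated: only HTTP gets an answer (the login page).
        return "portal_page" if dst_port == 80 else "block"

    def login(self, ip, mac, username, password, now):
        """Steps 3 to 5: check credentials and record MAC / IP / timestamp."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        self.sessions[ip] = Session(mac=mac, started=now, last_seen=now)
        return True


def demo():
    """Constructed walk-through: one PC that logs in, one camera on the bypass list."""
    gate = PortalGate({"alice": "s3cret"}, hard_timeout=90, idle_timeout=60,
                      allowed_ips={"10.0.0.200"})
    pc = ("10.0.0.5", "aa:bb:cc:00:00:05")
    cam = ("10.0.0.200", "aa:bb:cc:00:00:c8")
    return [
        gate.handle_packet(*pc, 6667, now=0),        # non-HTTP before login
        gate.handle_packet(*pc, 80, now=1),          # HTTP before login
        gate.login(*pc, "alice", "wrong", now=2),    # bad password
        gate.login(*pc, "alice", "s3cret", now=3),   # good password
        gate.handle_packet(*pc, 6667, now=4),        # any port after login
        gate.handle_packet(pc[0], "de:ad:be:ef:00:01", 80, now=5),  # same IP, other MAC
        gate.handle_packet(*cam, 554, now=6),        # bypassed device, no login at all
        gate.handle_packet(*pc, 443, now=70),        # idle for more than 60 s
    ]


if __name__ == "__main__":
    print(demo())
```

The walk-through shows why a device that never speaks HTTP stays blocked unless it is on the bypass list, and why a client whose session has expired only sees the login page again on its next port-80 request.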







[pfSense Support] Captive Portal Issues

2010-09-17 Thread Atkins, Dwane P
Good afternoon.

I am trying to install  pfSense-2.0-BETA4-20100915-0900.iso to just run a 
captive portal.  I am having issues even getting the captive portal to work.  
When I initiate a web page, I should get something requesting authentication.  
Instead, I get the web page requested if it is internal, but the page will 
timeout if it is external.

Are there checkboxes that need to be checked or unchecked to just have the 
pfsense default login appear?

Thanks

Dwane


Re: [pfSense Support] captive portal

2010-08-28 Thread Chris Buechler
On Wed, Aug 25, 2010 at 7:19 AM, Hans Maes h...@bitnet.be wrote:
> Hi,
>
> I'm running a few (6 at the moment) pfsense 1.2.3-RELEASE boxes on a rather
> large scale wireless network, as border routers and firewalls between the
> internet uplinks and the rest of the network. (network background info: +600
> subnets, +150 router nodes, 6 internet uplinks, about 1000 unique
> mac-address clients per 24h, www.wirelessbelgie.be , non-profit organisation
> running on volunteers )
>
> The traffic shaper is active on the pfsense boxes to allow different
> internet speeds to different subnets on the network.
> I'm currently using very large alias lists to manage the +600 private
> subnets in the traffic shaper.
>
> We are currently looking at switching to a captive portal + traffic shaper +
> freeradius, so we can set speeds based on user/pass combination instead of
> IP subnet.
> Tests are successful up till now, and we are going to switch this into
> production pretty soon.
>
> However, I have one problem:
> The network contains a lot of 'dumb' devices (ipcams, sound encoders,
> serial2ip, ...) which also need internet access, but have no clue on how to
> log in to the captive portal.
>
> I cannot use mac-authentication with the captive portal and the radius
> server because there are routers in between the pfsense boxes and the
> devices.
>
> From what I see now the only way to allow these devices access to the
> internet is to add them to the Allowed IP list in the captive portal.
> But managing this list separately on every box would be a lot of work. I
> would prefer to use an alias containing all my allowed ip's which I can then
> update through the fetch alias list from url package.
>
>
> First Question: Is there any way to use aliases in the captive Allowed IP
> list, or to automate managing this list in any way ?

No way to use aliases. Scripting with curl can automate management.


> Second question: Are the devices in the allowed list allowed to pass
> through the captive portal right away, or do they need to open an HTTP
> connection first to 'trigger' the captive portal logic ?


They're automatically allowed through.


> Third Question: I'm currently running 1.2.3 but switching to 2.0 would be
> possible, if this would help me in this situation. What would you guys
> recommend for this situation, 1.2.3 or 2.0 ?


Don't think there would be much difference in this particular scenario
for you. 2.0 may let you push the CP function further upstream since
it can run on multiple interfaces, giving you fewer boxes to manage.




[pfSense Support] captive portal

2010-08-25 Thread Hans Maes

Hi,

I'm running a few (6 at the moment) pfsense 1.2.3-RELEASE boxes on a 
rather large scale wireless network, as border routers and firewalls 
between the internet uplinks and the rest of the network. (network 
background info: +600 subnets, +150 router nodes, 6 internet uplinks, 
about 1000 unique mac-address clients per 24h, www.wirelessbelgie.be , 
non-profit organisation running on volunteers )


The traffic shaper is active on the pfsense boxes to allow different 
internet speeds to different subnets on the network.
I'm currently using very large alias lists to manage the +600 private 
subnets in the traffic shaper.


We are currently looking at switching to a captive portal + traffic
shaper + freeradius, so we can set speeds based on user/pass combination
instead of IP subnet.
Tests are successful up till now, and we are going to switch this into 
production pretty soon.


However, I have one problem:
The network contains a lot of 'dumb' devices (ipcams, sound encoders, 
serial2ip, ...) which also need internet access, but have no clue on how 
to log in to the captive portal.


I cannot use mac-authentication with the captive portal and the radius 
server because there are routers in between the pfsense boxes and the 
devices.


From what I see now the only way to allow these devices access to the
internet is to add them to the Allowed IP list in the captive portal.
But managing this list separately on every box would be a lot of work. I
would prefer to use an alias containing all my allowed ip's which I can
then update through the fetch alias list from url package.



First Question: Is there any way to use aliases in the captive Allowed 
IP list, or to automate managing this list in any way ? (maybe some 
radius attribute I don't know about?)


Second question: Are the devices in the allowed list allowed to pass 
through the captive portal right away, or do they need to open an HTTP 
connection first to 'trigger' the captive portal logic ?


Third Question: I'm currently running 1.2.3 but switching to 2.0 would 
be possible, if this would help me in this situation. What would you 
guys recommend for this situation, 1.2.3 or 2.0 ?


Thanks!

Regards,

Hans




[pfSense Support] Captive Portal Multi-Interface Capabilities

2010-07-30 Thread Atkins, Dwane P
In the release notes for pfsense 2.0, it is mentioned that multi-interface
capabilities will be a new feature.  Is there a link or can someone better
explain the terminology to us?  Does this mean that if we have one interface on
a pfsense 2.0 server, we can have multiple VLANs trunked to that port?  Or does
it mean that it supports multiple network interface cards?

If someone can better explain this to me, and maybe a how-to on how to use it.

Thanks

Dwane


Re: [pfSense Support] Captive Portal Multi-Interface Capabilities

2010-07-30 Thread Chris Buechler
On Fri, Jul 30, 2010 at 11:12 AM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> In the release notes for pfsense 2.0, it is mentioned that multi-interface
> capabilities will be a new feature.  Is there a link or can someone better
> explain the terminology to us?  Does this mean that if we have one interface
> on a pfsense 2.0 server, we can have multiple Vlans trunked to that port.
> Or does it mean that it supports multiple Network interface cards?


In a nutshell, it works the same as it does now except rather than a
drop down to pick the interface, limiting you to one interface, it's a
select box where you can pick one or as many interfaces as you want
and it will run on all of those. That's working nicely, we've deployed
it in production for some ISPs.




Re: [pfSense Support] captive portal + load balancer clarification

2010-07-28 Thread Zaharioudakis Nikos



On 28 Jul 2010, at 3:25, Chris Buechler cbuech...@gmail.com wrote:

> On Tue, Jul 27, 2010 at 5:48 PM, Nikos Zaharioudakis nza...@gmail.com wrote:
> > Greetings everybody and thank you for a so nice product ! :-)
> >
> > I have a small clarification question though.
> > I need to share 2 or more dsl lines behind a pfsense box (it's going to be a
> > virtual machine, but let's keep it simple)
> > I will have to use the captive portal for some kind of authenticated access
> > and the use of the load balancer is a must.
> > I have read that the combination of both captive portal & the balancer is
> > not functioning in 1.2.3 release series. ( Is it still true? )
>
> No. Pre-1.2.3, any rule with a gateway would bypass the portal. It'll
> work fine in 1.2.3.
>
> > Another question that comes to mind is that if I have 3+ dsl lines I have to
> > create a policy for all combinations of up / down dsl lines, right.
>
> No, you just need either a failover and/or balancing pool containing
> the interfaces desired. Their status will take care of itself.

I appreciate your prompt reply
I would post a howto afterwards

Thnx a lot once again

Nikos



[pfSense Support] captive portal + load balancer clarification

2010-07-27 Thread Nikos Zaharioudakis
Greetings everybody and thank you for a so nice product ! :-)

I have a small clarification question though.
I need to share 2 or more dsl lines behind a pfsense box (it's going to be a
virtual machine, but let's keep it simple)
I will have to use the captive portal for some kind of authenticated access
and the use of the load balancer is a must.
I have read that the combination of both captive portal & the balancer is
not functioning in 1.2.3 release series. ( Is it still true? )

In that case, an additional scenario comes to my mind. How about using one
pfsense box for the captive portal (2 interfaces) and then use another
pfsense box for the load balancer. In that case, the sticky connections
would give me some good results for users that have some ipsec based vpn
clients and peculiar web sites (web banking for eg) that need to see the
same public ip address to originate from.

Another question that comes to mind is that if I have 3+ dsl lines I have to
create a policy for all combinations of up / down dsl lines, right. That is

DSL1   DSL2   DSL3
up     up     up
down   up     up
down   down   up
-no service --- ;-)
up     down   down
up     up     down
up     down   up


Any thoughts /  suggestions or howtos  would be highly appreciable

Kind Regards,

Nikos


Zaharioudakis Nikos, RHCE, RHCX,RHCI VCP VCI
+30 694 720 40 63
http://zimbra.wikidot.com/zimbra-installations-in-greece


Re: [pfSense Support] captive portal + load balancer clarification

2010-07-27 Thread Chris Buechler
On Tue, Jul 27, 2010 at 5:48 PM, Nikos Zaharioudakis nza...@gmail.com wrote:
> Greetings everybody and thank you for a so nice product ! :-)
>
> I have a small clarification question though.
> I need to share 2 or more dsl lines behind a pfsense box (it's going to be a
> virtual machine, but let's keep it simple)
> I will have to use the captive portal for some kind of authenticated access
> and the use of the load balancer is a must.
> I have read that the combination of both captive portal & the balancer is
> not functioning in 1.2.3 release series. ( Is it still true? )


No. Pre-1.2.3, any rule with a gateway would bypass the portal. It'll
work fine in 1.2.3.



> Another question that comes to mind is that if I have 3+ dsl lines I have to
> create a policy for all combinations of up / down dsl lines, right.

No, you just need either a failover and/or balancing pool containing
the interfaces desired. Their status will take care of itself.




[pfSense Support] Captive portal redirect

2010-06-08 Thread Cristian Del Carlo
Hi,

I use pfsense 2.0 as a captive portal.

Everything works fine except the redirect after user authentication.

I set up captive portal to redirect connections to
http://www.google.it after authentication, but often after giving
username and password correctly the page of the authentication remains.

What could be the problem?

Thanks in advance.




Re: [pfSense Support] Captive Portal redirect problem

2010-05-29 Thread Cristian Del Carlo
Thank you.

2010/5/28 Chris Buechler cbuech...@gmail.com:
> On Fri, May 28, 2010 at 11:53 AM, Cristian Del Carlo
> cristian.delca...@gmail.com wrote:
> > Hi,
> >
> > I installed for testing PFsense 2.0 on an ALIX.2D13 and I try the
> > captive portal function.
> >
> > The problem is that the server did not redirect correctly to the
> > authentication page, firefox prints a message like this "This page does
> > not redirect correctly. Firefox has detected that the server is
> > redirecting the request for this page so that it can never be
> > completed." and the user is not redirected to the authentication page.
>
> That was fixed today.





-- 


Cristian Del Carlo




[pfSense Support] Captive Portal redirect problem

2010-05-28 Thread Cristian Del Carlo
Hi,

I installed for testing PFsense 2.0 on an ALIX.2D13 and I try the
captive portal function.

The problem is that the server did not redirect correctly to the
authentication page, firefox prints a message like this "This page does
not redirect correctly. Firefox has detected that the server is
redirecting the request for this page so that it can never be
completed." and the user is not redirected to the authentication page.

If I write in firefox "http://192.168.1.1:8000" I only have a blank page.

If someone can give me a clue I thank him in advance, it is my first
configuration of pfsense and I don't know if this is a problem in my
configuration or if it is a problem in the release.

Here I print some info about my configuration.

Thank you.




Config file:


Re: [pfSense Support] Captive Portal redirect problem

2010-05-28 Thread Chris Buechler
On Fri, May 28, 2010 at 11:53 AM, Cristian Del Carlo
cristian.delca...@gmail.com wrote:
> Hi,
>
> I installed for testing PFsense 2.0 on an ALIX.2D13 and I try the
> captive portal function.
>
> The problem is that the server did not redirect correctly to the
> authentication page, firefox prints a message like this "This page does
> not redirect correctly. Firefox has detected that the server is
> redirecting the request for this page so that it can never be
> completed." and the user is not redirected to the authentication page.


That was fixed today.




[pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Michel Servaes
Hi,


I have an Alix board, with pfsense on it. I could use proxy, but I
feel this is quite a load on the system (even when setting things to
0).
So to avoid people visiting internet, I was thinking on using captive portal...

But for some sites, (fixed IP addresses) it shouldn't try to
authenticate... can this be achieved by using some kind of ruleset ??
I do have a VLAN capable switch - but again, some IP addresses need to
be passed (they logon to a citrix site).

Kind regards,
Michel




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Remko Lodder

Did you read the configuration options from the captive portal?

On my 2.0 machines that means that you can bypass certain IP's for the
captive portal; and even use MAC-bypass to bypass machines based on their
MAC.

Does that answer the question?


On Thu, March 25, 2010 11:08 am, Michel Servaes wrote:
> Hi,
>
>
> I have an Alix board, with pfsense on it. I could use proxy, but I
> feel this is quite a load on the system (even when setting things to
> 0).
> So to avoid people visiting internet, I was thinking on using captive
> portal...
>
> But for some sites, (fixed IP addresses) it shouldn't try to
> authenticate... can this be achieved by using some kind of ruleset ??
> I do have a VLAN capable switch - but again, some IP addresses need to
> be passed (they logon to a citrix site).
>
> Kind regards,
> Michel




-- 
/"\   Best regards,                      | re...@freebsd.org
\ /   Remko Lodder                       | re...@efnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News





Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Hans Maes

Remko Lodder wrote:

> On my 2.0 machines that means that you can bypass certain IP's for the
> captive portal; and even use MAC-bypass to bypass machines based on their
> MAC.

  
Related to that, could anybody tell me whether in 2.0 you still need to 
do a web request before the MAC-bypass rule gets applied for your IP 
address ?
This was one of the drawbacks of 1.x's captive portal when using 
'stupid' devices (eg a wireless ipcam) on a captive portal'ed wireless 
subnet.


(I guess I should just install 2.0 and try it out myself, but spare time 
is in short supply lately)



Thanks!

Hans


(Sorry to steal this topic, but it is more or less on topic :-) )




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Michel Servaes
On Thu, Mar 25, 2010 at 11:23 AM, Remko Lodder re...@elvandar.org wrote:

> Did you read the configuration options from the captive portal?
>
> On my 2.0 machines that means that you can bypass certain IP's for the
> captive portal; and even use MAC-bypass to bypass machines based on their
> MAC.
>
> Does that answer the question?


No, that's not what I meant :)
I mean - I don't want to install heavy proxy add-on onto my Alix
board... to block the whole internet (if you didn't logon).

Basically I want to block complete internet, but our own site (to
logon to citrix). (this is a single IP, so that shouldn't be too much
work for me) on several client computers behind the pfsense...
Furthermore I want to only allow certain client computers (but that
can be achieved by adding their MAC addresses), without having to go
through captive portal.
And if possible (that would be the cherry on the pie) - I want to
block only during the weekends.

But I don't think I can add an HTTP/HTTPS rule to circumvent the
captive portal, can I ?




Re: [pfSense Support] captive portal, bypass for certain sites

2010-03-25 Thread Chris Buechler
On Thu, Mar 25, 2010 at 5:25 PM, Michel Servaes mic...@mcmc.be wrote:
> On Thu, Mar 25, 2010 at 11:23 AM, Remko Lodder re...@elvandar.org wrote:
> >
> > Did you read the configuration options from the captive portal?
> >
> > On my 2.0 machines that means that you can bypass certain IP's for the
> > captive portal; and even use MAC-bypass to bypass machines based on their
> > MAC.
> >
> > Does that answer the question?
>
> No, that's not what I meant :)

Actually it is, just use the IP bypass for that site's IP.




[pfSense Support] captive portal Session-Timeout

2010-03-03 Thread Nikos Vassiliadis

Hi,

I am trying to use the RADIUS attribute Session-Timeout with
the captive portal, but it seems to fail. The captive portal
seems to ignore the attribute. Here is the tcpdump on lo0:

21:09:57.192049 IP (tos 0x0, ttl 64, id 28235, offset 0, flags [none], proto UDP (17), length 156) 127.0.0.1.43369 > 127.0.0.1.1812: RADIUS, length: 128
    Access Request (1), id: 0x20, Authenticator: fc3d8b1559fb900b455e5e8a56876139
      NAS IP Address Attribute (4), length: 6, Value: 192.168.73.195
      NAS ID Attribute (32), length: 15, Value: pfSense.local
      Username Attribute (1), length: 7, Value: nikos
      Password Attribute (2), length: 18, Value:  [|radius]
21:09:58.297790 IP (tos 0x0, ttl 64, id 61190, offset 0, flags [none], proto UDP (17), length 60) 127.0.0.1.1812 > 127.0.0.1.43369: RADIUS, length: 32
    Access Accept (2), id: 0x20, Authenticator: aad3d354acb18e87157c9249478683b2
      Session Timeout Attribute (27), length: 6, Value: 01:30 min
      Idle Timeout Attribute (28), length: 6, Value: 01:00 min


The CP configuration is the following:

<captiveportal>
    <page/>
    <timeout/>
    <interface>lan</interface>
    <maxproc></maxproc>
    <idletimeout/>
    <enable/>
    <auth_method>radius</auth_method>
    <radacct_enable/>
    <reauthenticateacct/>
    <httpsname/>
    <bwdefaultdn>2000</bwdefaultdn>
    <bwdefaultup>100</bwdefaultup>
    <certificate/>
    <private-key/>
    <logoutwin_enable/>
    <redirurl/>
    <radiusip>127.0.0.1</radiusip>
    <radiusip2/>
    <radiusport/>
    <radiusport2/>
    <radiusacctport/>
    <radiuskey>tstng123</radiuskey>
    <radiuskey2/>
    <radiusvendor>default</radiusvendor>
</captiveportal>


Thanks for any insights on this, Nikos
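
A decoder for an Access-Accept like the one in the capture above, as an added example that is not part of the original post: it walks the attribute list, reads Session-Timeout (27) and Idle-Timeout (28) as seconds, and checks the Response Authenticator so a reply can be confirmed as genuine before blaming the portal. The request authenticator and shared secret are constructed sample values, not the ones from the capture.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types seen in the capture (RFC 2865).
ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27
IDLE_TIMEOUT = 28


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept as a server would (used for the constructed sample).

    attrs is a list of (type, value_bytes) pairs.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_radius(packet):
    """Return (code, ident, authenticator, [(type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:20], attrs


def response_is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator with the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:length] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


def timeouts(attrs):
    """Session-Timeout / Idle-Timeout in seconds, None when the attribute is absent."""
    out = {"session": None, "idle": None}
    for a_type, value in attrs:
        if a_type in (SESSION_TIMEOUT, IDLE_TIMEOUT) and len(value) == 4:
            key = "session" if a_type == SESSION_TIMEOUT else "idle"
            out[key] = struct.unpack("!I", value)[0]
    return out


# Constructed sample: same id and attribute values as the capture
# (90 s and 60 s, which tcpdump prints as 01:30 min and 01:00 min).
REQUEST_AUTH = bytes(range(16))      # constructed, not the captured value
SECRET = b"constructed-secret"       # constructed, not the configured key
SAMPLE_ACCEPT = build_access_accept(
    0x20,
    REQUEST_AUTH,
    SECRET,
    [(SESSION_TIMEOUT, struct.pack("!I", 90)), (IDLE_TIMEOUT, struct.pack("!I", 60))],
)

if __name__ == "__main__":
    code, ident, _, attrs = parse_radius(SAMPLE_ACCEPT)
    print("code", code, "id", hex(ident), "length", len(SAMPLE_ACCEPT))
    print("timeouts", timeouts(attrs))
    print("authentic", response_is_authentic(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```
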





[pfSense Support] Captive portal failure with subnets on LAN interface

2010-02-23 Thread Nigel Metheringham
I'm looking at pfsense 1.2.3.

We have a requirement to push several subnets through a captive portal, so 
expected pfsense to be able to do this (with the Disable MAC filtering 
option).

However any clients, other than on the local LAN network, that attempt to route 
through the pfsense box get no packets back at all - no redirect to the portal 
web page, nothing.

This is due to the following pf rule being used to push packets to the captive 
portal stuff:-

pass in quick on $lan from 192.168.50.0/24 to any keep state \
label "USER_RULE: Default LAN -> any"

I can hack stuff so that things do work by changing /etc/inc/filter.inc (diff 
has been white space mangled to stop it wrapping):-
diff -u filter.inc.orig filter.inc
--- filter.inc.orig 2010-02-23 15:24:02.0 +
+++ filter.inc  2010-02-23 15:24:04.0 +
@@ -1752,7 +1752,7 @@
 $src = $lanip;
 break;
 case 'lan':
-$src = {$lansa}/{$lansn};
+$src = any;
 break;
 case 'pptp':
 $src = {$pptpsa}/{$pptpsn};
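
Review bot: in case 'lan', setting $src to any drops the source restriction for every generated rule that uses the LAN source, not only for the extra routed subnets, so the resulting "pass in quick on $lan from ... to any" rule would accept any source address arriving on that interface. Consider keeping {$lansa}/{$lansn} here and admitting the additional subnets with explicit pass rules on the LAN interface, or making the wider match an option rather than the default.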


which feels like doing surgery with a chainsaw...

Can anyone suggest a better fix for this?  And how do I do a proper bug report 
to get this fixed in the next release...

Nigel.

--
[ Nigel Metheringham nigel.methering...@intechnology.com ]
[ - Comments in this message are my own and not ITO opinion/policy - ]





Re: [pfSense Support] Captive portal failure with subnets on LAN interface

2010-02-23 Thread Remko Lodder

Perhaps it should be optional. I came across this with redirection as well, 
where the interface IP is hardcoded even if you select ''any'' there
(which doesn't work if you have Squid on a different machine and redirect all 
http traffic towards the squid box :-))

Cheerio,
Remko

On Feb 23, 2010, at 4:26 PM, Nigel Metheringham wrote:

 I'm looking at pfsense 1.2.3.
 
 We have a requirement to push several subnets through a captive portal, so 
 expected pfsense to be able to do this (with the Disable MAC filtering 
 option).
 
 However any clients, other than on the local LAN network, that attempt to 
 route through the pfsense box get no packets back at all - no redirect to the 
 portal web page, nothing.
 
 This is due to the following pf rule being used to push packets to the 
 captive portal stuff:-
 
   pass in quick on $lan from 192.168.50.0/24 to any keep state \
   label USER_RULE: Default LAN - any 
 
 I can hack stuff so that things do work by changing /etc/inc/filter.inc (diff 
 has been white space mangled to stop it wrapping):-
 diff -u filter.inc.orig filter.inc
 --- filter.inc.orig 2010-02-23 15:24:02.0 +
 +++ filter.inc  2010-02-23 15:24:04.0 +
 @@ -1752,7 +1752,7 @@
 $src = $lanip;
 break;
 case 'lan':
 -$src = {$lansa}/{$lansn};
 +$src = any;
 break;
 case 'pptp':
 $src = {$pptpsa}/{$pptpsn};
 
 
 which feels like doing surgery with a chainsaw...
 
 Can anyone suggest a better fix for this?  And how do I do a proper bug 
 report to get this fixed in the next release...
 
   Nigel.
 
 --
 [ Nigel Metheringham nigel.methering...@intechnology.com ]
 [ - Comments in this message are my own and not ITO opinion/policy - ]
 
 
 

-- 
/\   Best regards,| re...@freebsd.org
\ /   Remko Lodder  | re...@efnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign| Against HTML Mail and News





Re: [pfSense Support] Captive portal failure with subnets on LAN interface

2010-02-23 Thread Chris Buechler
On Tue, Feb 23, 2010 at 10:26 AM, Nigel Metheringham
nigel.methering...@dev.intechnology.co.uk wrote:
> I'm looking at pfsense 1.2.3.
>
> We have a requirement to push several subnets through a captive portal, so
> expected pfsense to be able to do this (with the Disable MAC filtering
> option).
>
> However any clients, other than on the local LAN network, that attempt to
> route through the pfsense box get no packets back at all - no redirect to the
> portal web page, nothing.
>
> This is due to the following pf rule being used to push packets to the
> captive portal stuff:-
>
>         pass in quick on $lan from 192.168.50.0/24 to any keep state \
>         label "USER_RULE: Default LAN -> any"


That has nothing to do with what pushes to captive portal, that's your
LAN rule. Edit that rule under Firewall > Rules, LAN tab.




RE: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-15 Thread Tancinco, Jon
Hi Mike.

 

The authentication requests go through to the Radius server...and we get
a bad password error.

 

It's weird.  All the same settings work under m0n0wall.  Same IPs, same
radius server.  I'm not sure how different pfSense is compared to the
m0n0wall app.  The Captive Portal setup looks identical to me, unless
there is some underlying difference between the two applications.

 

Thanks for your help.

 

 

-Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Saturday, December 12, 2009 6:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

The external IP of the radius server has to be added to the radius
servers client list or else it will reject authentication requests.

 

Mike 

 

From: Tancinco, Jon mailto:tanci...@humnet.ucla.edu  

Sent: Wednesday, December 09, 2009 5:43 PM

To: support@pfsense.com 

Subject: RE: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Secret key works under m0n0wall and the same key is used in pfSense.
Not sure what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 

From: Michael Vinocur [mailto:michaelvino...@hotmail.com] 
Sent: Wednesday, December 09, 2009 2:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Could be the secret key, or check if you added the IP of the NAS.

 

Mike

 

From: Tancinco, Jon mailto:tanci...@humnet.ucla.edu  

Sent: Wednesday, December 09, 2009 11:37 AM

To: support@pfsense.com 

Subject: [pfSense Support] Captive Portal RADIUS authentication -
Authentication error - Username and/or password invalid

 

Same error on Versions 1.2.2 and 1.2.3


Using the pfSense Captive Portal. I am getting the "Authentication error
- Username and/or password invalid." message when trying to
authenticate. The password is correctly submitted, but get the error
every time. RADIUS server reports incorrect password. Using m0n0wall,
Captive Portal and RADIUS authentication works with no problems using
the same username, password and RADIUS server.

Any help would be appreciated.

 

 

 

 

Jon

 



Re: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-15 Thread Michael Vinocur
I see. Well, the only other thing I can think of is the password type, i.e. 
m5, chap, etc. must be different between the m0n0wall and pfSense boxes.

Mike



Re: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-12 Thread Michael Vinocur
The external IP of the radius server has to be added to the radius servers 
client list or else it will reject authentication requests.

Mike 



RE: [pfSense Support] Captive Portal RADIUS authentication - Authentication error - Username and/or password invalid

2009-12-09 Thread Tancinco, Jon
Secret key works under m0n0wall and the same key is used in pfSense.
Not sure what you mean about the IP of the NAS.

 

Thanks for your help!

 

 

Jon

 


[pfSense Support] Captive Portal and Wifi network

2009-06-29 Thread Lunix1618

Hello everybody,

I am in the study phase of building a wireless network, and the requirement 
is to force users to authenticate first. I figured out that this can be done 
with the Captive Portal feature of pfSense. However, I want to know if anybody 
has built a Wi-Fi network with 1 main access point connected directly to the 
pfSense box, expanding the wireless signal with some kind of Wi-Fi extender?


TIA,





RE: [pfSense Support] Captive Portal and Wifi network

2009-06-29 Thread Tim Dickson
- Lunix1618 [mailto:lunix1...@gmail.com] 
Hello everybody,

I am in study phase to do a Wireless network and requirement is need to 
force users authenticate first. I figured out that can be done with 
Captive Portal feature of pfsense. However, I want to know if anybody 
did a Wifi network with 1 main access point connect directly to pfsense 
box and expand the wireless signal with some kind of Wifi extender ?

TIA,
-



Yes, absolutely - if your Access Points support it - but you will be chopping 
bandwidth in half at every relay point.
Two hops is probably OK, but I'd reconsider your setup for multiple hops.
-Tim







[pfSense Support] Captive Portal/USB WiFi

2009-05-15 Thread Manny A. Wise

Hello,

I have a pfSense box with (1) WAN and (3) RJ45.
I have a D-Link router hanging off one of the RJ45s.
I would like to eliminate the router, as it is only being used as an access point.
I would like to know if pfSense has support for USB Wi-Fi.

Thank you!!!

VIA VNT6656 USB WiFi Module, 802.11b/g





[pfSense Support] Captive Portal Page

2009-05-14 Thread Curtis LaMasters
Does anyone know where I can find a nice templated captive portal
page. Something with a simple header, ULA and Login.  I know it sounds
so simple, but my web skillz are limited...

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




Re: [pfSense Support] Captive Portal Page

2009-05-14 Thread Pete Boyd
> Does anyone know where I can find a nice templated captive portal
> page. Something with a simple header, ULA and Login.

http://thegoldenear.org/toolbox/unices/pfsense-1.2-firewall.html#captive-portal


-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org






Re: [pfSense Support] Captive Portal Question

2009-05-09 Thread Tim Dressel
I agree completely.

What we were using it for is all our wired clients and wireless *were*
on the same internal lan. The captive portal was enabled on the LAN
interface. All wired clients had mac-bypass entries, and the wireless
clients had to get past the captive portal.

What I'm thinking is that I will have to investigate some sort of
rogue detection, or maybe network access protection for the wired
clients, and then completely separate the wireless traffic on another
interface.

I'm still interested though in anyone out there with large numbers of
mac-bypass entries. Any takers?

Cheers,


P.S. Chris/PFsense team, I am consistently impressed by this product.
You guys do very good work, and my team and I appreciate your efforts
immensely. The coding is important, but the community support is above
and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB aoz@gmail.com wrote:
 On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
 Finally, I'd appreciate any feedback out there on installs with counts
 on mac bypass entries topping a 1000 count. I am considering tying
 together several of my networks and would like to know what the upper
 end on the captive portal looks like.

 The captive portal's default configuration is to filter users by MAC
 address.  The main difference between that and what you're doing is
 that the MAC entries are made dynamically each time a user logs in.
 That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
 default configuration over a high-churn environment with several
 thousand unique clients per day with no ill effect.

 My concern was not whether pfSense could handle the number of entries,
 but mainly administrative overhead.  Maintaining a list of even 100
 MACs is terribly cumbersome, especially considering how trivial
 MAC-only authentication is to bypass.  Additionally, some of pfSense's
 GUI components just don't scale well - there are some diagnostic pages
 (DHCP status, CP status, ARP tables, etc.) that I've just become
 accustomed to not using if the client count is over a couple hundred.

 Check your system's RRD graphs during the slowdown - if your states,
 queues, or CPU aren't pegged, pfSense is likely not the culprit.




RE: [pfSense Support] Captive Portal Question

2009-05-09 Thread Dimitri Rodis
I'm drafting a reply. Be done shortly.

Dimitri Rodis
Integrita Systems LLC 
http://www.integritasystems.com




RE: [pfSense Support] Captive Portal Question

2009-05-09 Thread Dimitri Rodis
We use the switches in a client's executive office suite buildings. We needed 
a way to provide internet access on a per suite basis, and we needed to 
provide public addresses on an as-needed basis (if they had a mail server, for 
example). We had a previous solution in place, but it was about 8-9 years old, 
and required manual intervention when tenants move from suite to suite (which 
happens a lot in these buildings).

So our new (15 month old at this point) setup has 3 vlans on the switches: 
"private unauthenticated", "private authenticated", and "public 
authenticated". ("private" and "public" refer to the address spaces in use on 
the vlans). As part of that setup, we use mac-based authentication on the HP 
switches. So, a client (aka tenant) can be plugged into any port on the 
switch, and the FreeRADIUS package from pfSense can provide authentication and 
VLAN assignments to the switch, and the switch will use the RADIUS information 
to put them on the correct VLAN automatically. For any client that does not 
authenticate, the switch throws them on the "private unauthenticated" vlan, 
and then the client cannot get on the internet without authenticating with the 
pfsense captive portal (the custom captive portal page pretty much says "hey, 
you aren't getting on the internet unless you pay the landlord more $$.  If 
you want access, call up xxx and give them this mac address: 
xx:xx:xx:xx:xx:xx"). If their mac address is present in FreeRADIUS, then they 
get put on whatever vlan is assigned them from the vlan box. The "private 
authenticated" vlan is a private address space vlan that is NATted to the 
internet, and the "public authenticated" vlan is directly on the internet. In 
order to keep clients from seeing each other on the "private authenticated" 
vlan (basically this vlan is for tenants that have a single pc with no 
router), we add the following to each client entry in the Additional RADIUS 
Options box:

HP-Nas-Filter-Rule = "permit in ip from any to 172.20.1.1",
HP-Nas-Filter-Rule += "deny in ip from any to 172.20.1.0/24",
HP-Nas-Filter-Rule += "permit in ip from any to 0.0.0.0/0"

This permits the clients to talk to the gateway and the rest of the internet, 
but not to any other machine on the same subnet.

I don't know how much of this applies to your setup, but to sum up this 
solution, unauthenticated clients get put on a vlan that can't get on the 
internet (they can, but are stopped by a custom captive portal page from 
pfSense that tells them what to do), and authenticated clients get put on 
vlans that can freely access the internet. In your case, you might just need 
to use FreeRADIUS along with some switch ACLs (in the Additional RADIUS 
Options box) to allow/limit/prevent internet access.

Hopefully that made some sense. It's a bit tough to describe without seeing 
it! :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
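
The three HP-Nas-Filter-Rule entries from the message above, evaluated in order, as an added example that is not part of the original post or of any vendor tooling. It assumes the switch applies the rules top to bottom with the first match winning and an implicit deny at the end; the "outside" address and the reordered list are constructed to show why the host permit has to come before the subnet deny.

```python
import ipaddress
import re

# The three rules from the message, in the order they are sent.
RULES = [
    "permit in ip from any to 172.20.1.1",
    "deny in ip from any to 172.20.1.0/24",
    "permit in ip from any to 0.0.0.0/0",
]

# Only the rule shape used in the message is handled here.
_RULE_RE = re.compile(r"^(permit|deny) in ip from any to (\S+)$")


def parse_rule(text):
    """Return (action, destination network) for one filter rule."""
    match = _RULE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported rule: {text!r}")
    action, dest = match.groups()
    # A bare address becomes a /32 host entry.
    return action, ipaddress.ip_network(dest, strict=False)


def evaluate(rules, dst):
    """First matching rule wins; no match is an implicit deny (assumption)."""
    addr = ipaddress.ip_address(dst)
    for index, text in enumerate(rules):
        action, net = parse_rule(text)
        if addr in net:
            return action, index
    return "deny", None


def check_isolation(rules, gateway, subnet, outside):
    """Check the intent stated in the message against every host in the subnet."""
    peers_blocked = all(
        evaluate(rules, str(host))[0] == "deny"
        for host in ipaddress.ip_network(subnet).hosts()
        if str(host) != gateway
    )
    return {
        "gateway_reachable": evaluate(rules, gateway)[0] == "permit",
        "peers_blocked": peers_blocked,
        "internet_reachable": evaluate(rules, outside)[0] == "permit",
    }


# Constructed counter-example: the same rules with the subnet deny sent first.
REORDERED = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    # 198.51.100.10 is a constructed documentation address standing in for "the internet".
    print(check_isolation(RULES, "172.20.1.1", "172.20.1.0/24", "198.51.100.10"))
    print(check_isolation(REORDERED, "172.20.1.1", "172.20.1.0/24", "198.51.100.10"))
```
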


-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 9:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

Hi folks,

Just an update. I built a new machine from the ground up today. Took a
backup from the old machine, and just copied and pasted the 300+
mac-bypass entries into the new config file. Everything is working
well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected
entirely to new managed HP 2848's and 2510G-48's and I have great LAN
performance. Are you doing something directly with your switches as
far as authentication goes, or did you just include the switches for
completeness?

Finally, I'd appreciate any feedback out there on installs with counts
on mac bypass entries topping a 1000 count. I am considering tying
together several of my networks and would like to know what the upper
end on the captive portal looks like.

Thanks!



On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis
dimit...@integritasystems.com wrote:
 We have a pfSense setup with the FreeRADIUS package that authenticates folks
 that plug in to HP 3500yl and 2626 switches-- the set up is for a few
 executive office suite buildings that are linked together by fiber and all
 share a single 10Mb symmetric connection to the internet. 0 problems for 
 about
 15 months now--still running on 1.2-release. If you have some good managed
 switches, that's the way to do it IMHO.

 Dimitri Rodis
 Integrita Systems LLC
 http://www.integritasystems.com

 -Original Message-
 From: RB [mailto:aoz@gmail.com]
 Sent: Thursday, May 07, 2009 3:16 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Captive Portal Question

 On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

 I'm sure someone will chime in with the precise ipfw limitation, but
 this is mostly going to be dependent on your system's performance
 specs - memory & CPU.

 2. If I

Re: [pfSense Support] Captive Portal Question

2009-05-09 Thread RB
On Sat, May 9, 2009 at 00:10, Tim Dressel tjdres...@gmail.com wrote:
> I'm still interested though in anyone out there with large numbers of
> mac-bypass entries. Any takers?

At the risk of redundancy, that was rather the point.  Other than the
interface of your manually entering them (which is not critical to the
actual operation), the captive portal in its standard configuration
makes a mac-bypass entry for every client.




RE: [pfSense Support] Captive Portal Question

2009-05-08 Thread Dimitri Rodis
We have a pfSense setup with the FreeRADIUS package that authenticates folks 
that plug in to HP 3500yl and 2626 switches-- the set up is for a few 
executive office suite buildings that are linked together by fiber and all 
share a single 10Mb symmetric connection to the internet. 0 problems for about 
15 months now--still running on 1.2-release. If you have some good managed 
switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
 1. What is the limitation on the number of mac-bypass entries? And is
 what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but
this is mostly going to be dependent on your system's performance
specs - memory & CPU.

 2. If I should not be doing this with 300 clients, is anyone using
 another FOSS product to do MAC authenticated control outbound from
 their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest
people honest, it is in no way any form of authentication.  At that
number of unique users, you may be better served by setting up an
actual RADIUS server to do proper authentication and AAA instead of
manually maintaining tables.



Re: [pfSense Support] Captive Portal Question

2009-05-08 Thread Tim Dressel
Hi folks,

Just an update. I built a new machine from the ground up today. Took a
backup from the old machine, and just copied and pasted the 300+
mac-bypass entries into the new config file. Everything is working
well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected
entirely to new managed HP 2848's and 2510G-48's and I have great LAN
performance. Are you doing something directly with your switches as
far as authentication goes, or did you just include the switches for
completeness?

Finally, I'd appreciate any feedback out there on installs with counts
on mac bypass entries topping a 1000 count. I am considering tying
together several of my networks and would like to know what the upper
end on the captive portal looks like.

Thanks!



On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis
dimit...@integritasystems.com wrote:
> We have a pfSense setup with the FreeRADIUS package that authenticates folks
> that plug in to HP 3500yl and 2626 switches-- the set up is for a few
> executive office suite buildings that are linked together by fiber and all
> share a single 10Mb symmetric connection to the internet. 0 problems for about
> 15 months now--still running on 1.2-release. If you have some good managed
> switches, that's the way to do it IMHO.
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
>
> -Original Message-
> From: RB [mailto:aoz@gmail.com]
> Sent: Thursday, May 07, 2009 3:16 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Captive Portal Question
>
> On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
>> 1. What is the limitation on the number of mac-bypass entries? And is
>> what I am seeing expected with 300 entries?
>
> I'm sure someone will chime in with the precise ipfw limitation, but
> this is mostly going to be dependent on your system's performance
> specs - memory & CPU.
>
>> 2. If I should not be doing this with 300 clients, is anyone using
>> another FOSS product to do MAC authenticated control outbound from
>> their firewall?
>
> Possibly, but [as I hope you know] MAC filtering only keeps honest
> people honest, it is in no way any form of authentication.  At that
> number of unique users, you may be better served by setting up an
> actual RADIUS server to do proper authentication and AAA instead of
> manually maintaining tables.




Re: [pfSense Support] Captive Portal Question

2009-05-08 Thread RB
On Fri, May 8, 2009 at 22:06, Tim Dressel tjdres...@gmail.com wrote:
> Finally, I'd appreciate any feedback out there on installs with counts
> on mac bypass entries topping a 1000 count. I am considering tying
> together several of my networks and would like to know what the upper
> end on the captive portal looks like.

The captive portal's default configuration is to filter users by MAC
address.  The main difference between that and what you're doing is
that the MAC entries are made dynamically each time a user logs in.
That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
default configuration over a high-churn environment with several
thousand unique clients per day with no ill effect.

My concern was not whether pfSense could handle the number of entries,
but mainly administrative overhead.  Maintaining a list of even 100
MACs is terribly cumbersome, especially considering how trivial
MAC-only authentication is to bypass.  Additionally, some of pfSense's
GUI components just don't scale well - there are some diagnostic pages
(DHCP status, CP status, ARP tables, etc.) that I've just become
accustomed to not using if the client count is over a couple hundred.

Check your system's RRD graphs during the slowdown - if your states,
queues, or CPU aren't pegged, pfSense is likely not the culprit.




[pfSense Support] Captive Portal Question

2009-05-07 Thread Tim Dressel
Hi folks,

I've got a captive portal deployed on a simple LAN/WAN configured
current PFsense box.

All clients that I want to have transparent access to the internet
have a MAC bypass entry.

All other clients authenticate against the active portal.

The mac-bypass has over 300 entries in it.

I get network drops, slow traffic internal and external, and in
general network unhappiness (slow ping times, things just dropping off
the network, adding an additional MAC address when applying the
settings causes the web interface to hang). Disabling the captive
portal instantly makes everything work well again.

So, two questions please:

1. What is the limitation on the number of mac-bypass entries? And is
what I am seeing expected with 300 entries?

2. If I should not be doing this with 300 clients, is anyone using
another FOSS product to do MAC authenticated control outbound from
their firewall?

Thanks in advance...

Tim




Re: [pfSense Support] Captive Portal Question

2009-05-07 Thread RB
On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
> 1. What is the limitation on the number of mac-bypass entries? And is
> what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but
this is mostly going to be dependent on your system's performance
specs - memory & CPU.

> 2. If I should not be doing this with 300 clients, is anyone using
> another FOSS product to do MAC authenticated control outbound from
> their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest
people honest, it is in no way any form of authentication.  At that
number of unique users, you may be better served by setting up an
actual RADIUS server to do proper authentication and AAA instead of
manually maintaining tables.




Re: [pfSense Support] Captive Portal Question

2009-05-07 Thread Chris Flugstad




I was going to ask what hardware you were running this on.  We have a
rather large list of MAC addresses in our captive portal and it works
fine.  It's a dual opteron/4 gigs of ram.   Probably overkill, so it
won't help you know what you need, but if you're running 128  ram or even
256, it's bare bone minimum.



Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com



RB wrote:

> On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:
>
>> 1. What is the limitation on the number of mac-bypass entries? And is
>> what I am seeing expected with 300 entries?
>
> I'm sure someone will chime in with the precise ipfw limitation, but
> this is mostly going to be dependent on your system's performance
> specs - memory & CPU.
>
>> 2. If I should not be doing this with 300 clients, is anyone using
>> another FOSS product to do MAC authenticated control outbound from
>> their firewall?
>
> Possibly, but [as I hope you know] MAC filtering only keeps honest
> people honest, it is in no way any form of authentication.  At that
> number of unique users, you may be better served by setting up an
> actual RADIUS server to do proper authentication and AAA instead of
> manually maintaining tables.




[pfSense Support] Captive Portal Issues

2009-03-03 Thread Atkins, Dwane P
We have been running pfSense as a Captive Portal for quite some time.
Lately, our flenses have had services that were locking up.  You could
view items on the GUI, but could not execute a Captive Portal lookup or
a Halt System or Reboot System.  And if you ssh'ed into the system, you
could not execute either or a web configurator restart either.

 

On the particular system we had this happen to lately, we were using
1.2.1-RC2 and have had it happen on 1.2.2.  We did recently upgrade to
1.2.3-PRERELEASE-TESTING-VERSION and have not had it up long enough to
determine if this version had the same issue.

 

This is the error that was in the /var/log/ lighttpd.error.log

 

2009-03-03 09:04:58: (mod_fastcgi.c.2956) backend died; we'll disable it
for 5 seconds and send the request to another backend instead:
reconnects: 0 load: 192 

2009-03-03 09:04:59: (mod_fastcgi.c.3568) all handlers for  /index.php
on .php are down.

 

This was on the monitor hooked up to the pfSense device

 

 

IPFW: IPV6 - Unknown Extension Header(10), ext 2

IPFW: IPV6 - Unknown Extension Header(5), ext 2

 

Thanks 

 



RE: [pfSense Support] Captive Portal Issues

2009-03-03 Thread Atkins, Dwane P
My apologies that should say our pfsenses and not  our flenses

 

 

 



From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Tuesday, March 03, 2009 10:30 AM
To: support@pfsense.com
Subject: [pfSense Support] Captive Portal Issues

 

We have been running pfSense as a Captive Portal for quite some time.
Lately, our flenses have had services that were locking up.  You could
view items on the GUI, but could not execute a Captive Portal lookup or
a Halt System or Reboot System.  And if you ssh'ed into the system, you
could not execute either or a web configurator restart either.

 

On the particular system we had this happen to lately, we were using
1.2.1-RC2 and have had it happen on 1.2.2.  We did recently upgrade to
1.2.3-PRERELEASE-TESTING-VERSION and have not had it up long enough to
determine if this version had the same issue.

 

This is the error that was in the /var/log/ lighttpd.error.log

 

2009-03-03 09:04:58: (mod_fastcgi.c.2956) backend died; we'll disable it
for 5 seconds and send the request to another backend instead:
reconnects: 0 load: 192 

2009-03-03 09:04:59: (mod_fastcgi.c.3568) all handlers for  /index.php
on .php are down.

 

This was on the monitor hooked up to the pfSense device

 

 

IPFW: IPV6 - Unknown Extension Header(10), ext 2

IPFW: IPV6 - Unknown Extension Header(5), ext 2

 

Thanks 

 



[pfSense Support] captive portal without MAC filtering

2009-02-07 Thread Pete Boyd
The captive portal has the following option:
MAC filtering - Disable MAC filtering
If this option is set, no attempts will be made to ensure that the MAC
address of clients stays the same while they're logged in. This is
required when the MAC address of the client cannot be determined (usually
because there are routers between pfSense and the clients). If this is
enabled, RADIUS MAC authentication cannot be used.

This sounds useful. It could fix the difficulty we have of requiring LAN
users, who want to add wifi in their home, that they need to use wireless
access points, not wireless routers (or wireless routers configured as
purely wireless access points, for those that support this), so that they
don't ruin our charging model. People find the technical differences hard
to understand.

So, how does pfSense track people with this option enabled? How does it work?


-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org






Re: [pfSense Support] captive portal without MAC filtering

2009-02-07 Thread Chris Buechler
On Sat, Feb 7, 2009 at 2:31 PM, Pete Boyd petes-li...@thegoldenear.org wrote:
> The captive portal has the following option:
> MAC filtering - Disable MAC filtering
> If this option is set, no attempts will be made to ensure that the MAC
> address of clients stays the same while they're logged in. This is
> required when the MAC address of the client cannot be determined (usually
> because there are routers between pfSense and the clients). If this is
> enabled, RADIUS MAC authentication cannot be used.
>
> This sounds useful. It could fix the difficulty we have of requiring LAN
> users, who want to add wifi in their home, that they need to use wireless
> access points, not wireless routers (or wireless routers configured as
> purely wireless access points, for those that support this), so that they
> don't ruin our charging model. People find the technical differences hard
> to understand.

It's simple to bridge wireless on almost every wireless router, just
plug in one of the LAN ports rather than the WAN/Internet port. Double
NAT is ugly and potentially problematic, so I would stay away from it
if at all possible. Disabling MAC filtering will work around it if you
really must do it that way.

> So, how does pfSense track people with this option enabled? How does it work?

As it says in what you quoted above, just by IP rather than by IP and MAC.
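
A toy model of the behaviour described in this reply and in RB's 2009-05-08 message earlier on the page (static MAC bypass entries, dynamic entries created at login, tracking by IP and MAC versus by IP only). It is an added example, not pfSense code and not part of either post; the class, function names and addresses are constructed, and applying the bypass list in both modes is an assumption of the model.

```python
"""Toy model of captive portal admission decisions (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Portal:
    mac_filtering: bool = True   # False models the "Disable MAC filtering" option
    bypass_macs: set = field(default_factory=set)   # static MAC bypass list
    sessions: dict = field(default_factory=dict)    # ip -> MAC seen at login

    def __post_init__(self):
        self.bypass_macs = {m.lower() for m in self.bypass_macs}

    def login(self, ip, mac):
        """A successful login adds a dynamic entry for what the portal saw."""
        self.sessions[ip] = mac.lower()

    def admit(self, ip, mac):
        """Return (allowed, reason) for a packet arriving from (ip, mac)."""
        mac = mac.lower()
        # Assumption of this model: bypass entries are honoured in both modes.
        if mac in self.bypass_macs:
            return (True, "bypass")
        logged_mac = self.sessions.get(ip)
        if logged_mac is None:
            return (False, "no-session")      # client is sent to the login page
        if not self.mac_filtering:
            return (True, "ip-only")          # tracked "just by IP"
        if logged_mac == mac:
            return (True, "ip+mac")           # tracked "by IP and MAC"
        return (False, "mac-changed")


# Constructed sample hosts (documentation IP range, locally administered MACs).
LAPTOP = ("192.0.2.10", "02:00:00:00:00:10")
PRINTER = ("192.0.2.20", "02:00:00:00:00:20")      # listed in the bypass table
NAT_ROUTER = ("192.0.2.30", "02:00:00:00:00:30")   # WAN side of a home router


def run_scenario(mac_filtering):
    """Replay the same events against one portal mode and collect decisions."""
    portal = Portal(mac_filtering=mac_filtering, bypass_macs={PRINTER[1]})
    out = {}
    out["printer_no_login"] = portal.admit(*PRINTER)
    out["laptop_before_login"] = portal.admit(*LAPTOP)
    portal.login(*LAPTOP)
    out["laptop_after_login"] = portal.admit(*LAPTOP)
    # Same IP address, but the frame now carries a different MAC.
    out["same_ip_other_mac"] = portal.admit(LAPTOP[0], "02:00:00:00:00:11")
    # One device behind a NAT router logs in; the portal sees only the router.
    portal.login(*NAT_ROUTER)
    # Any other device behind that router is indistinguishable from the first.
    out["second_device_behind_nat"] = portal.admit(*NAT_ROUTER)
    return out


def differing_outcomes():
    """Events whose allow/deny result changes when MAC filtering is disabled."""
    on, off = run_scenario(True), run_scenario(False)
    return [name for name in on if on[name][0] != off[name][0]]


if __name__ == "__main__":
    for mode in (True, False):
        print("MAC filtering", "on" if mode else "off")
        for name, (allowed, reason) in run_scenario(mode).items():
            print(f"  {name:26s} {'pass' if allowed else 'redirect':9s} {reason}")
    print("changed by the option:", differing_outcomes())
```

In the model the option changes only the "same IP, other MAC" case; devices behind a NAT router share one session in both modes, which is the charging-model concern raised in the question.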




RE: [pfSense Support] Captive portal locking up?

2008-12-10 Thread Atkins, Dwane P
Yes, that was the message I saw.  I am going to upgrade to 1.2.1 RC2.
This is what most are using now, correct?

Thank you

Dwane

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2008 8:06 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive portal locking up?

On Tue, Dec 2, 2008 at 3:27 PM, Atkins, Dwane P [EMAIL PROTECTED] wrote:
> We are currently using 1.2 RC1 on a Dell Power Edge R200 and 1.2 Release on
> a Dell Power Edge 860.
>
> In the last couple of weeks, the devices has stopped working for those who
> are NOT already connected.  If you are connected, you maintain the
> capability to gain access.  Each time I have gone to the device, we receive
> and error message:
>
> IPFW2; Ipv6- unknown extension number (5), ext-hd eq 2

You sure that's the exact message? That would make you the only person
to ever get that message on FreeBSD or pfSense - google doesn't know
about it.

Any other potentially relevant messages in your logs?

For lack of any better ideas, I would try upgrading one to 1.2.1 to
see if that makes any difference. Might be some kind of odd ipfw issue
that doesn't exist in FreeBSD 7.0.

-



Re: [pfSense Support] Captive portal locking up?

2008-12-08 Thread Chris Buechler
On Tue, Dec 2, 2008 at 3:27 PM, Atkins, Dwane P [EMAIL PROTECTED] wrote:
> We are currently using 1.2 RC1 on a Dell Power Edge R200 and 1.2 Release on
> a Dell Power Edge 860.
>
> In the last couple of weeks, the devices has stopped working for those who
> are NOT already connected.  If you are connected, you maintain the
> capability to gain access.  Each time I have gone to the device, we receive
> and error message:
>
> IPFW2; Ipv6- unknown extension number (5), ext-hd eq 2

You sure that's the exact message? That would make you the only person
to ever get that message on FreeBSD or pfSense - google doesn't know
about it.

Any other potentially relevant messages in your logs?

For lack of any better ideas, I would try upgrading one to 1.2.1 to
see if that makes any difference. Might be some kind of odd ipfw issue
that doesn't exist in FreeBSD 7.0.




[pfSense Support] captive portal ldap

2008-11-23 Thread Mikel Jimenez Fernandez
Hello
Is it possible to configure captive portal with ldap authentication?

I have a linksys wrtg54 in my LAN, acting as AP. Is it possible to 
configure this AP (with the default firmware or DD-wrt/openwrt) to 
authenticate to captive portal of pfsense?


Thanks


[pfSense Support] Captive portal questions

2008-11-06 Thread DLStrout
I've been running CP on a 1.2 install for about 6
months now and we now are noticing that there is
no authentication happening.

Things we've tried:

- Moving the CP to another interface (ie WLAN (WAP
  connected ethernet)).
- Starting and restarting the CP service (fails
  the webConfigurator when we restart CP service).
- tail the /var/log/lighttpd.error.log (here is
  what we are seeing when a client hits the CP ...

2008-11-06 21:44:02: (connections.c.279) SSL: 1 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2008-11-06 21:44:02: (connections.c.279) SSL: 1 error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Any ideas on how to revive the CP functionality
are greatly appreciated

--
David L. Strout
Engineering Systems Plus, LLC







[pfSense Support] Captive Portal enabling Ethernet Port Traffic

2008-09-11 Thread Chris Flugstad
So I have a need that I'm not sure if Pfsense is currently doing.  I 
want to have a captive portal, but once auth'd that the ethernet port 
that was used to go through the captive portal, be enabled.  well i 
guess it would already be enabled, since it got through, but more or 
less that the port had full access.  Each port will go to different 
rooms in a hotel.


Any ideas would be appreciated.

-Topher




RE: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

2008-09-11 Thread Dimitri Rodis
If you want to authenticate machines connecting to switch ports, install the 
FreeRADIUS package. I added some interface options to the package earlier this 
year that should allow you to use it for mac-based authentication and vlan 
assignment for switches that support it. I use it in a couple different places 
and it works quite well for us.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Tim Nelson [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2008 3:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

If you want per port (on your switch) based authentication, you may want to 
look at 802.1x with RADIUS. If you'd like to do per IP authentication, 
pfSense will work nicely.

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

- Chris Flugstad [EMAIL PROTECTED] wrote:

> So I have a need that I'm not sure if Pfsense is currently doing.  I
> want to have a captive portal, but once auth'd that the ethernet port
> that was used to go through the captive portal, be enabled.  well i
> guess it would already be enabled, since it got through, but more or
> less that the port had full access.  Each port will go to different
> rooms in a hotel.
>
> Any ideas would be appreciated.
>
> -Topher




Re: [pfSense Support] Captive Portal

2008-03-22 Thread Chris Buechler

Dimitri Rodis wrote:

> If I wanted to display a user's IP address AND MAC address on the 
> captive portal page, does anyone have a code snippet that would do 
> that on the pfSense captive portal page? Is this possible?




I suggest opening a feature request ticket on cvstrac.pfsense.org, 
and/or starting a bounty. Somebody would probably be willing to pick 
this up for relatively cheap.






RE: [pfSense Support] Captive Portal

2008-03-22 Thread Dimitri Rodis
If I made the modifications to display the mac/client IP on the
default captive portal page, would you commit it and make it the
default captive portal page? I would just throw a couple of lines right
beneath the login button that say: 
Client MAC: xx:xx:xx:xx:xx:xx
Client IP: xxx.xxx.xxx.xxx

Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 22, 2008 6:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Dimitri Rodis wrote:

> If I wanted to display a user's IP address AND MAC address on the 
> captive portal page, does anyone have a code snippet that would do 
> that on the pfSense captive portal page? Is this possible?


I suggest opening a feature request ticket on cvstrac.pfsense.org, 
and/or starting a bounty. Somebody would probably be willing to pick 
this up for relatively cheap.





[pfSense Support] Captive Portal

2008-03-21 Thread Dimitri Rodis
If I wanted to display a user's IP address AND MAC address on the
captive portal page, does anyone have a code snippet that would do that
on the pfSense captive portal page? Is this possible?

 

Basically, I want to make it really easy for someone to call us and have
us provision them for access, and if I am able to display that
information on the Captive Portal, I can just have them read it to me as
opposed to trying to step them through all of the hoops to get the mac
address.

 

Thanks,

 

Dimitri Rodis

Integrita Systems LLC 



[pfSense Support] Captive Portal question

2008-02-25 Thread Ugo Bellavance

Hi,

	A question about the captive portal.  I'm looking for a way to disallow 
concurrent user logins.  However, most customers will use MAC address 
for authentication, so if I disallow concurrent user logins, they can 
still access the 'net from the MAC address and give their 
username/password to their neighbor.  Is there a way to prevent that 
apart from using MAC auth for everyone?


Thanks,

Ugo





[pfSense Support] captive portal with cookie

2008-02-05 Thread Ugo Bellavance

Hi,

	I've seen that microtik has an option of using cookies to authenticate 
users (captive portal).  Is there something similar in pfsense?  I'm 
thinking about using the captive portal for auth of subscribers to a 
WiFi service, but I'd rather not have them enter their credentials 
every time they close their browser.  Is it possible?


Regards,

Ugo





[pfSense Support] Captive Portal trouble

2008-01-20 Thread Yannick Fauconnier
Hi all,

I'm using now pfsense for a few months (old user of monowall) and I wanted 
today to activate captive portal.

So I'm using pfsense 1.2 - RC3 with squid, bandwidthd, ntop, and all the other 
usual ones :p

Problem I got, when wanted to activate captive portal, and seems doesn't work 
at all. Traffic always going fine without any requirement for authentication.

Thought maybe transparent proxy would cause that so disabled the transparent 
proxy and still the same thing :s

Config is as followed :
<captiveportal>
  <element>
    <name>captiveportal-pirate.swf</name>
    <size>141920</size>
    <content> </content>
  </element>
  <interface>lan</interface>
  <maxproc></maxproc>
  <timeout/>
  <idletimeout>30</idletimeout>
  <auth_method>local</auth_method>
  <reauthenticateacct/>
  <httpsname/>
  <bwdefaultdn></bwdefaultdn>
  <bwdefaultup></bwdefaultup>
  <certificate/>
  <private-key/>
  <redirurl/>
  <radiusip>192.168.200.252</radiusip>
  <radiusip2/>
  <radiusport/>
  <radiusport2/>
  <radiusacctport/>
  <radiuskey>pass</radiuskey>
  <radiuskey2/>
  <radiusvendor>default</radiusvendor>
  <enable/>
  <page>
    <htmltext> </htmltext>
  </page>
</captiveportal>

Any idea why ?

Regards




Re: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Curtis LaMasters
Try clearing your state table and seeing if that fixes the issue.

Curtis


RE: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Yannick Fauconnier
Just tried, and no changes :(

Yannick

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 20, 2008 23:47
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal trouble

Try clearing your state table and seeing if that fixes the issue.

Curtis


Re: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Curtis LaMasters
Did you already try disabling your transparent proxy?  What are you using
for your captive portal login page?

Curtis


RE: [pfSense Support] Captive Portal trouble

2008-01-20 Thread Yannick Fauconnier
Already tried to disable transparent proxy, change the interface of the proxy 
from lan to wan but didn't help.

As authentication page, I just created a blank html page where I copy/pasted the 
form :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
Private Room
<form method="post" action="$PORTAL_ACTION$">
   <p>
 <input name="auth_user" type="text">
 <input name="auth_pass" type="password">
 <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
 <input name="accept" type="submit" value="Continue">
   </p>
</form>
</body>
</html>

Regards

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 2:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal trouble

Did you already try disabling your transparent proxy?  What are you using for 
your captive portal login page?

Curtis


Re: [pfSense Support] Captive Portal Design documents

2007-10-01 Thread cassio lima
better solution monowall

On 10/1/07, Dziuk, Fred J [EMAIL PROTECTED] wrote:

> Our campus is using PfSense to control wireless access to our network via
> the Captive Portal and becoming very reliant on its operation.  I do not
> want to necessarily become a developer to have technical troubleshooting
> skills.  But I would like to have a document that describes the basics of
> the Captive Portal operations and was hoping for some links to some detailed
> design/operational documents other than source code.  Questions I have:
>
> 1.   How does the CP determine if a user needs to be authenticated?
>
> 2.   Once authenticated, where is the user information kept?
>
> 3.   I can issue PF and IPFW commands in the shell – Are both used in
> CP?
>
> 4.   We have some users that some how disappear from the CP user list,
> but can still get through to the WAN.  How do I debug this?
>
> 5.   Seems like there are extra entries in the firewall ruleset that
> keep accumulating and never get removed.  How do I clean this up?
>
> I have put out a few questions/problems to this list and have not
> received a single response.  We are establishing an account for the
> commercial support, but we would like to have some local expertise.  Thanks
> for any insight in the Captive Portal's operation.
>
> Fred Dziuk
>
> The Univ. of Texas Health Science Center at San Antonio
>
> Systems and Network Operations
>
> 210-567-2117



Re: [pfSense Support] Captive Portal Design documents

2007-10-01 Thread Scott Ullrich
On 10/1/07, cassio lima [EMAIL PROTECTED] wrote:
> better solution monowall

Please stop trolling.

Scott




[pfSense Support] Captive portal and CARP

2007-08-15 Thread Jan Zorz

Hi gang.

I have two pfsense firewalls, fw1 and fw2, 10 VLAN interfaces and CARP 
addresses in between. Everything works fine, until I enable Captive 
portal on one of interfaces.
First sign of trouble is, that all CARP interfaces on primary fw (fw1) 
goes to backup mode and fw2 becomes master. Then, if I disable CARP on 
fw2, fw1 goes to master mode (all interfaces). When I re-enable CARP on 
secondary firewall, all CARP interfaces goes to backup, except the 
interface, where Captive portal is enabled on fw1. This interface is 
suddenly in master mode on both firewalls.


I entered IP of that interface on fw2 into Captive portal Allowed IP 
addresses, added MAC of that interface into Passthrough MAC in 
Captive portal configuration, I added allow any-any rule on that 
interface on fw1, but no luck.


Any idea? My first thought is that CARP packets gets blocked on fw1, but 
no quick idea why...


And, if even this starts to work, what would happen if fw1 dies and CARP 
on fw2 takes over? Is there any possibility to have synchronized 
Captive portal on both fw's?


Thank you, Jan Zorz.




[pfSense Support] Captive Portal status does not list USERNAME

2007-08-08 Thread Dziuk, Fred J
  We are using pfSense on our campus and it initially seems like a nice
upgrade to m0n0wall.  However, on the Status - Captive Portal page,
m0n0wall would list the logged in USERNAME, Traffic IN, and Traffic
OUT.  PfSense shows only IP address, MAC address, and Session Start
Time.  The USERNAME field associated with the IP address is very
important to us because with the username we can tie the IP address to a
user with email and phone number.  Is there a way to view the active
users with IP address and username?  I have checked the documentation
(mostly m0n0wall) and there seems to be a difference on this one page
display for some reason.

 

Fred Dziuk

Univ. of Texas Health Science Center at San Antonio

 



[pfSense Support] Captive Portal kills my firewall rules

2007-07-20 Thread Nate Stiller

When I enable the Captive Portal on my LAN interface in either 1.2 BETA
version 1 or 2, it messes with my WAN firewall rules. When enabled, the only
rule that works is an allow in to pfSense's web admin from outside on HTTPS.
Anyone else experience this or know of any fixes?


Re: [pfSense Support] Captive Portal kills my firewall rules

2007-07-20 Thread Chris Buechler

Nate Stiller wrote:
> When I enable the Captive Portal on my LAN interface in either 1.2 
> BETA version 1 or 2, it messes with my WAN firewall rules. When 
> enabled, the only rule that works is an allow in to pfSense's web 
> admin from outside on HTTPS. Anyone else experience this or know of 
> any fixes?

You have to exempt any hosts with ports open to them from the WAN, as CP 
will block all reply traffic from those hosts otherwise.






Re: [pfSense Support] Captive Portal kills my firewall rules

2007-07-20 Thread Nate Stiller

I forgot to say that this happens even on the clients that I use the pass
through MAC filtering.


On 7/20/07, Chris Buechler [EMAIL PROTECTED] wrote:
>
> Nate Stiller wrote:
>> When I enable the Captive Portal on my LAN interface in either 1.2
>> BETA version 1 or 2, it messes with my WAN firewall rules. When
>> enabled, the only rule that works is an allow in to pfSense's web
>> admin from outside on HTTPS. Anyone else experience this or know of
>> any fixes?
>
> You have to exempt any hosts with ports open to them from the WAN, as CP
> will block all reply traffic from those hosts otherwise.






[pfSense Support] Captive portal 'file manager' files not visible

2007-06-25 Thread Roberto Greiner
I'm making a test with 1.2Beta1, and got a problem with the captive
portal. I added two files in the file manager section with the name
starting with 'captiveportal-', and added references to those two files
(one a .gif image named captiveportal-semfio_logo.gif, the other an
.html iframe file named captiveportal-noticias.html) in the 'Portal page
contents' file. It's exactly the same structure I used in the 1.0
pfSense and it worked. But with 1.2B1 I'm getting a 404 error for both
files when a client opens the captive portal screen. Did somebody else
get such a problem?

Any help is welcome.

Thank you,

Marcos Roberto Greiner


-- 
  -
Marcos Roberto Greiner

   Optimists think we are in the best of all worlds
Pessimists fear that this is true
   Murphy
  -




Re: [pfSense Support] Captive portal 'file manager' files not visible

2007-06-25 Thread Scott Ullrich

Upgrade to a recent testing snapshot.  This has been fixed since Beta1.

Scott


On 6/25/07, Roberto Greiner [EMAIL PROTECTED] wrote:

I'm making a test with 1.2Beta1, and got a problem with the captive
portal. I added two files in the file manager section with the name
starting with 'captiveportal-', and added references to those two files
(one a .gif image named captiveportal-semfio_logo.gif, the other an
.html iframe file named captiveportal-noticias.html) in the 'Portal page
contents' file. It's exactly the same structure I used in the 1.0
pfSense and it worked. But with 1.2B1 I'm getting a 404 error for both
files when a client opens the captive portal screen. Did somebody else
get such a problem?

Any help is welcome.

Thank you,

Marcos Roberto Greiner


--
  -
Marcos Roberto Greiner

   Optimists think we are in the best of all worlds
Pessimists fear that this is true
   Murphy
  -




[pfSense Support] Captive Portal MAC Passthru

2007-06-16 Thread Fuchs, Martin
Hi !
Anyone out there using Captive Portal with passthru MAC ?

Because it just does not work for me... when adding a MAC address it seems as if it 
would be ignored.
When adding the IP it works again.
There does not come up any website asking for username and password... do I 
have to add some rule from WLAN subnet towards pfsense or else ?
Is there anyone successfully using MAC-Filtering ?

I'm running the latest snapshot (6-6) and there's nothing in the logs...

Any hints ?

Greetings,

Martin

-Original Message-
From: Heiko Garbe [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 17 June 2007 00:04
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?

That's not a multicast problem btw.

Take a look at the attachment-screenshot, where is the udp port number 500 for 
the vpn vector or any other port??

Greetings
heiko

Adam Armstrong wrote:
 224.0.0.2 is the all routers multicast address, and any traffic to 
 it is probably router discovery or something similar.

 adam.
 That looks more like a protocol decode issue to me.  224.0.0.2 is a 
 multicast address, I wouldn't be surprised if that really wasn't UDP.
 Can you show an example of a TCP log entry w/out ports, or something 
 to a non-multicast address?  Thanks

 --Bill

 On 6/16/07, Heiko Garbe [EMAIL PROTECTED] wrote:
 Hello,
 here is a screenshot. I think he means the firewall logs in the gui
 Greetings
 heiko

 Chris Buechler wrote:
  On Fri, 2007-06-15 at 18:01 +0200, Fuchs, Martin wrote:
 
  Hi !
 
  In the firewall logs always was shown blocked traffic with the 
  ports that were used...
 
  Now with the 6-6 snapshot it does not display the ports anymore
 ... !?
 
  It's a little confusing and seems to be a bit silly / senseless
 not to
  display the ports !?
 
 
 
  Can you post a screenshot? Not sure exactly what you mean, I 
  haven't seen or heard of any issues.
 
 
 



[pfSense Support] Captive Portal ?

2007-05-18 Thread David Strout
Now that I plowed through the VLAN issue.  I have
been presented with another config question.

Is there any way to have captive portal active on
multiple interfaces?

I dug through the mail lists and the forum, but it
seems that the answer is a resounding no.  So
naturally the next question is ... is there any
plan to modify the captive portal to address
multiple interfaces?  I am sure it would be a
coding nightmare, but in retrospect, have been
presented with the question and seeing the value
in their request, it sure would be a nice feature
for a future release.

--
David L. Strout
Engineering Systems Plus, LLC







Re: [pfSense Support] Captive Portal ?

2007-05-18 Thread Scott Ullrich

On 5/18/07, David Strout [EMAIL PROTECTED] wrote:

Now that I plowed through the VLAN issue.  I have
been presented with another config question.

Is there any way to have captive portal active on
multiple interfaces?

I dug through the mail lists and the forum, but it
seems that the answer is a resounding no.  So
naturally the next question is ... is there any
plan to modify the captive portal to address
multiple interfaces?  I am sure it would be a
coding nightmare, but in retrospect, have been
presented with the question and seeing the value
in their request, it sure would be a nice feature
for a future release.


No it will not work on multiple interfaces and there are no plans to
work on this.

Scott




[pfSense Support] Captive portal sugesstion

2007-05-03 Thread Mohd Saidy

Hi,

1. Congratulations to the developers that will release a new version of pfsense. 
Nice job guys!
2. I'm using captive portal to authenticate my wireless users (right now I 
have about 700 users with approximately 100 concurrent users), but when I 
want to add a user it takes some memory and time to read all existing users. My 
suggestion: why not split or group all users by 10 or 20 users per page. For 
example as below;



Users
1. abc1
2. abc2
3. abc3
4. abc4
5. abc5
6. abc6
7. abc7
8. abc8
9. abc9
10. abc10

 1 2 3 4 5 6 7 8 9 10 


Thank you 







Re: [pfSense Support] Captive portal sugesstion

2007-05-03 Thread Scott Ullrich

On 5/3/07, Mohd Saidy [EMAIL PROTECTED] wrote:

Hi,

1. Congratulations to the developers that will release a new version of pfsense.
Nice job guys!
2. I'm using captive portal to authenticate my wireless users (right now I
have about 700 users with approximately 100 concurrent users), but when I
want to add a user it takes some memory and time to read all existing users. My
suggestion: why not split or group all users by 10 or 20 users per page. For
example as below;


Users
1. abc1
2. abc2
3. abc3
4. abc4
5. abc5
6. abc6
7. abc7
8. abc8
9. abc9
10. abc10

 1 2 3 4 5 6 7 8 9 10 


Thank you


Thanks for the suggestion!  However we do not maintain the captive
portal implementation.   Maybe you could email the m0n0wall list with
your suggestion.

However, we are not against a bounty in our forum to help nudge this
along from our end.

Scott




Re: [pfSense Support] captive portal apply button

2007-03-19 Thread Scott Ullrich

On 3/18/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi !

I think it might be an error in captive portal:

When changing some entry and then save them, there appear two apply
buttons:

http://pfsense.trendchiller.com/pics/cp_apply_error.jpg


Thanks, fixed!

Scott




AW: [pfSense Support] Captive Portal

2007-03-06 Thread Fuchs, Martin
Until now its behaviour did not change ...

Using:
1.0.1-SNAPSHOT-02-27-2007
built on Tue Mar 6 09:35:38 EST 2007

# ipfw show
00030 22320  9418077 skipto 5 ip from any to any in via fxp0 keep-state
00030  4883  2515916 skipto 5 ip from any to any in via fxp2 keep-state
00030 00 skipto 5 ip from any to any in via fxp1 keep-state
00030 00 skipto 5 ip from any to any in via fxp3 keep-state
00050 4  524 skipto 29900 ip from any to any MAC 00:0e:35:6c:bf:d7 any 
keep-state
00050 00 skipto 29900 ip from any to any MAC any 00:0e:35:6c:bf:d7 
keep-state
00050 00 skipto 29900 ip from any to any MAC 00:14:6c:6c:f4:58 any 
keep-state
00050 00 skipto 29900 ip from any to any MAC any 00:14:6c:6c:f4:58 
keep-state
00050 00 skipto 29900 ip from any to any MAC 00:18:de:a0:f7:2e any 
keep-state
00050 00 skipto 29900 ip from any to any MAC any 00:18:de:a0:f7:2e 
keep-state
00050 00 skipto 29900 ip from any to any MAC 00:80:5a:35:4f:7b any 
keep-state
00050 00 skipto 29900 ip from any to any MAC any 00:80:5a:35:4f:7b 
keep-state
01000 16617  3892662 skipto 5 ip from any to any not layer2 not via ath0
01001  8152  1184059 allow ip from any to any layer2 not via ath0
0110014  392 allow ip from any to any layer2 mac-type 0x0806
01100 8  934 allow ip from any to any layer2 mac-type 0x888e
01100 00 allow ip from any to any layer2 mac-type 0x88c7
01100 00 allow ip from any to any layer2 mac-type 0x8863
01100 00 allow ip from any to any layer2 mac-type 0x8864
01100 00 allow ip from any to any layer2 mac-type 0x8863
01100 00 allow ip from any to any layer2 mac-type 0x8864
01100 00 allow ip from any to any layer2 mac-type 0x888e
01101 16 deny ip from any to any layer2 not mac-type 0x0800
01102   39553712 skipto 2 ip from any to any layer2
01200 2  682 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201 00 allow udp from any 68 to 10.100.101.1 dst-port 67 in
01202 00 allow udp from 10.100.101.1 67 to any dst-port 68 out
01203 00 allow icmp from 10.100.101.1 to any out icmptypes 8
01204 00 allow icmp from any to 10.100.101.1 in icmptypes 0
01300 00 allow udp from any to 10.100.101.1 dst-port 53 in
01301 00 allow udp from 10.100.101.1 53 to any out
01302 00 allow tcp from any to 10.100.101.1 dst-port 8000 in
01303 00 allow tcp from 10.100.101.1 8000 to any out
19902 00 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 00 allow tcp from any 80 to any out
19904   39152372 deny ip from any to any
29900   39954236 allow ip from any to any layer2
65535 43828 15827315 allow ip from any to any

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 6 March 2007 01:17
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

I found a potential issue.  Please test a snapshot around two hours from now.

Scott

On 3/5/07, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
  Hi, Scott !
 
  Fresh install shows the following, but does not work also :-(
 [snip]
  01100 0   0 allow ip from any to any layer2 mac-type 0x888e

 I don't see the traffic counter increasing on this test.  Did you
 actually test login again?  The prior output shows the counter at 4.

 Scott





AW: [pfSense Support] Captive Portal

2007-03-05 Thread Fuchs, Martin
What should it read on the fresh install ?
It's a productive system... it's hard to reinstall in between...

On the non-working-system it reads:

# ipfw show
00030 147403 130387849 skipto 5 ip from any to any in via fxp0 keep-state
00030  43395  63498221 skipto 5 ip from any to any in via fxp2 keep-state
00030  0 0 skipto 5 ip from any to any in via fxp1 keep-state
00030  0 0 skipto 5 ip from any to any in via fxp3 keep-state
00050  0 0 skipto 29900 ip from any to any MAC 00:0e:35:6c:bf:d8 
any keep-state
00050  0 0 skipto 29900 ip from any to any MAC any 
00:0e:35:6c:bf:d8 keep-state
00050  0 0 skipto 29900 ip from any to any MAC 00:14:6c:6c:f4:58 
any keep-state
00050  0 0 skipto 29900 ip from any to any MAC any 
00:14:6c:6c:f4:58 keep-state
00050  0 0 skipto 29900 ip from any to any MAC 00:18:de:a0:f7:2e 
any keep-state
00050  0 0 skipto 29900 ip from any to any MAC any 
00:18:de:a0:f7:2e keep-state
00050  0 0 skipto 29900 ip from any to any MAC 00:80:5a:35:4f:7b 
any keep-state
00050  0 0 skipto 29900 ip from any to any MAC any 
00:80:5a:35:4f:7b keep-state
01000  76193  64802776 skipto 5 ip from any to any not layer2 not via ath0
01001  32161   1841212 allow ip from any to any layer2 not via ath0
01100  0 0 allow ip from any to any layer2 mac-type 0x0806
01100  4   460 allow ip from any to any layer2 mac-type 0x888e
01100  0 0 allow ip from any to any layer2 mac-type 0x8863
01100  0 0 allow ip from any to any layer2 mac-type 0x8864
01100  0 0 allow ip from any to any layer2 mac-type 0x8863
01100  0 0 allow ip from any to any layer2 mac-type 0x8864
01100  0 0 allow ip from any to any layer2 mac-type 0x888e
01101  0 0 deny ip from any to any layer2 not mac-type 0x0800
01102103  6114 skipto 2 ip from any to any layer2
01200  0 0 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201  0 0 allow udp from any 68 to 10.100.101.1 dst-port 67 in
01202  0 0 allow udp from 10.100.101.1 67 to any dst-port 68 out
01203  0 0 allow icmp from 10.100.101.1 to any out icmptypes 8
01204  0 0 allow icmp from any to 10.100.101.1 in icmptypes 0
01300  0 0 allow udp from any to 10.100.101.1 dst-port 53 in
01301  0 0 allow udp from 10.100.101.1 53 to any out
01302 29  1655 allow tcp from any to 10.100.101.1 dst-port 8000 in
01303 23   976 allow tcp from 10.100.101.1 8000 to any out
19902  0 0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903  0 0 allow tcp from any 80 to any out
19904 51  3483 deny ip from any to any
29900382 54201 allow ip from any to any layer2
65535 267263 258737393 allow ip from any to any

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 4 March 2007 19:06
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Also, please install a working version and from the shell do a:

ipfw show

Then reinstall the non working version and from a shell do:

ipfw show

Scott


On 3/4/07, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 3/4/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
  Hmmm, tried the latest snapshot... wpa2 does not seem to work with the 
  captive portal until now... site cannot be found... :(

 Reinstall?   The options are definitely back.

 # pfsense requires for WPA
 add 1100 set 1 pass layer2 mac-type 0x888e

 Scott





Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

What should it read on the fresh install ?
It's a productive system... it's hard to reinstall in between...


Right, but it must work, correct? :)   If you could get a reading from
a box that works, it would be most helpful.

Scott




AW: [pfSense Support] Captive Portal

2007-03-05 Thread Fuchs, Martin
I'll try to get a fresh install on the same system as soon as possible...


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 What should it read on the fresh install ?
 It's a productive system... it's hard to reinstall in between...

Right, but it must work, correct? :)   If you could get a reading from
a box that works, it would be most helpful.

Scott




AW: [pfSense Support] Captive Portal

2007-03-05 Thread Fuchs, Martin
Hi, Scott !

Fresh install shows the following, but does not work also :-(

00030  7882 4784874 skipto 5 ip from any to any in via fxp0 keep-state
00030  1445 1633539 skipto 5 ip from any to any in via fxp2 keep-state
00030 0   0 skipto 5 ip from any to any in via fxp1 keep-state
00030 0   0 skipto 5 ip from any to any in via fxp3 keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:0e:35:6c:bf:d7 any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:0e:35:6c:bf:d7 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:14:6c:6c:f4:58 any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:14:6c:6c:f4:58 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:18:de:a0:f7:2e any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:18:de:a0:f7:2e 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:80:5a:35:4f:7b any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:80:5a:35:4f:7b 
keep-state
01000  4528 1890097 skipto 5 ip from any to any not layer2 not via ath0
01001  2595  246062 allow ip from any to any layer2 not via ath0
01100 0   0 allow ip from any to any layer2 mac-type 0x0806
01100 0   0 allow ip from any to any layer2 mac-type 0x888e
01100 0   0 allow ip from any to any layer2 mac-type 0x8863
01100 0   0 allow ip from any to any layer2 mac-type 0x8864
01100 0   0 allow ip from any to any layer2 mac-type 0x8863
01100 0   0 allow ip from any to any layer2 mac-type 0x8864
01100 0   0 allow ip from any to any layer2 mac-type 0x888e
01101 0   0 deny ip from any to any layer2 not mac-type 0x0800
01102 0   0 skipto 2 ip from any to any layer2
01200 0   0 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201 0   0 allow udp from any 68 to 10.100.101.1 dst-port 67 in
01202 0   0 allow udp from 10.100.101.1 67 to any dst-port 68 out
01203 0   0 allow icmp from 10.100.101.1 to any out icmptypes 8
01204 0   0 allow icmp from any to 10.100.101.1 in icmptypes 0
01300 0   0 allow udp from any to 10.100.101.1 dst-port 53 in
01301 0   0 allow udp from 10.100.101.1 53 to any out
01302 0   0 allow tcp from any to 10.100.101.1 dst-port 8000 in
01303 0   0 allow tcp from 10.100.101.1 8000 to any out
19902 0   0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 0   0 allow tcp from any 80 to any out
19904 0   0 deny ip from any to any
29900 0   0 allow ip from any to any layer2
65535 13855 8308510 allow ip from any to any

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 21:00
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

I'll try to get a fresh install on the same system as soon as possible...


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 What should it read on the fresh install ?
 It's a productive system... it's hard to reinstall in between...

Right, but it must work, correct? :)   If you could get a reading from
a box that works, it would be most helpful.

Scott




AW: [pfSense Support] Captive Portal

2007-03-05 Thread Fuchs, Martin
What really irritates me is the fact that the mac filtering in the captive 
portal works well with wpa_2.
Any coherence between mac and username auth ?

Any clues for that ?

Greets, Martin !

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 21:35
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Hi, Scott !

Fresh install shows the following, but does not work also :-(

00030  7882 4784874 skipto 5 ip from any to any in via fxp0 keep-state
00030  1445 1633539 skipto 5 ip from any to any in via fxp2 keep-state
00030 0   0 skipto 5 ip from any to any in via fxp1 keep-state
00030 0   0 skipto 5 ip from any to any in via fxp3 keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:0e:35:6c:bf:d7 any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:0e:35:6c:bf:d7 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:14:6c:6c:f4:58 any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:14:6c:6c:f4:58 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:18:de:a0:f7:2e any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:18:de:a0:f7:2e 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC 00:80:5a:35:4f:7b any 
keep-state
00050 0   0 skipto 29900 ip from any to any MAC any 00:80:5a:35:4f:7b 
keep-state
01000  4528 1890097 skipto 5 ip from any to any not layer2 not via ath0
01001  2595  246062 allow ip from any to any layer2 not via ath0
01100 0   0 allow ip from any to any layer2 mac-type 0x0806
01100 0   0 allow ip from any to any layer2 mac-type 0x888e
01100 0   0 allow ip from any to any layer2 mac-type 0x8863
01100 0   0 allow ip from any to any layer2 mac-type 0x8864
01100 0   0 allow ip from any to any layer2 mac-type 0x8863
01100 0   0 allow ip from any to any layer2 mac-type 0x8864
01100 0   0 allow ip from any to any layer2 mac-type 0x888e
01101 0   0 deny ip from any to any layer2 not mac-type 0x0800
01102 0   0 skipto 2 ip from any to any layer2
01200 0   0 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201 0   0 allow udp from any 68 to 10.100.101.1 dst-port 67 in
01202 0   0 allow udp from 10.100.101.1 67 to any dst-port 68 out
01203 0   0 allow icmp from 10.100.101.1 to any out icmptypes 8
01204 0   0 allow icmp from any to 10.100.101.1 in icmptypes 0
01300 0   0 allow udp from any to 10.100.101.1 dst-port 53 in
01301 0   0 allow udp from 10.100.101.1 53 to any out
01302 0   0 allow tcp from any to 10.100.101.1 dst-port 8000 in
01303 0   0 allow tcp from 10.100.101.1 8000 to any out
19902 0   0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19903 0   0 allow tcp from any 80 to any out
19904 0   0 deny ip from any to any
29900 0   0 allow ip from any to any layer2
65535 13855 8308510 allow ip from any to any

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 21:00
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

I'll try to get a fresh install on the same system as soon as possible...


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, 5 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 What should it read on the fresh install ?
 It's a productive system... it's hard to reinstall in between...

Right, but it must work, correct? :)   If you could get a reading from
a box that works, it would be most helpful.

Scott




Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi, Scott !

Fresh install shows the following, but does not work also :-(

[snip]

01100 0   0 allow ip from any to any layer2 mac-type 0x888e


I don't see the traffic counter increasing on this test.  Did you
actually test login again?  The prior output shows the counter at 4.

Scott
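
The diagnosis above rests on comparing per-rule counters between two `ipfw show` captures. The following is an added example, not code from this thread or from pfSense, that automates the comparison; both captures are constructed (values modelled on the output posted in the thread) and the function names are hypothetical.

```python
import re
from collections import Counter

# `ipfw show` prints: rule number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S.*)$")

# Constructed captures (not copied from the thread): the first taken before a
# login attempt, the second after it. One long rule is wrapped the way a mail
# client wraps it.
BEFORE = """\
# ipfw show
00050 0 0 skipto 29900 ip from any to any MAC 02:00:00:00:00:01 any
keep-state
01100 0 0 allow ip from any to any layer2 mac-type 0x0806
01100 0 0 allow ip from any to any layer2 mac-type 0x888e
01100 0 0 allow ip from any to any layer2 mac-type 0x888e
01302 0 0 allow tcp from any to 10.100.101.1 dst-port 8000 in
19902 0 0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19904 0 0 deny ip from any to any
"""

AFTER = """\
# ipfw show
00050 0 0 skipto 29900 ip from any to any MAC 02:00:00:00:00:01 any
keep-state
01100 14 392 allow ip from any to any layer2 mac-type 0x0806
01100 8 934 allow ip from any to any layer2 mac-type 0x888e
01100 0 0 allow ip from any to any layer2 mac-type 0x88c7
01100 0 0 allow ip from any to any layer2 mac-type 0x888e
01302 0 0 allow tcp from any to 10.100.101.1 dst-port 8000 in
19902 0 0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19904 39 2372 deny ip from any to any
"""


def parse_ipfw_show(text):
    """Return {(number, body, occurrence): (packets, bytes)}.

    Several rules can share one number (01100 above) and even one body, so
    the key carries the body and an occurrence index. A line that does not
    start with a rule number is the wrapped tail of the previous rule.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rows.append([m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)])
        elif rows:
            rows[-1][3] += " " + line
    seen = Counter()
    parsed = {}
    for number, packets, nbytes, body in rows:
        body = " ".join(body.split())
        parsed[(number, body, seen[(number, body)])] = (packets, nbytes)
        seen[(number, body)] += 1
    return parsed


def compare_captures(before_text, after_text):
    """List (key, packet_delta, status) for every rule in either capture."""
    before = parse_ipfw_show(before_text)
    after = parse_ipfw_show(after_text)
    report = []
    for key, (packets, _) in after.items():
        if key not in before:
            report.append((key, packets, "new"))
            continue
        delta = packets - before[key][0]
        status = "hit" if delta > 0 else "reset" if delta < 0 else "idle"
        report.append((key, delta, status))
    report += [(key, 0, "removed") for key in before if key not in after]
    return report


def status_of(report, number, needle, occurrence=0):
    """Look up one rule by number, a substring of its body, and occurrence."""
    for (num, body, occ), delta, status in report:
        if num == number and needle in body and occ == occurrence:
            return delta, status
    return None


if __name__ == "__main__":
    # 0x0806 is ARP, 0x888e is EAPOL (the 802.1X frames WPA key exchange uses).
    for (num, body, occ), delta, status in compare_captures(BEFORE, AFTER):
        print(f"{status:8} {delta:6d}  {num} {body}")
```

In the constructed data the ARP and EAPOL rules count packets while the portal rules 01302 and 19902 stay idle and the final deny grows, so the client associates but its HTTP traffic never reaches the portal on port 8000.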




Re: [pfSense Support] Captive Portal

2007-03-05 Thread Scott Ullrich

I found a potential issue.  Please test a snapshot around two hours from now.

Scott

On 3/5/07, Scott Ullrich [EMAIL PROTECTED] wrote:

On 3/5/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi, Scott !

 Fresh install shows the following, but does not work also :-(
[snip]
 01100 0   0 allow ip from any to any layer2 mac-type 0x888e

I don't see the traffic counter increasing on this test.  Did you
actually test login again?  The prior output shows the counter at 4.

Scott






AW: [pfSense Support] Captive Portal

2007-03-04 Thread Fuchs, Martin
Hmmm, tried the latest snapshot... wpa2 does not seem to work with the captive 
portal until now... site cannot be found... :(

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 21:39
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Just monitor the build dates. You need the next available build from now.

holger

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 21:29
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Well, yes, it's wpa-2 aes :-)

Best work !!!

I'll check it !!!

Just tell me when, else I'll test it in 2 hours :-)

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi !

 I'm trying to use captive portal on ath0 interface...

 WLAN-client gets dhcp-lease and everything but cannot connect to any
 network...

 If i add the mac-address to the captive portal it works without auth...

 But i want auth for this client, so i remove the mac... but there does
 not pop up any auth page...

 When adding tcp 8000 from wlan-subnet to localhost there still is no
 popup...

 When looking to pfsense/status.php it looks like the rule for captive
 portal is generated without the rule having added by hand (so as it
 should be in the new version)

 Can anyone affirm this or is there just something i have overseen ?

 Greets, Martin !

If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




Re: [pfSense Support] Captive Portal

2007-03-04 Thread Scott Ullrich

On 3/4/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hmmm, tried the latest snapshot... wpa2 does not seem to work with the captive 
portal until now... site cannot be found... :(


Reinstall?   The options are definitely back.

# pfsense requires for WPA
add 1100 set 1 pass layer2 mac-type 0x888e

Scott




Re: [pfSense Support] Captive Portal

2007-03-04 Thread Scott Ullrich

Also, please install a working version and from the shell do a:

ipfw show

Then reinstall the non working version and from a shell do:

ipfw show

Scott


On 3/4/07, Scott Ullrich [EMAIL PROTECTED] wrote:

On 3/4/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hmmm, tried the latest snapshot... wpa2 does not seem to work with the 
captive portal until now... site cannot be found... :(

Reinstall?   The options are definitely back.

# pfsense requires for WPA
add 1100 set 1 pass layer2 mac-type 0x888e

Scott






[pfSense Support] Captive Portal

2007-03-03 Thread Fuchs, Martin
Hi !

I'm trying to use captive portal on ath0 interface...

WLAN-client gets dhcp-lease and everything but cannot connect to any
network...

If i add the mac-address to the captive portal it works without auth...

But i want auth for this client, so i remove the mac... but there does
not pop up any auth page...

When adding tcp 8000 from wlan-subnet to localhost there still is no
popup...

When looking to pfsense/status.php it looks like the rule for captive
portal is generated without the rule having added by hand (so as it
should be in the new version)

Can anyone affirm this or is there just something i have overseen ?

Greets, Martin !




Re: [pfSense Support] Captive Portal

2007-03-03 Thread Scott Ullrich

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi !

I'm trying to use captive portal on ath0 interface...

WLAN-client gets dhcp-lease and everything but cannot connect to any
network...

If i add the mac-address to the captive portal it works without auth...

But i want auth for this client, so i remove the mac... but there does
not pop up any auth page...

When adding tcp 8000 from wlan-subnet to localhost there still is no
popup...

When looking to pfsense/status.php it looks like the rule for captive
portal is generated without the rule having added by hand (so as it
should be in the new version)

Can anyone affirm this or is there just something i have overseen ?

Greets, Martin !


If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




AW: [pfSense Support] Captive Portal

2007-03-03 Thread Fuchs, Martin
Well, yes, it's wpa-2 aes :-)

Best work !!!

I'll check it !!!

Just tell me when, else I'll test it in 2 hours :-)

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi !

 I'm trying to use captive portal on ath0 interface...

 WLAN-client gets dhcp-lease and everything but cannot connect to any
 network...

 If i add the mac-address to the captive portal it works without auth...

 But i want auth for this client, so i remove the mac... but there does
 not pop up any auth page...

 When adding tcp 8000 from wlan-subnet to localhost there still is no
 popup...

 When looking to pfsense/status.php it looks like the rule for captive
 portal is generated without the rule having added by hand (so as it
 should be in the new version)

 Can anyone affirm this or is there just something i have overseen ?

 Greets, Martin !

If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




AW: [pfSense Support] Captive Portal

2007-03-03 Thread Holger Bauer
Just monitor the build dates. You need the next available build from now.

holger

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 21:29
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Well, yes, it's wpa-2 aes :-)

Best work !!!

I'll check it !!!

Just tell me when, else I'll test it in 2 hours :-)

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi !

 I'm trying to use captive portal on ath0 interface...

 WLAN-client gets dhcp-lease and everything but cannot connect to any
 network...

 If i add the mac-address to the captive portal it works without auth...

 But i want auth for this client, so i remove the mac... but there does
 not pop up any auth page...

 When adding tcp 8000 from wlan-subnet to localhost there still is no
 popup...

 When looking to pfsense/status.php it looks like the rule for captive
 portal is generated without the rule having added by hand (so as it
 should be in the new version)

 Can anyone affirm this or is there just something i have overseen ?

 Greets, Martin !

If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




AW: [pfSense Support] Captive Portal

2007-03-03 Thread Fuchs, Martin
Just started monitoring :-)

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 21:39
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Just monitor the build dates. You need the next available build from now.

holger

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 21:29
To: support@pfsense.com
Subject: AW: [pfSense Support] Captive Portal

Well, yes, it's wpa-2 aes :-)

Best work !!!

I'll check it !!!

Just tell me when, else I'll test it in 2 hours :-)

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 March 2007 20:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

On 3/3/07, Fuchs, Martin [EMAIL PROTECTED] wrote:
 Hi !

 I'm trying to use captive portal on ath0 interface...

 WLAN-client gets dhcp-lease and everything but cannot connect to any
 network...

 If I add the mac-address to the captive portal it works without auth...

 But I want auth for this client, so I remove the mac... but there does
 not pop up any auth page...

 When adding tcp 8000 from wlan-subnet to localhost there still is no
 popup...

 When looking to pfsense/status.php it looks like the rule for captive
 portal is generated without the rule having been added by hand (so as it
 should be in the new version)

 Can anyone affirm this or is there just something I have overseen?

 Greets, Martin !

If you are speaking of WPA then I just fixed that.   Please test a new
snapshot in a couple of hours.

Scott




[pfSense Support] Captive Portal and DNS

2007-03-03 Thread Kelvin Chiang
Hi, does anyone have any information on how to pass DNS request packets
through the captive portal? The problem I faced was that computers configured
with a DNS server IP address, instead of obtaining the DNS server IP
dynamically, cannot invoke the captive portal.
 
Regards,
Kelvin

