On Monday 21 February 2005 2:52 am, Quark IT - Hilton Travis wrote:
> Hi All,
> OK. So I have now configured Captive Portal for the users on that
> network. Works fine as far as captive portal issues go - all blocked
> until they agree, and I can configure certain users to bypass the
> captive portal. Nice.
> Unfortunately, this doesn't address my first concern - the ability to
> block certain (or all unspecified) MAC addresses from gaining access to
> the Internet.
Actually, it should. That's what the captive portal does. I don't understand
what you mean here.
> Unfortunately, it also doesn't address my second concern - the ability
> to have the MAC addresses in a list and be able to turn them on/off with
> a checkbox. Even in Captive Portal when a MAC is deleted from the
> "Pass-through MAC" area, it is deleted, not just disabled.
Fair enough. That would be a nice feature.
> So, what I'd like to see for the Captive Portal section is the
> 1. The ability to just disable a particular MAC/IP from being on the
> "Pass-Thru" or "Block" list, not having to delete it totally - somewhat
> like in the Firewall Rules section where a rule can be configured but
> 2. The ability to block a particular MAC address in a similar way to
> "Pass-through MAC", but called something like "Blocked MAC".
> 3. Same goes with IP address as well as MAC address.
> 4. What would be really nice is a checkbox in the "Blocked" sections for
> "Block all MACs/IPs not listed in the Pass-Thru Section" which would be
> a really, really quick and dirty "close" of the network to all non-admin
> (or whoever's allowed to pass thru) users.
> Unfortunately, many of the tenants aren't sheep, so they can configure
> IPs and MACs to get around simple blocks. Hence why the "Blocked MACs"
> and "Blocked IPs" would be nice.
I think requiring some sort of PPPoE tunnel would be the only way to
truly lock down an interface from unauthorized use. MACs and IPs can
always be forged.
> Hilton Travis Phone: +61 (0)7 3344 3889
> (Brisbane, Australia) Phone: +61 (0)419 792 394
> Manager, Quark IT http://www.quarkit.com.au
> Quark AudioVisual http://www.quarkav.net
> http://www.threatcode.com/ <-- it's now time to shame poor coders
> into writing code that is acceptable for use on today's networks
> War doesn't determine who is right. War determines who is left.
> > -----Original Message-----
> > From: Chris Dickens [mailto:chris at object dash zone dot net]
> > Sent: Saturday, 19 February 2005 06:11
> > Jesse:
> > Welcome to the wonderful world of corporate sheep. 99%
> > of people have no clue what a static IP is or how to
> > figure out one to code in, and this level of
> > obfuscation sadly works - but not against you or I. :)
> > --Chris
> > -----Original Message-----
> > From: Jesse Guardiani [mailto:jesse at wingnet dot net]
> > Sent: Friday, February 18, 2005 3:05 PM
> > On Friday 18 February 2005 2:27 pm, Quark IT - Hilton Travis wrote:
> > > Hi All,
> > >
> > > I have a request for an additional feature in the "DHCP
> > > Server" page. Currently, it is easy to add MAC
> > > addresses for static mappings. It is also easy to
> > > remove them. I have a client who leases "space" on
> > > their Internet pipe to building tenants, and if these
> > > tenants have not paid their bill in time, they need to
> > > have Internet access blocked. Currently, it is
> > > required to have a list of the MAC addresses of
> > > registered machines so that once the client has paid
> > > (late) the list is consulted to re-add them to the list
> > > of allowed MACs.
> > >
> > > What would be nice is a "Disable this address" option
> > > in DHCP Server just as there is in the Firewall rules
> > > that would not delete that MAC address from the list,
> > > but not allow it to access the Internet - allowing a
> > > simple checkbox operation to re-add this MAC address to
> > > the allowed list.
> > >
> > > It would make this feature much more usable in
> > > situations like this.
> > AFAIK, disabling DHCP won't actually prevent the user
> > from getting on the internet. It'll just prevent them
> > from getting an IP. It's easy to set up a static IP,
> > even under Windows 98, so why don't you use Captive
> > Portal instead? Then you can add your MAC addresses
> > and delete them in the way you describe, along with
> > popping up a message stating that the tenant's bill
> > might be due if their MAC isn't found...
> > --
> > Jesse Guardiani, Systems Administrator
> > WingNET Internet Services,
> > P.O. Box 2605 // Cleveland, TN 37320-2605
> > 423-559-LINK (v) 423-559-5145 (f)
> > http://www.wingnet.net
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
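
The thread's points that a disabled DHCP mapping does not keep a statically configured host off the network, and that MACs can be forged, can be checked from the gateway side. The following is an added example, not part of the original messages or of m0n0wall: it audits observed ARP entries against a MAC registry with an enabled flag and the DHCP leases. The registry layout, the finding names and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): MAC registry with an
# enabled flag, modelling the requested "disable, don't delete" option.
REGISTRY = {
    "00:11:22:33:44:01": {"tenant": "suite-1", "enabled": True},
    "00:11:22:33:44:02": {"tenant": "suite-2", "enabled": False},  # unpaid
}
# IP -> MAC as handed out by the DHCP server (constructed).
LEASES = {"192.168.1.10": "00:11:22:33:44:01"}
# (ip, mac) pairs observed in the gateway's ARP table (constructed).
ARP_SEEN = [
    ("192.168.1.10", "00:11:22:33:44:01"),  # leased host
    ("192.168.1.50", "00:11:22:33:44:02"),  # disabled MAC on a static IP
    ("192.168.1.60", "00:11:22:33:44:99"),  # MAC not registered at all
    ("192.168.1.70", "00-11-22-33-44-01"),  # enabled MAC on a second IP
]

def normalize(mac):
    """Lower-case and use ':' separators so lookups are consistent."""
    return mac.strip().lower().replace("-", ":")

def audit(arp_seen, registry, leases):
    """Return {(ip, mac): [findings]} for hosts that need attention."""
    ips_per_mac = defaultdict(set)
    for ip, mac in arp_seen:
        ips_per_mac[normalize(mac)].add(ip)
    findings = {}
    for ip, mac in arp_seen:
        mac = normalize(mac)
        notes = []
        entry = registry.get(mac)
        if entry is None:
            notes.append("unregistered-mac")
        elif not entry["enabled"]:
            notes.append("disabled-mac-active")   # DHCP off, host still up
        if leases.get(ip) != mac:
            notes.append("no-matching-lease")     # statically configured IP
        if len(ips_per_mac[mac]) > 1:
            notes.append("mac-on-multiple-ips")   # possible cloned MAC
        if notes:
            findings[(ip, mac)] = notes
    return findings

if __name__ == "__main__":
    for host, notes in audit(ARP_SEEN, REGISTRY, LEASES).items():
        print(host, notes)
```

A MAC seen on two IPs flags both entries, since the ARP table alone cannot say which host is the registered one.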