 From:  "Chris Dickens" <chris at object dash zone dot net>
 To:  "'Quark IT - Hilton Travis'" <hilton at quarkit dot com dot au>
 Cc:  "'Jesse Guardiani'" <jesse at wingnet dot net>, <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] DHCP Server request
 Date:  Tue, 8 Mar 2005 08:46:54 -0500
Quark:

I know I'm not the only one here who has been utterly confused at what your
intentions are with your inquiry.  You are very derogatory to everyone here
and consistently maintain that it is our fault that we don't understand you;
if you were actually clear, then you would have gotten your answer by now.
Admit that you either did not write your original request concisely enough,
or that you are changing your line of questioning as you go.  If someone
doesn't understand me, then it's my own failing - I admit that and then
re-word my inquiry in a professional and courteous manner.

As far as I can see, your request has transformed several times over the
course of the conversation.  First you're asking about some toggle on the
DHCP server WebGUI because you thought m0n0wall blocked access through the
firewall, then you maintained that the Captive Portal wasn't useful because
you couldn't toggle on/off MAC addresses - several suggestions were given
involving RADIUS, which is the proper way to handle authentication.  One
example in particular that I found to be excellent was from Michael Mae on
2/21 which I found particularly sneaky. ;)  Since you didn't mention RADIUS
until someone else did, I'll have to assume that you didn't even know what
it was, so now you're asking us how you can do it without it AND with
usernames and passwords on top of it all!

Read the Quotes for yourself:

Hilton Travis @ 2/18/05 2pm:
"I have a request for an additional feature in the "DHCP Server" page.
Currently, it is easy to add MAC addresses for static mappings.  It is also
easy to remove them.  I have a client who leases "space" on their Internet
pipe to building tenants, and if these tenants have not paid their bill in
time, they need to have Internet access blocked. Currently, it is required
to have a list of the MAC addresses of registered machines so that once the
client has paid (late) the list is consulted to re-add them to the list of
allowed MACs.  What would be nice is a "Disable this address" option in DHCP
Server just as there is in the Firewall rules that would not delete that MAC
address from the list, but not allow it to access the Internet - allowing a
simple checkbox operation to re-add this MAC address to the allowed list."

Hilton Travis @ 2/18/05 4pm:
"I thought that maybe m0n0wall blocked requests from non-DHCP-assigned IPs,
but now I see that it just fails to dish DHCP out to those not in the list."

** I'm not aware of ANY firewall that does this; the mere thought that this
behaviour would be default without setting up a captive portal boggles my
mind?

Hilton Travis @ 2/18/05 7pm:
"Unfortunately, it also doesn't address my second concern - the ability to
have the MAC addresses in a list and be able to turn them on/off with a
checkbox.  Even in Captive Portal when a MAC is deleted from the
"Pass-through MAC" area, it is deleted, not just disabled."

Hilton Travis @ 3/8/05 6am:
"What I was asking was if there was a way to utilize Captive Portal without
a RADIUS Server, instead authenticating to a file of user/pass or a local
database or some other means of auth."

** Your original request most certainly did not ask this - you might note
that the subject line of this thread is even still titled "DHCP Server
request"

Now, with all of that aside, there have been a number of requests for some
type of built-in RADIUS server and while most of us admit that it would be
handy, it's not there.  Set it up elsewhere if you need to get the job done,
otherwise wait like everyone else for someone to add it to m0n0wall or do it
yourself.

--Chris

-----Original Message-----
From: Quark IT - Hilton Travis [mailto:hilton at quarkit dot com dot au] 
Sent: Tuesday, March 08, 2005 6:41 AM
To: m0n0wall dash dev at lists dot m0n0 dot ch
Cc: Jesse Guardiani
Subject: RE: [m0n0wall-dev] DHCP Server request


Hi Chris,

I clearly explained earlier that I know the difference between the Internet
and an internal machine.  Suggesting so is totally and utterly missing the
whole point of my original question.

As this is a firewall/gateway device, there's NO WAY that it can stop a
machine talking to another machine on the same physical segment.  A
firewall/gateway, in case there's anyone out there still unclear on this
(and if there is, WHY are they on the dev list???) can only block traffic
passing through it - not traffic on a local LAN, nor traffic on the local
freeway or train line.

What I was asking was if there was a way to utilize Captive Portal without a
RADIUS Server, instead authenticating to a file of user/pass or a local
database or some other means of auth.

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- it's now time to shame poor coders 
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed. 

> -----Original Message-----
> From: Chris Dickens [mailto:chris at object dash zone dot net]
> Sent: Tuesday, 8 March 2005 13:23
> To: m0n0wall dash dev at lists dot m0n0 dot ch
> Cc: 'Jesse Guardiani'
> Subject: RE: [m0n0wall-dev] DHCP Server request
> 
> Jesse:
> 
> My apologies - I didn't realize you weren't the original poster.  I was most
> definitely referring to the original poster, Quark IT - Hilton Travis.  I am
> also quite confused so I will be interested to hear back from Quark.
> 
> --Chris
> 
> -----Original Message-----
> From: Jesse Guardiani [mailto:jesse at wingnet dot net]
> Sent: Monday, March 07, 2005 9:51 AM
> To: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall-dev] DHCP Server request
> 
> 
> On Monday 07 March 2005 8:00 am, Chris Dickens wrote:
> > Well, that's just dumb and I didn't think anyone would even bother
> > with the captive portal if they didn't intend to also auth with
> > RADIUS.  After all, it's pretty useless then to give someone carte
> > blanche access just by clicking one button?
> >
> > They should just set up a RADIUS server and get over it.  I'm basing
> > my response on your assertion that Jesse is competent enough to handle
> > administering such a service.
> 
> Hey Hey, let's get our facts straight before we start throwing names around.
> I'm not the original poster. I was just trying to give him answers and
> suggestions. Quark IT - Hilton Travis is the original poster.
> 
> Also, Quark IT - Hilton Travis seems to jump around a bit. I've re-read all
> of his posts, and I don't see anything about RADIUS mentioned there. He
> started out talking about DHCP, then I suggested Captive Portal.
> 
> Then he said this:
> 
> "Unfortunately, this doesn't address my first concern - the ability to block
> certain (or all unspecified) MAC addresses from gaining access to the
> Internet."
> 
> But I'm sorry, Captive Portal does indeed do this. I use it on my local WLAN
> network for just that purpose. Unless Quark IT - Hilton Travis's idea of the
> Internet is actually other machines on the LAN, in which case he's correct.
> It doesn't do that. But in that case he's using incorrect terminology.
> 
> He then says this:
> 
> "Unfortunately, it also doesn't address my second concern - the ability to
> have the MAC addresses in a list and be able to turn them on/off with a
> checkbox.  Even in Captive Portal when a MAC is deleted from the
> "Pass-through MAC" area, it is deleted, not just disabled."
> 
> This is true. There isn't a checkbox to temporarily disable MACs or IPs in
> the pass-through section. I believe this functionality would be useful too.
> Perhaps he should write a patch.
> 
> The rest of his posts seem to be founded on the assumption that Captive
> Portal does not block unspecified MACs, when indeed it does. And now this
> post about RADIUS? So what exactly is it that we're discussing here?
> 
> --
> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v)  423-559-5145 (f)
> http://www.wingnet.net
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch