 From:  sylikc <sylikc at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Captive Portal & devices w/o browser capability
 Date:  Mon, 15 Nov 2004 11:58:40 -0800
Hi all,

I'm having some trouble getting the captive portal working in my
environment.  I currently use the captive portal to restrict the devices
that can be connected to my trusted LAN subnet by creating a login
page with no buttons and then putting all my trusted hosts into the
pass-thru MAC address list.  (I do this because I have no physical-layer
security in my current environment.)

This is fine for all the devices that have a web browser (actual
computers), since with the captive portal, when you open the browser to
surf, it redirects to m0n0 and then redirects to whatever site you
were going to in the first place.

However, an issue arises with devices that do not have a browser.  I'm
talking about printers, managed switches, etc.  The problem I'm having
is that I can PPTP VPN into my network, but cannot remotely administer
any of these devices, because those devices can receive packets but
not send them back, as they are blocked by the captive portal.  These
devices can't bypass the captive portal because they don't have a
browser and can't load a site and get redirected...

I am wondering why the pass-thru MAC list devices must use a web
browser before m0n0 will let them through.  Why can't it be that when
m0n0 receives a packet on the interface from a device whose MAC matches,
that device is permitted automatically after indexing the current IP it
holds?

Anyway, I've already thought of using DHCP MAC filtering, but without
Layer 1 security, that doesn't save me from having people just plug
in, statically assign their own IPs, and then traverse the
trusted LAN.

Thanks,

/sylikc