 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Captive portal Allow IP range - Feature Request?
 Date:  Mon, 13 Dec 2004 15:47:51 -0500
Aaron wrote:

> 
> Hello,
> 
> I'm not sure if I am missing something, but is it possible to specify a
> network of IPs to allow through the captive portal?
> 
> The reason is this: On the LAN interface, I have specified all
> non-registered DHCP requests to be assigned to 192.168.1.192 to
> 192.168.1.254 (192.168.1.192/26). This is my range for "unregistered"
> people and I restrict speeds and only allow traffic over port 80. It
> also forces them through the captive portal to a page about my network
> and makes them agree to terms of use.
> 
> For people that register, I give them a static DHCP assignment in
> 192.168.1.128/26. I then want to allow all of these IPs through
> without hitting the captive portal. So in Captive portal: Allowed IP
> addresses, I can put in an IP for each of these. The problem is that I
> cannot put in a network or range, it seems. So far, I have put them all
> in by hand, but it's a bit of a pain... especially if I want to allow
> all of the IPs except the ones in the captive portal range.
> 
> Am I missing an easier way to do this? I don't want to use Pass-through
> MACs, as sorting people using IPs allows me to do more things to limit
> certain ranges.

It also makes your network more insecure. It's relatively easy to forge
a MAC address, but it's insanely easy to forge an IP. All you have to do
is assign the IP to your network interface! Could someone with more
knowledge of the Captive Portal's internals than I please confirm that
merely setting an interface IP statically would be enough to bypass
Captive Portal if one knows an allowed IP? 

And no, I don't think there is an easy way to allow a subnet in Captive
Portal. 

If you want a Captive Portal with marginal security, I think you're
probably better off not specifying allowed IPs, and specifying as few
MACs as possible. Let the username and pass do its job and authenticate
your users.

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
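Two things from this thread lend themselves to a small script: expanding a registered subnet into the per-address list the portal's "Allowed IP addresses" field wants, and checking the firewall's ARP view for allowed IPs that are in use by a MAC other than the one given a static DHCP lease (the IP-borrowing concern raised in the reply). This is an added example, not code from the post or from m0n0wall; the subnet is the one Aaron describes, the MAC addresses and ARP entries are constructed.

```python
import ipaddress

# Registered-user subnet from the thread; the static leases are constructed
# sample data standing in for the m0n0wall static DHCP mappings (IP -> MAC).
REGISTERED_NET = ipaddress.ip_network("192.168.1.128/26")
STATIC_DHCP = {
    "192.168.1.130": "00:11:22:33:44:55",
    "192.168.1.131": "00:11:22:33:44:66",
}


def allowed_ips_for(net):
    """Expand a subnet into the one-address-per-entry list the portal UI takes.

    hosts() drops the network and broadcast addresses, so a /26 yields 62 entries.
    """
    return [str(host) for host in net.hosts()]


def find_spoofed(arp_table, static_dhcp, allowed):
    """Flag allowed IPs whose current MAC is not the registered one.

    arp_table: list of (ip, mac) pairs as seen on the LAN interface.
    Returns a list of (ip, seen_mac, expected_mac) where expected_mac is
    None when the IP is in the allowed list but has no static lease at all.
    """
    allowed_set = set(allowed)
    findings = []
    for ip, mac in arp_table:
        if ip not in allowed_set:
            continue  # unregistered range; the captive portal handles these
        expected = static_dhcp.get(ip)
        if expected is None or expected.lower() != mac.lower():
            findings.append((ip, mac, expected))
    return findings


if __name__ == "__main__":
    # Constructed ARP snapshot: one legitimate host, one registered IP used by
    # an unexpected MAC, one allowed IP with no lease, one unregistered host.
    arp = [
        ("192.168.1.130", "00:11:22:33:44:55"),
        ("192.168.1.131", "de:ad:be:ef:00:01"),
        ("192.168.1.140", "aa:bb:cc:dd:ee:ff"),
        ("192.168.1.200", "00:00:00:00:00:01"),
    ]
    for ip, seen, expected in find_spoofed(arp, STATIC_DHCP, allowed_ips_for(REGISTERED_NET)):
        print(f"{ip}: seen {seen}, registered {expected or 'none'}")
```

Cross-checking ARP against the static lease table is only a detection aid; it does not make an IP-based allow list authenticate anyone, which is the point the reply makes.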