Re: [m0n0wall] Captive Portal + LAN Deny All + Access Points

From:	sylikc <sylikc at gmail dot com>
To:	John <naverxp at yahoo dot com dot sg>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] Captive Portal + LAN Deny All + Access Points
Date:	Fri, 21 Jan 2005 13:31:04 -0800

John,

On Sat, 22 Jan 2005 02:51:39 +0800, John <naverxp at yahoo dot com dot sg> wrote:
> Hi
> First come first, I've got m0n0wall running for about a week, its been
> stable. Hurray!
> 
> --------------
> | internet |
> --------------
> |
> |m0n0wall|----------- DMZ
> |
> |--------------
> | | |
> AP PC1 PC2
> 
> This time i've added a Access Point to my internal network and
> incorporated Captive Portal & PPTP. Logically speaking, this makes only
> users with PPTP accounts granted access to all network + WAN.

So you're only allowing outside users access to your network?

> 
> So i drafted out these set of rules:
> - LAN Deny All
> - PPTP Allow 80, 443, 110, 25
> - WAN Allow Identd
> - Captive Portal Enabled without Radius
> 
> But whenever i perform, LAN Deny All, my captive portal won't work.
> (however i can still dial vpn)
> it is only when i do a, LAN Allow All, my captive portal resumes its
> function. But this isn't what i want.

VPN is immune to the LAN rules because m0n0 treats it as another
interface.  Inbound VPN connections into the LAN will allow the LAN to
talk back to the VPN (that's just how stateful firewalls work).  It's
just the LAN can't connect out.

Why isn't a LAN allow all what you want?  The captive portal prevents
unauthorized users from going out anyway.

/sylikc