 
 From:  John <naverxp at yahoo dot com dot sg>
 To:  sylikc <sylikc at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive Portal + LAN Deny All + Access Points
 Date:  Sat, 22 Jan 2005 12:23:30 +0800
sylikc wrote:

>John,
>
>On Sat, 22 Jan 2005 02:51:39 +0800, John <naverxp at yahoo dot com dot sg> wrote:
>
>>Hi
>>First things first: I've got m0n0wall running for about a week, and it's been
>>stable. Hurray!
>>
>>     --------------
>>     |  internet  |
>>     --------------
>>           |
>>       |m0n0wall|----------- DMZ
>>           |
>>       |--------------
>>       |      |      |
>>       AP    PC1    PC2
>>
>>This time I've added an Access Point to my internal network and
>>incorporated Captive Portal & PPTP. Logically speaking, this means only
>>users with PPTP accounts are granted access to the whole network + WAN.
>
>So you're only allowing outside users access to your network?
>
>>So I drafted out this set of rules:
>>- LAN Deny All
>>- PPTP Allow 80, 443, 110, 25
>>- WAN Allow Identd
>>- Captive Portal Enabled without Radius
>>
>>But whenever I apply LAN Deny All, my captive portal won't work
>>(however, I can still dial the VPN).
>>It is only when I do a LAN Allow All that my captive portal resumes its
>>function. But this isn't what I want.
>
>VPN is immune to the LAN rules because m0n0 treats it as another
>interface.  Inbound VPN connections into the LAN will allow the LAN to
>talk back to the VPN (that's just how stateful firewalls work).  It's
>just the LAN can't connect out.
>
>Why isn't a LAN allow all what you want?  The captive portal prevents
>unauthorized users from going out anyway.
>
>
>/sylikc
>
Hi

Thanks for your replies.

Does that mean that the captive portal does not work with VPN? In that case, 
is it possible to make the captive portal work on the PPTP interface as well?

What happens now is, I'm adding an Access Point to allow users that are 
authenticated in this neighbourhood (wirelessly) to connect to me (and 
only VPN-authenticated users are allowed to surf the internet & have 
access to the services on the network). Because Access Point users 
are connected to my internal network, which is quite scary, VPN is my 
only security for authentication. (Should I put AP users on another 
subnet?)

All users (except computers in the exception list), whether they have a VPN 
connection or not, will be shown the captive portal page and limited to 
the captive portal's timeout.

John
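The point sylikc makes above (rules are evaluated per interface, and a stateful pass lets the other side reply even through a "deny all" rule) can be seen with a small model of first-match, per-interface, stateful filtering. This is an added illustration written for this thread, not m0n0wall's own code or its ipfw rule set; the addresses, the assumption that the portal answers on TCP port 80 of the LAN address, and the default-deny for unmatched packets are all assumptions made here.

```python
"""Toy model of per-interface, first-match, stateful packet filtering.
Added example for the m0n0wall thread above; it is NOT m0n0wall's code.
Addresses, port numbers and default-deny are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ARRIVES on; only that interface's rules apply
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """First matching rule on the inbound interface wins. A 'pass' records
    the flow, and the reply direction is then accepted on ANY interface
    without consulting the rules. Unmatched packets are dropped (assumed)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def filter(self, p: Packet) -> str:
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.states:
            return "pass (existing state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    return "pass"
                return "block"
        return "block (default)"


# Constructed addresses (not from the thread)
LAN_PC1 = "192.168.1.10"
FW_LAN = "192.168.1.1"        # firewall's LAN address, assumed to serve the portal page
VPN_CLIENT = "192.168.2.50"   # address handed out from the PPTP pool
INTERNET = "203.0.113.5"


def ruleset(lan_action: str):
    """John's rules; lan_action is 'block' (LAN Deny All) or 'pass' (LAN Allow All)."""
    return [
        Rule("lan", lan_action),
        *[Rule("pptp", "pass", "tcp", port) for port in (80, 443, 110, 25)],
        Rule("wan", "pass", "tcp", 113),  # identd
    ]


def run(lan_action: str) -> dict:
    fw = StatefulFirewall(ruleset(lan_action))
    out = {}
    # PC1 on the LAN asks the firewall for the captive portal page
    out["lan_to_portal"] = fw.filter(Packet("lan", "tcp", LAN_PC1, 40001, FW_LAN, 80))
    # VPN user browsing the internet through the tunnel
    out["vpn_to_web"] = fw.filter(Packet("pptp", "tcp", VPN_CLIENT, 40002, INTERNET, 80))
    # VPN user trying SSH out: no PPTP rule for 22, so the default applies
    out["vpn_to_ssh"] = fw.filter(Packet("pptp", "tcp", VPN_CLIENT, 40003, INTERNET, 22))
    # VPN user connects to PC1's web server; PC1's reply enters on the LAN interface
    out["vpn_to_pc1"] = fw.filter(Packet("pptp", "tcp", VPN_CLIENT, 40004, LAN_PC1, 80))
    out["pc1_reply_to_vpn"] = fw.filter(Packet("lan", "tcp", LAN_PC1, 80, VPN_CLIENT, 40004))
    return out


if __name__ == "__main__":
    for action in ("block", "pass"):
        print(f"LAN rule = {action}:")
        for name, verdict in run(action).items():
            print(f"  {name:18} -> {verdict}")
```

With the LAN rule set to block, the LAN host's request for the portal page is dropped before the portal ever sees it, while the VPN client's traffic (and PC1's reply to it, thanks to the state entry) passes; switching the LAN rule to pass is the only change that lets the portal request through.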