Bob Young wrote:
> I do see the dhcp leases. And the logging shows my neighbor's computer is
> trying to send data, but if captive portal is on, it seems that the data
> doesn't get out the WAN interface.

Everything is working as expected:

1.) Wireless clients receive an IP address with DHCP.
2.) If they're not authenticated via your portal (a web solution running
    HTTP on top of TCP on top of IP), their traffic is blocked.

> But I'm surprised it can even get logged at all,
> especially when the captive portal is turned on.

Either a.) you've just misunderstood how m0n0wall's captive portal works, or
b.) you're saying that you'd like your firewall to keep you in the blind, by
hiding all traffic that was blocked because of missing authentication.

In case of a.), re-read my response in the last email. HTTP requires working
IP, therefore clients need to get an IP via DHCP before your captive portal
can work.

In case of b.), if the world was a perfect place, there would currently be a
rule in your rulebase saying:

Source        Destination  Authentication    Action  Logging
WLAN IP pool  Internet     Authe'd user      Allow   Log

And you would be able to add a rule above that, saying:

Source        Destination  Authentication    Action  Logging
WLAN IP pool  Internet     Non-authe'd user  Block   No log

Accomplishing exactly what you want. I don't think things are that user
friendly in m0n0wall, however. But I really have no clue, since I've never
used captive portal :-).