On Sun, 6 Jun 2004, Michael Mee wrote:
> computers to a Wet-11 wireless to ethernet bridge, the captive portal blocks
> them, but also doesn't display the page. I also get the log message:
> Jun 6 10:08:24 m0n0-home /kernel: arp: 10.0.1.175 moved from
> 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
> where 00:90:4b:b1:8:6b is the MAC of the computer behind the Wet-11 and
> 00:06:25:12:48:47 is the Wet-11 itself. Not sure what this message means or
> why it appears...

looks like the Wet-11 is doing proxy arp for the clients behind it. since
the captive portal uses the mac address to determine if a box should be
let through or not, and at the same time checks if the mac address and the
ip address are bound, you're seeing the above behaviour. the log message
is m0n0wall telling you that it has detected that 10.0.1.175 was initially
seen tied to one mac address (your client), and then changed to another
(wet-11). this is a clear indication that the wet-11 is proxy arping for
clients behind it.

could you turn off proxy arps on the wet-11? alternatively, you could not
use pass-through macs, but use the allowed ip outgoing instead. place in
the ip addresses of the clients who're allowed to bypass the captive
portal sign on page, and they'll go thru. allowed ips are not subject to
mac address checking/filtering on the captive portal, though the firewall
ruleset will act on them.
Regards, /\_/\ "All dogs go to heaven."
dinesh at alphaque dot com (0 0) http://www.alphaque.com/
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo "The opinions here in no way reflect the opinions of my $a $b." |
| done; done |
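
An added example, not part of the original message or of m0n0wall: a small parser for the "arp: ... moved from ... to ..." kernel message quoted in the thread. It goes beyond the single message by grouping moves per new MAC, so that a device answering for several client IPs (the proxy-ARP pattern described above) stands out. The function names, the `min_ips` threshold and all sample lines after the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# FreeBSD kernel message format as quoted in the thread:
#   arp: <ip> moved from <old mac> to <new mac> on <iface>
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) to "
    r"(?P<new>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

def parse_arp_moves(lines):
    """Yield (ip, old_mac, new_mac, iface) for each 'arp: ... moved' line."""
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            yield (m["ip"], m["old"].lower(), m["new"].lower(), m["iface"])

def proxy_arp_candidates(lines, min_ips=2):
    """Return {mac: sorted ips} for MACs that took over >= min_ips addresses.

    One MAC answering for several IPs that previously had their own MACs
    is the pattern a proxy-ARPing bridge produces. min_ips is a
    hypothetical threshold chosen for this example.
    """
    taken = defaultdict(set)
    for ip, old, new, _iface in parse_arp_moves(lines):
        if old != new:
            taken[new].add(ip)
    return {mac: sorted(ips) for mac, ips in taken.items() if len(ips) >= min_ips}

# Constructed sample: the first line is the message from the thread (joined
# onto one line); the other lines and addresses are made up for illustration.
SAMPLE_LOG = """\
Jun 6 10:08:24 m0n0-home /kernel: arp: 10.0.1.175 moved from 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
Jun 6 10:09:02 m0n0-home /kernel: arp: 10.0.1.176 moved from 00:0c:29:aa:bb:01 to 00:06:25:12:48:47 on wi0
Jun 6 10:11:40 m0n0-home /kernel: arp: 10.0.1.200 moved from 00:0c:29:aa:bb:02 to 00:0c:29:aa:bb:03 on wi0
Jun 6 10:12:00 m0n0-home /kernel: dhcpd: unrelated line
""".splitlines()

if __name__ == "__main__":
    for mac, ips in proxy_arp_candidates(SAMPLE_LOG).items():
        print(f"{mac} now answers for {len(ips)} IPs: {', '.join(ips)}")
```

A MAC reported here is a candidate for the allowed-IP approach suggested in the reply, since MAC-based pass-through cannot distinguish the clients behind it.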