On Sun, 6 Jun 2004, Michael Mee wrote:

> computers to a Wet-11 wireless to ethernet bridge, the captive portal blocks
> them, but also doesn't display the page. I also get the log message:
>
> Jun 6 10:08:24 m0n0-home /kernel: arp: 10.0.1.175 moved from
> 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
>
> where 00:90:4b:b1:8:6b is the MAC of the computer behind the Wet-11 and
> 00:06:25:12:48:47 is the Wet-11 itself. Not sure what this message means or
> why it appears...

looks like the Wet-11 is doing proxy arp for the clients behind it. since the captive portal uses the mac address to determine if a box should be let through or not, and at the same time checks if the mac address and the ip address are bound, you're seeing the above behaviour.

the log message is m0n0wall telling you that it has detected that 10.0.1.175 was initially seen tied to one mac address (your client), and then changed to another (wet-11). this is a clear indication that the wet-11 is proxy arping for clients behind it.

could you turn off proxy arps on the wet-11?

alternatively, you could not use pass-through macs, but use the allowed ip outgoing instead. place in the ip addresses of the clients who're allowed to bypass the captive portal sign on page, and they'll go thru. allowed ips are not subject to mac address checking/filtering on the captive portal, though the firewall ruleset will act on them.

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com         (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+