 From:  "Arturas Satkovskis" <arsatk at delfi dot lt>
 To:  "'Michael Mee'" <mm2001 at pobox dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] captive portal thru wet-11 strangeness
 Date:  Mon, 7 Jun 2004 15:16:37 +0300
Hi, 

Wet 11 in its latest firmware revision on the main configuration page has a
checkbox called "clone MAC address".
If disabled, it will start substituting its MAC for the clients which are behind
it.

-----Original Message-----
From: Dinesh Nair [mailto:dinesh at alphaque dot com] 

To: Michael Mee
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] captive portal thru wet-11 strangeness


On Sun, 6 Jun 2004, Michael Mee wrote:

> computers to a Wet-11 wireless to ethernet bridge, the captive portal
> blocks them, but also doesn't display the page. I also get the log message:
>
> Jun  6 10:08:24 m0n0-home /kernel: arp: 10.0.1.175 moved from
> 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
>
> where 00:90:4b:b1:8:6b is the MAC of the computer behind the Wet-11 and
> 00:06:25:12:48:47 is the Wet-11 itself. Not sure what this message
> means or why it appears...

Looks like the Wet-11 is doing proxy ARP for the clients behind it. Since
the captive portal uses the MAC address to determine if a box should be let
through or not, and at the same time checks if the MAC address and the IP
address are bound, you're seeing the above behaviour. The log message is
m0n0wall telling you that it has detected that 10.0.1.175 was initially seen
tied to one MAC address (your client), and then changed to another (Wet-11).
This is a clear indication that the Wet-11 is proxy ARPing for clients
behind it.

Could you turn off proxy ARP on the Wet-11? Alternatively, you could not
use pass-through MACs, but use the allowed IP outgoing instead. Place in the
IP addresses of the clients who're allowed to bypass the captive portal sign
on page, and they'll go thru. Allowed IPs are not subject to MAC address
checking/filtering on the captive portal, though the firewall ruleset will
act on them.

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----========================+==+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=======================================================================+==+
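One way to spot the pattern Dinesh describes in the m0n0wall syslog, as an added example that is not from this thread or the m0n0wall project: the first sample line is the kernel message quoted above; the remaining log lines, the `sis0` interface and the extra MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in the format of m0n0wall's FreeBSD kernel messages.
# Line 1 mirrors the message quoted in the thread; the rest are made up.
SAMPLE_LOG = """\
Jun  6 10:08:24 m0n0-home /kernel: arp: 10.0.1.175 moved from 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
Jun  6 10:08:31 m0n0-home /kernel: arp: 10.0.1.175 moved from 00:06:25:12:48:47 to 00:90:4b:b1:58:6b on wi0
Jun  6 10:09:02 m0n0-home /kernel: arp: 10.0.1.176 moved from 00:90:4b:aa:bb:cc to 00:06:25:12:48:47 on wi0
Jun  6 10:09:10 m0n0-home /kernel: arp: 10.0.1.175 moved from 00:90:4b:b1:58:6b to 00:06:25:12:48:47 on wi0
Jun  6 10:15:44 m0n0-home /kernel: arp: 10.0.1.50 moved from 00:0c:29:11:22:33 to 00:0c:29:44:55:66 on sis0
"""

ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\w+)$"
)

def parse_arp_moves(text):
    """Return one dict per 'arp: ... moved from' line; other lines are ignored."""
    return [m.groupdict() for m in (ARP_MOVED.match(l) for l in text.splitlines()) if m]

def find_proxy_arp_suspects(events, min_flaps=2):
    """
    Flag (a) MACs that become the new owner of more than one IP and
    (b) IPs whose MAC keeps changing on the same interface. Either pattern
    matches a bridge answering ARP on behalf of the hosts behind it, which
    breaks a captive portal that binds each IP to exactly one MAC.
    A single one-off move (e.g. a NIC swap, as on sis0 above) is not flagged.
    """
    ips_per_mac = defaultdict(set)
    moves_per_ip = defaultdict(int)
    for e in events:
        ips_per_mac[e["new"]].add(e["ip"])
        moves_per_ip[(e["ip"], e["ifname"])] += 1
    shared = sorted(mac for mac, ips in ips_per_mac.items() if len(ips) > 1)
    flapping = sorted(ip for (ip, _), n in moves_per_ip.items() if n >= min_flaps)
    return {"shared_macs": shared, "flapping_ips": flapping}

if __name__ == "__main__":
    print(find_proxy_arp_suspects(parse_arp_moves(SAMPLE_LOG)))
```

On the sample input the bridge's MAC 00:06:25:12:48:47 is reported as shared by two IPs and 10.0.1.175 as flapping, while the lone move on sis0 is left alone.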
