 From:  Melvin Backus <melvin at sleepydragon dot net>
 To:  Rodman Frowert <frowertr at i dash 1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Doh! Captive Portal not letting LAN talk to DMZ (OPT1) without DMZ clients "accepting" to Portal Page
 Date:  Fri, 10 Sep 2004 10:51:20 -0400
Rodman Frowert wrote:

> Wooohooo!
>
> It is the captive portal that is restricting me from being able to 
> talk to the DMZ.  If the captive portal is enabled on OPT1 and an OPT1 
> client has not agreed to the portal contents page, then of course that 
> client cannot respond to any requests coming from either the WAN or 
> the LAN (i.e. pings!!).  However, once the client does actually pass 
> through the portal, they are now subject to normal firewall rules.  I 
> can ping to my heart's content any client in the DMZ now as long as I 
> "agree" to the portal contents page.
>
> I can't believe this took me 2 days of cursing and throwing stuff to 
> figure out.  I was blaming it on everything from corrupted diskettes, 
> to bugs in m0n0 wall, and to ghosts and goblins.
>
> So I have a request.  Is it possible to add an option to m0n0's 
> captive portal so that it only listens to requests on certain ports?  
> For example, let's say I only wanted it to listen to client requests on 
> ports 80 and 443. This would mean that all other traffic from the 
> client could pass through the portal without authentication but if the 
> client attempted to access web pages, he would need to go through the 
> portal.  I know this isn't a very secure portal in this sense, but I 
> think an option to do it this way would be beneficial.  The way it is 
> setup right now, I can't put any kind of server inside the DMZ if 
> captive portal is enabled since they have no way of passing through 
> the portal.
>
> I guess I could add another NIC to the m0n0 box and make another DMZ 
> for servers and disable the captive portal on that interface, however...
>
> Rodman

As you've already pointed out you could add another NIC, but from the 
sounds of things your concept of the DMZ doesn't really match what I 
would expect either.  DMZ would normally indicate public servers with 
some protection from the outside, but accessible to everyone.  Why would 
you have the portal enabled there?  Perhaps I've just missed the point, 
but I would expect to see it enabled on the LAN side, not the DMZ.  If 
you wanted multiple LAN segments, then it might make sense, but then I 
wouldn't expect to see servers in that group.

-- 
Melvin Backus
Principal Wizard
Sleepy Dragon Enterprises
--
Do not meddle in the affairs of dragons, for 
you are crunchy, and taste good with ketchup!
--
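The behaviour Rodman describes (an unauthenticated OPT1 client is unreachable even from the LAN until it clears the portal, then ordinary firewall rules apply) and the port-restricted mode he asks for can be modelled as a small policy evaluator. The following is an added example, not m0n0wall code and not from either poster; the interface names, addresses, rule structure and the "web_only" mode are assumptions made for illustration. It shows why a ping from LAN to the DMZ is dropped before authentication and passes afterwards, and also why the proposed mode is weaker: an unauthenticated client would be reachable on every non-web port, which is exactly the "isn't a very secure portal" point.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of captive-portal policy evaluation (assumption, not m0n0wall's code).
# Verdicts: "pass" = subject to normal firewall rules, "drop" = silently discarded,
# "redirect" = the client's web request is answered with the portal page instead.
PORTAL_PORTS: Set[int] = {80, 443}  # ports the portal intercepts (per Rodman's proposal)


@dataclass
class CaptivePortal:
    interface: str                 # interface the portal is enabled on, e.g. "OPT1"
    mode: str = "block_all"        # "block_all" (current behaviour) or "web_only" (hypothetical)
    authenticated: Set[str] = field(default_factory=set)  # client IPs that accepted the page

    def authenticate(self, client_ip: str) -> None:
        """Record that a client clicked through the portal contents page."""
        self.authenticated.add(client_ip)

    def decide(self, src_if: str, src_ip: str, dst_if: str, dst_ip: str,
               proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
        """Evaluate one flow and return (verdict, reason)."""
        # Work out which end of the flow is a portal client, if either is.
        if src_if == self.interface:
            client = src_ip
        elif dst_if == self.interface:
            client = dst_ip
        else:
            return "pass", "flow does not touch the portal interface"

        if client in self.authenticated:
            return "pass", "client authenticated; normal firewall rules apply"

        outbound_web = (src_if == self.interface and proto == "tcp"
                        and dport in PORTAL_PORTS)
        if outbound_web:
            return "redirect", "unauthenticated client web request sent to portal page"

        if self.mode == "block_all":
            # Current behaviour: nothing else to or from the client gets through,
            # so a LAN ping to an unauthenticated DMZ host gets no answer.
            return "drop", "unauthenticated client; non-web traffic dropped"

        # Hypothetical "web_only" mode: only web is intercepted, everything else
        # (ICMP, SSH, the server's own services) passes without any authentication.
        return "pass", "web_only mode: non-web traffic bypasses the portal unauthenticated"


def run_scenario(mode: str) -> Dict[str, str]:
    """Replay the thread's situation (constructed addresses) under the given mode."""
    portal = CaptivePortal(interface="OPT1", mode=mode)
    lan_host, dmz_host, wan_host = "192.168.1.10", "192.168.2.50", "203.0.113.5"
    verdicts = {
        "ping_lan_to_dmz_before": portal.decide("LAN", lan_host, "OPT1", dmz_host, "icmp")[0],
        "web_dmz_to_wan_before": portal.decide("OPT1", dmz_host, "WAN", wan_host, "tcp", 80)[0],
        "ssh_wan_to_dmz_before": portal.decide("WAN", wan_host, "OPT1", dmz_host, "tcp", 22)[0],
    }
    portal.authenticate(dmz_host)  # the DMZ client "agrees" to the portal page
    verdicts["ping_lan_to_dmz_after"] = portal.decide("LAN", lan_host, "OPT1", dmz_host, "icmp")[0]
    verdicts["web_dmz_to_wan_after"] = portal.decide("OPT1", dmz_host, "WAN", wan_host, "tcp", 80)[0]
    return verdicts


if __name__ == "__main__":
    for mode in ("block_all", "web_only"):
        print(mode)
        for flow, verdict in run_scenario(mode).items():
            print(f"  {flow:28s} {verdict}")
```

In "block_all" mode the LAN ping is dropped until the DMZ host authenticates, matching what Rodman saw. In the hypothetical "web_only" mode the ping passes immediately, but so does an inbound connection from the WAN to port 22 on a host that never cleared the portal, which is the trade-off the request acknowledges; a separate interface without the portal, as both posters suggest, avoids it.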