 From:  sylikc <sylikc at gmail dot com>
 To:  Andrew Frazer <andrew dot frazer at sententia dot co dot nz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Captive Portal for networks that are routed to...
 Date:  Fri, 8 Oct 2004 18:01:26 -0700
Andrew,


> I might be doing something wrong. I have only been able to get the captive
> portal working for hosts that are directly attached to the LAN interface.
> I have a couple of routed networks behind mono, that I have routes for.. but
> the portal doesn't seem to get them..
> 
> Am I doing something wrong, or is this the way it works?

I think on one of the other threads, there was mention of how the
captive portal works.  Here's an excerpt from Dinesh who wrote the
captive portal:
> maybe i'd explain how the captive portal works. manuel first wrote in
> captive portal functionality, and i stepped in later with some improvements
> and RADIUS support.
> 
> the captive portal initially sets up IPFW rules to divert all outgoing
> connections to another instance of httpd which throws up the authentication
> page. upon successful authentication, specific rules opening access are
> created for the IP and MAC address of the client host and subsequent access
> by this client is allowed thru without being diverted. though the IP
> address is used specifically to bypass the divert, it's still tied to the
> MAC address.
> 
> this means an IP address, once bound to a MAC address on the captive
> portal, will only be allowed access if it continues to be bound to that MAC
> address.


If you are running a routed network behind m0n0, then all m0n0 sees is
the IP of the interface of the router connected to m0n0.  That's 1 IP
and 1 MAC.  I am guessing if you authenticated one host behind it,
then the entire network would be permitted by m0n0, because of this
IP<-->MAC association by m0n0.  There's been talk of modifying the
captive portal and not depending on the MAC or whatnot, but that sort
of defeats the purpose of the captive portal ;)


/sylikc
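
A small Python model of the behaviour described in this message, added here as an illustration; it is not m0n0wall code and not part of the original post. The class, function names and addresses are constructed, and the assumption that the portal sees only the downstream router's interface IP and MAC for hosts behind it is taken from the reply above.

```python
# Simplified model of the captive portal logic described in the message.
# Not m0n0wall code: all names and addresses here are constructed.

class CaptivePortal:
    def __init__(self):
        self.bindings = {}  # authenticated IP -> MAC it was bound to

    def authenticate(self, ip, mac):
        """Successful login: open access for this IP, tied to this MAC."""
        self.bindings[ip] = mac

    def decide(self, ip, mac):
        """'allow' only while the IP is still bound to the same MAC."""
        return "allow" if self.bindings.get(ip) == mac else "divert"


def as_seen_by_portal(host, router=None):
    """(ip, mac) the portal observes for a host.

    Assumption from the reply: for a host behind a downstream router,
    the portal sees only the router's interface IP and MAC.
    """
    return (router["ip"], router["mac"]) if router else (host["ip"], host["mac"])


def simulate():
    portal = CaptivePortal()
    lan_a = {"ip": "192.168.1.10", "mac": "00:00:5e:00:53:0a"}
    lan_b = {"ip": "192.168.1.11", "mac": "00:00:5e:00:53:0b"}
    router = {"ip": "192.168.1.254", "mac": "00:00:5e:00:53:fe"}
    routed_c = {"ip": "10.0.0.20", "mac": "00:00:5e:00:53:0c"}
    routed_d = {"ip": "10.0.0.21", "mac": "00:00:5e:00:53:0d"}

    r = {}
    # Directly attached hosts: each IP/MAC pair has to log in on its own.
    r["lan_a_before"] = portal.decide(*as_seen_by_portal(lan_a))
    portal.authenticate(*as_seen_by_portal(lan_a))
    r["lan_a_after"] = portal.decide(*as_seen_by_portal(lan_a))
    r["lan_b_unauth"] = portal.decide(*as_seen_by_portal(lan_b))
    # An authenticated IP showing up with another MAC is diverted again.
    r["lan_a_ip_other_mac"] = portal.decide(lan_a["ip"], lan_b["mac"])
    # Hosts behind the router all look like the router to the portal.
    r["routed_d_before"] = portal.decide(*as_seen_by_portal(routed_d, router))
    portal.authenticate(*as_seen_by_portal(routed_c, router))
    r["routed_c_after"] = portal.decide(*as_seen_by_portal(routed_c, router))
    r["routed_d_after"] = portal.decide(*as_seen_by_portal(routed_d, router))
    return r


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:20s} {verdict}")
```

In this model the portal's unit of authentication is whatever IP and MAC pair it can observe, so per-user control for the routed networks would have to be enforced at a point that sees the individual hosts.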