 From:  Andrew Frazer <andrew dot frazer at sententia dot co dot nz>
 To:  "'Mitch (WebCob)'" <mitch at webcob dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Captive Portal for networks that are routed to...
 Date:  Sun, 10 Oct 2004 20:50:30 +1300
In my case this is roughly what I have..

	----network X-----RouterX-----+
	----network Y-----RouterY-----+

The internet is reachable from hosts on network X and Y via Mono. The
internet is also reachable from a host on the LAN side of the Mono. However,
only the hosts on the LAN side are redirected to the captive portal. Hosts
of network X and network Y are allowed straight through. So as a 'router'
Monowall works fine. The only problem is for some reason mono doesn't seem
to want to force the other users through the captive portal.

In this case I am not running any NAT, on either of Router X, or Y, or on
Mono.. Just plain old boring straight routing.  In Sylikc's post from below,
I imagine he is referring to where the router is doing NAT/PAT for all the
hosts below it. In that case, his comments would be correct. I have in fact
(by accident) tried that scenario, and the results suggested below
are what I observed.

-----Original Message-----
From: Mitch (WebCob) [mailto:mitch at webcob dot com] 
Sent: Saturday, October 09, 2004 7:27 PM
To: sylikc; Andrew Frazer
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Captive Portal for networks that are routed to...

> If you are running a routed network behind m0n0, then all m0n0 sees is
> the IP of the interface of the router connected to m0n0.  That's 1 IP
> and 1 MAC.  I am guessing if you authenticated one host behind it,
> then the entire network would be permitted by m0n0, because of this
> IP<-->MAC association by m0n0.  There's been talk of modifying the
> captive portal and not depending on the MAC or whatnot, but that sort
> of defeats the purpose of the captive portal ;)

Not quite true...

The mono sees ALL the IPs, but only one MAC... this gets back to the case
surrounding the posting you are quoting - my desire to use the gateway as a
password protected firewall to allow users IN to a network.

The problem iirc is that in this case, the code would have to be changed to
ignore the MAC - I think Dinesh was going to look at this at some point...