Bug #869

Captive Portal rule does not work when using a restrictive ruleset

Added by Scott Ullrich almost 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 09/01/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:
Description

Directions to reproduce:

Set up captive portal on OPT1.

Add a rule on OPT1 interface:
allow
protocol any
src: OPT1 subnet
dst: OPT1 subnet
no gateway

Captive portal will not display as it should. It has something to do with ipfw forwarding the traffic to localhost.

See http://tinyurl.com/2a8s4ld
and http://twitpic.com/2kd0ab

History

#1 Updated by Chris Buechler almost 9 years ago

  • Status changed from New to Closed

The rule is correct as it is, where it passes to 8000/8001 to $cpinterface, and it all functions correctly. The reason allowing only OPT1 subnet to OPT1 subnet doesn't work is that if you block the original destination's SYN, it will get dropped by pf. E.g., if you browse to google.com and get IP 74.125.45.105, and you aren't allowing HTTP traffic to destination 74.125.45.105, that's going to get dropped and you won't get redirected to CP. That's the correct behavior.
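The behavior described in the comment above, as an added example that is not part of the ticket or of pfSense's code: a simplified first-match, default-deny model of the OPT1 interface rules that checks whether a client's HTTP SYN to the original destination would pass and so could be redirected to the portal. The OPT1 subnet, the client address, the rule model and the function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

def first_match(rules, src, dst, proto, dport):
    """Action of the first matching rule; unmatched traffic is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "block"

def portal_redirect_possible(rules, client, original_dst):
    """The redirect needs the SYN to the original destination to pass."""
    return first_match(rules, client, original_dst, "tcp", 80) == "pass"

OPT1 = "192.168.2.0/24"    # constructed OPT1 subnet (assumption)
CLIENT = "192.168.2.50"    # constructed client address (assumption)
GOOGLE = "74.125.45.105"   # destination IP quoted in the comment

# The rule from the ticket: allow any protocol, OPT1 subnet -> OPT1 subnet.
RESTRICTIVE = [Rule("pass", OPT1, OPT1)]
# Same ruleset plus a rule passing HTTP to any destination.
WITH_HTTP = RESTRICTIVE + [Rule("pass", OPT1, "0.0.0.0/0", "tcp", 80)]

if __name__ == "__main__":
    for name, rules in (("restrictive", RESTRICTIVE), ("with HTTP", WITH_HTTP)):
        print(name, portal_redirect_possible(rules, CLIENT, GOOGLE))
```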
