Bug #869

closed

Captive Portal rule does not work when using a restrictive ruleset

Added by Scott Ullrich about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 09/01/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

Directions to reproduce:

Set up captive portal on OPT1.

Add a rule on OPT1 interface:
allow
protocol any
src: OPT1 subnet
dst: OPT1 subnet
no gateway

Captive portal will not display as it should. It has something to do with ipfw forwarding the traffic to localhost.

See http://tinyurl.com/2a8s4ld
and http://twitpic.com/2kd0ab

Actions #1

Updated by Chris Buechler about 11 years ago

  • Status changed from New to Closed

The rule is correct as it is, where it passes to 8000/8001 to $cpinterface, and it all functions correctly. The reason allowing only OPT1 subnet to OPT1 subnet doesn't work is that if you block the original destination's SYN, it will get dropped by pf. E.g., if you browse to google.com and get IP 74.125.45.105, and you aren't allowing HTTP traffic to destination 74.125.45.105, that's going to get dropped and you won't get redirected to CP. That's the correct behavior.
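The ordering described in the comment above can be modeled in a few lines. This is an added example, not pfSense code and not part of the original ticket: it is a simplified first-match filter followed by a portal redirect, and the OPT1 subnet, client address, and the choice of port 8000 for the portal are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

OPT1_NET = ipaddress.ip_network("192.168.2.0/24")  # constructed OPT1 subnet
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTAL_PORT = 8000  # the ticket mentions 8000/8001; 8000 is assumed here

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.dport in (None, dport))

def filter_verdict(rules, proto, src, dst, dport):
    """Simplified packet filter: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"

def first_syn_outcome(rules, src, dst, dport=80, authenticated=False):
    """Fate of a client's TCP SYN: the filter decides before any redirect."""
    if filter_verdict(rules, "tcp", src, dst, dport) == "block":
        return "dropped"          # never reaches the portal redirect
    if not authenticated and dport == 80:
        return f"redirected to portal:{PORTAL_PORT}"
    return "forwarded"

# The rule from the ticket: OPT1 subnet -> OPT1 subnet, any protocol.
RESTRICTIVE = [Rule("pass", "any", OPT1_NET, OPT1_NET)]
# Same ruleset plus HTTP from OPT1 to any destination.
WITH_HTTP = RESTRICTIVE + [Rule("pass", "tcp", OPT1_NET, ANY, 80)]

if __name__ == "__main__":
    client, google = "192.168.2.50", "74.125.45.105"  # client IP is constructed
    for name, rules in (("restrictive", RESTRICTIVE), ("with HTTP", WITH_HTTP)):
        print(f"{name:12} -> {first_syn_outcome(rules, client, google)}")
```
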
