From owner-freebsd-net@freebsd.org Sun Jan 7 19:12:21 2018
From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "Victor Sudakov"
Cc: "Freddie Cash", "freebsd-net"
Date: Sun, 7 Jan 2018 12:40:30 -0600 (CST)
Subject: Re: Fwd: Re: Quasi-enterprise WiFi network
Message-ID: <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20180107180422.GA46756@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, January 7, 2018 12:04 pm, Victor Sudakov wrote:
> Freddie Cash wrote:
>> >
>> > I'm trying to set up a quasi-enterprise WiFi network for mobile
>> > devices. This will be a solution for a public library with the only
>> > requirement that guest users should get personal credentials for WiFi
>> > access from a librarian (not a shared PSK for everyone).
> >
>>
>> You don't *need* RADIUS for this, although it may make some things
>> easier in some setups.
>>
>> All you need is a separate vlan for the "guest" wireless clients to
>> connect to, set the default gateway for that vlan to the FreeBSD
>> machine, and use firewall rules to redirect all "new" devices to a
>> local Apache setup (new meaning you don't know the MAC address).
>>
>> In Apache, you use mod_rewrite rules to change the requested URL to a
>> local webpage where you display your rules and whatnot, along with the
>> login

One trouble I expect here is: if the client goes to an https destination,
it will complain about your local apache certificate, as the client expects
the next packet (SSL negotiation) to come from the host it was originally
going to. I've seen quite a few similar things. "Home brew" words come to
my mind, no offense intended. Even in an older WiFi setup or two, the
central IT folks at the big university I work for did this setup that
breaks when the client goes to an SSL-ed URL. Next, what if the client does
not use a web browser at all, and just attempts to ssh to an external
host... Of course, your mod_rewrite rules, Freddie, may help.

>
> What you are suggesting is essentially a hand-made captive portal. I
> would be grateful for your mod_rewrite rules, but this will be a last
> resort. AFAIK there are implementations of a captive portal in
> M0n0wall and pfSense.

Thanks, Victor!

Valeri

> I've also seen howtos like
> https://www.unixmen.com/freebsd-10-1-x64-wifi-captive-portal/
>
> But if I can, I'd try a pure WiFi solution first, of course if it
> exists.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> AS43859
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
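Freddie's firewall-redirect sketch together with Valeri's HTTPS caveat, as an added pf.conf illustration that is not part of the thread: only port 80 is redirected to the local Apache page, while port 443 is rejected outright so an HTTPS client gets a refused connection instead of a certificate warning from the wrong host. The interface name, addresses and table name are assumptions.

```pf
# Added illustration (not from the thread): pf.conf fragment for the guest VLAN
# portal gateway. Interface, portal address and table name are assumptions.
guest_if  = "vlan20"
portal_ip = "192.0.2.1"

# Clients whose librarian-issued login succeeded. The portal adds them with
# "pfctl -t authorized -T add <client-ip>"; pf tables hold IPs, not MACs, so
# pair this with static DHCP leases if the MAC is what you want to key on.
table <authorized> persist

# Translation rules must precede filter rules in FreeBSD's pf syntax.
# Only plain HTTP from unapproved clients is sent to the local Apache page.
rdr pass on $guest_if proto tcp from ! <authorized> to any port 80 -> $portal_ip port 80

# Do not redirect HTTPS: the client expects the TLS handshake from the host it
# asked for, and a local certificate only yields a browser warning.
# Rejecting the connection makes the failure immediate and honest instead.
block return in quick on $guest_if proto tcp from ! <authorized> to any port 443

# DHCP and DNS to the gateway so an unauthenticated device can reach the portal.
pass in quick on $guest_if proto udp from any port 68 to any port 67
pass in quick on $guest_if proto { tcp, udp } to $portal_ip port 53

# Approved clients get full access; everything else from the VLAN is dropped
# (an ssh attempt to an external host simply fails rather than being hijacked).
pass in quick on $guest_if from <authorized> to any
block in on $guest_if
```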