From owner-freebsd-net@freebsd.org Mon Jan 8 07:20:44 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6199E7CC2F for ; Mon, 8 Jan 2018 07:20:44 +0000 (UTC) (envelope-from vas@mpeks.tomsk.su) Received: from relay2.tomsk.ru (mail.sibptus.tomsk.ru [212.73.124.5]) by mx1.freebsd.org (Postfix) with ESMTP id 170966D7E1 for ; Mon, 8 Jan 2018 07:20:43 +0000 (UTC) (envelope-from vas@mpeks.tomsk.su) X-Virus-Scanned: by clamd daemon 0.98.5_1 for FreeBSD at relay2.tomsk.ru Received: from [212.73.125.240] (HELO admin.sibptus.transneft.ru) by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.16) with ESMTPS id 39907968; Mon, 08 Jan 2018 13:15:53 +0600 Received: from admin.sibptus.transneft.ru (sudakov@localhost [127.0.0.1]) by admin.sibptus.transneft.ru (8.15.2/8.15.2) with ESMTP id w087Kd1X052604; Mon, 8 Jan 2018 14:20:41 +0700 (+07) (envelope-from vas@mpeks.tomsk.su) Received: (from sudakov@localhost) by admin.sibptus.transneft.ru (8.15.2/8.15.2/Submit) id w087KZnY052603; Mon, 8 Jan 2018 14:20:35 +0700 (+07) (envelope-from vas@mpeks.tomsk.su) X-Authentication-Warning: admin.sibptus.transneft.ru: sudakov set sender to vas@mpeks.tomsk.su using -f Date: Mon, 8 Jan 2018 14:20:35 +0700 From: Victor Sudakov To: Freddie Cash Cc: galtsev@kicp.uchicago.edu, freebsd-net Subject: Re: Fwd: Re: Quasi-enterprise WiFi network Message-ID: <20180108072035.GB52442@admin.sibptus.transneft.ru> References: <20180107180422.GA46756@admin.sibptus.transneft.ru> <52165.108.68.171.12.1515350430.squirrel@cosmo.uchicago.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organization: AO "Svyaztransneft", SibPTUS X-PGP-Key: http://www.dreamwidth.org/pubkey?user=victor_sudakov X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634 User-Agent: Mutt/1.9.1 (2017-09-22) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jan 2018 07:20:44 -0000 Freddie Cash wrote: > > > One trouble I expect here is: if the client goes to https destination, it > > will complain about your local apache certificate, as the client expects > > next packet (SSL negotiation) to come from host it was going originally > > to. I've seen quite a few of similar things. "Home brew" words come to my > > mind, no offense intended. Even older or two WiFi setups central IT folks > > at big university I work for did this setup that brakes when client goes > > to SSL-ed URL. Next, what if client does not use web browser at all, and > > just attempts to ssh to external host... > > > > That was an issue with our original setup that only used firewall redirect > rules, without the mod_rewrite stuff. It only worked if we walked people > through visiting a non-encrypted website, in order to bring up our login > page. As more and more sites started defaulting to HTTPS, it became > cumbersome. > > All mobile devices, including Windows/MacOS devices, include captive portal > detection these days, where they attempt to connect to a specific set of > HTTP sites after connecting to a network. The mod_rewrite rules intercept > only these requests, and redirect them to the login page. Your mod_rewrite rules are becoming more and more interesting. Please do post them. There is one more drawback however I have just thought about. If I go for a WiFi solution, I can deploy just an AP at some remote branch as a RADIUS client of the central FreeRADIUS server. If I go for a captive portal solution, I would need to install captive portals at every branch, or tunnel Internet traffic via the central hub. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859