Date: Mon, 14 Apr 2008 09:50:45 -0400
From: Mike Bloom <mike@databloom.com>
To: freebsd-ipfw@freebsd.org
Subject: layer 2 captive portal questions
Message-ID: <48036135.1080707@databloom.com>
Hi All,

I'm replacing a commercial Java SESM capture portal with location-specific VLANs with ipfw, and I'd like to allow a user to enter their credentials to a webserver running on the gateway of their local VLAN, and be allowed to surf as long as their MAC address and IP address stay the same.

So far I have a working IP layer captive portal as such:

00100 228 49451 divert 8668 ip from any to any via fxp0
00100 40 6771 allow ip from 10.1.4.5 to any
00200 0 0 fwd 10.1.4.1,8080 tcp from any to any dst-port 80 in
00300 296 77558 allow ip from any to any
00400 0 0 deny ip from any to any
65535 294 25712 deny ip from any to any

fxp0 is WAN, 10.1.4.1 is the gateway IP for my VLAN's subnet.

If I do a

00100 40 6771 allow ip from 10.1.4.5 to any

before the fwd statement, my user is free to browse the web without the capture portal. However, what I would like to do is lock down their MAC address (which I collect from arping their IP on the vlan interface) **and** IP, as such:

00100 0 0 allow ip from 10.1.4.5 to any via vlan4 MAC 00:1b:63:ac:3a:84 any
00100 0 0 allow ip from 10.1.4.5 to any via vlan4 MAC any 00:1b:63:ac:3a:84

I think I'm mixing layer 2 and layer 3 criteria, and probably I just need to separate these rules out by blocking layer 2 between fxp0 and vlan4 (where the 10.1.4.x subnet exists) **then** allowing IP through via the previously mentioned scheme.

Any thoughts or suggestions would be greatly appreciated.
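As an added example (not code from the original post or its author), the following script emits a ruleset that puts the MAC/IP binding on a separate layer-2 pass and keeps the existing divert/fwd portal logic on the IP pass. It assumes FreeBSD with net.link.ether.ipfw=1 so frames are also handed to ipfw at layer 2, which is the pass where MAC options match; the rule numbers and the APPLY variable are this example's own choices, the interface, IP and MAC values are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Prints (or, with APPLY=1, applies)
# an ipfw ruleset that separates the layer-2 MAC/IP binding from the layer-3
# captive-portal rules. Assumes net.link.ether.ipfw=1 (layer-2 filtering on).
WAN=fxp0
LAN=vlan4
GW=10.1.4.1

# portal_rules USER_IP USER_MAC -> ipfw commands on stdout
portal_rules() {
    ip="$1"; mac="$2"
    cat <<EOF
sysctl net.link.ether.ipfw=1
ipfw -q flush
# --- layer-2 pass: frames from the authenticated IP must carry its MAC ---
ipfw add 50 allow ip from $ip to any in via $LAN MAC any $mac layer2
ipfw add 60 deny ip from $ip to any in via $LAN layer2
ipfw add 70 allow all from any to any layer2
# --- layer-3 pass: the poster's portal logic, without MAC options ---
ipfw add 100 divert 8668 ip from any to any via $WAN
ipfw add 110 allow ip from $ip to any
ipfw add 200 fwd $GW,8080 tcp from any to any dst-port 80 in
ipfw add 300 allow ip from any to any
ipfw add 400 deny ip from any to any
EOF
}

# Print by default; only apply when explicitly requested (APPLY=1 is this
# example's convention). Defaults are the values from the post.
if [ "${APPLY:-0}" = 1 ]; then
    portal_rules "$1" "$2" | sh
else
    portal_rules "${1:-10.1.4.5}" "${2:-00:1b:63:ac:3a:84}"
fi
```

Rule 60 drops frames that claim the authenticated IP from a different MAC before they ever reach the layer-3 allow at rule 110; unauthenticated clients still pass layer 2 untouched and land on the fwd to the portal.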
