OPNsense Forum

English Forums => General Discussion => Topic started by: srijan on July 16, 2016, 08:32:14 pm

Title: Captive Portal Authentication with Transparent Proxy
Post by: srijan on July 16, 2016, 08:32:14 pm
Hello Everyone,

I am new to Opnsense, but so far I have liked everything Opnsense has to offer. However, recently I got stuck using Captive Portal. My requirement is to use Captive Portal with Transparent Proxy, and it does not seem to work.

1. Standalone Captive Portal works fine.
2. Captive Portal with Forward Proxy works absolutely fine, and does web filtering as well.
3. Captive Portal with Transparent Proxy does not seem to work. Works at times and fails at times.

My requirement is to let Captive Portal authenticate users and then pass on the session to Transparent Proxy. I see two rules in IPFW, one to pass all port 80 traffic to Captive Portal and, below it, a rule to pass that traffic through. I want Captive Portal to pass the authenticated traffic to the proxy when Transparent Proxy is enabled. Something similar to this is what I see:

05002 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em1
05002 allow ip from any to any dst-port 80 via em1

I only need the authenticated traffic to pass to the proxy and then have the proxy take effect.

It would be a great help if anyone can suggest a solution. I have checked pretty much everywhere with no results.

I want to install Opnsense in my production environment and this is a requirement.

Thanking you all in anticipation.
Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: srijan on July 18, 2016, 09:09:06 pm
Can someone help me pass authenticated traffic to the proxy on port 3128? Basically, here are the IPFW rules:

# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

# pass authorized
add 65533 pass ip from any to any

I need help in passing the authenticated traffic to proxy_IP:3128. Then the proxy will hopefully pass the traffic out. This way I may be able to use Captive Portal with Transparent Proxy.
Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: burghy on July 19, 2016, 06:32:34 pm

I have the same problem. Captive portal goes smoothly on the hotspot network; transparent proxy and content filtering go perfectly on the LAN network.
If I enable transparent proxy on the hotspot network, the captive portal no longer works and the clients get onto the network without logging in, but at least the transparent proxy works.
Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: srijan on July 20, 2016, 02:45:49 pm
I have a slightly different setup: I have set up captive portal and transparent proxy on the LAN interface. I have finally managed to get it to work, with a workaround. Here is what I have done.

1. When you enable captive portal, it creates IPFW rules:
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

This is to throw the Captive Portal to users.

2. After getting authenticated, the traffic passes through the following rules:
# pass authorized
add 65533 pass ip from any to any

3. I have created two IPFW rules to pass the authenticated traffic to the Transparent Proxy:
# pass authorized
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65530 allow ip from any to any dst-port 80 via em2

add 65533 pass ip from any to any

It then passes the traffic to the proxy. You just need to ensure that in the Firewall Rules there is no rule that blocks port 80 traffic, nor a NAT rule that redirects it to the transparent proxy.

Everything needs to be done via the IPFW ruleset.

Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: burghy on July 26, 2016, 10:55:06 pm
Please add a screenshot of your firewall rules settings.
Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: srijan on July 27, 2016, 04:59:35 am
Here are my IPFW rules:

root@OPNsense:~ # cat /usr/local/etc/ipfw.rules

#======================================================================================
# flush ruleset
#======================================================================================
flush

#======================================================================================
# define dummynet pipes
#======================================================================================

#======================================================================================
# define dummynet queues
#======================================================================================


#======================================================================================
# general purpose rules 1...1000
#======================================================================================
add 100 allow pfsync from any to any
add 110 allow carp from any to any
# layer 2: pass ARP
add 120 pass layer2 mac-type arp,rarp
# OPNsense requires for WPA
add 130 pass layer2 mac-type 0x888e,0x88c7
# PPP Over Ethernet Session Stage/Discovery Stage
add 140 pass layer2 mac-type 0x8863,0x8864
# layer 2: block anything else non-IP(v4/v6)
add 150 deny layer2 not mac-type ip,ipv6

# allow traffic send from localhost
add 200 skipto 60000 ipv6 from ::1 to any
add 201 skipto 60000 ipv4 from 127.0.0.0/8 to any
add 202 skipto 60000 ipv6 from any to ::1
add 203 skipto 60000 ipv4 from any to 127.0.0.0/8

#======================================================================================
# Allow traffic to this hosts static ip's
#======================================================================================
add 1002 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state
add 1002 skipto 60000 ip from any to { 255.255.255.255 or 192.168.1.1 } in
add 1002 skipto 60000 ip from { 255.255.255.255 or 192.168.1.1 } to any out
add 1002 skipto 60000 icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
add 1002 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
add 1003 skipto 60000 udp from any to 1.1.1.1 dst-port 53 keep-state
add 1003 skipto 60000 ip from any to { 255.255.255.255 or 1.1.1.1 } in
add 1003 skipto 60000 ip from { 255.255.255.255 or 1.1.1.1 } to any out
add 1003 skipto 60000 icmp from { 255.255.255.255 or 1.1.1.1 } to any out icmptypes 0
add 1003 skipto 60000 icmp from any to { 255.255.255.255 or 1.1.1.1 } in icmptypes 8

#===================================================================================
# zone OPT Captive Portal (0) / em2 configuration
#===================================================================================
add 3000  skipto 10001 ip from table(0) to any via em2
add 3000  skipto 10001 ip from any to table(0) via em2


#======================================================================================
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2


#======================================================================================
# accept traffic from all interfaces not used by captive portal
#======================================================================================
# let the responses from the captive portal web server back out
add 6000 skipto 60000 tcp from any to any out
# forward unauthorized traffic from captiveportal interfaces to block rule
add 6002 skipto 65534 all from any to any via em2
# send all the rest to the traffic shaper rules
add 6199 skipto 60000 all from any to any


#======================================================================================
# setup zone accounting section
#======================================================================================
# zone OPT Captive Portal (0)
add 10001 count ip from any to any via em2
add 10998 skipto 30000 all from any to any via em2
add 10999 deny all from any to any not via em2


#======================================================================================
# setup accounting section, first rule is counting all CP traffic
#======================================================================================
add 30000 set 0 count ip from any to any


#======================================================================================
# traffic shaping section, authorized traffic
#======================================================================================
add 60000 return via any


# pass authorized
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65530 allow ip from any to any dst-port 80 via em2
add 65533 pass ip from any to any

# block all unmatched
add 65534 deny all from any to any


Regards,
-=Srijan Nandi
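
As an added illustration (not part of this thread or of OPNsense's own code), the Python below walks a client packet through the inbound subset of the ruleset posted above, using ipfw's skipto/count semantics and assuming that `return` with an empty call stack falls through to the next rule, to show why an unauthenticated port-80 request is forwarded to the portal at 127.0.0.1,9000 while a client in table(0) reaches the proxy at 3128. Client and destination addresses are constructed.

```python
# Inbound-client subset of the em2 ruleset posted above (constructed copy; IPv6, 443 and DNS rules omitted).
RULES = """
add 3000 skipto 10001 ip from table(0) to any via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 6002 skipto 65534 all from any to any via em2
add 10001 count ip from any to any via em2
add 10998 skipto 30000 all from any to any via em2
add 30000 set 0 count ip from any to any
add 60000 return via any
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65533 pass ip from any to any
add 65534 deny all from any to any
"""

def parse(text):  # 'add N [set S] action [arg] [proto] [from A to B] [dst-port P] [in|out] [via IF]'
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[1:]                       # drop the leading "add"
        if t[1] == "set": del t[1:3]               # the set number does not affect the walk
        i = 3 if t[1] in ("skipto", "fwd") else 2  # skipto/fwd carry one argument
        r = {"num": int(t[0]), "act": t[1], "arg": t[2] if i == 3 else None, "proto": "all",
             "src": "any", "dst": "any", "dport": None, "dir": None, "via": None}
        while i < len(t):
            if t[i] in ("ip", "ipv4", "tcp", "udp", "icmp", "all"): r["proto"] = t[i]
            elif t[i] in ("in", "out"): r["dir"] = t[i]
            elif t[i] == "via": i += 1; r["via"] = None if t[i] == "any" else t[i]
            elif t[i] == "dst-port": i += 1; r["dport"] = int(t[i])
            elif t[i] in ("from", "to"): key = "src" if t[i] == "from" else "dst"; i += 1; r[key] = t[i]
            i += 1
        rules.append(r)
    return rules

def matches(r, pkt, auth):  # auth = client IPs in table(0): users the captive portal has logged in
    ok = lambda spec, ip: spec == "any" or (ip in auth if spec == "table(0)" else spec == ip)
    return (r["proto"] in ("ip", "ipv4", "all", pkt["proto"]) and ok(r["src"], pkt["src"])
            and ok(r["dst"], pkt["dst"]) and r["dport"] in (None, pkt["dport"])
            and r["dir"] in (None, pkt["dir"]) and r["via"] in (None, pkt["via"]))

def walk(rules, pkt, auth):  # -> (final action, matched rule numbers)
    i, path = 0, []
    while i < len(rules):
        r = rules[i]
        i += 1
        if matches(r, pkt, auth):
            path.append(r["num"])
            if r["act"] == "skipto":                   # continue at the first rule numbered >= target
                i = next((k for k, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
            elif r["act"] not in ("count", "return"):  # count, and return with an empty call stack (assumed), fall through
                return (r["act"] + " " + r["arg"] if r["arg"] else r["act"]), path
    return "deny", path                                # ipfw's implicit default rule 65535
```

The walk also makes visible that only port 80 is redirected: a logged-in client's port-443 request reaches rule 65533 and passes without touching the proxy, and an unauthenticated client's non-web traffic is sent to the deny rule by 6002.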
Title: Re: Captive Portal Authentication with Transparent Proxy
Post by: burghy on July 27, 2016, 05:03:21 pm
Thank you, tomorrow I will try it.