ZeroShell forum: Captive Portal Issue
May 18, 2009 at 11:49 am #41683
Azrael78 (Member)
Hi,
First post to the forum – but we’ve recently been tasked with creating a captive portal for our school wifi.
I have gotten the captive portal working, it authenticates against AD using RADIUS.
The ZS box has 2 interfaces (ETH00 – 10.5.84.0/22 and ETH01 – 192.168.199.0/24).
ETH00 is the interface which ZS should talk to our upstream proxy server and ETH01 is where the wifi clients connect.
So far I can get a wifi client to get DHCP (from ZS), it can do DNS lookups against internet addresses.
What it cannot do is surf the web, even when authenticated.
I don’t have any HTTP Capture Rules set, but I DO have the PARENTPROXY and PARENTPORT settings set for HAVP. I can confirm our site internet service is working.
I’m not quite sure what is going on. It almost seems as if HAVP (or perhaps ZS) isn’t listening on port 80 or redirecting port 80 to the actual proxy.
If I specify the proxy IP manually with port 8080 – it works, but I don’t want that at all, I was under the impression that transparent proxies would fix this.
I’m a little rusty with Linux so if you need more information or output from commands, please let me know and I’ll post back.
Thanks,
Az
May 18, 2009 at 12:19 pm #48115
yum (Member)
Hi,
Please don’t forget that the transparent proxy works only for the HTTP protocol:
Zeroshell uses Transparent Proxy mode, which involves automatically capturing the client requests on TCP port 80.
For any other protocol (FTP, ICQ, HTTPS, etc.) you need to specify the proxy IP manually or to use NAT for your clients.
May 18, 2009 at 1:04 pm #48116
Azrael78 (Member)
As far as I’m aware we are only using HTTP; however, if I wanted to use NAT as well (to grab any other protocols), how would I do this?
Thanks,
Az
May 18, 2009 at 3:34 pm #48117
yum (Member)
Basic setup of NAT is simple. You just have to ensure that the FORWARD queue of the firewall doesn’t block packets to/from the 192.168.199.0/24 subnet. Via the menu “Router” -> “NAT”, put the ETH00 interface in NAT mode.
May 19, 2009 at 7:51 am #48118
Azrael78 (Member)
Thanks for that, yum.
Just to clarify, I have no FORWARD rules in the firewall, so should I add some?
I also have no HTTP capture rules either.
You’re suggesting I add ETH00 (10.5.84.0/22) to be configured as NAT, rather than ETH01?
Thanks,
Az
May 19, 2009 at 12:55 pm #48119
yum (Member)
Yes, ETH00, as long as it is the external interface of your router.
By default Zeroshell passes all traffic, policy “ACCEPT”.

May 19, 2009 at 2:00 pm #48120
Azrael78 (Member)
@yum wrote:
Yes, ETH00, as long as it is the external interface of your router.
By default Zeroshell passes all traffic, policy “ACCEPT”.

I tried that and I still cannot get out to the internet.
Everything else works – just no web browsing. I’m pointing it to an upstream proxy that can be accessed from 10.5.x.x.
I’m at a loss.
Thanks,
Az
May 19, 2009 at 2:50 pm #48121
yum (Member)
Hmm, double-check the network setup under the menu “Setup” -> ”Network”. I mean IPs, netmasks.
Is network status up (for example 1000Mb/s Full Duplex) for both interfaces?
Can you ping upstream proxy using menu “Utilities”? Can you ping any external site?
Did you correctly set up default gateway under menu “Router”?
Maybe it’s just a DNS misconfiguration?

May 21, 2009 at 7:49 am #48122
Azrael78 (Member)
@yum wrote:
Hmm, double-check the network setup under the menu “Setup” -> ”Network”. I mean IPs, netmasks.
Is network status up (for example 1000Mb/s Full Duplex) for both interfaces?
Can you ping the upstream proxy using the menu “Utilities”? Can you ping any external site?
Did you correctly set up the default gateway under the menu “Router”?
Maybe it’s just a DNS misconfiguration?

Both interfaces are up.
I can ping the upstream proxy (the utilities menu uses ETH00).
I can ping/arp/traceroute external sites (the utilities menu uses ETH00). The default gateway is 10.5.87.254, which is our main router for internet-based traffic.
It could be a DNS misconfiguration, how would I check this? I can resolve external addresses via ETH00, but how do I make it use ETH01?
I think the problem is possibly one of the following:
1) Transparent Proxy in HAVP doesn’t work (as in – it’s not properly routing HTTP traffic from ETH01 to port 80 on ETH00).
2) Port 80 on ETH00 is somehow blocked.
3) It can do the above but cannot route the traffic to the upstream from port 80.
If I use the captive portal, log in as a valid user and then MANUALLY set the proxy to ETH01 port 8080 (ensuring that “bypass local addresses” in IE is unchecked), it works, provided the transparent proxy is OFF.
If I do the same with transparent proxy turned on, it doesn’t work, however I believe the point of transparent proxy is so that you don’t have to put in proxy IPs and such.
Thanks,
Az
Edit: Using ping -I ETH01 213.18.249.41 – I can ping the upstream proxy via ETH01. I can also nslookup http://www.google.com from both ETH00 and ETH01. So it does look more like a routing issue.
May 21, 2009 at 8:21 am #48123
vmv4 (Member)
Hi Az!
From the Captive Portal description:
A Captive Portal consists of a gateway that is the default router for the subnet to protect. Such a gateway blocks IP packets destined towards the outside and captures the http and https requests on TCP ports 80 and 443, redirecting them to a web server (called the Authentication Server) that shows the user an authentication page. If the user inserts the right credentials, the Authentication Server communicates to the gateway that the host of the user is authorized, and the gateway forwards the packets outside of the protected network.
That’s why it is impossible to use the Captive Portal and the transparent proxy on the same router, IMHO.
Regards, vmv4
May 21, 2009 at 2:37 pm #48124
Azrael78 (Member)
That’s a little odd. I can understand the reason behind it, but nowhere on the ZS website or documentation did it say I needed 2 boxes, nor has it been suggested anywhere that I’d need 2 boxes.
I’m still inclined to get it all working though as it could be a benefit to the school I work in.
If indeed you cannot have Captive Portal AND Transparent Proxy on the same box, then if I could simply point the Captive Portal end at an existing proxy that would do nicely.
Az
May 21, 2009 at 3:24 pm #48125
imported_fulvio (Participant)
Captive Portal and transparent proxy should work correctly together.
Regards
Fulvio

May 21, 2009 at 4:03 pm #48126
Azrael78 (Member)
@fulvio wrote:
Captive Portal and transparent proxy should work correctly together.
Regards
Fulvio

That’s what I thought… I’m just very confused and frustrated as to why my ZS install doesn’t let me do just that.
Anything else I can try? I’m not above reinstalling ZS from scratch to narrow down the problem.
Az
July 6, 2009 at 2:54 pm #48127
7andY (Member)
I got to exactly this same point, with exactly the same result.
It seems you will also need to set up NAT. In the ‘ROUTER’ section click on ‘NAT’. As your setup has the local side on ETH01, highlight ETH00 on the left side, and click on >>> to move it to the right.
Should sort it for you – did for me!
Cheers, Andy E.
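The thread turns on three rules stated in yum’s, vmv4’s and Andy’s posts: the captive portal captures TCP 80/443 from unauthenticated hosts and blocks the rest; the transparent proxy captures only TCP port 80 from authenticated hosts and hands it to HAVP; every other protocol is simply routed out of ETH00, which only works once ETH00 is in NAT mode. The following is an added model of those decisions, written for this page; it is not ZeroShell code and does not reproduce ZeroShell’s real rule order. The ETH00/ETH01 subnets come from the thread; the gateway’s own addresses (192.168.199.1 and 10.5.84.1), the HAVP port 8080, the authentication-server port 12080 and the external address 203.0.113.10 are assumptions or constructed values.

```python
"""Simplified model of how a captive-portal gateway like the one in this
thread treats packets from the wifi subnet. Added illustration only, not
ZeroShell code. Subnets are from the thread; the gateway's own addresses,
the HAVP port 8080 and the auth-server port 12080 are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

LAN = ipaddress.ip_network("192.168.199.0/24")          # ETH01, wifi clients
GATEWAY_LAN_IP = ipaddress.ip_address("192.168.199.1")  # assumed ETH01 address
GATEWAY_WAN_IP = ipaddress.ip_address("10.5.84.1")      # assumed ETH00 address
HAVP_PORT = 8080          # port the poster pointed clients at manually
AUTH_PORTAL_PORT = 12080  # assumed listening port of the authentication server


@dataclass
class Gateway:
    captive_portal: bool = True
    transparent_proxy: bool = True
    nat_on_eth00: bool = False
    authorized: Set[str] = field(default_factory=set)  # client IPs that logged in


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def decide(gw: Gateway, pkt: Packet) -> str:
    """Return the action the gateway takes for one packet from a client."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src not in LAN:
        return "ignore:not-from-eth01"

    # Packets addressed to the gateway itself are delivered locally. This is
    # what happens when a client is manually configured to use ETH01:8080 as
    # its proxy, which is why that worked for the poster without NAT.
    if dst == GATEWAY_LAN_IP:
        if pkt.proto == "tcp" and pkt.dport == HAVP_PORT:
            return "local:havp"
        return "local:other"

    # Captive portal: an unauthenticated host only gets its HTTP/HTTPS
    # requests captured and sent to the authentication server; everything
    # else it sends towards the outside is blocked.
    if gw.captive_portal and pkt.src not in gw.authorized:
        if pkt.proto == "tcp" and pkt.dport in (80, 443):
            return f"redirect:auth-server:{AUTH_PORTAL_PORT}"
        return "drop:unauthenticated"

    # Transparent proxy: only TCP port 80 is captured and handed to HAVP.
    if gw.transparent_proxy and pkt.proto == "tcp" and pkt.dport == 80:
        return f"redirect:havp:{HAVP_PORT}"

    # Anything else (HTTPS, FTP, DNS to outside resolvers, ICMP, ...) is
    # routed out of ETH00. With ETH00 in NAT mode the source is rewritten to
    # the gateway's own address so replies can return; without it the packet
    # leaves with a 192.168.199.x source the upstream has no route back to.
    if gw.nat_on_eth00:
        return f"forward:eth00:snat:{GATEWAY_WAN_IP}"
    return "forward:eth00:unnatted"


def walk_through() -> dict:
    """Run the situations discussed in the thread through the model."""
    client = "192.168.199.50"      # constructed wifi client
    outside = "203.0.113.10"       # constructed external host
    unauth = Gateway()
    before_nat = Gateway(authorized={client})
    after_nat = Gateway(authorized={client}, nat_on_eth00=True)
    return {
        "unauth_http": decide(unauth, Packet(client, outside, "tcp", 80)),
        "unauth_ping_outside": decide(unauth, Packet(client, outside, "icmp")),
        "unauth_dns_to_gateway": decide(unauth, Packet(client, str(GATEWAY_LAN_IP), "udp", 53)),
        "manual_proxy": decide(before_nat, Packet(client, str(GATEWAY_LAN_IP), "tcp", HAVP_PORT)),
        "auth_http": decide(before_nat, Packet(client, outside, "tcp", 80)),
        "auth_https_no_nat": decide(before_nat, Packet(client, outside, "tcp", 443)),
        "auth_https_nat": decide(after_nat, Packet(client, outside, "tcp", 443)),
    }


if __name__ == "__main__":
    for name, action in walk_through().items():
        print(f"{name:22s} -> {action}")
```

Running it shows the two cases the poster observed side by side: a client pointed manually at the gateway’s own 192.168.199.1:8080 is handled locally and needs no NAT, while any authenticated traffic that is not TCP port 80 is only forwarded with a usable source address once ETH00 is in NAT mode, which is the setting Andy’s post adds.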