This topic contains 12 replies, has 0 voices, and was last updated by 
-
Posts
-
Hi,
First post to the forum – but we’ve recently been tasked with creating a captive portal for our school wifi.
I have gotten the captive portal working, it authenticates against AD using RADIUS.
The ZS box has 2 interfaces (ETH00 – 10.5.84.0/22 and ETH01 – 192.168.199.0/24).
ETH00 is the interface which ZS should talk to our upstream proxy server and ETH01 is where the wifi clients connect.
So far I can get a wifi client to get DHCP (from ZS), it can do DNS lookups against internet addresses.
What it cannot do is surf the web, even when authenticated.
I don’t have any HTTP Capture Rules set, I DO have the PARENTPROXY and PARENTPORT settings set for HAVP.I can confirm our site internet service is working.
I’m not sure quite what is going on.It almost seems as if HAVP (or perhaps ZS) isn’t listening on port 80 or redirecting port 80 to the actual proxy.
If I specify the proxy IP manually with port 8080 – it works, but I don’t want that at all, I was under the impression that transparent proxies would fix this.
I’m a little rusty with Linux so if you need more information or output from commands, please let me know and I’ll post back.
Thanks,
Az
Hi,
Please don’t forget that transparent proxy works only for http protocol :
Zeroshell uses Transparent Proxy mode which involves automatically capturing the client requests on TCP 80 port.
For any other protocol (FTP, ICQ, HTTPS e t.c.) you need to specify the proxy IP manually or to use NAT for your clients.
As far as I’m aware we are only using HTTP, however if I wanted to use NAT as well (to grab any other protocols) – how would I do this?
Thanks,
Az
Basic setup of NAT is simple. You just have to ensure that FORWARD queue of firewall doesn’t block packets to/from 192.168.199.0/24 subnet. Via menu “Router” -> “NAT” put ETH00 interface in NAT mode.
Thanks for that yum.
Just to clarify, I have no FORWARD rules in the firewall, so should I add some?
I also have no HTTP capture rules either.
Your suggesting I add ETH00 (10.5.84.0/22) to be configured as NAT, rather than ETH01?
Thanks,
Az
Yes, ETH00 as long as it is external interface of your router.
By default Zeroshell passes all traffic, policy “ACCEPT”.@yum wrote:
Yes, ETH00 as long as it is external interface of your router.
By default Zeroshell passes all traffic, policy “ACCEPT”.I tried that and I still cannot get out to the internet.
Everything else works – just no web-browsing.I’m pointing it to an upstream proxy that can be accessed from 10.5.x.x.
I’m at a loss.
Thanks,
Az
Hmm, double check network setup under menu “Setup”->”Network”. I mean IPs, netmasks.
Is network status up (for example 1000Mb/s Full Duplex) for both interfaces?
Can you ping upstream proxy using menu “Utilities”? Can you ping any external site?
Did you correctly set up default gateway under menu “Router”?
Maybe it’s just DNS misconfiguration?@yum wrote:
Hmm, double check network setup under menu “Setup”->”Network”. I mean IPs, netmasks.
Is network status up (for example 1000Mb/s Full Duplex) for both interfaces?
Can you ping upstream proxy using menu “Utilities”? Can you ping any external site?
Did you correctly set up default gateway under menu “Router”?
Maybe it’s just DNS misconfiguration?Both interfaces are up.
I can ping the upstream proxy (the utilities menu uses ETH00).
I can ping/arp/traceroute external sites (the utilities menu uses ETH00).The default Gateway is 10.5.87.254 which is our main router for internet based traffic.
It could be a DNS misconfiguration, how would I check this? I can resolve external addresses via ETH00, but how do I make it use ETH01?
I think the problem almost is possibly one of the following:
1) Transparent Proxy in HAVP doesn’t work (as in – it’s not properly routing HTTP traffic from ETH01 to port 80 on ETH00).
2) Port 80 on ETH00 is somehow blocked.
3) It can do the above but cannot route the traffic to the upstream from port 80.
If I use the captive portal, login as a valid user and then MANUALLY set the proxy to ETH01 port 8080 (ensuring that bypass local addresses in IE is unchecked) – it works providing transparent proxy is OFF.
If I do the same with transparent proxy turned on, it doesn’t work, however I believe the point of transparent proxy is so that you don’t have to put in proxy IPs and such.
Thanks,
Az
Edit: Using ping -I ETH01 213.18.249.41 – I can ping the upstream proxy via ETH01. I can also nslookup http://www.google.com from both ETH00 and ETH01. So it does look more like a routing issue.
Hi Az!
From Captive portal descrpton:
A Captive Portal consists in a gateway that is the default router for the subnet to protect. Such gateway blocks IP packets destined towards the outside and captures the http and https requests on TCP ports 80 and 443 redirecting them to a web server (called Authentication Server) that show to the user an authentication page. If the user insert the right credentials, the Authentication Server communicates to the gateway that the host of the user is authorized and the gateway forwards the packets outside of the protect network.
That’s why it is impossble to use Captve portal and transparent proxy on the same router, IMHO.
Regards, vmv4
That’s a little odd – I can understand the reason behind it but nowhere on the ZS website or documentation did it say I needed 2 boxes, nor has it been suggested anywhere that I’d need 2 boxes.
I’m still inclined to get it all working though as it could be a benefit to the school I work in.
If indeed you cannot have Captive Portal AND Transparent Proxy on the same box, then if I could simply point the Captive Portal end at an existing proxy that would do nicely.
Az
Captive Portal and transparent proxy should work correctly together.
Regards
Fulvio@fulvio wrote:
Captive Portal and transparent proxy should work correctly together.
Regards
FulvioThats what I thought… I’m just very confused and frustrated as to why my ZS install doesn’t let me do just that.
Anything else I can try? I’m not above reinstalling ZS from scratch to narrow down the problem.
Az
I got to exactly this same point, with exactly the same result.
It seems you will also need to set up NAT. In the ‘ROUTER’ section click on ‘NAT’. As your setup has the local side on ETH01, highlight ETH00 on the left side, and click on >>> to move it to the right.
Should sort it for you – did for me!
Cheers, Andy E.
You must be logged in to reply to this topic.