  1. #1
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    653

    Captive Portal not working with overly restrictive Firewall & Web Filter rules

    We have an Untangle policy with the following:
    • Firewall app configured to block all traffic
    • Web Filter configured to block all categories
    • Captive Portal configured to capture everything & direct to login page

    The idea is that unauthenticated users are sent to a highly-restrictive policy until they have logged in.

    This seems to not work. Captive Portal never appears and everything is blocked.

    This leads me to wonder whether Untangle evaluates the Firewall App rules and/or the Web Filter app rules before invoking the Captive Portal app. Can anyone confirm this is correct (Firewall app and/or Web Filter apps are evaluated & action taken before Captive Portal app is considered)?

    Thanks!
    -
    Doug

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,589

    Yes, if all traffic is blocked there are no web requests to "capture".
    Just remove your firewall rule and use the captive portal to "capture" everything.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    653

    Quote Originally Posted by dmorris View Post
    Yes, if all traffic is blocked there are no web requests to "capture".
    Just remove your firewall rule and use the captive portal to "capture" everything.
    In doing this, I think we still want a firewall rule that blocks all WAN-destined ports except 53, 80 & 443. You see any harm in that?

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,589

    Quote Originally Posted by dmor View Post
    In doing this, I think we still want a firewall rule that blocks all WAN-destined ports except 53, 80 & 443. You see any harm in that?
    If you block that, there is nothing for captive portal to do. What's the point of blocking traffic with firewall that is already going to get captured by captive portal?

    The whole point of captive portal is to block people from getting to the internet until they authenticate. I would use captive portal.

  5. #5
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    653

    Quote Originally Posted by dmorris View Post
    If you block that, there is nothing for captive portal to do. What's the point of blocking traffic with firewall that is already going to get captured by captive portal?

    The whole point of captive portal is to block people from getting to the internet until they authenticate. I would use captive portal.
    Are you saying Captive Portal blocks ALL PORTS (not just 80 & 443) until the user authenticates?

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,589

    That depends on your Capture Rules.

    With the default rule of traffic from any non-WAN, yes, it's going to capture all sessions from non-WANs.

  7. #7
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    653

    Quote Originally Posted by dmorris View Post
    That depends on your Capture Rules.

    With the default rule of traffic from any non-WAN, yes, it's going to capture all sessions from non-WANs.
    But technically it is really only "capturing" HTTP/HTTPS sessions, and blocking everything else it "captures", correct? I can't see how it could redirect an email client using SMTP port 587 to the captive portal login page...?

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,589

    Correct, for anything besides 53, 80, 443 it just blocks it if the client is not authenticated.

  9. #9
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    653

    Quote Originally Posted by dmorris View Post
    Correct, for anything besides 53, 80, 443 it just blocks it if the client is not authenticated.
    That is great to know. Thanks!
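
A simplified model of the evaluation order discussed in this thread, added here as an illustration; it is not Untangle code and not part of any post. It shows why a block-all Firewall rule leaves Captive Portal nothing to capture, and what the default capture rule does per port once that rule is removed. Assumptions: the verdict strings, the interface labels, the sample ports, and that port 53 is passed rather than redirected.

```python
"""Toy model of the session handling described in the thread (not Untangle code)."""
from dataclasses import dataclass

PORTAL_EXEMPT = {53}         # assumption: DNS passes so clients can resolve names
PORTAL_REDIRECT = {80, 443}  # web sessions are sent to the login page
SAMPLE_PORTS = (53, 80, 443, 587)  # constructed sample: DNS, HTTP, HTTPS, SMTP submission


@dataclass(frozen=True)
class Session:
    src_intf: str        # "LAN" or "WAN" (constructed labels)
    dst_port: int
    authenticated: bool


def captive_portal(session: Session) -> str:
    """Default capture rule from the thread: capture all sessions from non-WAN."""
    if session.src_intf == "WAN" or session.authenticated:
        return "pass"
    if session.dst_port in PORTAL_EXEMPT:
        return "pass"
    if session.dst_port in PORTAL_REDIRECT:
        return "redirect-to-login"
    return "block (captive portal)"  # nothing to redirect, so the session is dropped


def evaluate(session: Session, firewall_block_all: bool) -> str:
    """Firewall is evaluated first; a session it blocks never reaches Captive Portal."""
    if firewall_block_all:
        return "block (firewall)"
    return captive_portal(session)


def outcomes(firewall_block_all: bool, authenticated: bool = False) -> dict:
    """Verdict per sample port for a LAN client."""
    return {
        port: evaluate(Session("LAN", port, authenticated), firewall_block_all)
        for port in SAMPLE_PORTS
    }


if __name__ == "__main__":
    print("block-all firewall rule:", outcomes(firewall_block_all=True))
    print("firewall rule removed:  ", outcomes(firewall_block_all=False))
    print("after login:            ", outcomes(False, authenticated=True))
```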
