  1. #1
    Newbie
    Join Date
    May 2019
    Posts
    3

    How to block a client from connecting to the Guest WIFI that uses Captive Portal

    Hi, I have a problem with my Guest WIFI. Many neighbours try to connect to it and that fills up my license limit. No, they don't have the portal password, but it seems like the system counts any client that gets an IP as an active client....

    So I would like a way to ban some clients by their MAC address or with a Tag. I don't want this client to get an IP by DHCP for the reason stated above. I tried in the firewall app, it doesn't work. I tried in the filter rules, it doesn't work either. I tried to add those clients to the bypass rules group, but then they are not asked for login and password by the portal, so they are logged in to my guest network....

    How can I deal with this? The ideal would be a way that Untangle doesn't count unauthenticated clients as part of active clients in the license....

    Actually I think that Untangle shouldn't count clients that are connected through the portal but not authenticated as part of the license count...

    Thank you in advance

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,673

    Create a new policy with firewall as block all. Then use a policy rule to send all unauthenticated to this policy.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    May 2019
    Posts
    3

    Quote: Originally Posted by jcoffin
    Create a new policy with firewall as block all. Then use a policy rule to send all unauthenticated to this policy.

    Thank you for your reply. I tried to add a TAG to unwanted clients and then created a firewall rule for these tagged clients; it didn't work. They got an IP; they might have no access, but they get an IP from the DHCP anyway. Will it be different with a policy?

    Regards

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,237

    They are going to get IP addresses; none of the tools you're using impact the ability to access services on the Untangle server itself. The blocked endpoint has DNS resolution access, as well as access to the net support supporting the wireless. So yes, getting a DHCP address is expected.

    If you wish to prevent this, you need controls implemented on your access points.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untanglit
    Join Date
    Jun 2018
    Posts
    25

    Quote: Originally Posted by rimba
    So I would like a way to ban some clients by their mac address or with a Tag.

    Quote: Originally Posted by sky-knight
    If you wish to prevent this, you need controls implemented on your access points.

    @Rimba, do you have a frequent number of "new" guests trying to authenticate through the portal? If it's a fairly small group, I'd use @Sky-knight's suggestion and implement a whitelist on your access point of only the devices you want to grant wireless access to. The list would be even smaller if you have a "Guest-only" SSID.

  6. #6
    Newbie
    Join Date
    May 2019
    Posts
    1

    Check if your access point has a 'MAC filter blacklist' to drop the request for an IP address before it hits the router. If the end client is smart they could spoof another MAC address, so keep monitoring the network.

  7. #7
    Newbie
    Join Date
    May 2019
    Posts
    7

    Yup, use MAC filtering at the AP level to block them from connecting.

    Another suggestion is to set your DHCP lease time low, like 30 minutes. This should free up IPs quicker, especially if they're just passing by.

    If there was a way to drop packets from a host (either by tag or MAC addy) then it might be possible from within the firewall.
