Monowall WISP client's data gets past my captive portal ? in Wireless Service Providers

Re: Monowall WISP client's data gets past my captive portal ?

Mon, 11 Sep 2006 08:58:29 EDT

uscomputing : Unfortunatly they are all about their bottom line. The would rather lose one customer than spend lots of labor hours trying to resolve your issue. Most people don't even know what latency on their line is, and that's the kind of low maintenance customer they are looking for. The nice thing about being a WISP is that your customers do notice when you go the extra mile to solve a problem they are having and they won't hesitate to tell everyone they know about the good service they are getting from you.

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 23:11:31 EDT

Airplane777 : Hi John:

I wanted to let neighbors on, just to see how well my system worked. Especially since I'm homing in on getting my Monowall set up properly. At least I think I'm getting it pretty much set up...lol.

But I didn't like it when I saw the one or two neighbors that seemed to be using up tons of data recently. But now that has stopped...seems to be as of yesterday early.

When my new ISP finally gets my new dsl installed, thats when I'll hand out my door hangers. Then I'll turn off the Captive Portal and DHCP. Then I'll only let people on that pay and give them private static IP addresses.

It's been about 2 months since I started trying to get this new ISP to install my dsl. This co. has its own dslam. I had intermittancy problems with the Covad dslam...I still do. Basically Covad gave up on trying to fix the intermittancy problem. So I'm switching to another ISP.

EDIT: I should mention that SE was my ISP and Covad the CLEC. SE wanted to keep trying to fix it, but Covad told SE they would stop trying. They never would agree to a meeting with Verizon at my location to look at the problem together. They may have come to my place one time to check it out.

I don't think much of a company that just gives up like that. When I was in cellular, and we had a problem, we kept trying til we fixed it...no matter if it was a cell site problem or a microwave problem, etc...we kept at it til we fixed it. That doesn't seem to be the mentality of Covad. I realize Covad might do a good job for many customers...but it seems when there is an elusive intermittant problem...they give up way to quick.

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 21:29:48 EDT

lutful : This is my suggestion for a very secure HotSpot solution:

1. One SSID runs captive portal but firewall rules provide access to only a https site where a valid IEEE 802.1x certificate can be downloaded.

2. Users install the certificate and use a second SSID with firewall rules that allow access to the internet.

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 20:32:21 EDT

John Galt :

said by Airplane777 :

I came home today and noticed someone else authenticated past the captive portal page.

Since the authentication has been raised, what method can be used here to restrict access by users (using any protocol)...in any regard?

In other words...no pay, no play?
--
A is A

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 16:19:13 EDT

Airplane777 : Hi uscomputing:

I'm not sure about that. Could be a teenager trying something...lol.

I came home today and noticed someone else authenticated past the captive portal page. They didn't seem to be using all that much data though. Not like several days earlier. They didn't stay on real long.

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 16:06:36 EDT

uscomputing : Are you sure your neighbor who is using the connection isn't a teenage jr. hacker who is trying to run a port sniffer on his newly found free internet connection so he tell his friends how much of a hax0r he is?

Re: Monowall WISP client's data gets past my captive portal ?

Sun, 10 Sep 2006 13:19:41 EDT

Airplane777 : Something very interesting...

Starting sometime early yesterday, my neighbors computers no longer try to get on my system...even when I take off captive portal.

I did notice that two of these neighbors authenticated into my captive portal about 2 days ago. The captive portal page is set up so that after they click on the continue button, they will have a URL redirection to the Kim Komando security web page. On my captive portal I told them specifically to get AdAware, SpyBot, ZoneAlarm, and AVG Antivirus off of Kim Komando's web site.

Since my neighbors computers haven't been trying to get into my WISP interface for about the last day, I can only assume that they might have downloaded this software and used it.

Maybe they had some nasty application on their computer that automatically turned on their WiFi card and tried to associate with any AP it found...unknown to the owner. For many days it was associating to my AP. And after associating, if I didn't have captive portal turned on, it would pass data to the Internet.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 23:48:08 EDT

Airplane777 : Hi sporkme:

Thanks for your thoughts here.

Opening up just the ports you mentioned seems reasonable since it is gratis. If I have an actual WISP customer, I will know which IP address goes to which customer, since I'll give them private static IP addresses.

For my DHCP IP range, I can have just those ports opened that you mentioned. But for any paying customers, I can allow more leeway for my paying customers. I'll probably turn off DHCP when I start putting paying customers on my AP. I'll try to probably allow p2p for my paying customers, but I will put a very low weight on it and have it in my "catch all" queue.

If I can find out the neighbor who seems to have the infected computer, I'll let him know. I know his MAC address. Too bad my Netstumbler doesn't pick up wireless laptops, like it picks up APs. I could use a directional antenna to find this neighbor. I understand there are applications that will let me pick up the signal from the laptop. I need to find out more about those.

Right now I don't know which neighbor was on, since it was opened up to all in the neighborhood. I think it probably wss a nearby neighbor, due to the high signal strength that I saw.

I'll ask my WISP customers to use Spybot, and AdAware, Zone Alarm, etc. to keep their computers clean. So that might be a good solution.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 23:33:09 EDT

sporkme : I'm just going to jump in real quick and say this:

If I were running a captive portal, I would likely have rules on the interface that the AP is attached to that would block everything but the most common ports (21, 25, 53, 80, 110, 143, 443, 993, 995). If you are giving gratis access, why even bother with anything beyond the "basics"? Ideally, 25 would redirect to an smtp proxy with some basic rate limiting as well.

I'd guess that your friend is likely infected with some type of nasty that is either trying to infect other machines or to "phone home".

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 22:45:37 EDT

lutful : Rather than P2P, I suspect adware/trojan trying to send some info back to home server. Ask them to check/clean their PC using Spybot search and destroy. The log will show what was there.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 21:51:05 EDT

Airplane777 : Hi Lutful:

Wow. I get so much info coming at me I can forget some of what I have read in the past.

So then this incrimenting of port numbers in my case probably is normal, as my computer tries to connect to a web site.

But...in the case of my neighbors computers that were trying to connect to Asia web sites, their computers also tried to incriment port numbers at times. But maybe they could have been p2p or spyware, etc?

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 21:39:02 EDT

lutful : This is how TCP/IP works. I recall cmaenginsb provided good explanations in your early posts. :)

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 21:32:35 EDT

Airplane777 : Hi all:

The above screen shot is from my own laptop computer. Notice that there is also a lot of incrimenting of port numbers attached to the IP address that DHCP assigned to my laptop.

I noticed there are two destination IP addresses. First my compuyter tried to go to 66.210.246.140 port 80. It turns out that this is the web URL redirection web site that I have set up in Monowall. Why would my computer try to go to that web site by incrimenting a whole bunch of port numbers?

Then notice that there is another IP address of 69.95.90.67 port 80. There are two of those destination addresses. And that is correct. That is the web address I went to after the URL redirection web site.

So why does my computer have to incriment port numbers when it is trying to go to web sites. Maybe that is normal? If it is normal, I'm not sure why.

I think I'm operating a clean computer...but that screen makes me wonder whats going on. This might make me look like I don't know whats going on...lol. But I wanted to tell you guys anyway. I wasn't going to hold this info back...even if it might make me look like I don't know whats going on...lol.

I thought I'd show that screen to you guys, since it makes my computer act similiar to my neighbors, whose computer also incrimented port numbers. And I'm not doing any p2p that I know of. I even ran AdAWare and Spybot to check things out. My neighbors computers seem to be going to Asia web sites. I was going to a web site in the USA.

I hope this might help put more light on whats going on here with this port incrimenting.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 18:20:19 EDT

lutful : Often all unknown traffic is lumped as P2P including some ports used by emergency health monitors. :(

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 18:02:36 EDT

Airplane777 :

said by robbin :

You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load.

I did have the idea that p2p is pretty bad...at least for WISPs.

If I can see that I can allow p2p along with my other traffic, I'll feel better about it. But I'll probably just have to give is a veeeery low traffic weight, so it doesn't hog up the BW from more desirable applications.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:46:46 EDT

Airplane777 : BTW, I still love Monowall from all that I have learned from you all.

Monowall is still my first choice for router/firewall/traffic shaper.

I admit I still still have a lot to learn about fine tuning Monowall to my needs. I guess I'm at an impass here trying to figure what to do with that data the is trying to get into my WISP interface.

I won't be using captive portal or DHCP when I actually start selling to WISP customers. I'll assign static IP addresses, so I'll know who has what IP address.

From what I can see, I'm leaning towards just mitigating any p2p applications...as I'm starting to think that I don't want to lose customers who want to do p2p. I just want to give them the lowest traffic shaping weight possible.

I already have a "catch all" in my Monowall now, that I'm hoping is catching any p2p. I'm using "catch all" because I realize that p2p changes Ip and port addresses all the time. My catch-all should get them all. Gee...if I see that works real good for me, then I shouldn't need NetEnforcer at all...maybe?

So my Monowall passes p2p...I just am trying to give it a veeeery low weight.

Gee...with all that in mind...maybe I'm too overly worried about anyone on my network that is using p2p...like this neighbor.

So I should get BT and do some testing, to be sure that the low traffic shaping weight of 1, stops the bad effects of p2p on my high priority applications.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:43:23 EDT

robbin :

said by Airplane777 :

I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also...

You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load. Here is a link to a linux distribution from Duke University as an example. The important point is that there are legitimate uses -- just as legitimate as VOIP or email or surfing the web!

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:34:43 EDT

lutful : You can allow a dozen ports to go through with higher priority and doom the rest to very low bit rates.

Although m0n0wall is considered by many to be one of the easiest firewalls, I think a few WISP and HotSpot specific config.xml files will be a good addition. I will ask some m0n0wall gurus.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:27:15 EDT

Airplane777 :

said by robbin :

BitTorrent is peer-to-peer (P2P). It is NOT malware.

I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also...lol.

Thanks for those links.

So you think all that data trying to get into my WISP interface is p2p?

If I was to take the captive portal off, then that data would flow out my WAN interface.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:26:24 EDT

Airplane777 : Lutful:

What you posted here...thats not mine data is it?

I'll relook to see if I can find it in my config file. Although I still don't know of a firewall rule to stop all this data on Monowall.

Reason being, I understand that I could put in place firewall rules for BT, Kazza, and the other p2p applications. But I understand they will migrate to port 80...and I can't stop data flowng in port 80.

I do have a catch-all that encompases p2p on my traffic shaper. Since I can't stop the p2p, I gave it a weight of 1.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:22:03 EDT

robbin : BitTorrent is peer-to-peer (P2P). It is NOT malware.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:17:24 EDT

Airplane777 : I don't have a rule to block all that data cause I don't know what the rule would be, due to all the different IP and port addresses that this malware is using.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:15:10 EDT

robbin : I'm not sure it's appropriate for this forum to be giving instructions on the use of BitTorrent. Just google it and look for information and FAQs. There is a massive amount of info out there giving help for using it. ;)

[edit] I can't imagine how you can consider learning how to block or mitigate it if you have never used it or understand how it works.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:10:27 EDT

lutful : Airplane777 kindly sent me his config file and the rules are set to allow those traffic ...



block
opt1
tcp
opt1
5000
Block Outgoing TCP data  on WISP Interface, coming from WISP subnet using any port, TO any IP using UPnP port 5000.

UPnP2 port 1900.
http-rp-epmap port 593.
NetBios ports 135-139
SMB port 445
port 1433 or 1434 ...>
 

passopt1
opt1
lan
Pass any Outgoing data on WISP Interface, coming from WISP subnet using any port, TO any IP (EXCEPT LAN) using any port.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 17:07:11 EDT

Airplane777 :

said by robbin :

Google for BitTorrent or just go to »www.bittorrent.com

When I download it, do I just go to some other location on the Bit Torrent web site and try to download a music file? I'm not sure that will help me to learn how to block or mitigate it.

I have a suspicion Monowall can't stop or mitigate it. I'll probably have to use deep packet inspection like with Net Enforcer.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 16:50:37 EDT

Airplane777 :

said by openbox9 :

Are the connections on your WISP interface (the ones that haven't authenticated to your portal) actually getting out on your WAN interface? If the answer is no, then you don't have a problem and your m0nowall captive portal is working the way it is supposed to.

Man, I really shouldn't post so late at night.

I'm not sure. I don't think so.

I go to the Status:Traffic graph, and once in a while I'll see a little quick blip go by about every 12 seconds. It peaks to about 5 kbs. The in and out is basically the same height. I'll post the picture above. It's not from my neighbor cause if I disconnect the ethernet cable from the WISP interface, I still get the same data going by.

It's probably form my desktop computer on the LAN interface...even though I'm not trying to up or download any data.

And if I go to the WISP interface on the graph, I don't see any data flowing at all. It's completely blank.

So all that data that is trying to get into my WISP interface (as shown by the log), is not showing up on the traffic graph.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 16:41:19 EDT

Airplane777 : Here is another sample.

You can see the malware is incrementing the source port numbers.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 16:38:16 EDT

robbin : Google for BitTorrent or just go to »www.bittorrent.com

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 16:28:36 EDT

Airplane777 : Hi openbo9:

I don't even know where to get BT. I never had a reason to use it before.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 15:19:43 EDT

openbox9 : Airplane, I reread this thread and I think I've totally misread this whole thing. Are the connections on your WISP interface (the ones that haven't authenticated to your portal) actually getting out on your WAN interface? If the answer is no, then you don't have a problem and your m0nowall captive portal is working the way it is supposed to.

Man, I really shouldn't post so late at night.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 15:14:16 EDT

Mike_27 :

said by Airplane777 :

So that terrible data from my neighbor has figured some way around the captive portal.

I think you have anwsered this yourself in an earlier post.

said by Airplane777 :

These neighbor is just associated to my AP. He did not log in via the captive portal.

Kick him so he has to authenticate via your captive portal.

Mike

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 15:04:39 EDT

openbox9 :

said by Airplane777 :

So it looks like it won't let pinging traffic through. What port does pinging traffic use? I'm pretty sure it's not port 80.

pinging is part of the ICMP protocol. It does not use TCP/UDP ports.

said by Airplane777 :

So that terrible data from my neighbor has figured some way around the captive portal.

I don't have any experience with m0n0wall, so I can't be much more help. Do you have a BT client installed to test without authenticating to your portal?

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 14:35:44 EDT

Airplane777 : deleted

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 14:25:13 EDT

Airplane777 :

said by openbox9 :

Don't even worry about going to your captive portal page. The simplest test I can think of is to associate your laptop to your AP and then try to ping anything outside of your network. If you're able to ping, then your portal is not stopping you and it most likely only works for http requests. I'll lay 50:1 odds this is the case

I tried pinging yahoo.com, and it would not ping. It does ping if I authenticate via the captive portal page.

So it looks like it won't let pinging traffic through. What port does pinging traffic use? I'm pretty sure it's not port 80.

I can't even ping my WISP gateway port from my laptop computer, without being authenticated. So that terrible data from my neighbor has figured some way around the captive portal.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 14:03:40 EDT

openbox9 :

said by John Galt :

Copyright issues aside...you don't want to block P2P, you want to mitigate its effects on your network.

"Port chasing" is a long row to hoe...you are never done as P2P clients become more adaptive.

I totally agree and I didn't mean to imply otherwise. Trying to outright block anything will only fuel the geeks and hackers (not crackers, but maybe them as well) to find another solution. Mitigation and minimizing the effects is definitely the way to go.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 13:58:28 EDT

Airplane777 : These neighbor is just associated to my AP. He did not log in via the captive portal.

When I get my WISP going, I'll turn off the captive portal. Right now anyone who authenticates via the captive portal gets an "Introduction" message of who I am and that I will soon offer WISP services in the area.

But even with captive portal turned off, this data will still flow without something like like NetEQualizer to mitigate things.

Doesn't look too good.

I see they are doing a lot of incrementing of the source ports.

Do you guys think this is p2p? Maybe Bit Torrent?

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 13:54:39 EDT

Airplane777 : After I start to get some customers, I just might utilize a Net Equalizer along with my Monowall.

That will be fair to all, it will throttle back anyone who clogs up the network, and it won't block any p2p...if I understand this correctly.

I'm not sure Monowall can mitigate p2p all that well...other then me having a "catch all" queue with very low weight...as long as the p2p is not using port 80. If port 80 is used by p2p, that would be a real bummer.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 12:59:28 EDT

John Galt :

said by openbox9 :

said by Airplane777 :

Although if I have a customer with BT, I would prefer not to completely block them. I'd like to just block the BT if possible. I just don't see how to do that with Monowall yet.

Good luck on that. If you can figure out an easy and low cost method to block only BT, you'd be a rich man because every ISP in the world would want the technology

Copyright issues aside...you don't want to block P2P, you want to mitigate its effects on your network.

"Port chasing" is a long row to hoe...you are never done as P2P clients become more adaptive.

I like the method that NetEqualizer uses...

"NetEqualizer's customer base comprises a growing subset of IT administrators that don't feel the need to identify types of traffic explicitly, as long as their impact is kept in check."

»www.ereleases.com/pr/20060905005.html
--
A is A

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 12:46:58 EDT

Airplane777 : Isn't stateful packet inspection at layer 7? I didn't think Monowall could do layer 7 inspection.

I think I read that somewhere. I forget where.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 12:37:16 EDT

openbox9 :

said by Airplane777 :

I'm going to try that on my laptop. I'll go to the captive portal page and not click on the Continue button...and I'll try to send an email to myself. That outgoing email will be on another port other then 80. I'll see if that works.

Don't even worry about going to your captive portal page. The simplest test I can think of is to associate your laptop to your AP and then try to ping anything outside of your network. If you're able to ping, then your portal is not stopping you and it most likely only works for http requests. I'll lay 50:1 odds this is the case ;)

Good luck on that. If you can figure out an easy and low cost method to block only BT, you'd be a rich man because every ISP in the world would want the technology.

said by Airplane777 :

Maybe one other way to stop this would be a firewall with stateful packet inspection...like Net Equalizer, or Net Enforcer...something with stateful packet inspection.

I don't think stateful inspection is going to help with your problem, especially since m0n0wall already uses stateful inspection.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 12:16:35 EDT

Airplane777 :

said by openbox9 :

Airplane, if I had to make a guess, I'd say that m0n0wall captive portal only works for http requests and that if someone associates with your AP, they can still transfer all other traffic without "authenticating" to your portal.

Hi openbox9:

Thanks much for your reply.

Gee...I never thought about my Monowall being able to pass traffic on ports other then port 80, even though the "Continue" button was not clicked on.

I'm going to try that on my laptop. I'll go to the captive portal page and not click on the Continue button...and I'll try to send an email to myself. That outgoing email will be on another port other then 80. I'll see if that works.

said by openbox9 :

I'd also guess that the .153 address using the port numbers 2549-2558 might be BT traffic since they're all about the same time and the connections are to different IP addresses. Without blocking everything but port 80 or using some sort of MAC or 802.1x authentication, I don't think you'll be able to solve this problem.

It would be nice if Monowall would let me block based on MAC addresses. Then no matter what IP address my DHCP gives him, he would be blocked.

Gee...after I said that, I realized that I can stop this guy based on his MAC address right in my AP. My AP has that capability. Although if I have a customer with BT, I would prefer not to completely block them. I'd like to just block the BT if possible. I just don't see how to do that with Monowall yet.

There is one good thing though. When I start selling my WISP service, then no one will get an IP address from my DHCP. I'll have DHCP turned off. Then I'll know each person's IP address. Then I can just block the person's static IP address if I notice them sending out "junk" like this...lol.

Maybe one other way to stop this would be a firewall with stateful packet inspection...like Net Equalizer, or Net Enforcer...something with stateful packet inspection. If I understand correctly, then it won't matter about the changing IP addresses or ports?

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 11:56:43 EDT

openbox9 : Airplane, if I had to make a guess, I'd say that m0n0wall captive portal only works for http requests and that if someone associates with your AP, they can still transfer all other traffic without "authenticating" to your portal. I'd also guess that the .153 address using the port numbers 2549-2558 might be BT traffic since they're all about the same time and the connections are to different IP addresses. Without blocking everything but port 80 or using some sort of MAC or 802.1x authentication, I don't think you'll be able to solve this problem.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 10:32:55 EDT

Airplane777 :

said by lutful :

Please add firewall rules on WISP interface right away.

The packets will still "get into" the interface - you cannot do anything about that in any router.

But they will be blocked and will not "go out" to LAN or WAN.

The problem is, I don't know what firewall rules to add in order to block this data at the WISP interface, other then specifically blocking the IP address of 192.168.3.153. That will completely stop the malware on this particular computer from getting in at all. But then my DHCP will probably hand out a different IP address to him a little later and it will start all over again.

Looks like there are too many different IP addresses to block.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 01:39:31 EDT

lutful : Sorry - did not look at the log carefully. Please add firewall rules on WISP interface right away.

The packets will still "get into" the interface - you cannot do anything about that in any router.

But they will be blocked and will not "go out" to LAN or WAN.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 01:29:35 EDT

Airplane777 :

said by lutful :

But you are blocking them as soon as they enter - so they show up in the log.

I'm really not blocking them from getting into the WISP interface. The green arrow to the left shows they came into the WISP interface.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 01:25:20 EDT

lutful :

said by Airplane777 :

Are you saying that I need some kind of firewall rule to block this trashy data from coming into my WISP interface?

Now I see what you mean. You cannot apply rules before the packets enter the firewall.

But you are blocking them as soon as they enter - so they show up in the log.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 01:12:48 EDT

Airplane777 : Here is a screen shot. I am showing the heading. And then showing a bunch of the WISP data that looks like it was passed into my WISP interface.

I assume this data was not passed out the WAN port, since the captive portal "continue" button was not clicked on. I know it wasn't clicked on because no one shows up when I do the Status:Captive Portal page.

Look how close together the different times are.

That IP address of 192.168.3.153 has a bunch of different port numbers. Some are incrementing. But some stay the same for several tries...like port 16210.

My DHCP server handed out this IP address to my neighbors computer...even though this neighbor didn't click on the "continue" button, in order to gain access to the Internet.

As a matter of fact, right now I have two neighbors that have obained IP addresses by way of DHCP. But its only this one IP address that seems to be giving problems.

Something wierd is going on with all that data flowing. Would love to find out what is happening.

I guess I could block that IP address from my WISP interface, but my DHCP might hand out a different IP address later on to this same computer.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 01:04:50 EDT

Airplane777 : Are you saying that the trashy data is being passed into my Monowall through the WISP port, but it isn't being allowed out the WAN port to any external server on the Internet?

That might make sense then.

Are you saying that I need some kind of firewall rule to block this trashy data from coming into my WISP interface?...even though this trash data still can't get out onto the Internet (since the captive portal is active)? That might explain why Monowall is logging this data...even though it can't get out to the Internet.

I wish I knew what kind of data it was so I could create a firewall to block it. It is trying to go to some external IP address, specifically using port 80. And the source IP address (as handed out by my DHCP), is always incrementing the port number.

EDIT: In the shot below it wasn't trying to use port 80, but it was trying to use that as a destination port earlier.

Maybe I can do a screen shot and show you.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 00:53:48 EDT

lutful : You still need firewall rules. Captive portal only traps HTTP requests to external servers.

Re: Monowall WISP client's data gets past my captive portal ?

Sat, 09 Sep 2006 00:44:54 EDT

Airplane777 : Hi Lutful:

I'm going to have to study closer what you posted, but I'm not sure what you posted explains why data can come into my WISP interface.

I figured that the captive portal would act like some kind of firewall for data coming into the WISP interface, if the "continue" button wasn't clicked on.

Re: Monowall WISP client's data gets past my captive portal ?

Fri, 08 Sep 2006 23:29:56 EDT

lutful : Block traffic to LAN and WISP nets, and then grant access to the internet using firewall rules. Something like this screenshot from »m0n0.myhsr.com/tutorial.html

Monowall WISP client's data gets past my captive portal ?

Fri, 08 Sep 2006 23:12:28 EDT

Airplane777 : This was in my thread on APNIC, but I thought this deserved a seperate thread, since the APNIC thread didn't seem to be going in this direction.

This is a thought provoking problem...

My problem here is:
I have people in my neighborhood that are associated to my AP and have gotten DHCP leases from my Monowall, but who have not clicked the "Continue" button on my captive portal (I instituted captive portal), in order to gain access to the Internet. But these people's computers are still passing apparently trashy data into my WISP interface of my Monowall.

I see an IP address that my DHCP has assigned to one of my neighbor's computers. And this IP address is acting as a source and incrementing port numbers trying to get to another IP address out on the Internet that goes to CHINA RAILWAY TELECOMMUNICATIONS CENTER. A bunch of the destination IP numbers that the DHCP IP address tries to go to is to CHINA RAILWAY TELECOMMUNICATIONS CENTER.

Whats really purplexing is that my neighbor's computer was given an IP address from the DHCP of my Monowall...But this computer did not log onto the Internet via the Captive Portal. But the logging information on my Monowall shows that this data is being passed. How can that be?

Seems that the trashy data is bypassing my captive portal?

Thanks for any ideas on how this can happen.