DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2830n Firewall rules/User Authentication/Landing page fault

  • rayforster1
  • Topic Author
  • Offline
  • New Member
  • New Member
More
13 Jun 2013 14:13 #76555 by rayforster1
I’m pulling my hair out trying to get what I thought would be a simple task working.

Scenario: Two adjacent properties each with its own guest WiFi network sharing a Broadband connection, but are restricted to only allow WWW / email traffic. Admin users have their own WiFi network, without restriction. Got this working fine. Now, I’d like to add a user authentication step, so guest users have to enter a name / password, where upon they are directed to a landing page, giving terms & conditions of internet usage policy etc. Admin users don’t have to authenticate. This is so if anything illegal is downloaded, we can track user access and know they have received and seen the terms & conditions etc.

This should be a perfectly feasible scenario – indeed its described in one of Draytek’s own guides, to be found at:

http://www.draytek.com/index.php?option=com_k2&view=item&id=1841:faq-article-1841&Itemid=293&lang=en

I’m following example 2 – but instead of servers being un-authenticated, these are my admin users.

Here’s what I have - 3 WiFi networks:
192.168.1.0 – Admin network
192.168.2.0 – Guest Network 1 (GN1)
192.168.3.0 – Guest Network 2 (GN2)

Each has a unique Wi-Fi password, no routing between networks & isolated from each other for security.
If an admin user joins the admin network, he gets a 192.168.1.X IP address fine, similarly guest users joining GN1 get a 192.168.2.X IP address & users joining GN2 get a 192.168.3.X IP address.

I have 2 IP groups:
Admin Access = IP subnet 192.168.1.0
Guest Access = IP Subnets 192.168.2.0 & 192.168.3.0

Rules:
A “Service Type group” called “Guest Apps” containing “Service Type object” which define WWW (80/443) and email (110,25,143)
Anyone with a source address of 192.168.1.0 (admin Access) – allowed full unrestricted access. Anyone with a source IP of 192.168.2.0 or 3.0 only allowed to use applications defined in “Guest Apps” group. This all works fine.

Try and add authentication, as per the document above, and everyone is given full, unrestricted internet access, without requiring authentication. It just doesn't work - Things like when you try and select a group in example 2, step 8 - the screen refreshes and goes back to what it was before you selected the group. The only way I've managed to successfully enter a group is to create a new one at this point with the same settings as the original group - but even that doesn't work... I'm never prompted for a login, nor do the rules work - I have complete, unrestricted, unauthenticated access.

The only way I've managed to get anything remotely like authentication working, is to use User based rules - which affects everyone, not just the users I want. This is so annoying - the manuals are next to useless and some features they don't even mention - like the LAN >> Web Portal setup... this doesn't work either.

Got the latest firmware, but still no joy.

Any ideas?? all input gratefully received.
Regards
RF

Please Log in or Create an account to join the conversation.

More
13 Jun 2013 22:17 #76564 by voodle
With your setup, since you've already got rules set up for the guest range, leave the firewall in Rule Based mode and apply the user account to the filter rule you've made for the guest network.

I've just checked that and trying to select a user or user group you've created does just leave the User Management in the filer rule set to None so you've definitely found a bug but I was able to get it working by selecting User - [Create New] in there then making the guest account which then actually applies :D

Hmm, testing some more, the bug is specific to Firefox; Chrome and IE were both able to set that no trouble.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami