Date:      Mon, 14 Apr 2008 09:50:45 -0400
From:      Mike Bloom <>
Subject:   layer 2 captive portal questions
Message-ID:  <>

Hi All,

I'm replacing a commercial Java SESM captive portal with location-specific 
VLANs with ipfw, and I'd like to allow a user to enter their credentials 
to a web server running on the gateway of their local VLAN, and be allowed 
to surf as long as their MAC address and IP address stay the same.

So far I have a working IP-layer captive portal, as such:

00100 228 49451 divert 8668 ip from any to any via fxp0
00100  40  6771 allow ip from to any
00200   0     0 fwd,8080 tcp from any to any dst-port 80 in
00300 296 77558 allow ip from any to any
00400   0     0 deny ip from any to any
65535 294 25712 deny ip from any to any

fxp0 is the WAN; is the gateway IP for my VLAN's subnet.

If I do a 

00100  40  6771 allow ip from to any

before the fwd statement, my user is free to browse the web without the captive portal.

However, what I would like to do is lock down their MAC address (which I collect from arping their IP on the VLAN interface) **and** IP,

as such:

00100   0      0 allow ip from to any via vlan4 MAC 00:1b:63:ac:3a:84 any
00100   0      0 allow ip from to any via vlan4 MAC any 00:1b:63:ac:3a:84

I think I'm mixing layer 2 and layer 3 criteria, and probably I just need to separate these rules out by blocking layer 2 between fxp0 and vlan4 (where the 10.1.4.x subnet exists) **then** allowing IP through via the previously mentioned scheme.

Any thoughts or suggestions would be greatly appreciated.

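Added example (editor's, not part of the message above or of any project's code): a sh script that emits an ipfw ruleset keeping the layer 2 and layer 3 rules apart, along the lines the message suggests. Per ipfw(8), with net.link.ether.ipfw=1 a frame is seen once in the layer 2 pass and again in the layer 3 pass, the `layer2` keyword restricts a rule to the layer 2 pass, and the `MAC` option takes destination first and source second (the reverse of the IP order), so a frame sent by the client matches `MAC any <client-mac>`. The script binds each authenticated client's source MAC to its source IP on the inbound layer 2 pass of vlan4, puts the IP in an ipfw table for the layer 3 allow, and keeps the fwd-to-portal rule for everyone else. The interface names, the 10.1.4.0/24 subnet, the gateway address 10.1.4.1, port 8080, table 1, natd on divert port 8668, and the sample client 10.1.4.20 are assumptions; the MAC is the one quoted in the message. It prints the commands by default (DRY_RUN=1) and was written from ipfw(8) rather than run against a FreeBSD kernel, so check the syntax against your release before applying it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original message: an ipfw captive-portal ruleset
# that binds each authenticated client to its MAC *and* IP in the layer 2 pass,
# keeping the layer 2 and layer 3 rules separate.
#
# Assumptions (hypothetical; adjust to your gateway): WAN is fxp0, the client
# VLAN is vlan4 carrying 10.1.4.0/24, the gateway address on vlan4 is 10.1.4.1,
# the portal web server listens on the gateway at port 8080, authenticated
# client IPs live in ipfw table 1, and natd runs on divert port 8668.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

WAN=${WAN:-fxp0}
LAN=${LAN:-vlan4}
LAN_NET=${LAN_NET:-10.1.4.0/24}
GW_IP=${GW_IP:-10.1.4.1}
PORTAL_PORT=${PORTAL_PORT:-8080}
AUTH_TABLE=${AUTH_TABLE:-1}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Rule number block for one client, derived from the last octet of its IP
# (200..961), so the client's three rules can be deleted again as a group.
client_rule() {
    echo $((200 + ${1##*.} * 3))
}

base_rules() {
    run sysctl net.link.ether.ipfw=1      # hand layer 2 frames to ipfw
    run ipfw -q flush
    # --- layer 2 pass: only rules carrying the 'layer2' keyword -----------
    # DHCP from a client that has no address yet must not be caught by a
    # MAC binding below (its source IP is 0.0.0.0, not the bound one).
    run ipfw add 100 allow udp from any 68 to any 67 layer2 in via "$LAN"
    # Per-client bindings go in 200..999 (see authorize_client). Everything
    # else at layer 2 (ARP, unauthenticated IP) proceeds to the layer 3 pass.
    run ipfw add 1000 allow MAC any any layer2
    # --- layer 3 pass -----------------------------------------------------
    run ipfw add 2000 divert 8668 ip from any to any via "$WAN"
    run ipfw add 2100 allow ip from "table($AUTH_TABLE)" to any in via "$LAN"
    run ipfw add 2110 allow ip from any to "table($AUTH_TABLE)" out via "$LAN"
    # Unauthenticated clients: DNS, the portal itself, and HTTP redirected to it.
    run ipfw add 2200 allow udp from "$LAN_NET" to any 53 in via "$LAN"
    run ipfw add 2210 allow tcp from "$LAN_NET" to "$GW_IP" "$PORTAL_PORT" in via "$LAN"
    run ipfw add 2220 fwd "$GW_IP,$PORTAL_PORT" tcp from "$LAN_NET" to any 80 in via "$LAN"
    run ipfw add 2300 deny ip from "$LAN_NET" to any in via "$LAN"
    run ipfw add 2400 allow ip from any to any   # replies and WAN side, like the original 00300
}

# Called by the portal after a successful login: $1 = client IP, $2 = the MAC
# learned for it (e.g. from the ARP table). Frames from this MAC must carry
# this source IP, and this source IP must come from this MAC. ipfw's MAC
# order is dst then src, so the client's own MAC is the second operand.
authorize_client() {
    ip=$1; mac=$2; rule=$(client_rule "$ip")
    run ipfw add "$rule" allow ip from "$ip" to any MAC any "$mac" layer2 in via "$LAN"
    run ipfw add "$((rule + 1))" deny ip from "$ip" to any layer2 in via "$LAN"
    run ipfw add "$((rule + 2))" deny ip from any to any MAC any "$mac" layer2 in via "$LAN"
    run ipfw table "$AUTH_TABLE" add "$ip"
    run arp -s "$ip" "$mac"   # pin the gateway's own IP -> MAC mapping as well
}

deauthorize_client() {
    ip=$1; rule=$(client_rule "$ip")
    run ipfw delete "$rule" "$((rule + 1))" "$((rule + 2))"
    run ipfw table "$AUTH_TABLE" delete "$ip"
    run arp -d "$ip"
}

# Dry-run demonstration with a constructed client (10.1.4.20 is hypothetical;
# the MAC is the one quoted in the message).
base_rules
authorize_client 10.1.4.20 00:1b:63:ac:3a:84
```

The two deny rules per client only match IP frames, so ARP from the bound MAC still falls through to rule 1000 and reaches the layer 3 pass; without that distinction a blanket `deny MAC any <mac>` would also drop the client's ARP. The static ARP entry covers the other direction, so that replies for the bound IP are never sent to a MAC that merely claimed the IP. Rule 2400 is as permissive as the original 00300 and is the place to tighten once the binding works.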