Topic: m0n0wall Captive Portal + NAT 80 -> Squid = No Captive Portal redirect  (Read 7414 times)
« on: September 06, 2010, 23:58:20 »
neuni *
Posts: 3

Hi,

we use m0n0wall's Captive Portal for our WLAN.
This works perfectly.
Now we want to use a Squid Proxy to log internet access. (We have to prove who accessed which site)
My idea was to use NAT and send all requests coming in on Port 80 to the Squid Proxy.
This works, but as soon as I enable the NAT rule, the Captive Portal won't show up for unauthorized users trying to access a website. Instead the browser loads a long time and ends in an error.
If I enter the Captive Portal address manually (192.168.1.1:8000) the Captive Portal shows up and I'm able to login.
When I'm logged in, everything works fine. (Internet access and Squid logs the access)

Our temporary solution is that users have to enter the captive portal address to login, but this isn't a permanent option.

Any suggestions?
« Reply #1 on: September 08, 2010, 09:07:06 »
ngwasuma *
Posts: 17

Where in your network is squid?

« Reply #2 on: September 08, 2010, 14:34:16 »
neuni *
Posts: 3

The configuration is:
m0n0wall with 3 interfaces (WAN, LAN, WLAN)
Captive Portal enabled on WLAN interface. Squid in LAN network.
NAT on WLAN interface: Port 80 -> 192.168.2.7 (LAN network / Squid)
We also tried to put squid in the wlan network. Same effect.
When I disable the NAT rule and set the proxy server on the client everything works fine.
« Reply #3 on: September 12, 2010, 19:14:17 »
ngwasuma *
Posts: 17

What if you ran your squid box as a transparent bridge to come between WLAN interface on M0n0 and your WLAN clients? This assumes you use an AP connected to M0n0 by its ethernet rather than WIFI Lan card on PCI.

« Reply #4 on: September 13, 2010, 15:37:59 »
neuni *
Posts: 3

Wouldn't this mean that all internet requests are coming from the squid IP/MAC? So if the first user is logged in, Squid is added to the captive portal's list and all requests from squid are accepted by the captive portal.
(and all other clients using squid get internet access, too.)
« Last Edit: September 14, 2010, 00:57:18 by neuni »
« Reply #5 on: January 31, 2011, 16:13:48 »
mst *
Posts: 5

I've seen the same with dansguardian. ( Just another proxy / content filter)

I've seen the following in the firewall log.

Packets come from the client to the firewall and go out to the web page the client wants.
AFTER the captive portal has found the web address valid, it asks the client to authenticate.
If the page is not found, the client gets an error.

Not sure why this is so, but it is.

Mich'l
« Reply #6 on: February 20, 2011, 17:41:18 »
Lee Sharp *****
Posts: 517

Welcome to a race condition.  Let me give the order things happen in, and it may make more sense.

The user types http://www.google.com into the browser.
The OS queries DNS for www.google.com. (If the user uses OpenDNS, for example, it breaks here)
The m0n0wall caching DNS looks up the IP and returns it or fails.  (If it fails, it breaks here)
The web browser makes a get on port 80 to 72.14.204.99.
Captive portal captures that get and reroutes it to m0n0wall:8000
The user receives the page and displays it. (Unless they are running some web safe software that checks all web pages)
Log in.

Now with NAT, you may never be passing through the captive portal.  With the get redirected, the portal never sees it, and login never happens.  Or, the redirect happens, and then you pass through the portal, which tries to redirect you, but the web browser is trying to hit the proxy to proxy the login page, which fails which...

What you may want to do, is stack two firewalls.  Set captive portal on the inner m0n0wall, and the nat redirect to squid on your outer firewall.
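As an added illustration (not code from the thread or from m0n0wall), the following Python model walks one HTTP GET through the rule stages the posts describe and shows where each topology ends up: the portal alone, the port-80 NAT rule in front of the portal on the same box (reply #6: "the portal never sees it"), Squid as a transparent bridge in front of the portal (replies #3 and #4: every request then carries Squid's own MAC, so one login opens the door for everyone), and the stacked-firewall layout from reply #6. The portal and Squid addresses come from the thread; the MAC addresses, the "squid-mac"/192.168.1.200 bridge identity and the modelling of the portal as a per-MAC allow list that skips packets already rewritten by NAT are constructed assumptions made only for this model.

```python
"""Toy model of the packet path discussed in the thread (constructed
example, not m0n0wall code).  Stages are applied in order to an HTTP
request; the captive portal keeps an allow list keyed on the client MAC,
and the NAT rule rewrites the destination of any port-80 packet to Squid.
"""
from dataclasses import dataclass, replace

PORTAL = ("192.168.1.1", 8000)   # portal address from the thread
SQUID = ("192.168.2.7", 80)      # Squid address from the thread


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    natted: bool = False      # set once the NAT rule has rewritten the packet


class CaptivePortal:
    """Unauthenticated port-80 traffic is rerouted to the portal page.
    Assumption (as reply #6 describes): a packet the NAT rule has already
    rewritten no longer matches the portal's capture rule."""
    def __init__(self):
        self.allowed_macs = set()

    def login(self, mac):
        self.allowed_macs.add(mac)

    def process(self, pkt):
        if pkt.dst_port == 80 and not pkt.natted and pkt.src_mac not in self.allowed_macs:
            return replace(pkt, dst_ip=PORTAL[0], dst_port=PORTAL[1])
        return pkt


class NatRedirect:
    """Port-80 destination NAT to the Squid proxy (the rule neuni added)."""
    def process(self, pkt):
        if pkt.dst_port == 80:
            return replace(pkt, dst_ip=SQUID[0], dst_port=SQUID[1], natted=True)
        return pkt


class TransparentProxyBridge:
    """Squid bridged between WLAN clients and m0n0wall: every request the
    firewall sees now comes from the proxy's own MAC/IP (constructed values)."""
    def process(self, pkt):
        return replace(pkt, src_mac="squid-mac", src_ip="192.168.1.200")


def deliver(pkt, stages):
    """Run the packet through the stages in order; return the final destination."""
    for stage in stages:
        pkt = stage.process(pkt)
    return (pkt.dst_ip, pkt.dst_port)


def scenarios():
    # Two unauthenticated WLAN clients (constructed MACs/IPs) fetching google.
    alice = Packet("aa:aa", "192.168.1.10", "72.14.204.99", 80)
    bob = Packet("bb:bb", "192.168.1.11", "72.14.204.99", 80)
    results = {}

    # 1. Portal alone: the first GET is captured and lands on the portal page.
    results["portal_only"] = deliver(alice, [CaptivePortal()])

    # 2. NAT rule and portal on the same box, NAT evaluated first: the GET goes
    #    straight to Squid and the unauthenticated user never sees the portal.
    results["nat_first"] = deliver(alice, [NatRedirect(), CaptivePortal()])

    # 3. Squid as a transparent bridge in front of the portal: after Alice logs
    #    in, Bob's traffic arrives with Squid's MAC and is let straight through.
    portal, bridge = CaptivePortal(), TransparentProxyBridge()
    portal.login(bridge.process(alice).src_mac)
    results["bob_via_bridge"] = deliver(bob, [bridge, portal])

    # 4. Stacked firewalls: inner portal first, outer NAT second.  Unauthenticated
    #    users reach the portal; authenticated traffic is then sent via Squid.
    portal = CaptivePortal()
    results["stacked_unauth"] = deliver(alice, [portal, NatRedirect()])
    portal.login(alice.src_mac)
    results["stacked_auth"] = deliver(alice, [portal, NatRedirect()])
    return results


if __name__ == "__main__":
    for name, dest in scenarios().items():
        print(f"{name:>15}: {dest[0]}:{dest[1]}")
```

Scenario 3 is the point neuni raised: once the portal's session table is keyed on the address it sees, a proxy between the clients and the portal collapses every client into one identity, and the access log Squid produces no longer tells you which user logged in. Scenario 4 keeps the portal's view of the real client MAC and still routes authenticated traffic through the proxy.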