Users are able to bypass the splash page using a VPN. I messed around with the VPN myself and managed to get by and have zero restrictions. I have a testing SSID where I created a firewall blocking every IP besides the ones necessary, yet the VPN still managed to bypass the splash page and pull an IP that was denied. Just wanted to see if anyone had a similar issue or any ideas on how to resolve such a massive security problem.
Any help would be much appreciated. Thank you.
Are you sure that the Controller disconnection behavior is not set to Open?
@alemabrahao Thanks for the reply. But the Controller disconnection behavior is set to "Restricted."
Can you share your SSID configuration?
Try enabling the Walled Garden.
Sadly, that didn't work.
I suggest you open a support case.
Sweet, I'll work on that. I appreciate your quick responses.
This could be a possible workaround.
Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps.
Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server, such as 8.8.8.8.
Root Cause:
When client devices connect to the MR they are placed in a captive portal policy, and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However, the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic.
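Since the post above says pre-authentication clients are only subject to traffic shaping, not the L3/L7 firewall, and the "real solution" warns against blocking port 53 outright (that would break DNS for the splash page itself), it helps to see which guest clients are actually pushing a tunnel over UDP/53 before deciding on shaping or upstream blocking. The following is an added example, not code from the thread, from Meraki or from the MR/MX products: a small detector run over constructed flow records of the kind a NetFlow/IPFIX exporter or a firewall log would provide. The `Flow` fields, the thresholds and the sample addresses are all assumptions to be tuned to your network; the point is the separation of ordinary DNS (a few small packets) from tunnel-like port-53 traffic (sustained volume, large packets, dominating the client's bytes).

```python
"""
Added example (not from the thread, Meraki or the MR/MX firmware): flag
clients on a guest SSID whose port-53 traffic profile looks like a tunnel
rather than ordinary DNS. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    client: str    # client IP on the guest SSID (assumed exporter field)
    dport: int     # destination port
    nbytes: int    # bytes sent client -> server in this flow
    pkts: int      # packets client -> server in this flow


# Heuristic thresholds (assumptions, tune for your environment). A normal DNS
# query is well under 300 bytes; a tunnel pushes kilobyte-sized packets and
# makes port 53 the bulk of what the client sends.
MAX_AVG_DNS_PKT = 300       # bytes per packet to port 53
MAX_DNS_BYTES = 200_000     # total bytes to port 53 in the observation window
MAX_DNS_SHARE = 0.5         # fraction of the client's bytes that go to port 53
MIN_DNS_BYTES_FOR_SHARE = 10_000  # ignore share for clients that barely used DNS


def summarise(flows):
    """Aggregate per-client byte/packet counters, splitting out port 53."""
    per_client = defaultdict(lambda: {"dns_bytes": 0, "dns_pkts": 0, "total_bytes": 0})
    for f in flows:
        s = per_client[f.client]
        s["total_bytes"] += f.nbytes
        if f.dport == 53:
            s["dns_bytes"] += f.nbytes
            s["dns_pkts"] += f.pkts
    return per_client


def suspicious_clients(flows):
    """Return {client: [reasons]} for clients whose port-53 profile matches a tunnel."""
    result = {}
    for client, s in summarise(flows).items():
        reasons = []
        if s["dns_pkts"] and s["dns_bytes"] / s["dns_pkts"] > MAX_AVG_DNS_PKT:
            reasons.append("large average port-53 packet size")
        if s["dns_bytes"] > MAX_DNS_BYTES:
            reasons.append("port-53 volume exceeds threshold")
        if (s["total_bytes"]
                and s["dns_bytes"] > MIN_DNS_BYTES_FOR_SHARE
                and s["dns_bytes"] / s["total_bytes"] > MAX_DNS_SHARE):
            reasons.append("port 53 dominates the client's traffic")
        if reasons:
            result[client] = reasons
    return result


# Constructed sample: a normal pre-auth client doing a few lookups plus the
# splash-page HTTP exchange, and a client sending sustained traffic to port 53.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", 53, 1_800, 20),         # 20 ordinary DNS queries, ~90 B each
    Flow("10.0.0.11", 80, 45_000, 60),        # captive-portal redirect and login
    Flow("10.0.0.42", 53, 2_400_000, 1_800),  # ~1.3 KB per packet, megabytes to UDP/53
    Flow("10.0.0.42", 443, 5_000, 12),
]

if __name__ == "__main__":
    for client, why in suspicious_clients(SAMPLE_FLOWS).items():
        print(client, "->", "; ".join(why))
```

The three checks are deliberately independent so that a single noisy resolver does not trip the detector: the first client looks up twenty names and is never flagged, while the second trips all three rules. Output of this kind is what you would feed into a decision to apply the shaping rule to UDP/53 on the guest SSID or to add the upstream block, while leaving your real resolver reachable.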
For the workaround, is there a way to slow down the bandwidth for specific ports rather than the entire network?
Yes, it is.
Thanks mate! It works!
These users who were using a 3rd-party VPN to bypass the guest wireless authentication are now blocked.
Captive portal strength also set to block all access?
Yes it is.
Unfortunately, the splash page is not secure.