Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal, MultiWAN and routing

    Scheduled Pinned Locked Moved
    Captive Portal
    2
    4
    385
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jarlel
      last edited by

      Hi all,

      I have this scenario:

      -A LAN with Captive Portal
      -Two WAN-links, WAN1 and WAN2. WAN1 is a "limited data volume" link with high bandwidth, WAN2 is a "use as much as you want" link with low bandwidth.

      I would like the Captive Portal users to use the WAN1 while they are using their monthly quota.
      When their quota is used up, I want the traffic to go via WAN2 without any limits.

      Can this be achieved with pfSense? If so, how can it be done?
      If not, do you know of any Captive Portal software that offers this functionality?

      Thanks!

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @jarlel
        last edited by

        @jarlel

        I presume this : you're in the middle of no where, not much of a choice with what ISP can reach you over land with a wire, and now you have a second ISP, the one from 'Elon' and tat one works great, but has an quota limit.

        When reading your question, I initially though : get the captive portal out of the equation, and make your setup work with one or two LAN's (one LAN will be the captive portal later on) and start digging.
        When that works, add the portal - and done, as the portal is just some 'local' functionality that already works.
        The other advantage of making it work in steps, is that you can concentrate on one thing at the time.
        Another one : you can pick any firewall device or software you want, you're not limited to "pfSense only".

        Experience (guts, the oracle, Google, etc) tells me you'll be needing something thatis actually used by every ISP on the planet : radius. Radius can do stuff like 'accounting' and can apply rules under defined conditions.
        The thing is : web servers, mail servers, 'DNS' servers, you can find everything within one click of your mouse and some minor keyboard activity.
        A how to about Radius, and thus the freeradius pfSense package, it presumes that you already know what it is, and how to use it.
        Up front I'll tell you right away : those who know how to use radius do not communicate/share their knowledge on the Internet. still, a lot can be found, but you really have to know about it before being able to understand the questions, let alone the answers.
        Like : "you can't fly the plane if you haven't learned flying first". There is no short cut for this one [ if there is, I never found one].

        The Netgate Youtube channel shows how to set up a pfSense captive portal that uses FreeRadius for the authentication and accounting. This can be done with 'the GUI'.
        Things like 'user X is allowed to connect if he has used less then xxxx Mbytes' or 'user X is allowed to connect if he has used less thenthe alloted time per hour/day/week or month'.

        Be warned : freeradius can do for more then that, butthe GUI had to make a choice : only 'some' fonctionalities as the one s I just mentioned are 'clickable'.
        The rest : you'll be editing, like our ISP and who ever else uses Rafius, config files.
        Loads of config files.
        Or the Freeradius scratch pad, or storage place, and that's the reason I advise you to use Freeradius with an MySQL back end (nice : I just added another 'server' to the list, but this one is also declassified from pure rocket science since 1995).

        I'm using the pfSense captive portal with the 'FreeRadius' package as an authentication source. I've being experimenting with it for the last ... couple of years.

        The fastest solution, as I know it will work :
        For every user, create 2 accounts.
        One that works and is quota limited. If the quota test fails, the user will see 'over quota' and he will know that this login is out of order for the rest of the month and he/she will have to use the second login from now on up until the end of the month.

        This leaves you with just one to handle : "login 1" will need to contain a policy that says that the users has to be routed to WAN2. "Login 2" will route over the other WAN1. Something like that, never tried this myself. But again, I'm pretty confident that this can be done as ISP's would need this kind of options.
        Be aware : you better be friends with the real interface : the command line, and config files.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        J 1 Reply Last reply Reply Quote 0
        • J
          jarlel @Gertjan
          last edited by

          @Gertjan thanks, yeah, the one with a quota limit comes from 'Elon', correct :-)

          The Captive Portal is already running with Freeradius. I had already thought about your suggestion for two accounts, but unfortunately I don't see a way to assign different policys to different
          accounts.

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @jarlel
            last edited by

            @jarlel said in Captive Portal, MultiWAN and routing:

            but unfortunately I don't see a way to assign different policys to different
            accounts.

            I'll see what I can find - gime a couple of days though, as this means some serious Googling.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • First post
              Last post