Different rate limits based on login?
-
New to Netgate, have a 6100.
I have been able to set up a Captive Portal and also set up a custom domain to forward to the logout page, without clients needing to remember the IP address or port.
Now I am on the quest for rate limits based on voucher types.
Question: How would I go about setting up a single captive portal where I could have different speed tiers depending on login?
The voucher system is bound by whatever rate limit is set on the captive portal, so that does not work.
I would like to offer a few speed tiers.
FREE: 1Mbs/500Kbs
FAST: 6Mbs/750Kbs
FASTEST: 10Mbs/1Mbs
Would installing the FreeRADIUS package allow me to create a voucher based system with different speed tiers?
If so, any good tutorials showing such a setup?
If this is not possible via RADIUS, can I do it with PHP and inject a MAC based speed restriction after validating a voucher? In this case I would have to link the voucher roll # to a speed tier config file/DB, so that once the voucher is confirmed, PHP can pull the tier speed and then add the restriction to the MAC.
If this would be possible, is there any documentation on using PHP to add a MAC based speed restriction?
Thanks in advance
-
@Swicago said in Different rate limits based on login ?:
Now I am on the quest for rate limits based on voucher types.
If I understand you correctly, you can use voucher based Captive Portals. In order to achieve the 3 portals in your example, you would set up 3 VLANs on the OPT1 interface, connect 3 separate captive portals, one to each VLAN, and then configure the combination of the Captive Portal and Voucher sessions to match what you need. Each VLAN has its own DHCP pool.
Note: in order to use 3 VLANs, you need access points that support VLANs, and use a separate StationID for each captive portal. For example, FREE, FAST and FASTEST would show up as WiFi stations when they connect, and each would have a separate voucher pool.
Although FreeRADIUS can achieve the same, custom programming is required to prevent clients from logging into each other's Captive Portal, i.e. a FREE FreeRADIUS-authorized portal client can log into a FASTEST Captive Portal that is also authorized by FreeRADIUS. I have brought this major flaw to Netgate's attention (Tunnel Attribute setting in FreeRADIUS) but it was initially rejected outright and is now a Redmine sitting on the "future" shelf covered in dust.
Be forewarned about FREE: if you forgo authorization and don't use vouchers, people will just spoof MACs to get access if there is any time limit.
Pay attention to DHCP Lease times and idle timeout settings if you are going to use Kea DHCP.
-
@Swicago said in Different rate limits based on login ?:
Would installing Free Radius Package allow me to create a voucher based system with different speed tiers?
If so, any good tutorials showing such a setup?
Yes, the one and only (2 actually), and you can find them here, on this page: https://www.youtube.com/@NetgateOfficial/videos
IMHO, set up one portal, as the videos tell you to do, and call it "Free", with the 1Mbs/500Kbs setting.
Then a second one, on another interface, for the FAST network, using 6Mbs/750Kbs for the connected users.
And a third, using "10Mbs/1Mbs".
If you want to use (pfSense) Vouchers, you don't need FreeRADIUS, which will simplify the setup a lot.
For the FAST and FASTEST portals, activate a Voucher Roll on each of them, and create some vouchers. These are the ones you 'sell'.
No need to specify anything anywhere: a user who bought a "FASTEST" voucher will use the FASTEST portal (make that the name of the SSID ^^).
Users who didn't buy a FAST or FASTEST voucher will not be able to use the FAST or FASTEST portal, as the voucher code will not work (or they don't have a voucher code as they are FREE users). And the other way around.
The FREE portal is just an auto login, with neither user nor password needed: use :
-
Thank you both for responding. I already know I can make 3 portals/VLANs. However, this is not very convenient on a customer level. I am right now looking at how to create a single portal that will accept vouchers and offer not only time length but also speed rates.
I have since learned RADIUS will be the way to go; it supports returning custom attributes back to pfSense and these can be used to regulate the speed of a client based on their voucher type.
https://docs.netgate.com/pfsense/en/latest/captiveportal/configuration.html#radius-options
-
@Swicago said in Different rate limits based on login ?:
I have since learned RADIUS will be the way to go
As long as you use "reauthenticate every minute" and do not enable multiple users per account, FreeRADIUS can work.
I assume you are using the default FreeRADIUS installation that enables a SQLite DB for time and a flat file system for data quotas (/var/log/radacct), both on the same server as pfSense. I suggest you set up a test using low data and time quotas to ensure you are getting what you want before you do the final configuration. Stick to a single "Tunnel", i.e. a single portal, and enable Stop/Start and reauthenticate every minute. In my experience, it is best to rely on the Captive Portal idle timeout and max timeout values if possible. That would require that each account have the same timeout limits independent of access type. Make sure it is FreeRADIUS that is disconnecting your user by making its timeout smaller during your test.
If you want to use vouchers from the portal in FreeRADIUS, export the vouchers, enter the first one manually in FreeRADIUS, then you can back up only the package manager in Diagnostics, Backup & Restore. Edit the XML file by finding the entry for the voucher you entered and duplicate it inline in the XML file, then restore the package manager backup after editing it. I found Excel did a nice job of automating it for me. FreeRADIUS will start balking (user manager slow down) at around 2000 users (vouchers). As FreeRADIUS does not inherently support vouchers, we use the same voucher value for user name and password to simplify logins.
As you can see, you may find 3 Station IDs (Captive Portals) suddenly look quite good, quick and easy.
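The two posts above (RADIUS reply attributes controlling per-client speed, and using the voucher code as both user name and password) can be put together in a small script. This is an added example, not code from the thread, from Netgate or from the FreeRADIUS package: it takes an exported pfSense voucher list, maps each voucher roll to one of the three speed tiers from the original question, and emits stanzas in the stock FreeRADIUS `users` file format. The attribute names and units are taken from the pfSense captive portal RADIUS options documentation linked above (`pfSense-Bandwidth-Max-Down`/`-Up` in Kbit/s, or the standard `WISPr-Bandwidth-Max-Down`/`-Up` in bit/s); the roll numbers, voucher codes and the roll-to-tier mapping are constructed for the example, and the per-user bandwidth restriction on the portal is assumed to be enabled so the reply attributes are honoured.

```python
import re

# Speed tiers from the thread, as (download, upload) in Kbit/s, which is the unit
# the pfSense-Bandwidth-Max-* attributes take (WISPr-Bandwidth-Max-* is in bit/s).
TIERS = {
    "FREE": (1000, 500),
    "FAST": (6000, 750),
    "FASTEST": (10000, 1000),
}

# Assumption (constructed for this example): which pfSense voucher roll sells which tier.
ROLL_TIER = {1: "FREE", 2: "FAST", 3: "FASTEST"}

# Constructed sample of (roll number, voucher code) pairs, as exported from the portal.
SAMPLE_VOUCHERS = [(1, "a7Kq3Lm9"), (2, "Zx4Pn8Rt"), (3, "Qw2Er5Ty")]

# Only accept codes that cannot break out of the quoted users-file syntax.
VOUCHER_RE = re.compile(r"^[A-Za-z0-9]{4,32}$")


def is_valid_code(code):
    """True if the voucher code is plain alphanumeric and safe to quote."""
    return bool(VOUCHER_RE.match(code))


def tier_for_roll(roll):
    """Look up the speed tier sold under a given voucher roll number."""
    return ROLL_TIER[roll]


def users_entry(code, tier, wispr=False):
    """Render one FreeRADIUS `users` stanza for a voucher.

    The voucher code is used as both user name and password, as suggested
    in the thread, so the portal login only needs the code typed twice.
    """
    if not is_valid_code(code):
        raise ValueError(f"refusing voucher code with unexpected characters: {code!r}")
    down, up = TIERS[tier]
    if wispr:
        # WISPr attributes are in bit/s, so convert from Kbit/s.
        bw = (f"\tWISPr-Bandwidth-Max-Down := {down * 1000},\n"
              f"\tWISPr-Bandwidth-Max-Up := {up * 1000},\n")
    else:
        bw = (f"\tpfSense-Bandwidth-Max-Down := {down},\n"
              f"\tpfSense-Bandwidth-Max-Up := {up},\n")
    # users-file layout: check item on the first line, reply items indented and
    # comma-separated on the following lines, the last reply item without a comma.
    return (f'{code}\tCleartext-Password := "{code}"\n'
            + bw
            + f'\tReply-Message := "Voucher tier {tier}"\n')


def generate_users_file(vouchers, wispr=False):
    """Render every (roll, code) pair as a stanza, separated by blank lines."""
    return "\n".join(users_entry(code, tier_for_roll(roll), wispr)
                     for roll, code in vouchers)


if __name__ == "__main__":
    print(generate_users_file(SAMPLE_VOUCHERS))
```

The output is the plain `users` format of a stock FreeRADIUS. On pfSense the FreeRADIUS package regenerates its configuration from the GUI settings, so (assumption) hand-written stanzas would be overwritten; the entries have to go in through the package's Users tab or the package-backup XML route described in the post above. The alphanumeric check on the code is there because the code lands inside a quoted string in a file FreeRADIUS parses; a voucher containing a quote or backslash could otherwise corrupt or alter neighbouring entries.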
-
@EDaleH, great info. Thanks for the tips for testing. Good to know about the 2k limit. I don't think I will have that problem at my site, but if it were to become a problem, maybe I'll look at the RADIUS protocol and make my own listener that can respond correctly to pfSense.
I have done similar services in the past for flow control on OpenWrt type devices.