Netgate Discussion Forum

    Captive Portal Bandwidth-Max-Up Down Radius

    9 Posts 3 Posters 1.8k Views
    • D
      dochy
      last edited by dochy

      Hello everyone, I can't set my captive portal to limit bandwidth by specific user. I have an Active Directory server and have installed the NPS service on it. Authorization with NPS works fine, but I can't limit bandwidth by users or groups in Active Directory. Can anybody help?
      I have found https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense but I don't know how to add this to NPS and where we write bandwidth limits per user.

      • GertjanG
        Gertjan @dochy
        last edited by

        @dochy said in Captive Portal Bandwidth-Max-Up Down Radius:

        Active Directory

        You've used Authenticating from Active Directory using RADIUS/NPS as a guideline?

        I presume that these attributes https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense have to be added to the Active Directory and set to the correct values.

        Checking can be done with Troubleshooting NPS.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

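What one of these vendor-specific attributes looks like on the wire (RFC 2865 type 26), with a check that the attribute section of an Access-Accept really carries both limits for a user; this is an added example, not part of the original posts and not pfSense code. The vendor ID 13644 and attribute numbers 1 and 2 are assumptions to confirm against the dictionary.pfsense file linked above, and the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries VSAs
# Assumed values: confirm both in the dictionary.pfsense file linked in the thread.
PFSENSE_VENDOR_ID = 13644
PFSENSE_ATTRS = {1: "pfSense-Bandwidth-Max-Up", 2: "pfSense-Bandwidth-Max-Down"}

def encode_vsa(vendor_id, vendor_type, value):
    """Encode one integer VSA: 26 | len | vendor-id | vtype | vlen | value."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def parse_attributes(blob):
    """Yield (type, value bytes) for each attribute in a RADIUS attribute list."""
    pos = 0
    while pos < len(blob):
        a_len = blob[pos + 1] if pos + 1 < len(blob) else 0
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield blob[pos], blob[pos + 2:pos + a_len]
        pos += a_len

def pfsense_limits(blob):
    """Return {attribute name: integer} for the pfSense VSAs found in blob."""
    found = {}
    for a_type, value in parse_attributes(blob):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PFSENSE_VENDOR_ID:
            continue  # a VSA from some other vendor
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if v_type in PFSENSE_ATTRS and v_len == 6:
                found[PFSENSE_ATTRS[v_type]] = struct.unpack("!I", sub[2:6])[0]
            sub = sub[v_len:]
    return found

# Constructed sample: attribute section of an Access-Accept for one user,
# using the 2048 value mentioned in the thread.
SAMPLE = (
    bytes([18, 4]) + b"ok"                      # Reply-Message
    + encode_vsa(PFSENSE_VENDOR_ID, 1, 2048)
    + encode_vsa(PFSENSE_VENDOR_ID, 2, 2048)
    + encode_vsa(9, 1, 7)                       # another vendor's VSA, ignored
)

if __name__ == "__main__":
    print(pfsense_limits(SAMPLE))
```

An empty result for a user who should be limited means the RADIUS server is not returning the attributes in its reply for that user.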
        • D
          dochy @Gertjan
          last edited by dochy

          @Gertjan According to this guide, am I correctly configured? Here I write 2048 as a speed limit.
          Also, as I understand, this 2048 speed limit is for the whole pfSense captive portal users. How can I limit the rate for a specific user, e.g. user A 2 mbits, user B 10 mbits and so on?

          bcc6e688-8951-439e-b254-ad840865e04d-image.png

          • GertjanG
            Gertjan @dochy
            last edited by

            @dochy
            I've never used "Active Directory" myself.

            • D
              dochy @Gertjan
              last edited by

              @Gertjan OK, have you used the captive portal RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes with any authentication system? It will be pretty if I can use these attributes with FreeRADIUS through Active Directory or directly with Active Directory. In my organization we have many users in the Active Directory service and I should control the bandwidth of each user by groups or something like that.

              • GertjanG
                Gertjan @dochy
                last edited by Gertjan

                @dochy said in Captive Portal Bandwidth-Max-Up Down Radius:

                have you used captive portal RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes with any authentication system?

                Yes.

                This captive portal setting is not used :

                7f74b54b-516d-4294-bfa4-f057ae5b90ca-image.png

                I've a test user, login 'x' and password 'x' set up in FreeRadius.
                No bandwidth limiting.

                ed13397e-0f07-489b-9708-f6c085e822b0-image.png

                When I use this 'x' account, I get what is available. Right now, the real limit is around 45 Mbytes / sec up and down. That limit is imposed by my very old access points.

                Now, I add an up and down limit for this user 'x' :

                1b91a13f-beea-483d-b9f6-d054e7b2a3f6-image.png

                and test again.
                Sure enough, I disconnected the actual 'x' connection first, and reconnected using user login 'x'.
                Result :

                e76b9f63-ba97-4d63-8a13-31394d9171fd-Capture d_ecran . 2023-09-21 a 12.45.09.png

                I consider this a "it works".
                Other captive portal users are not impacted.

                @dochy said in Captive Portal Bandwidth-Max-Up Down Radius:

                have many users in the Active Directory service and I should control the bandwidth of each user by groups or something like that.

                This is what I would do if I needed to figure this out :
                pfSense has a built-in authentication system, the default built-in User manager.
                This one is fine for very basic "login + password" checking.

                FreeRadius offers more, as you can already see in the captive portal settings page :

                e1d3242e-f36e-4f3a-82d1-708d6d6b86b4-image.png

                So, an initial identification is done, and furthermore, every minute 'accounting' is done.
                This accounting is : the user id, and also, MAC address, consumed traffic and much more. All this info is sent to FreeRadius, which compares in its own 'tables' (files and/or database) the allowed (max) values.
                FreeRadius sends back with a 'granted' or 'refused' answer.

                This handling, I want to see this in the code or scripts.
                FreeRadius is already a complex animal, but I once said to myself : it can't be that hard, as nearly every ISP, phone company and whatever other access that is metered on earth is using Radius already.
                So, it can be done. But this aspect is very little discussed on the Internet.
                You want to know how to build a web server ? That's easy, as the day you can read (5 years ?) you can find the info on the net - a zillion times.
                A mail server ? Same thing - a bit more complex, as everybody can send mail, but actually very few know what really happens, what is needed.
                A domain name server (aka : DNS server) : It's actually very easy, as it is ancient technology from the seventies last century, and didn't really evolve since. Take note that DNS is the biggest subject where people think they know what it is, and are fully wrong.
                Radius or an authentication server : ? That's a secret. Just look at the config file (sorry : the entire config folder with xxx files in it) of a Radius server. A mess.
                Of course, FreeRadius is open source. Still, you need to understand what you read .... what is needed to be done.
                I understand that using the source code as a manual isn't really possible for everybody. But for me it's the only sure way to find out how things are done. It can't fail, lie, can't be wrong, is easy to find.
                ( and better : if you think it's wrong : don't complain, change it ^^ )

                Anyway : I can't tell you what pfSense actually exchanges with the type LDAP server - if pfSense sends the "pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes" to the LDAP, then you could see that on the LDAP side : just check (as always !) the log.
                Does it interact on it ? => Does it send a 'granted' or 'refused' back to pfSense once the "pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down" values go over the set limit ?

                I use FreeRadius for one simple (stupid) reason : I wanted to know what the 'Radius' thing was.
                My needs, a captive portal so I can handle Free Wifi access for a hotel, works just fine if I was using the built-in pfSense user manager.
                I don't need to 'bandwidth' user or portal clients, as my 5 hotel APs are actually already limiting each user. The main WAN pipe is a 1 Gbits/sec up and down, so there is enough for everybody.
                There are at the most 20 hotel clients connected at any time, as it isn't strictly needed any more these days, I've also 4G / 5G coverage.

                Sorry for telling you much, and probably nothing.

                • D
                  Dmc @Gertjan
                  last edited by

                  @Gertjan
                  I love your explanation as to why you're using Radius. Very relatable for me as well, as it's turned into an obsession to understand what it is and how it works. Since others can do it, I ought to be able to figure it out - Wrong

                  Though I do appreciate the quest of knowledge gave me a crash course on other elements of networking works. But the quest for this sacred knowledge continues.

                  QQ - I noticed you have very high latency when using bandwidth restrictions. I experienced the same. Is there any workaround for this? I am worried that if I ever need to enforce it myself, my users would be very displeased with me as they rely heavily on it for their businesses.

                  • GertjanG
                    Gertjan @Dmc
                    last edited by

                    @Dmc said in Captive Portal Bandwidth-Max-Up Down Radius:

                    .... rely heavily on it for their businesses.

                    Then don't apply bandwidth limiting ?!
                    Business, even gaming (imho) usage is "short bursts".
                    Only the "disney downloaders" and other p2p users need to be bandwidth limited, so you can discourage them.
                    Back then, in 2023, I was still using VDSL, these days it's 'fiber 1 GB +' symmetrical, so maybe I should probably test again.

                    My access points are now also way more modern : Unifi U6 Pro with "5" and "6" capabilities - I was using the old 2.4 Mhz WRT54GL back then = only the B+G bandwidth.

                    f91b14bc-5d84-4b38-85b2-6887dfa052d5-image.png

                    I use my portal for a hotel access, and I don't limit my clients anymore. The chart shows you why : no one is abusing, something I check once in a while.
                    My clients use ... dono, 10 % of the available bandwidth at any time.

                    @Dmc said in Captive Portal Bandwidth-Max-Up Down Radius:

                    I am worried that if I ever need to enforce it myself, my users would be very displeased with me as they rely heavily on it for their businesses.

                    Don't be.
                    It's like making a cake for 10 persons, and then just one eats your entire cake. You, and the other 9 will be "not happy", so you take this one guy in a corner and you have a small social verbal exchange with him. Or : you do the 'admin' thing : limit him.
                    Remember : You can bandwidth and quota limit just one person = one IP if you need to.

                    • D
                      Dmc @Gertjan
                      last edited by

                      @Gertjan

                      Agreed, perhaps I'll change my approach and perspective. I shouldn't be punishing the 9 people for one bad player, I can just limit the abusers by IP if I must and have a talk with them for their abuse.

                      I am really starting to learn that network administration is really simple to talk about "oh, I'll do this and that" 🤡 but implementation is just a whole other game. We've been too spoiled with the "one-click" culture 🤡 🤡

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.