Getting Captive Portal to work with passthrough setup
-
Hi there. I'm new to the forums and fairly new to pfSense. I'm trying to do something a little strange, perhaps, and can use some help. I apologize if I'm going into more detail than necessary. I want to be thorough.
I'm trying to help a coworking space set up their network. If you're unfamiliar with coworking, it's basically a large office that people can sign up for so they have a place to work. It's aimed at small, one-man businesses that normally work out of their home. The product they are selling is basically a desk to work at and wireless Internet. Obviously, good, secure, reliable wireless Internet is key… they can't afford to be down.
They also need to be able to track who is on their network and block people who don't have a current membership.
They have a Watchguard XTM 330 as their primary UTM device. We're not looking to replace this with pfSense. It's doing a couple of major jobs. It's providing round robin multi-wan balancing and failover with a DSL connection and a Cable connection... the best we have in our small town. It's also providing web filtering, gateway AV, etc. The plan was to use this to create a trap page which would authenticate users to a RADIUS server, etc. The owner of the company was developing his own user management system that was to tie into the RADIUS server.
Then they changed their minds. They decided not to develop their own system. They found one called Nexudus Spaces which does most of what they want. Problem is, Nexudus needs a pfSense router to handle the trap page. So, now I'm trying to figure out how to put a pfSense box on the network behind the Watchguard. I still want the Watchguard to handle most things - the multi-wan, the security stuff, etc. I basically want the pfSense to run the trap page and authenticate through Nexudus and that's about it.
My theory is to set the pfSense up to be a transparent bridge, running the captive portal, and turn off the other features. I followed William Tarrh's instructions for setting up the transparent bridge. Link to the PDF here:
http://people.pharmacy.purdue.edu/~tarrh/Transparent%20Firewall-Filtering%20Bridge%20-%20pfSense%202.0.2%20By%20William%20Tarrh.pdf
However, I can't assign a bridged adapter to the captive portal. I created an adapter for the bridge and assigned that to the captive portal, but it's not capturing anything. I can get online, but it's not asking me to authenticate.
My questions are these:
1. Is this a reasonable way to get what I want (use the pfSense as a trap page, let the Watchguard do the rest of the work) or am I missing the boat completely?
2. How can I get the trap page to work with the pfSense setup as a transparent bridge?
3. If all users are filtered through the pfSense for the captive portal, is the load balancing going to work correctly on the Watchguard? Will it recognize each user's connection so they can be intelligently routed over the least busy WAN connection, or will the Watchguard route all traffic from the pfSense over one WAN connection?
I appreciate any help you can give me. Thanks!
-
I think I've more or less figured things out for myself. I would appreciate any input if there's a better or easier way to do this.
I started with a fresh install of pfSense. I disabled all packet filtering because I don't want it doing any of that. I set up the captive portal following Nexudus's instructions to work with their system. I bridged the WAN and LAN ports. I then assigned the bridge to its own interface and assigned it an IP address. Then, on the client machine, I made the bridge IP address the default gateway.
That seems to do the trick. When I try to browse the Internet I get stopped by the captive portal. I can authenticate, then I'm online just like I'm supposed to be.
Now I just have to get this configured to work with the Watchguard. I've got to figure out how to block Internet access that isn't filtered through the captive portal because someone out there will be clever enough to manually set their default gateway to bypass the pfSense box.
If there's a better approach to all of this please let me know, but I think this will work.
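The bypass worry in the post above (a client that points its default gateway straight at the Watchguard instead of at the pfSense bridge IP) can be checked for from a packet capture taken on the client-facing segment. The script below is an added example, not code from the original post, from pfSense or from Nexudus. It assumes hypothetical MAC addresses for the pfSense bridge interface and the Watchguard LAN interface, a LAN prefix of 192.168.10.0/24, and link-layer lines in the format printed by `tcpdump -e -n`; the capture and the list of logged-in clients are constructed for the example. A client whose Internet-bound frames are addressed to the Watchguard's MAC rather than the portal's MAC is never seen by the captive portal, whether or not it has logged in.

```python
"""Flag LAN clients that send Internet-bound frames straight to the upstream
gateway's MAC, bypassing a captive-portal box on the same segment."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed values for this example (not taken from the post above).
PORTAL_MAC = "00:0c:29:aa:bb:01"    # pfSense bridge interface, the intended gateway
UPSTREAM_MAC = "00:90:7f:cc:dd:02"  # Watchguard LAN interface
LAN = ipaddress.ip_network("192.168.10.0/24")

# Matches the link-layer header that `tcpdump -e -n` prints for IPv4 frames:
# "<ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <sip>[.port] > <dip>[.port]: ..."
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Frame:
    smac: str
    dmac: str
    sip: str
    dip: str


def parse_frame(line):
    """Parse one `tcpdump -e -n` line; return None for anything that is not IPv4."""
    m = FRAME_RE.match(line)
    if m is None:
        return None
    return Frame(m["smac"], m["dmac"], m["sip"], m["dip"])


def find_bypass(lines, authenticated_ips):
    """Return sorted (client_ip, client_mac, logged_in) tuples for clients that hand
    frames for destinations outside the LAN to UPSTREAM_MAC instead of PORTAL_MAC."""
    seen = {}
    for line in lines:
        f = parse_frame(line)
        if f is None or f.dmac != UPSTREAM_MAC:
            continue
        try:
            dst = ipaddress.ip_address(f.dip)
        except ValueError:
            continue  # malformed address in the capture line; ignore it
        # Talking to the Watchguard's own LAN-side services (DHCP, DNS) is not a
        # bypass; only frames destined beyond the LAN prefix count.
        if dst in LAN:
            continue
        seen[(f.sip, f.smac)] = f.sip in authenticated_ips
    return sorted((ip, mac, auth) for (ip, mac), auth in seen.items())


# Constructed capture (not a real trace): three clients on the LAN segment.
# .21 uses the portal as its gateway; .37 and .52 go straight to the Watchguard.
SAMPLE_CAPTURE = """\
10:15:01.000001 3c:52:82:11:22:33 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.168.10.21.51234 > 93.184.216.34.443: Flags [S], seq 0, win 64240, length 0
10:15:01.000456 3c:52:82:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.1 tell 192.168.10.21, length 28
10:15:02.100000 b8:27:eb:44:55:66 > 00:90:7f:cc:dd:02, ethertype IPv4 (0x0800), length 74: 192.168.10.37.40010 > 93.184.216.34.80: Flags [S], seq 0, win 64240, length 0
10:15:02.200000 b8:27:eb:44:55:66 > 00:90:7f:cc:dd:02, ethertype IPv4 (0x0800), length 98: 192.168.10.37 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:15:03.000000 f4:5c:89:77:88:99 > 00:90:7f:cc:dd:02, ethertype IPv4 (0x0800), length 76: 192.168.10.52.53000 > 192.168.10.1.53: 1+ A? example.com. (29)
10:15:03.500000 f4:5c:89:77:88:99 > 00:90:7f:cc:dd:02, ethertype IPv4 (0x0800), length 74: 192.168.10.52.40011 > 1.1.1.1.443: Flags [S], seq 0, win 64240, length 0
"""

# Assumed set of clients the captive portal currently lists as logged in.
AUTHENTICATED = {"192.168.10.21", "192.168.10.52"}


def report(capture=SAMPLE_CAPTURE, authenticated=AUTHENTICATED):
    """Run the bypass check over a capture text and the portal's logged-in list."""
    return find_bypass(capture.splitlines(), authenticated)


if __name__ == "__main__":
    for ip, mac, logged_in in report():
        status = "logged in, but bypassing the portal" if logged_in else "NOT logged in, bypassing the portal"
        print(f"{ip} ({mac}): {status}")
```

Feed it the output of `tcpdump -e -n -i <client-facing interface>` taken on the bridge member that faces the clients or on a mirror port, and the portal's current client list. This is only a detection, not a fix: the captive portal can only stop traffic that is sent to it, so the bypass goes away only when the pfSense box is the one and only path to the Watchguard (for example, with the Watchguard on a separate segment that clients cannot reach at layer 2).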