Netgate Discussion Forum

"Your Service has been Suspended" type of page - restricting access

13 Posts 5 Posters 2.1k Views
NickM, last edited by May 6, 2015, 4:45 PM

    @luckman212:

    We are a small shop using pfSense to provide managed firewall services to a handful of clients.  Some of them have a very hard time making timely payments and we're looking for a simple solution to block internet access for these as a last resort when they have ignored our pleas for payment. Basically some type of captive portal redirect or other method using squidGuard etc to block all HTTP traffic from the LAN and redirect them to a static page saying "Your account has been suspended, please contact blah blah…"

    Has anyone done anything like this before? I would love to hear of a solution or at least a nudge in the right direction. All sites are running either 2.1.5 or 2.2.2 if that makes any difference.

    Are you using captive portal on your pfsense?

luckman212 LAYER 8, last edited by May 6, 2015, 4:50 PM

      Currently we are not using captive portal, no.

NickM, last edited by May 6, 2015, 4:54 PM

        @luckman212:

        Currently we are not using captive portal, no.

        Well, using captive portal and providing your clients with a username and password to gain internet access through pfsense would give you that feature. Once a client doesn't pay or ignores your warnings, you can disable their username and they will not be able to authenticate.

luckman212 LAYER 8, last edited by May 6, 2015, 5:02 PM

          The thing is I don't want them to have to see a portal page during normal use. And I want this to apply to the entire LAN not just specific devices. If I turned on captive portal and made the actual "logon" page just show this suspension notice I suppose that could work. If a user manually set their DNS and navigated to an https page however I assume that could still bypass the portal?

doktornotor Banned, last edited by May 6, 2015, 5:05 PM

            @luckman212:

            If a user manually set their DNS and navigated to an https page however I assume that could still bypass the portal?

            Uhm, no. That's not how it works.

luckman212 LAYER 8, last edited by May 6, 2015, 5:14 PM

              Ok thanks Doktor - I see now.

              So do you agree that enabling CP would be a good way to accomplish this?

doktornotor Banned, last edited by May 6, 2015, 5:23 PM

                Frankly… Setting up a DNS blackhole and blocking external DNS/forcing the pfSense DNS server is something a whole lot easier to work with on a "per-client" basis. The portal is per interface.

luckman212 LAYER 8, last edited by May 6, 2015, 5:45 PM

                  Thanks for the pointers.  I am researching those now.

Derelict LAYER 8 Netgate, last edited by May 6, 2015, 7:13 PM

                    Redirect TCP/UDP DNS to your servers
                    Redirect TCP port 80 to an internal web server saying whatever you want it to say
                    Block everything else.

                    You can probably have these rules in place but disabled and enable them when you need to.  At least once you have to put them in place for someone.

                    This is how I force my problem child to DNS Forwarder (Which is set to use OpenVPN) while everyone else uses the DNS Resolver in normal mode:

                    First, I set the DNS forwarder to listen on 8053 instead of 53

                    DHCP on KIDJAIL sets KIDJAIL address as the DNS server.

                    Then I do a port forward on the interface for the KIDJAIL VLAN (Kid connects to a different SSID):

                    Firewall > NAT, Add a port forward
                    Disabled: unchecked
                    No RDR: unchecked
                    Interface: KIDJAIL
                    Protocol: TCP/UDP
                    Source: leave alone
                    Destination: KIDJAIL address
                    Destination port range: DNS
                    Redirect target IP: 127.0.0.1
                    Redirect target port: (other) 8053

                    I have filter rule association disabled and I placed my own rule.  No particular reason.

                    Then a firewall rule on KIDJAIL:

                    Firewall > Rules, KIDJAIL, Add a rule in the proper place
                    Interface: KIDJAIL
                    TCP/IP Version: IPv4
                    Protocol: TCP/UDP
                    Source: KIDJAIL net
                    Destination: Single host or alias: 127.0.0.1
                    Destination port range: 8053

                    I also have a block rule for TCP/UDP 53 to anything but KIDJAIL address.  Actually, I have specific pass rules on a schedule for certain ports, then pass rules for certain local assets like printers, then the default deny any.

                    This should be easily adaptable for an additional redirection of TCP/80 to an internal web server saying whatever you want.  Just put rewrite rules in the web server so no matter what page they request they get / instead and, therefore, your love letter.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

jimp Rebel Alliance Developer Netgate, last edited by May 8, 2015, 3:18 PM

                      Could be much simpler:

                      1. Setup captive portal
                      2. Setup a blocked MAC redirect page in the CP settings
                      3. Add ALL clients to the MAC list with 'pass' entries
                      4. When someone fails to pay, set their MAC to be blocked rather than passed

                      Might be a maintenance PITA if you have a lot of system churn but it will do exactly what you want.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

luckman212 LAYER 8, last edited by May 27, 2015, 3:52 AM

                        @Derelict:

                        Redirect TCP port 80 to an internal web server saying whatever you want it to say

                        This is a great post - very informative. Question:  for this "internal web server" are you using pfSense somehow or a separate server? Because at these locations all I have to work with is the firewall itself. Not sure if your method would be possible then?

Derelict LAYER 8 Netgate, last edited by May 27, 2015, 4:04 AM

                          I'm sure there are packages available for apache, maybe nginx.  You can probably use the lighttpd that runs the webgui and captive portal interfaces.

                          I've never done it.  I only described how I would do it.

                          I mistakenly implied the server has to be local. It doesn't have to be.  All that has to happen is all port 80 requests get redirected and there's no captive portal or anything blocking their access to the target site.  Maintaining one external web server for all the sites probably makes sense.  My post forwarded to localhost but that's just what I chose as an example.

                          You can NAT the destination address to your deadbeat page (happens on LAN in) then outbound NAT can translate the source address (happens on WAN out).  All you would lose is the ability to see what source address hit your web server but who really cares.  You're just trying to make them call you, pay you, and get you to turn it back on.

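Derelict's two posts above, written out as the pf rule set pfSense builds from those GUI steps (an added example, not Derelict's own configuration): the DNS port forward to the Forwarder on 8053, its pass rule, the TCP/80 redirect to the notice page, and the outbound NAT that lets a remote notice server answer. The interface names, subnet, pfSense address and notice-server address are assumed values.

```pf
# Added example (not from the thread): pf equivalent of the GUI steps for
# one suspended-client interface.  All names and addresses are assumed.
susp_if   = "vlan99"          # interface the suspended client sits on
susp_net  = "10.99.0.0/24"    # its subnet ("KIDJAIL net" in the post)
susp_addr = "10.99.0.1"       # pfSense address on that interface
notice    = "203.0.113.10"    # web server holding the suspension page
wan_if    = "em0"

# --- translation rules: pf applies these before the filter rules ---
# DNS: only queries addressed to pfSense itself reach the DNS Forwarder,
# which has been moved from port 53 to 8053 as in the post.
rdr on $susp_if proto { tcp udp } from $susp_net to $susp_addr port 53 \
    -> 127.0.0.1 port 8053
# HTTP: every port-80 request, whatever its destination, lands on the notice.
rdr on $susp_if proto tcp from $susp_net to any port 80 \
    -> $notice port 80
# Outbound NAT on WAN so an external notice server can reply; the client's
# original source address is lost, which the follow-up post accepts.
nat on $wan_if from $susp_net to $notice -> ($wan_if)

# --- filter rules: pfSense adds "quick", so the first match wins ---
# (pfSense's own auto-generated DHCP pass rules for the interface precede these.)
# The filter sees the translated destination, so this matches the redirected DNS.
pass in quick on $susp_if proto { tcp udp } from $susp_net \
    to 127.0.0.1 port 8053 keep state
# Anything still addressed to port 53 is a hand-set external resolver: drop it.
block in quick on $susp_if proto { tcp udp } from $susp_net to any port 53
# Allow the redirected HTTP to reach the notice server.
pass in quick on $susp_if proto tcp from $susp_net to $notice port 80 \
    keep state
# Default deny.  To lift the suspension, disable the rules above; this one stays.
block in quick on $susp_if all
```

HTTPS is blocked rather than redirected, so a client that types an https:// address gets a connection failure instead of the notice (redirecting 443 would only produce a certificate warning); the notice server itself still needs the catch-all rewrite Derelict describes so that every requested path serves /.
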