Netgate Discussion Forum

    Overkill pfsense build and setup and some tips hotel setup

    Category: Problems Installing or Upgrading pfSense Software
    14 Posts 6 Posters 3.8k Views
    limona21:

      I managed to make a very nice responsive design with a time-lapse video for the background. I compressed the video down to 5 MB, and I see the upload limit is 1 MB. Is there a way I would be able to upload it differently? Maybe through Diagnostics/Command Prompt/Upload? I tried that and it successfully uploaded the video to the tmp directory. So is there a way to move it to the captive portal directory, or should I reference tmp somehow? If so, what is the full path?

      Derelict (Netgate):

        The captive portal upload files are limited to 1MB total because they are all encoded and stored in the config.xml.

        You will want to whitelist another HTTP server and store your heavy files there and refer to the external server in your portal page.

        Note that when you get lots of clients who show up with devices that have not gone through the portal yet still make bunches of connections to port 80 sites - incessantly because they're lame - you can get quite a load on your portal. Lighter is usually better no matter how pretty it looks. You might consider a pretty after-authentication URL instead. Externally-hosted "heavy" files should lighten the load on the portal server. nginx seems to be much better than lighttpd in this regard anyway.

        Note that "external" doesn't have to mean off-site out on the internet. You could have a DMZ-type solution with an nginx/apache server. Another unbound DNS server wouldn't be a bad idea either.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

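The two points Derelict makes above, that portal files live base64-encoded inside config.xml under a 1 MB cap, and that heavy assets belong on a separate HTTP server the portal page refers to, can be checked before you upload anything. The script below is an added example written for this thread; it is not code from pfSense or from any poster. It assumes pfSense stores each portal file as an `<element>` with `<name>`, `<size>` and base64 `<content>` children under `<captiveportal>`, and treats the cap as a total of decoded file sizes; the config.xml fragment, hostnames and file contents are constructed for the example. Every external host the page pulls from has to be on the zone's allowed hostnames/IPs list, otherwise clients that have not authenticated yet cannot fetch it.

```python
"""Audit captive-portal element files stored in a pfSense-style config.xml.

Added example for the forum thread, not pfSense code. Assumed layout:
<captiveportal><zone>...<element><name/><size/><content base64/></element>
The 1 MB cap is modelled as a total of decoded sizes (an assumption).
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIMIT_BYTES = 1 * 1024 * 1024  # the 1 MB total quoted in the thread

# Constructed sample portal page: one asset on the portal itself, two external.
PORTAL_HTML = b"""<html><body>
<video autoplay loop muted src="https://media.example.net/lobby.mp4"></video>
<img src="captiveportal-logo.png">
<link rel="stylesheet" href="//cdn.example.org/portal.css">
<form method="post" action="$PORTAL_ACTION$">...</form>
</body></html>"""

LOGO = b"\x89PNG" + b"\x00" * 2048  # constructed placeholder image bytes


def _element(name, data):
    """Render one <element> the way the assumed config.xml layout stores it."""
    return ("<element><name>%s</name><size>%d</size><content>%s</content></element>"
            % (name, len(data), base64.b64encode(data).decode()))


# Constructed config.xml fragment for a zone called "hotel" (not a real config).
SAMPLE_CONFIG = ("<pfsense><captiveportal><hotel><zone>hotel</zone>"
                 + _element("captiveportal-index.html", PORTAL_HTML)
                 + _element("captiveportal-logo.png", LOGO)
                 + "</hotel></captiveportal></pfsense>")


def portal_files(config_xml):
    """Return {name: decoded bytes} for every captive-portal element."""
    root = ET.fromstring(config_xml)
    files = {}
    for el in root.iter("element"):
        name = el.findtext("name")
        content = el.findtext("content") or ""
        files[name] = base64.b64decode(content)
    return files


def size_report(config_xml):
    """Decoded and base64-encoded totals, plus whether the decoded total exceeds the cap."""
    files = portal_files(config_xml)
    decoded = sum(len(b) for b in files.values())
    encoded = sum(len(base64.b64encode(b)) for b in files.values())  # ~4/3 of decoded
    return {"decoded_bytes": decoded, "encoded_bytes": encoded,
            "over_limit": decoded > LIMIT_BYTES}


def would_fit(config_xml, extra_bytes, limit=LIMIT_BYTES):
    """Would adding one more file of extra_bytes keep the zone within the cap?"""
    return size_report(config_xml)["decoded_bytes"] + extra_bytes <= limit


# src= / href= attribute values; relative references have no hostname and are skipped.
URL_RE = re.compile(rb"(?:src|href)\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_hosts(html_bytes):
    """Hostnames the page references that are not served by the portal itself.

    Each of these must be added to the zone's allowed hostnames/IPs, or the
    browser of an unauthenticated guest cannot load the asset.
    """
    hosts = set()
    for url in URL_RE.findall(html_bytes):
        u = url.decode("utf-8", "replace")
        if u.startswith("//"):          # protocol-relative reference
            u = "https:" + u
        host = urlparse(u).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print(size_report(SAMPLE_CONFIG))
    print("5 MB video would fit:", would_fit(SAMPLE_CONFIG, 5 * 1024 * 1024))
    page = portal_files(SAMPLE_CONFIG)["captiveportal-index.html"]
    print("hosts to allow:", external_hosts(page))
```

Run it against a real backup (`portal_files(open("config.xml").read())`) only after confirming the element layout matches; if pfSense's cap is applied to the encoded size rather than the decoded total, the margin is about a quarter smaller than `size_report` shows.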
        Gertjan:

          I've got pretty much the same setup - hotel and everything.

          Not using vouchers - but room + password login (using the local pfSense user manager; we are not selling Internet access, so I can apply the rule: keep it simple).

          One important thing was missing in your write-up: the firewall rules for the OPT1 (Captive portal) interface !!!
          See the image below for a simple setup.
          I'll explain the rules:

          1. I block all SMTP (port 25) outgoing traffic. If needed, I can explain why. Just do it and you won't regret it.
          2. The alias "Poweredge" contains the IP of a syslog server in my LAN. This rule allows UDP traffic only (== syslog) from my APs in the portal network to this server. APx is an alias for the 5 IPs used by my APs present in the Captive Portal's network.
          3. The APs CAN communicate with the Internet, for their time, updates, whatever they want to do.
          4. The pfSense portal interface is pingable.
          5. I have two "AirPrint" printers, so portal visitors that can 'find' these printers (alias 'Printers' contains the IPs of those two printers) can use these printers to … print (you'll be needing the package Avahi !!) - this rule is experimental ...
          6. "ThisFirewallPorts" (alias for 21,22,23,80,443) blocks all direct access to these ports on the pfSense Captive Portal's interface.
          7. "NetBIOSPorts" (alias for 135,137,139,445) are not going anywhere ..... (the traffic isn't routable anyway).
          8. Visitors can't connect to the WAN address of pfSense.
          9. Still there? Then the visitor may pass to the net ONLY (but not my LAN !).
          10. Safety rule: block the rest.

          Btw: the issue: devices capitalize the first letter of a voucher or login name.
          For years, I patched the pfSense portal code so the first letter was first converted to lowercase ...
          Today, my login "user" is the room number, like "205", so this issue doesn't bug me (the client, actually) anymore.
          But: I regret the issue. People came down to the reception telling me: "I can't log in, the password (all the same for ALL rooms) isn't good."
          Right.
          So I negotiated a deal:

          • If I can make it work, you pay me a beer.
          • If there is a problem with the network, you'll have to wait a little bit, I'll make it work, and I pay you a beer.
            The client always accepted, and I always left my work drunk - I never paid a beer in my life for a client :)

          (Some clients understood the issue, so I advised them to sue Apple ... or Samsung, because it was the browser in their BYOD device that forces the upper-case character - it's NOT a pfSense issue.)

          [image: opt1-cp-rules.PNG]

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          Derelict (Netgate):

            Hey, Gertjan, it looks to me like you can replace this rule:

            Block TCP source PORTAL net dest PORTAL address ports ThisFirewallPorts

            With:

            Block IPv4 any source PORTAL net dest This Firewall (self)

            Without impacting users at all and reducing the possibility something leaks.

            I don't see any DNS rules. If that service is local it would have to be passed higher in the rule set like with ping.

            And with the above the WAN address block could be deleted.

            n3by:

              Are you sure that rule 9 will restrict traffic to the LAN? In the pic it's missing destination !LAN net.

              Gertjan:

                @Derelict:

                Hey, Gertjan, it looks to me like you can replace this rule:
                Block TCP source PORTAL net dest PORTAL address ports ThisFirewallPorts
                With:
                Block IPv4 any source PORTAL net dest This Firewall (self)
                Without impacting users at all and reducing the possibility something leaks.

                Are you sure ?
                Because, as you said :
                @Derelict:

                I don't see any DNS rules. If that service is local it would have to be passed higher in the rule set like with ping.

                If I add ports "53" or even "This Firewall (self)" then I have to make an explicit pass rule for TCP/UDP traffic to the DNS server (pfSense) - as for ping - as you said.

                Readability would be better, I guess.

                @Derelict:

                And with the above the WAN address block could be deleted.

                It's more a "full stop" line, useless, I know, because the final hidden rule will do the same.

                Thanks for the suggestions.

                PS: I changed rule 7 to block "This firewall" - any ports (and activated logging for this rule).
                I did NOT add any DNS pass rule.
                Captive portal still works …... no firewall rule logs were syslogged.
                DNS cache in my iPhone?

                Derelict (Netgate):

                  That is the pass to the internet rule. It shouldn't restrict anything. That's why I don't use !LAN net rules (except where it makes perfect sense). Makes the rule set too unclear.

                  Gertjan:

                    @n3by:

                    Are you sure that rule 9 will restrict traffic to the LAN? In the pic it's missing destination !LAN net.

                    You were right, uploaded the wrong image - thanks making that clear.

                    Derelict (Netgate):

                      You only need the DNS pass rules if the clients are configured to use something on the firewall for DNS. If they're set to use, for example, google they'll be passed by the pass any any internet rule.

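The rule set this thread converges on, Gertjan's ten OPT1 rules with Derelict's replacement of the ThisFirewallPorts rule by a block to "This Firewall (self)", the "! LAN net" destination n3by noticed was missing from the first screenshot, and the DNS pass rule that is only needed when guests resolve through the firewall, written out in pf(4) syntax as an added illustration. This is not pfSense's generated ruleset and not something to load on pfSense, which renders the GUI rules into pf itself and handles the portal's own redirection of unauthenticated clients separately; interface names, addresses, the AP and printer IPs and the syslog port 514 are assumptions made for the example.

```pf
# Added illustration in pf(4) syntax of the OPT1 (captive portal) rule set
# discussed in the thread. Not pfSense's generated rules; names, addresses
# and the syslog port are assumptions for the example.
cp_if     = "igb2"              # OPT1, the captive portal interface
wan_if    = "igb0"
cp_net    = "10.10.0.0/24"      # "PORTAL net"
lan_net   = "192.168.1.0/24"    # "LAN net"
poweredge = "192.168.1.10"      # alias Poweredge: syslog server on the LAN
table <APx> const { 10.10.0.2, 10.10.0.3, 10.10.0.4, 10.10.0.5, 10.10.0.6 }
table <Printers> const { 10.10.0.20, 10.10.0.21 }
this_fw_ports = "{ 21 22 23 80 443 }"   # alias ThisFirewallPorts
netbios_ports = "{ 135 137 139 445 }"   # alias NetBIOSPorts

# pfSense evaluates interface rules first-match, hence "quick" on every rule.

# 1. no outbound SMTP from guests
block quick on $cp_if proto tcp from $cp_net to any port 25
# 2. APs may send syslog (UDP only; port 514 assumed) to the LAN syslog server
pass quick on $cp_if proto udp from <APx> to $poweredge port 514
# 3. APs may reach the Internet for time, updates, etc.
pass quick on $cp_if from <APx> to any
# 4. the portal interface answers ping
pass quick on $cp_if inet proto icmp from $cp_net to ($cp_if) icmp-type echoreq
# 5. guests may reach the AirPrint printers (discovery needs the Avahi package;
#    mDNS itself is link-local and is not routed by these rules)
pass quick on $cp_if from $cp_net to <Printers>

# DNS: only needed when the guests' resolver is the firewall itself; like the
# ping rule it must sit above the block-to-self rule or it never matches.
pass quick on $cp_if proto { tcp udp } from $cp_net to ($cp_if) port 53

# 6. as posted: TCP to the listed service ports on the portal address only
#block quick on $cp_if proto tcp from $cp_net to ($cp_if) port $this_fw_ports
# 6. as suggested by Derelict: every protocol to every address the firewall
#    holds, logged, which also covers UDP services and other interfaces
block log quick on $cp_if from $cp_net to (self)
# 7. NetBIOS/SMB ports go nowhere
block quick on $cp_if proto { tcp udp } from $cp_net to any port $netbios_ports
# 8. WAN address: redundant once rule 6 blocks (self); Gertjan keeps it as a
#    "full stop" line
block quick on $cp_if from $cp_net to ($wan_if)
# 9. guests may go anywhere except the LAN
pass quick on $cp_if from $cp_net to ! $lan_net
# 10. everything else is dropped and logged
block log quick on $cp_if from $cp_net to any
```

Reading it top to bottom makes the ordering constraint visible: anything the firewall itself must serve to guests (ping, DNS if local) has to be passed before the block to (self), and anything that reaches rule 9 is already known not to be aimed at the firewall or the LAN, which is why the explicit WAN-address block adds nothing beyond readability.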
                        Gertjan:

                        Ok, got it.
                        @Derelict : I saw that you can move, and thus separate posts, is it possible that you separate my post (edit : and move it to the Captive portal forum), and all the replies ?

                        Right now, I have the impression I polluted the initial post of itson - things went off topic ….

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.