Netgate Discussion Forum

Firewall rule for captive portal authenticated users

Captive Portal
  • P
    pox
    last edited by Jul 7, 2017, 11:50 AM Jul 7, 2017, 11:39 AM

    hello all,

    i set up the captive portal and everything is working wonderfully and nicely.
    now i'd like to create a firewall rule only for users that are authenticated with the portal.
    is this somehow possible? i saw that another user wanted to do a similar thing¹, but i can't grasp the way to do it.
    reading this² it says that authenticated users are added to table 1, can i use this information to create another rule that applies only to those users?

    thanks!

    ¹https://forum.pfsense.org/index.php?topic=132951.0
    ²https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    • N
      NogBadTheBad
      last edited by Jul 7, 2017, 12:02 PM

      Put your captive portal users on their own subnet, then use that subnet in your firewall rules

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • P
        pox
        last edited by Jul 7, 2017, 12:13 PM

        How can I do that? I can put all WiFi users on a dedicated subnet (I actually already did that), but how can I put ONLY authenticated captive portal users on a different subnet?

        • N
          NogBadTheBad
          last edited by Jul 7, 2017, 12:19 PM

          Do you have a spare LAN port on your pfSense box or a switch that supports VLANs?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • P
            pox
            last edited by Jul 7, 2017, 12:27 PM

            yes I do

            • N
              NogBadTheBad
              last edited by Jul 7, 2017, 12:30 PM

              @pox:

              yes I do

              Spare LAN port, a switch that supports VLANs, or both?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • P
                pox
                last edited by Jul 7, 2017, 12:39 PM

                I have an AP that supports VLAN tags on the SSID, two spare ports on the pfSense router that support VLANs, and a managed switch that supports VLAN tagging.
                What do you have in mind?

                ps. in the meantime I saw that the portal uses ipfw to create the firewall rules: it would be easy to create custom rules for authenticated users if those rules could add a tag to the packets.

                • N
                  NogBadTheBad
                  last edited by Jul 7, 2017, 1:11 PM Jul 7, 2017, 12:55 PM

                  If it was me I'd create NON CP and CP vlans on your LAN interface.

                  Pass those vlans to the switch and pop the edge ports into NON CP and CP vlans as required.

                  Set up a NON CP and a CP SSID.

                  You can then add firewall rules based on source address.

                  I don't think you can modify the ipfw rules via the GUI.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • P
                    pox
                    last edited by Jul 7, 2017, 1:21 PM

                    thanks for the idea, BUT how do you do that? How do you put the captive portal on a subnet, and AUTHENTICATED users on a different subnet?

                    • P
                      pox
                      last edited by Jul 7, 2017, 1:29 PM

                      oh now i think i understand what you mean. but what i want to do is give users wifi access, but put them on a different wan gw.
                      if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
                      to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.

                      • N
                        NogBadTheBad
                        last edited by Jul 7, 2017, 1:32 PM

                        1. Interfaces -> VLANs

                        2. Create a new VLAN, assign the parent interface and assign it a number and name.

                        3. Interfaces -> Interface Assignments and add the VLAN to the interfaces.

                        4. Configure the IP info for the new interface.

                        5. Create a new CP zone and assign it to the new interface.

                        6. Create your firewall rules for that interface.

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        • N
                          NogBadTheBad
                          last edited by Jul 7, 2017, 1:36 PM

                          @pox:

                          oh now i think i understand what you mean. but what i want to do is give users wifi access, but put them on a different wan gw.
                          if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
                          to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.

                          Do what I mentioned and use source based policy routing.

                          If your AP / APs support multiple SSIDs and you have switches that support VLANs, it's better doing it this way in the long run.

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

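                          What the steps above plus "source based policy routing" amount to, written as the underlying pf rules rather than GUI clicks (an added illustration, not from this thread or from pfSense itself; interface names, VLAN ids and addresses are assumed). The pfSense GUI generates rules of this shape when you set a Gateway on a firewall rule for the CP interface:

```pf
# Added example, not from the thread. Assumed names: vlan20 is the CP VLAN,
# vlan10 the ordinary LAN VLAN, igb2 the second WAN with next hop 203.0.113.1.
cp_if    = "vlan20"           # VLAN interface that the CP zone is bound to
cp_net   = "192.168.20.0/24"  # subnet configured on that interface
noncp_if = "vlan10"           # non-CP VLAN, keeps the default route (WAN1)
wan2_if  = "igb2"
wan2_gw  = "203.0.113.1"

# The portal's ipfw layer sits in front of pf on the CP interface: clients that
# have not logged in only get as far as the portal page / DNS on the firewall
# itself, while authenticated clients (IP+MAC in the ipfw tables) pass through.
# So allow traffic to the firewall's own addresses first, WITHOUT a gateway,
# otherwise route-to would push portal-login traffic out of WAN2 as well.
pass in quick on $cp_if inet from $cp_net to ($cp_if) keep state

# Source-based policy routing: everything else from the CP subnet leaves via
# WAN2 instead of the default route. Only authenticated users reach this rule.
pass in quick on $cp_if inet from $cp_net to any \
    route-to ($wan2_if $wan2_gw) keep state

# The non-CP VLAN uses the normal routing table (WAN1).
pass in quick on $noncp_if inet from $noncp_if:network to any keep state
```

                          The rule order matters: the local-destination pass rule must precede the policy-routed one, which is the same advice the pfSense GUI gives when a gateway is set on a rule.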
                          • G
                            Gertjan
                            last edited by Jul 7, 2017, 2:11 PM

                            @pox:

                            ….
                            if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
                            to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.

                            A "user" connects to a wifi (radio) network with SSID "X".
                            This SSID is linked to a unique interface on which a captive portal instance runs (pfSense).
                            The user is thrown to the 'login page'.
                            The user logs in.
                            => Inspect ipfw now and see for yourself that the user's IP and MAC are added to tables 1 and 2: the user passes through "ipfw" now, and the GUI firewall rules for your captive portal will determine what happens next. This is all the magic - there is nothing more, nothing less.

                            There are no options that switch users, once authenticated, from one captive portal (instance) to another captive portal instance: different ipfw rule sets are used and different interfaces, thus different GUI firewall rules are used. Captive portal instances do not communicate (their settings) with each other.

                            Of course, you can use one AP with multiple SSIDs, all attached to their own VLANs, which means as many captive portal instances. But once logged in to one instance (using an SSID), you can't switch to another one. There is no 'logic' to do so.

                            I guess it's possible to set up one captive portal instance which uses interface WAN1 and another instance which uses WAN2. But then you will be making the choice: connecting to SSID "1", using WAN1, or SSID "2", using WAN2.

                            Btw: also possible: I didn't understand the question (yet) …..

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit: and where are the logs??

                            • P
                              pox
                              last edited by Jul 8, 2017, 7:45 AM

                              ok it works now, thank you NogBadTheBad!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.