Hotel internet access with EULA agreement



  • OK, so I have a hotel that I'd like to implement pfSense at and would like to achieve the following:

    RADIUS server with a token that allows the customer to access the internet for a given amount of time
    An EULA agreement that comes up at first connection that they have to agree to in order to connect to the internet
    Traffic management that keeps people from hogging available bandwidth. HTTP and HTTPS need to take priority
    Filtering of porn and other inappropriate websites
    Filtering of torrenting.

    I know how to set up the traffic management and there are lots of articles on it. My struggle is how to stop inappropriate websites without actually using a proxy, without caching data, how to filter torrenting, how to set up a RADIUS token server and how to set up the EULA.

    So yea, most of it, lol.

    Anyone have any suggestions or should I be looking at another product?



  • I see that for the EULA agreement I'll need to set up a captive portal that is bound to the guest interface.
    Found that here…
    https://forum.pfsense.org/index.php?topic=50020.0
    I will read up further on that



  • @Visseroth:

    Filtering of porn and other inappropriate websites

    I'd think really hard about what you intend to filter.  As a business serving the "public" you can get into some real headaches with what you deem inappropriate vs. what your guests do.  It may be a lot of work with even more headaches…  and if your guests are using a VPN (as many security minded travelers do) they will be bypassing your filtering anyway.

    Not questioning your intent.  But it may be something best not ventured into without long talks with the legal folks.


  • LAYER 8 Global Moderator

    ^ completely agree.. If you want to filter known malware sites as a service, sure, OK.  But what you might filter or consider porn or inappropriate is not what a guest might consider the same.

    Limiting bandwidth or fairly sharing it so that one guest doesn't ruin the service for other guests, fine.  But I would think long and hard on filtering traffic, especially HTTPS, and doing any sort of MITM would be way out of line for any sort of hotspot or free/hotel type wifi..

    If you want to block certain types of service on your free or complimentary service, ok.  Do you offer a premium connection like many hotels do where there is no nat and nothing blocked?



  • The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.



  • We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mails anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.


  • LAYER 8 Netgate

    @jahonix:

    We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mails anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.

    Hmm. Just get a /29 and use Outbound NAT. Probably easier to solve that way than to deal with breaking everyone's email.



  • It was just a mention from me. I wouldn't implement it that way.
    After much discussions with them they told me that "most personal e-Mail is web-based anyways and corporate traffic is done through VPNs". FWIW



  • @Ramosel:

    @Visseroth:

    Filtering of porn and other inappropriate websites

    I'd think really hard about what you intend to filter.  As a business serving the "public" you can get into some real headaches with what you deem inappropriate vs. what your guests do.  It may be a lot of work with even more headaches…  and if your guests are using a VPN (as many security minded travelers do) they will be bypassing your filtering anyway.

    Not questioning your intent.  But it may be something best not ventured into without long talks with the legal folks.

    Very true. It may be best to just simply put a traffic shaper on the network, thereby limiting the amount of traffic they can pull so that others can still surf the web.

    What are your thoughts on using snort on a public internet connection to still protect the network?



  • @johnpoz:

    ^ completely agree.. If you want to filter known malware sites as a service, sure, OK.  But what you might filter or consider porn or inappropriate is not what a guest might consider the same.

    Limiting bandwidth or fairly sharing it so that one guest doesn't ruin the service for other guests, fine.  But I would think long and hard on filtering traffic, especially HTTPS, and doing any sort of MITM would be way out of line for any sort of hotspot or free/hotel type wifi..

    If you want to block certain types of service on your free or complimentary service, ok.  Do you offer a premium connection like many hotels do where there is no nat and nothing blocked?

    No, it is offered as a free service to guests.



  • @Harvy66:

    The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.

    Oh, no I wasn't planning on filtering out HTTPS, that would keep guests from checking their bank stuff and lots of other stuff. My thought was to just limit bandwidth of all traffic including HTTPS



  • I had not planned on filtering out VPN. If someone wants to VPN that's a private tunnel and they should be allowed to VPN as such so as to keep their connections private.

    @jahonix:

    We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mails anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.

    That is interesting, though I believe it would cause problems with ordinary users that just want to check their Yahoo, Gmail, etc.

    @Harvy66:

    The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.

    I could use PfBlocker to block potentially known malicious sites via DNS. I think it would be a good idea to skip using a proxy as it will only further complicate things and make it more difficult for the end users to get online.

    The only way I can see around that is if a user used their own DNS server or a external DNS server. I've tried redirecting DNS to the firewall but the browser typically throws a fit because the DNS server doesn't have a valid certificate

    But still, how would one go about setting up tokens for the RADIUS server so that the front desk can give someone a key that expires when it is time for them to check out?

    EULA agreement is solved by implementing a captive portal
    Traffic management is solved by the traffic shaper and setting traffic limiting rules
    Filtering is changed to the filtering of known malicious sites via pfBlocker using DNS
    And torrent filtering is still a must. How to filter torrenting?
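The "key that expires at checkout" question above reduces to a token whose expiry the gateway can verify without a database lookup. The following is an added illustration, not pfSense's captive-portal voucher or RADIUS code: the front desk issues a short printable code that embeds the checkout time and an HMAC over it under a secret shared with the gateway, and the gateway rejects codes that are forged, malformed or past checkout. The secret, the code layout (4-byte expiry plus a 6-byte truncated tag, Base32-encoded) and the sample times are assumptions.

```python
"""Time-limited guest vouchers (added example; not pfSense's voucher/RADIUS code).

The front desk issues a code valid until the guest's checkout time; the gateway
verifies it with a shared secret and refuses it once checkout has passed.
Secret, code format and sample times are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

TAG_LEN = 6  # bytes of HMAC kept in the code: 48 bits defeats guessing at hotel scale


def issue_voucher(secret: bytes, checkout: datetime) -> str:
    """Return a 16-character printable code valid until `checkout` (timezone-aware)."""
    expiry = struct.pack(">I", int(checkout.timestamp()))
    tag = hmac.new(secret, expiry, hashlib.sha256).digest()[:TAG_LEN]
    # Base32 keeps the code typable from a printed card; 10 bytes encode without padding
    return base64.b32encode(expiry + tag).decode().rstrip("=")


def validate_voucher(secret: bytes, code: str, now: datetime):
    """Return (accepted, reason). Rejects forged, malformed and expired codes."""
    try:
        padded = code.strip().upper() + "=" * (-len(code.strip()) % 8)
        raw = base64.b32decode(padded)
    except Exception:
        return False, "malformed"
    if len(raw) != 4 + TAG_LEN:
        return False, "malformed"
    expiry, tag = raw[:4], raw[4:]
    expected = hmac.new(secret, expiry, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time compare so a guest cannot probe the tag byte by byte
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if now.timestamp() >= struct.unpack(">I", expiry)[0]:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: secret shared between front desk and gateway, checkout at 11:00 UTC
    secret = b"front-desk-shared-secret"  # assumption; use a real random secret in practice
    checkout = datetime(2030, 1, 3, 11, 0, tzinfo=timezone.utc)
    code = issue_voucher(secret, checkout)
    print("voucher:", code)
    print("day before checkout:", validate_voucher(secret, code, checkout - timedelta(days=1)))
    print("after checkout:     ", validate_voucher(secret, code, checkout + timedelta(minutes=1)))
```

Because the expiry is inside the signed code, the gateway needs no per-guest record to enforce checkout; a rotated secret invalidates every outstanding code at once, which is also the way to revoke abused vouchers in bulk.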



  • Just use pfSense as the DHCP server with OpenDNS for the guest network. If you're paranoid, also block TCP/UDP port 53 so that they're forced to use OpenDNS. Problem solved. OpenDNS has a "family filter" option.

    You can include that in your EULA, saying that users shall not circumvent the filtering protection currently offered from OpenDNS. If they don't agree to those terms, user is free to use their own data plan for internet access.

    Also if paranoid, use a /29 and push the guest network out using a different WAN IP. Or, supply a guest network on its own signal and router.

    Or, supply a box of homing pigeons and offer IP-over-carrier-pigeon  ::)



    Ha, LOL! IP pigeons!  ;D

    Any ideas on Torrenting?

    The OpenDNS idea is a good idea. Having the DNS addresses pushed to the network so all DNS is resolved externally also keeps other machines from seeing each other via DNS, though not completely, assuming client separation on the AP isn't working.



  • For torrenting, since they'll use any and every port available, I'd specify the HTTP/HTTPS ports in the floating firewall rules, and then traffic-shape the hell out of the subsequent catch-all.
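The two suggestions above, forcing guests onto OpenDNS by blocking other port-53 traffic and prioritising HTTP/HTTPS while shaping the catch-all, are simple enough to express as one classifier. The block below is an added illustration in Python, not pfSense rule syntax and not anything from the thread's participants; it decides an action per guest flow and additionally flags the plaintext BitTorrent peer-wire handshake (the byte 0x13 followed by "BitTorrent protocol"), which is what makes port-based rules insufficient on their own since that handshake can appear on port 80 as easily as on 6881. VPN and mail flows are left in the bulk queue rather than blocked, matching the thread's position. Queue names, the sample flows and the resolver choice are assumptions.

```python
"""Guest-network flow policy as a small classifier (added example; not pfSense syntax).

Encodes three ideas from the thread: only the approved resolvers may be reached on
port 53, HTTP/HTTPS go to a priority queue, and everything else lands in a
rate-limited catch-all. The unencrypted BitTorrent handshake is flagged on any
port. Queue names, sample flows and the resolver choice are assumptions.
"""
from dataclasses import dataclass, field

# OpenDNS resolvers, as suggested in the thread; any other destination on 53 is dropped
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Plaintext BitTorrent peer-wire handshake: length byte 19 + protocol string
BT_HANDSHAKE = b"\x13BitTorrent protocol"
WEB_PORTS = {80, 443}


@dataclass
class Flow:
    proto: str                 # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""       # first bytes the client sent, if already seen
    note: str = field(default="", repr=False)  # label for the constructed samples


def classify(flow: Flow) -> str:
    """Return 'block', 'queue_priority' or 'queue_bulk' for one guest flow."""
    # 1. DNS: only the approved resolvers, so the DHCP-pushed filter cannot be bypassed
    if flow.dst_port == 53:
        return "queue_priority" if flow.dst_ip in APPROVED_RESOLVERS else "block"
    # 2. Unencrypted BitTorrent handshake, checked before the port rules because
    #    a peer on port 80 or 443 would otherwise be treated as web traffic
    if flow.proto == "tcp" and flow.payload.startswith(BT_HANDSHAKE):
        return "block"
    # 3. Web traffic gets the priority queue
    if flow.proto == "tcp" and flow.dst_port in WEB_PORTS:
        return "queue_priority"
    # 4. Everything else (VPN, mail, encrypted peers, uTP) shares the shaped catch-all
    return "queue_bulk"


def summarize(flows):
    """Count decisions so the shaper operator can see where guest traffic lands."""
    counts = {"block": 0, "queue_priority": 0, "queue_bulk": 0}
    for f in flows:
        counts[classify(f)] += 1
    return counts


# Constructed sample flows for illustration (not captured traffic)
SAMPLE_FLOWS = [
    Flow("udp", "208.67.222.222", 53, note="DNS to OpenDNS"),
    Flow("udp", "8.8.8.8", 53, note="DNS to another resolver"),
    Flow("tcp", "203.0.113.5", 443, b"\x16\x03\x01", note="TLS to a web site"),
    Flow("tcp", "203.0.113.7", 80, BT_HANDSHAKE + b"\x00" * 8, note="torrent peer on port 80"),
    Flow("tcp", "203.0.113.9", 6881, BT_HANDSHAKE + b"\x00" * 8, note="torrent peer on 6881"),
    Flow("udp", "198.51.100.4", 1194, note="OpenVPN"),
    Flow("tcp", "198.51.100.8", 587, note="mail submission"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.note:28} -> {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
```

Rule 2 only catches peers that have not enabled protocol encryption; encrypted peer connections and uTP over UDP show nothing the signature can match, so in practice they end up in the bulk queue, which is exactly why the post above falls back on shaping the catch-all rather than trying to identify every torrent flow.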

