Netgate Discussion Forum

    Hotel internet access with eula agreement

General pfSense Questions
15 Posts, 8 Posters, 3.0k Views
Visseroth

OK, so I have a hotel that I'd like to implement pfSense at and would like to achieve the following:

RADIUS server with a token that allows the customer to access the internet for a given amount of time
An EULA agreement that comes up at first connection that they have to agree to in order to connect to the internet
Traffic management that keeps people from hogging available bandwidth. HTTP and HTTPS need to take priority
Filtering of porn and other inappropriate websites
Filtering of torrenting.

I know how to set up the traffic management and there are lots of articles on it. My struggle is how to stop inappropriate websites without actually using a proxy, without caching data, how to filter torrenting, how to set up a RADIUS token server and how to set up the EULA.

      So yea, most of it, lol.

      Anyone have any suggestions or should I be looking at another product?

Visseroth

I see that for the EULA agreement I'll need to set up a captive portal that is bound to the guest interface.
        Found that here…
        https://forum.pfsense.org/index.php?topic=50020.0
        I will read up further on that

Ramosel

          @Visseroth:

          Filtering of porn and other inappropriate websites

          I'd think really hard about what you intend to filter.  As a business serving the "public" you can get into some real headaches with what you deem inappropriate vs. what your guests do.  It may be a lot of work with even more headaches…  and if your guests are using a VPN (as many security minded travelers do) they will be bypassing your filtering anyway.

          Not questioning your intent.  But it may be something best not ventured into without long talks with the legal folks.

johnpoz LAYER 8 Global Moderator

            ^ completely agree.. If you want to filter known malware sites as service sure ok.  But what you might or filter might consider porn or inappropriate, is not what a guest might consider the same.

            Limiting bandwidth or fairly sharing it so that 1 guest doesn't ruin the service for other guests..  But I would think long and hard on filtering traffic, especially https and doing any sort of the mitm would be way out of line for any sort of hotspot or free/hotel type wifi..

            If you want to block certain types of service on your free or complimentary service, ok.  Do you offer a premium connection like many hotels do where there is no nat and nothing blocked?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

Harvy66

              The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.

jahonix

We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mail anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.

Derelict LAYER 8 Netgate

                  @jahonix:

We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mail anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.

                  Hmm. Just get a /29 and use Outbound NAT. Probably easier to solve that way than to deal with breaking everyone's email.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

jahonix

                    It was just a mention from me. I wouldn't implement it that way.
After much discussion with them they told me that "most personal e-mail is web-based anyways and corporate traffic is done through VPNs". FWIW

Visseroth

                      @Ramosel:

                      @Visseroth:

                      Filtering of porn and other inappropriate websites

                      I'd think really hard about what you intend to filter.  As a business serving the "public" you can get into some real headaches with what you deem inappropriate vs. what your guests do.  It may be a lot of work with even more headaches…  and if your guests are using a VPN (as many security minded travelers do) they will be bypassing your filtering anyway.

                      Not questioning your intent.  But it may be something best not ventured into without long talks with the legal folks.

Very true. It may be best to just simply put a traffic shaper on the network, thereby limiting the amount of traffic they can pull so that others can still surf the web.

                      What are your thoughts on using snort on a public internet connection to still protect the network?

Visseroth

                        @johnpoz:

                        ^ completely agree.. If you want to filter known malware sites as service sure ok.  But what you might or filter might consider porn or inappropriate, is not what a guest might consider the same.

                        Limiting bandwidth or fairly sharing it so that 1 guest doesn't ruin the service for other guests..  But I would think long and hard on filtering traffic, especially https and doing any sort of the mitm would be way out of line for any sort of hotspot or free/hotel type wifi..

                        If you want to block certain types of service on your free or complimentary service, ok.  Do you offer a premium connection like many hotels do where there is no nat and nothing blocked?

                        No, it is offered as a free service to guests.

Visseroth

                          @Harvy66:

                          The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.

Oh, no, I wasn't planning on filtering out HTTPS; that would keep guests from checking their bank stuff and lots of other stuff. My thought was to just limit bandwidth of all traffic including HTTPS.

Visseroth

                            I had not planned on filtering out VPN. If someone wants to VPN that's a private tunnel and they should be allowed to VPN as such so as to keep their connections private.

                            @jahonix:

We have an IT company in my town that prevents venue WiFi users from sending e-mail through their systems/public IPs. They fear that venue staff cannot send mail anymore if the IP gets on the spam blacklists after abuse by a guest. In fact, they only allow HTTP and HTTPS traffic, nothing else.

That is interesting, though I believe it would cause problems with ordinary users that just want to check their Yahoo, Gmail, etc.

                            @Harvy66:

                            The whole point of HTTPS is that no one can see what you're doing. In theory, what you're requesting is logically impossible. The only way around it is filtering at IP/DNS level.

I could use pfBlocker to block potentially known malicious sites via DNS. I think it would be a good idea to skip using a proxy as it will only further complicate things and make it more difficult for the end users to get online.

The only way I can see around that is if a user used their own DNS server or an external DNS server. I've tried redirecting DNS to the firewall but the browser typically throws a fit because the DNS server doesn't have a valid certificate.

But still, how would one go about setting up tokens for the RADIUS server so that the front desk can give someone a key that expires when it is time for them to check out?

EULA agreement is solved by implementing a captive portal
Traffic management is solved by the traffic shaper and setting traffic limiting rules
Filtering is changed to the filtering of known malicious sites via pfBlocker using DNS
And torrent filtering is still a must. How to filter torrenting?

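The check-out-bound token question above has a simple server-side shape: the credential the front desk hands out carries an expiry equal to the guest's check-out time, and the RADIUS server both refuses new logins after that moment and tells the captive portal how long a live session may last. The following is an added example, not code from this thread or from pfSense; it assumes a FreeRADIUS `users` file, the `rlm_expiration` check attribute `Expiration` (date written as "DD Mon YYYY HH:MM") and the `Session-Timeout` reply attribute in seconds. Room numbers, times and the 11:00 check-out hour are constructed.

```python
import secrets
from datetime import date, datetime

# Added example: time-limited guest credentials for a RADIUS server that backs
# a pfSense captive portal. Assumes FreeRADIUS "users" file syntax with the
# rlm_expiration check attribute Expiration ("DD Mon YYYY HH:MM") and a
# Session-Timeout reply attribute in seconds. All values below are constructed.

CHECKOUT_HOUR = 11  # assumed hotel check-out time, 11:00 local
# No 0/O/1/I so the token can be read off a printed card without confusion.
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def checkout_deadline(checkout_day: date, hour: int = CHECKOUT_HOUR) -> datetime:
    """The moment the guest's access must end: check-out day at hour:00."""
    return datetime(checkout_day.year, checkout_day.month, checkout_day.day, hour)


def generate_token(length: int = 8) -> str:
    """Random password the front desk hands over; secrets (not random) so it is unguessable."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def session_timeout_seconds(now: datetime, deadline: datetime) -> int:
    """Seconds of access left; refuse to issue a credential that is already expired."""
    remaining = int((deadline - now).total_seconds())
    if remaining <= 0:
        raise ValueError("check-out time has already passed")
    return remaining


def radius_users_entry(room: str, deadline: datetime, now: datetime, password: str = "") -> tuple:
    """Return (username, password, users-file entry) for one stay.

    Expiration makes RADIUS reject logins after check-out; Session-Timeout makes
    the captive portal drop a session that is still up at that moment.
    """
    username = f"room{room}"
    password = password or generate_token()
    timeout = session_timeout_seconds(now, deadline)
    entry = (
        f'{username}\tCleartext-Password := "{password}", '
        f'Expiration := "{deadline.strftime("%d %b %Y %H:%M")}"\n'
        f"\tSession-Timeout := {timeout}"
    )
    return username, password, entry


def is_token_valid(now: datetime, deadline: datetime) -> bool:
    """What the server decides at authentication time: valid strictly before the deadline."""
    return now < deadline


if __name__ == "__main__":
    now = datetime(2025, 3, 10, 14, 0)               # constructed "current time"
    deadline = checkout_deadline(date(2025, 3, 12))  # guest leaves on the 12th
    user, pw, entry = radius_users_entry("101", deadline, now)
    print(entry)
    print("valid at check-in:", is_token_valid(now, deadline))
    print("valid after check-out:", is_token_valid(datetime(2025, 3, 12, 11, 5), deadline))
```

The entry is written once per stay and removed at check-out; because the expiry is enforced by the server rather than printed on the card, a guest who keeps the card cannot extend their own access, and a session that straddles the deadline is cut by the timeout rather than lingering until the next re-authentication.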
moikerz

                              Just use pfSense as the DHCP server with OpenDNS for the guest network. If you're paranoid, also block TCP/UDP port 53 so that they're forced to use OpenDNS. Problem solved. OpenDNS has a "family filter" option.

                              You can include that in your EULA, saying that users shall not circumvent the filtering protection currently offered from OpenDNS. If they don't agree to those terms, user is free to use their own data plan for internet access.

Also if paranoid, use a /29 and push the guest network out using a different WAN IP. Or, supply a guest network on its own signal and router.

                              Or, supply a box of homing pigeons and offer IP-over-carrier-pigeon  ::)

Visseroth

ha, LOL! IP-Pigeons!  ;D

                                Any ideas on Torrenting?

The OpenDNS idea is a good idea. Having the DNS addresses pushed to the network so all DNS is resolved externally also keeps other machines from seeing each other via DNS, though not completely, assuming client separation on the AP isn't working.

Pentangle

For torrenting, since they'll use any and every port available, I'd specify the http/https ports in the floating firewall rules, and then traffic-shape the hell out of the subsequent catch-all.

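The two concrete policy suggestions in this thread (moikerz: allow DNS only to OpenDNS and block the rest of port 53; Pentangle: pass HTTP/HTTPS into a priority queue and shape everything else as the catch-all) combine into one short first-match rule set. The following is an added example written for this discussion, not code from pfSense or from any poster: a small evaluator that models pfSense's first-match rule semantics over constructed sample flows so the ordering of the rules can be checked before they are typed into the firewall. The guest subnet, queue names and flow samples are assumptions; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolver addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Added example: models the guest-network rule set discussed in the thread as a
# first-match policy (pfSense rules match first-hit, like pf "quick" rules).
# Guest subnet, queue names and sample flows are constructed assumptions.
GUEST_NET = ip_network("10.50.0.0/22")
ALLOWED_RESOLVERS = {ip_address("208.67.222.222"), ip_address("208.67.220.220")}  # OpenDNS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "pass" or "block"
    queue: Optional[str]          # traffic-shaper queue for passed traffic
    match: Callable[[Flow], bool]


def _from_guest(f: Flow) -> bool:
    return ip_address(f.src) in GUEST_NET


RULES = [
    # 1. DNS only to the filtering resolvers; this is what makes the OpenDNS filter stick.
    Rule("dns-to-opendns", "pass", "qDNS",
         lambda f: _from_guest(f) and f.dport == 53 and ip_address(f.dst) in ALLOWED_RESOLVERS),
    # 2. Any other port-53 traffic is dropped, so a client-side resolver change is ineffective.
    Rule("block-other-dns", "block", None,
         lambda f: _from_guest(f) and f.dport == 53),
    # 3. Web traffic, HTTPS included, is passed untouched into the priority queue.
    Rule("web-priority", "pass", "qWeb",
         lambda f: _from_guest(f) and f.proto == "tcp" and f.dport in (80, 443)),
    # 4. Everything else (torrent clients on arbitrary ports land here) goes to the shaped catch-all.
    Rule("catch-all-bulk", "pass", "qBulk",
         lambda f: _from_guest(f)),
]


def evaluate(flow: Flow, rules=RULES) -> tuple:
    """Return (action, queue, rule name) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if rule.match(flow):
            return rule.action, rule.queue, rule.name
    return "block", None, "default-deny"


def queue_summary(flows) -> dict:
    """Count flows per queue; blocked flows are counted under 'blocked'."""
    counts: dict = {}
    for f in flows:
        action, queue, _ = evaluate(f)
        key = queue if action == "pass" else "blocked"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic from one guest client.
SAMPLE_FLOWS = [
    Flow("10.50.1.20", "208.67.222.222", "udp", 53),   # DNS to OpenDNS
    Flow("10.50.1.20", "8.8.8.8", "udp", 53),          # DNS to a non-approved resolver
    Flow("10.50.1.20", "203.0.113.10", "tcp", 443),    # HTTPS
    Flow("10.50.1.20", "203.0.113.11", "tcp", 80),     # HTTP
    Flow("10.50.1.20", "198.51.100.7", "tcp", 6881),   # typical BitTorrent port
    Flow("10.50.1.20", "198.51.100.8", "udp", 51413),  # another arbitrary high port
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
    print(queue_summary(SAMPLE_FLOWS))
```

Two limits are visible in the model itself. Rule 2 only pins down classic port-53 DNS; encrypted DNS carried inside TCP 443 passes under rule 3 as ordinary web traffic, which is the same class of bypass the thread already accepts for guests on a VPN. And rule 4 does not identify torrent traffic, it only makes sure anything that is not web or DNS competes for the shaped bulk queue rather than the priority one, which is exactly the catch-all approach Pentangle describes.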
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.