Possible: Captive Portal Access from Multiple Sites



  • I've done a bit of searching but am still not sure if what I'd like to achieve is possible.

    We offer our clients free access to the internet when in any of our offices. Until now it's been offered by way of a WPA-secured AP in each office; this is getting a bit cumbersome to operate and regularly change passphrases etc.

    Each AP is a separate router and WAP which has its own ADSL connection; they are not attached to our LAN, it is 100% self-contained for security reasons.

    I have today set up a pfSense box on our HQ free internet connection and activated captive portal - customised, and it works really well.

    What I'd like to do is pass all internet traffic from the other sites through this same box. Each site has a range of static IPs and I have full access to the routers etc to make changes.

    The reason I'd like everything going through this one box is so that all authentication is in one place and I don't have to manage 6 separate pfSense boxes etc.

    Can this be done? I simply want to use it for Captive Portal really, but the other features would be handy; scheduling can however be done at router level in each site.

    Is any of this possible?

    Thanks in advance.

    Shaun



  • Do you want just one box because of the management of the users, or actually the management of the boxes?
    If it's just the users you could install the FreeRADIUS package on one box and authenticate all users against this FreeRADIUS.
    This also has the advantage that you don't have to route the whole traffic of your offsites through your HQ.

    Also how would you force the traffic from your offsites to the box at your HQ where the authentication would happen?
    With a VPN-tunnel? Then you would need a device at each site and you have to manage them all again.

    I've set up a network where we had a pfSense in multiple places.
    All these places were connected with directional WLAN antennas to a central place.
    Each site had its own broadband connection.
    The users were on the LAN. The CP was active on the LAN.
    The FreeRADIUS server was at the HQ. This server was also reachable from the internet.
    The authentication was done over the WLAN, and if the WLAN should happen to be down (for whatever reason) the backup IP was the public IP of the same FreeRADIUS server.
    The idea was that each site had direct access to the servers at the HQ (higher speeds than over the broadband internet, which was shared with lots of users for normal web browsing).

        internet
            |
            |
           HQ
            |
          relay---------------------------------
           / |                                  \
          /  |                                   \
         /   |                                    \
    internet------site1      site2------internet   site3------internet
                    |          |                     |
                   LAN        LAN                   LAN
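    The captive portal in this setup acts as a RADIUS client (NAS) and talks RFC 2865 to the central FreeRADIUS server. As an added illustration that is not code from the thread, from pfSense or from FreeRADIUS, the following shows what actually crosses that link: how the User-Password attribute is obfuscated with the shared secret and Request Authenticator, and how the NAS checks the Response Authenticator on the reply. The secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)

def _obfuscate(data: bytes, secret: bytes, authenticator: bytes, decode: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block).
    The first 'previous block' is the 16-byte Request Authenticator from the header."""
    if len(authenticator) != 16 or not data or len(data) % 16:
        raise ValueError("authenticator must be 16 bytes; data a non-empty multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decode else result  # chain on the obfuscated block either way
    return out

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    return _obfuscate(padded, secret, authenticator, decode=False)

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _obfuscate(encoded, secret, authenticator, decode=True).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None) -> bytes:
    """NAS side: Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable
    pw = encode_user_password(password, secret, authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    attrs += struct.pack("!BB", 2, 2 + len(pw)) + pw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code, ident, attrs, request_auth, secret) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_auth, secret) -> bool:
    """NAS side: a reply from a host without the secret, or a tampered one, fails here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_response(code, ident, packet[20:], request_auth, secret)[4:20]
    return hmac.compare_digest(expected, packet[4:20])
```

    Because the only thing protecting the password and the reply is MD5 keyed with the shared secret, a FreeRADIUS server reached over its public IP, as in the fallback above, is only as strong as that secret and the filtering in front of it.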



  • It's not really feasible for me to have pfSense at each site. We have no IT staff at the other sites.

    Ideally I'd be happy with the authentication happening on one site for all and the access going out through each local ADSL connection. I'm guessing it's not going to be quite this easy though. :(



  • I don't say it's not possible to do the authentication at one place.

    But my question still stands: how would you force traffic from the sites to your HQ?

    As far as I see it you would need an additional device at each site no matter what solution you implement.
    With what I posted above you have a pfSense at each site, and the authentication will happen at a central FreeRADIUS server.

    You don't need IT personnel on your sites to have a box standing there ;)



  • Captive Portal depends on detecting the client MAC address. Your easiest solution would be to use a pfSense firewall at the remote location. It is possible to remotely access pfSense, and you can manage and even repair many things remotely. I have been managing a pfSense firewall for a location that I have only been to one time, and it is 1000 miles away.



  • I agree with the RADIUS. I use the RADIUS setup to manage 10 different networks, and it works very well for me.

