Is this plugin idea even possible?

  • After more than a year of searching for something that does this, I have not found anything that suits my needs, so I am now considering writing my own pfSense plugin/package.

    I am currently a Java developer with a very limited understanding of PHP, C and HTML, so before I can even start this project I will need to do what I suspect will be many days of research. So before I start, I would like to know if what I am thinking of is even possible.

    What I need is very simple. I need a way to restrict the monthly data usage of each user on my network. (That's data usage, NOT bandwidth usage. If there is one thing I have learned in all my research, it's that a lot of people can't tell the difference between those.)

    Example: Say I have 3 users on the network and my ISP allows me to use 60GB of data per month. I would like to be able to limit each user to no more than 20GB a month.
    It sounds simple, but so far I have not found anything that can do this.

    Some key features I would need to implement:
    Peak/Off Peak data caps.
    Ability to monitor data used/remaining for each user.
    Ability to split a user's data allowance into weekly/daily allowances to avoid a user using their entire allowance in the first few days of the month.
    Ability to give users a one-off allowance increase in the event they exceed their cap but still need internet access for something important.

    Some features that would be nice to have:
    The ability to use the existing captive portal feature for user management.

    The ability to assign a MAC address to a user so they do not need to login each time they access the network.
    When a user exceeds their allowance they are redirected to a custom information page.
    A web portal that allows users to monitor their data usage.

    So my question is: does what I'm describing sound possible? And if so, would it be a simple project or a massive undertaking?

    On a side note, if anyone happens to know of something that can already do all that, I would be very happy to hear about it. But as far as I can tell there is nothing that can do this. At least nothing outside of very expensive enterprise-grade equipment.

    Edit: The only other option I can think of would be to replace my pfSense router with a Linux server and write a program (preferably in Java) that does everything I need via iptables. But I have not looked into that yet, so I don't know how viable that solution would be.

  • It'll be a huge undertaking to create what you want/need.

    You could possibly try using captiveportal & radius-accounting.

  • @heper:

    It'll be a huge undertaking to create what you want/need.

    You could possibly try using captiveportal & radius-accounting.

    Thanks heper, if I can get that to work it would definitely save a lot of time.

    The biggest issue I see so far is it does not look like I will be able to have separate peak/off-peak allowances. But as I don't care as much about off-peak, I may be able to find a way to disable accounting during off-peak time. Maybe I can do that with a script or something? (I have not looked into using scripts on pfSense yet.)

    Another issue is, as far as I can tell, there is no way to check how much data a user has used. But I may just be missing something. I can't really do any research until I switch back over to off-peak data tonight because I am currently out of peak. (The situation I am hoping to avoid using this system.)

  • OK, so I think by combining this with a couple of cron scripts I can get it to do everything I need. If I can get accounting to actually work, that is… I thought I had it working at one point when I set the data limit to 0.1MB, but with it set to 1 MB I cannot get it to work at all... I'm hoping I just have something configured wrong. Maybe someone can help me out?

    I can't post screenshots until I switch over to off-peak data, so here is a quick rundown of all of the config changes I have made.

    Captive Portal:
    Disable Concurrent user logins = true
    Authentication method = RADIUS Authentication
    RADIUS protocol = PAP (There was nothing about this in the documentation, so I assume it's not important)
    Primary RADIUS server = (The router's IP)
    RADIUS shared secret = test321
    Send RADIUS accounting packets to the primary RADIUS server = true
    Accounting updates = Stop/Start - Also tried "Stop/Start (FreeRADIUS)"
    Reauthenticate connected users every minute = true

    FreeRADIUS User:
    (I am using a new user that does not have a pfSense user account, but I have also tried using one of the existing pfSense accounts)
    Amount of Download and Upload Traffic = 1
    Time Period = Daily

    FreeRADIUS NAS / Clients:
    Client IP Address =
    Client Shared Secret = test321

    FreeRADIUS Interfaces:
    Interface IP Address = *
    Port = 1812

    FreeRADIUS Settings:
    All default

    Anything not listed above I left at default.

    The "max-octets-<username>" and "used-octets-<username>" files are created inside /var/log/radacct/datacounter/daily, but used-octets never gets updated.

    If I can get this working, I should hopefully be able to implement most of the functionality I need by manipulating those 2 files with scripts.
    That's assuming I can get FreeRADIUS to actually load changes I make to those files. Theoretically, if I stop the FreeRADIUS service, make changes, then restart the service, it should load everything from disk when it starts. But before I can test any of that, I need to actually get it working.

    So, any ideas as to what I could be doing wrong?

  • OK, so I figured out the problem. It should probably be noted in the documentation that in order for accounting to work, FreeRADIUS needs an interface set to listen on port 1813 for accounting packets.

    But now I have a new problem. According to the documentation, to reset the counter you simply have to delete the used-octets-<username> file. Well, for some reason that does not work. When it regenerates the file, it simply picks up where it left off.

    At this point I don't think I will even use RADIUS to handle the data caps; I will just use it as a counter and handle everything with scripts. But it's going to make things a lot more complicated if I can't reset the counter.

    Edit: I'm also noticing something odd about the accounting. It seems the usage counter continues to increase at a rate of a few hundred KB per minute even when the user is no longer connected to the network. Meaning a user can log in, then disconnect their machine from the network, and until their login session times out they will continue to use data at a relatively slow rate. That will get rather annoying if I can't figure out how to fix it…

    Edit2: It's worse than I thought. A user that isn't even connected to the network just used around 20MB in about 10 minutes. That's going to make this completely unusable...

    Edit3: Unless I'm just missing something stupid, I think RADIUS accounting may just be broken on pfSense. I just tried a fresh pfSense install on a different system and it's doing the exact same thing...
    So... Any ideas?

    Oh, and what I said about it showing 20MB used in 10 minutes... It got worse than that. It seems a bit random, but after a bit more testing I left the test user connected and went to bed. In the morning the user had been disconnected for reaching the 100GB limit set...
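
Added example (not part of the thread, and not pfSense or FreeRADIUS code): one way to do the per-user bookkeeping the posts above ask for, working from RADIUS accounting records rather than the used-octets files. It charges only the bytes reported since a session's previous record, folds in the standard Gigawords wrap counters, and keeps peak and off-peak totals apart; the `time` field, the peak window, the cap and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

PEAK_HOURS = range(8, 24)  # assumption: peak tariff runs 08:00-23:59
GIGAWORD = 2 ** 32         # 32-bit octet counters wrap here

def session_total(rec):
    """Cumulative session bytes, both directions, counter wraps included."""
    return sum(int(rec.get(f"Acct-{d}-Octets", 0))
               + int(rec.get(f"Acct-{d}-Gigawords", 0)) * GIGAWORD
               for d in ("Input", "Output"))

class QuotaLedger:
    def __init__(self, peak_caps):
        self.caps = dict(peak_caps)    # user -> peak cap in bytes
        self.bonus = defaultdict(int)  # one-off allowance increases
        self.used = defaultdict(lambda: {"peak": 0, "offpeak": 0})
        self._last = {}                # (user, session id) -> highest total seen

    def feed(self, rec):
        """Charge only the bytes reported since this session's previous record."""
        if rec["Acct-Status-Type"] not in ("Interim-Update", "Stop"):
            return                     # Start and other types carry no usage
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        total = session_total(rec)
        # Retransmitted or out-of-order records give a delta <= 0: charge nothing.
        delta = max(0, total - self._last.get(key, 0))
        hour = datetime.fromisoformat(rec["time"]).hour
        self.used[key[0]]["peak" if hour in PEAK_HOURS else "offpeak"] += delta
        self._last[key] = max(total, self._last.get(key, 0))

    def top_up(self, user, extra_bytes):
        self.bonus[user] += extra_bytes

    def remaining(self, user):
        return self.caps[user] + self.bonus[user] - self.used[user]["peak"]

def make_rec(time, status, inp=0, out=0, gw=0):
    return {"User-Name": "alice", "Acct-Session-Id": "s1", "time": time,
            "Acct-Status-Type": status, "Acct-Input-Octets": inp,
            "Acct-Output-Octets": out, "Acct-Input-Gigawords": gw}

SAMPLE = [  # constructed records, not captured from a real NAS
    make_rec("2024-01-01T09:00:00", "Start"),
    make_rec("2024-01-01T10:00:00", "Interim-Update", 1000, 500),
    make_rec("2024-01-01T10:00:00", "Interim-Update", 1000, 500),   # retransmit
    make_rec("2024-01-02T02:00:00", "Interim-Update", 3000, 1000),  # off-peak
    make_rec("2024-01-02T09:30:00", "Stop", 100, 1000, gw=1),       # input wrapped
]
```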
