How to secure internet access to go only via captive portal rules?



  • I have set up a pfSense Captive Portal service which blocks access for unauthorized users. Generally, without CP enabled, packets can pass through with no restriction.

    The thing I want is to set up the firewall so that traffic can pass only via CP rules. When I add a firewall rule that blocks everything at the end of the list, then authenticated users cannot use the internet, because it seems that firewall rules apply before CP rules.

    The reason why I want to set strict rules is that if the CP service fails to start for some reason, without an additional firewall rule, internet access will be open for everyone, which can be dangerous.

    How can I create a block rule in the firewall without blocking the CP?



  • @milan778:

    I have set up a pfSense Captive Portal service which blocks access for unauthorized users. Generally, without CP enabled, packets can pass through with no restriction.

    We know.
    You didn't give a follow up on your other thread …

    @milan778:

    The thing I want is to set up the firewall so that traffic can pass only via CP rules. When I add a firewall rule that blocks everything at the end of the list, then authenticated users cannot use the internet, because it seems that firewall rules apply before CP rules.

    Both apply to authorized and non-authorized users.
    The thing that changes for authorized users is that their MAC and IP are added to table 1 and 2.
    See https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting for all the details.

    @milan778:

    The reason why I want to set strict rules is that if the CP service fails to start for some reason, without an additional firewall rule, internet access will be open for everyone, which can be dangerous.

    Take some good hardware and a UPS and you'll be in for years of uninterrupted Captive Portal service.
    At least, it has worked very well for me for the last decade.

    Btw: when the captive portal starts (it isn't a program or service actually), it just inserts a bunch of rules into ipfw. And these stay there for years or more, as long as you need them to be there. Firewall rules won't "disappear" like that.
    The same ipfw will redirect connecting users to a built-in web server that shows the login page. Submitting this page will enter the user's MAC and IP into the ipfw tables.

    So, if this web server goes down, users will be locked out (and will not be able to reach the net).

    @milan778:

    How can I create a block rule in the firewall without blocking the CP?

    I don't get the question.
    Are you running a Captive Portal on the LAN interface (if possible, don't! Use a dedicated interface, OPT1, for it and life will be so much easier)?



  • Thanks for the reply.

    What I meant by:

    How can I create a block rule in the firewall without blocking the CP?

    I wanted to add a firewall rule that blocks all the traffic at the end of the list, so that the CP rules for redirection, and the rules that allow users' IP + MAC to pass, apply before that rule.
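The ordering problem in this thread, as an added example that is not part of the original posts: a small Python model of first-match evaluation over an ordered rule list, with the portal's rules reduced to the three behaviours the reply describes (authorized IP+MAC pairs pass, unauthorized HTTP is forwarded to the login page, the rest is denied). The three-rule portal set, the "fall-through packets pass" default, and the client addresses are assumptions for illustration, not pfSense's actual ipfw rule set; the point shown is where the extra "block everything" rule has to sit so that it only bites when the portal rules are absent.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "deny" or "fwd-portal"
    authorized_only: bool = False   # match only if (IP, MAC) is in the authorized table
    dst_port: Optional[int] = None  # match only this destination port; None = any port

# Simplified model of what the portal inserts once it is up (not the real pfSense rule set):
# authorized clients pass, unauthorized HTTP is forwarded to the login page, the rest is denied.
CP_RULES = [Rule("allow", authorized_only=True), Rule("fwd-portal", dst_port=80), Rule("deny")]
BLOCK_ALL = Rule("deny")  # the extra "block everything" rule the question asks about

def evaluate(rules, pkt, authorized):
    """First-match evaluation. Assumed from the thread: if nothing matches, the packet passes."""
    for rule in rules:
        if rule.authorized_only and (pkt.src_ip, pkt.src_mac) not in authorized:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "allow"

def build_ruleset(cp_up, block_all=None):
    """block_all: None, "before-cp" (evaluated ahead of the portal rules) or "after-cp"."""
    rules = [BLOCK_ALL] if block_all == "before-cp" else []
    if cp_up:
        rules.extend(CP_RULES)
    if block_all == "after-cp":
        rules.append(BLOCK_ALL)
    return rules

def verdict(pkt, authorized, cp_up, block_all=None):
    return evaluate(build_ruleset(cp_up, block_all), pkt, authorized)

if __name__ == "__main__":
    # Constructed sample clients: one that logged in through the portal, one that did not.
    authorized = {("192.0.2.10", "00:00:5e:00:53:01")}
    alice = Packet("192.0.2.10", "00:00:5e:00:53:01", 443)
    bob = Packet("192.0.2.20", "00:00:5e:00:53:02", 80)
    for cp_up, pos in [(True, None), (True, "before-cp"), (True, "after-cp"), (False, None), (False, "after-cp")]:
        print(f"cp_up={cp_up!s:<5} block_all={pos!s:<9} "
              f"alice={verdict(alice, authorized, cp_up, pos):<10} bob={verdict(bob, authorized, cp_up, pos)}")
```

With the block rule ahead of the portal rules the logged-in client is denied (the symptom in the first post); placed after them it changes nothing while the portal is up and closes the network only when the portal rules are missing.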