Firewall rule for captive portal authenticated users



  • hello all,

    i set up the captive portal and everything is working wonderfully and nicely.
    now i'd like to create a firewall rule only for users that are authenticated with the portal.
    is this somehow possible? i saw that another user wanted to do a similar thing¹, but i can't grasp the way to do it.
    reading this² it says that authenticated users are added to table 1, can i use this information to create another rule that applies only to those users?

    thanks!

    ¹https://forum.pfsense.org/index.php?topic=132951.0
    ²https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting


  • Galactic Empire

    Put your captive portal users on their own subnet, then use that subnet in your firewall rules



  • How can I do that? I can put all WiFi users on a dedicated subnet (I actually already did that), but how can I put ONLY authenticated captive portal users on a different subnet?


  • Galactic Empire

    Do you have spare LAN port on your pfSense box or a switch that supports vlans ?



  • yes I do


  • Galactic Empire

    @pox:

    yes I do

    Spare LAN port, a switch that supports vlans or both ?



  • I have an AP that supports vlan tags on the ssid, two spare ports on the pfsense router that support vlans, and a managed switch that supports vlan tagging.
    What do you have in mind?

    ps. in the meantime I saw that the portal uses ipfw to create the firewall rules: it would be easy to create custom rules for authenticated users if those rules could add a tag to the packets.


  • Galactic Empire

    If it was me I'd create NON CP and CP vlans on your LAN interface.

    Pass those vlans to the switch and pop the edge ports into NON CP and CP vlans as required.

    Setup a NON CP and CP SSID.

    You can then add firewall rules based on source address.

    I don't think you can modify the ipfw rules via the GUI.



  • thanks for the idea, BUT how do you do that? How do you put the captive portal on a subnet, and AUTHENTICATED users on a different subnet?



  • oh now i think i understand what you mean. but what i want to do is give users wifi access, but put them on a different wan gw.
    if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
    to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.


  • Galactic Empire

    1. Interfaces -> VLANs

    2. Create a new VLAN, assign the parent interface and assign it a number and name.

    3. Interfaces -> Interface Assignments and add the VLAN to the interfaces.

    4. Configure the IP info for the new interface.

    5. Create a new CP zone and assign it to the new interface.

    6. Create your firewall rules for that interface.


  • Galactic Empire

    @pox:

    oh now i think i understand what you mean. but what i want to do is give users wifi access, but put them on a different wan gw.
    if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
    to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.

    Do what I mentioned and use source based policy routing.

    If your AP / APs support multiple SSIDs and you have switches that support vlans its better doing it this way in the long run.



  • @pox:

    ….
    if i want the cp to work, the gateway for those wifi users has to be the pfSense router where the portal runs. but once they authenticate i want them to use a different gw.
    to do that, i can create a fw rule to change the gw, but the condition <user is authenticated> is missing.

    A "user" connects to a wifi (radio) network with SSID "X".
    This SSID is linked to an unique interface on which a captive portal instance runs (pfSense).
    The user is thrown to the 'login page'.
    The user logs in.
    => Inspect ipfw now and see for yourself that the user's IP and MAC are added to tables 1 and 2: the user passes through "ipfw" now, and the GUI firewall rules for your captive portal interface will determine what happens next. This is all the magic - there is nothing more, nothing less.

    There are no options that switch users from one captive portal (instance), once authenticated, to another captive portal instance - different ipfw rule sets are used, and different interfaces, thus different GUI firewall rules, are used. Captive portal instances do not communicate (their settings) with each other.

    Of course, you can use one AP with multiple SSIDs, all attached to their own VLANs, which means as many captive portal instances. But, once logged in to one instance - using a SSID, you can't switch to another one. There is no 'logic' to do so.

    I guess it's possible to set up one captive portal instance which uses interface WAN1 and another instance which uses WAN2. But then you will be making the choice: connecting to SSID "1", using WAN1, or SSID "2", using WAN2.

    Btw : Also possible : I didn't understand the question (yet) …..
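The "inspect ipfw and see for yourself" step from the post above, as an added shell example that is not part of the thread: it lists the captive portal zone's ipfw table 1 and checks whether a given client IP has an entry there. Assumptions not stated in the thread: the pfSense 2.2/2.3-era syntax `ipfw -x <zone> table 1 list`, output lines of the form `A.B.C.D/32 <value>`, and a zone named `cpzone`; the sample table output is constructed so the script runs where `ipfw` is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a client IP is in a
# captive portal zone's ipfw "authenticated" table (table 1).
# Assumption: pfSense 2.2/2.3-era syntax `ipfw -x <zone> table 1 list`,
# with one "A.B.C.D/32 <value>" entry per authenticated client.

# Constructed sample output of `ipfw -x cpzone table 1 list`, used when
# the real ipfw binary is not available (e.g. when testing off the box).
SAMPLE_TABLE='10.20.0.15/32 2001
10.20.0.23/32 2003
10.20.0.101/32 2005'

# Print table 1 for the given zone: real ipfw if present, else the sample.
cp_auth_table() {
    zone="$1"
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -x "$zone" table 1 list
    else
        printf '%s\n' "$SAMPLE_TABLE"
    fi
}

# Return 0 if the IP has an exact /32 entry in the zone's table 1, else 1.
# Matching on the whole "ip/32" field avoids "10.20.0.1" matching "10.20.0.15".
cp_is_authenticated() {
    zone="$1"
    ip="$2"
    cp_auth_table "$zone" | awk -v want="$ip/32" '
        $1 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print just the authenticated addresses, one per line (prefix length stripped).
cp_auth_addrs() {
    cp_auth_table "$1" | awk '{ sub(/\/32$/, "", $1); print $1 }'
}

# Count of authenticated clients in the zone.
cp_auth_count() {
    cp_auth_addrs "$1" | wc -l | tr -d ' '
}

# Usage: ./cpcheck.sh cpzone 10.20.0.23
if [ "$#" -eq 2 ]; then
    if cp_is_authenticated "$1" "$2"; then
        echo "$2 is authenticated in zone $1"
    else
        echo "$2 is NOT authenticated in zone $1"
        exit 1
    fi
fi
```

Run it on the pfSense box as root to see the live table; the constructed sample only stands in when `ipfw` is absent. On newer pfSense releases the captive portal tables are named rather than numbered, so check `ipfw -x <zone> table all list` first and adjust the table argument accordingly.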



  • ok it works now, thank you NogBadTheBad!

