Time restriction for CP users possible with pfSense?

  • Hi there,

    I'm running a Free WiFi hotspot where users can use the Internet after acknowledging the terms of use.
    They do not need to authenticate in any way, they just have to tick a checkbox and click the submit button on the CP page.
    (It's a requirement that the "login" process should be as easy and simple as possible and all the users are strangers, so it's not practical to deliver usernames and passwords to them… It will always be a (more or less) anonymous system)

    Now, I would like to restrict both the amount of traffic and the time the users can access the Internet.

    For example:
    Users should be able to use the Internet only for 4 hours per day and they are allowed to cause not more than 400 MB of traffic on that day.
    As soon as one of the two limits is reached, the connection to the Internet is blocked. The next day (or a configurable amount of time later) the user should be able to "log in" again (i.e. see the CP again). The users should be recognized by their MAC address (i.e. one MAC address is only allowed to be online for 4 hours and a max of 400 MB).

    I've already tried several approaches, but I did not find a convenient solution yet. Is there any support in pfSense for this usage scenario?
    Any workarounds or tricks how this could be accomplished?
    I know that FreeRADIUS could work with time-based tickets, but as I do not have usernames which I could authenticate on the RADIUS server, it's difficult to use RADIUS...

    Best regards,

  • Just to clarify what it is you are asking. Do you want to restrict individual users to the limit, which is not really doable, as you have no users to apply the limits to, or do you mean that the total amount of traffic used is the cut-off point?

    I suspect the former and the only way I can think of doing anything like that would be to log the device MAC address in something like mysql and list traffic against it with a daily reset on data used.
    If bandwidth/data hogs are your issue, try enabling per-user bandwidth restriction on the CP page and tweak it so that if they use all the bandwidth allocated for 4 hours the traffic equals 400 MB.
    However it won't take them long to work out that a logout and login will reset that.

    The real problem is that with no user base there is nothing to work with except the device and the CP is not really designed to be used that way. It might also be worth looking at some DHCP magic, depending on what your DHCP server is, that will limit the lease time and refuse to renew at the 4 hour mark.

    BTW FreeRadius works fine with MAC addresses as the user but it's a chicken and egg scenario as you need the MAC address to apply the rules and you don't have that until after the users are connected.
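    A sketch of the per-MAC accounting the reply above suggests, as an added example (not from this thread or from pfSense): a tracker keyed by MAC and calendar day that accumulates online time and bytes from finished sessions, splits sessions that cross midnight, and reports when the 4 h / 400 MB daily limits are hit. The MAC addresses and session records are constructed; feeding it from real accounting data and applying the block are left to the caller.

```python
"""Per-MAC daily quota tracker (hypothetical helper, not part of pfSense).

Each MAC gets 4 h online and 400 MB per calendar day. Counters are kept per
(MAC, day), so a new day starts with empty counters (the daily reset).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1000 * 1000
TIME_LIMIT = timedelta(hours=4)
BYTE_LIMIT = 400 * MB


@dataclass
class Usage:
    online: timedelta = timedelta(0)
    bytes_used: int = 0


class QuotaTracker:
    def __init__(self) -> None:
        self._usage: dict[tuple[str, str], Usage] = {}

    def _bucket(self, mac: str, when: datetime) -> Usage:
        """Counters for this MAC on the calendar day containing `when`."""
        return self._usage.setdefault((mac, when.strftime("%Y-%m-%d")), Usage())

    def record(self, mac: str, start: datetime, end: datetime, byte_count: int) -> bool:
        """Account a finished session; True if the MAC is now over quota for that day."""
        next_midnight = datetime.combine(start.date() + timedelta(days=1), datetime.min.time())
        if end > next_midnight:  # session crosses midnight: credit each day its share
            head = int(byte_count * ((next_midnight - start) / (end - start)))
            self.record(mac, start, next_midnight, head)
            start, byte_count = next_midnight, byte_count - head
        u = self._bucket(mac, start)
        u.online += end - start
        u.bytes_used += byte_count
        return self.is_blocked(mac, start)

    def is_blocked(self, mac: str, now: datetime) -> bool:
        u = self._bucket(mac, now)
        return u.online >= TIME_LIMIT or u.bytes_used >= BYTE_LIMIT


def demo() -> dict:
    """Constructed sessions: MAC A hits the time limit, MAC B the byte limit after a midnight split."""
    t, d = QuotaTracker(), datetime.fromisoformat
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    return {
        "a_first": t.record(a, d("2024-05-01T08:00"), d("2024-05-01T10:00"), 100 * MB),
        "a_second": t.record(a, d("2024-05-01T12:00"), d("2024-05-01T14:30"), 50 * MB),
        "a_nextday": t.record(a, d("2024-05-02T09:00"), d("2024-05-02T09:30"), 10 * MB),
        "b_night": t.record(b, d("2024-05-01T23:00"), d("2024-05-02T01:00"), 400 * MB),
        "b_morning": t.record(b, d("2024-05-02T02:00"), d("2024-05-02T02:10"), 200 * MB),
    }
```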

  • The plan is to both have a time limit for the users and to limit the amount of traffic for the users.
    Regarding the timing issue, I know that this is difficult when not having a users database to authenticate against. The only way would be to use the devices' MAC addresses and to check when they logged in for the first time and then measure the time from then…

    Regarding the amount of traffic, I currently use ntopng to monitor and count the traffic the users are generating and as soon as they reach the 400 MB, I add their IP address to the firewall's block list. That's not a really convenient solution, as it involves manual tweaking where I thought pfSense could help...

    Are anonymous hotspots really that rare that there's no support needed for such features?
    (I think free WiFi hotspots are becoming more and more common ... I think that the CP in pfSense would be even more attractive if there were more options for anonymous users... But that's just my opinion. I still find it a great product and I can get what I need ;-) )

    Regarding the suggestion with FreeRADIUS: This would be a great solution, but I have to create the users (i.e. the MAC addresses) first in order to be able to authenticate against the user database. As I don't know the MAC addresses of the customers, this is quite difficult... Best would be if such users could be generated on the fly by the RADIUS server...
