API - Commands to remove and add rules

  • I am trying to work out a system to add a firewall rule. Basically I want to create a rule which adds unlimited access to a MAC address. My idea would be to create a webpage of some sort, where users log in, enter a MAC address into a text box and press OK, and then it creates the rule.

    I will develop this further, but if I can work out how to do this, then I can work backwards.

    In the end, I'll create an interface where users sign up for a monthly subscription of £10, and each user account can add the MAC addresses of their computers. If the payment is over 14 days late, the account will be deactivated and the rules automatically removed.

    The whole system would be quite easy to do (seeing as we develop backends etc.), and if we can get a way to remove and add rules using a script (I suppose over SSH), we would be happy to contribute the development back to the community.

    So let me summarise this post. I need the commands to:

    Add a firewall rule consisting of:
    MAC address, interface, all services on WAN, description = username signed up with

    Delete firewall rules with specific text in the description

    Anyone help?

  • What if your users are behind a SOHO router or WAP? You'll only get one MAC hitting your firewall and it's happy days for their whole office for one subscription.

  • More expense, and we want to charge by computer, otherwise they could add 50 and leave us with no BW.

  • What bern is trying to say: your solution will not work if someone puts a router between your pfSense and his network.

    Also why are you trying to do this by hand?
    Why not just use the captive portal?

  • ah sorry, misunderstood his post. I see what you mean.
    Well say we charged £10 per office, how could we work that out?

    What we are trying to get round is this. One office has two computers, one has thirty. We don't want them to pay the same because the second business can afford more, and will use much more bandwidth.

  • OK, hang on, let me think of this another way.
    We put a wireless router in each office, with all computers connected. Each of the routers has its WAN port set as 10.162.0.whatever.
    Then register the MAC addresses in the firewall, and allow access to the internet via MAC address.
    Then on non-payment, we just remove the MAC address until payment, and all is well.

    Is there a way I could make it route to a webpage, kind of like the captive portal, saying "payment not received" or "access denied to internet" when the MAC is not registered in the firewall?

  • You have to get rid of identifying your customers by their MAC addresses.
    If there's a (WLAN-) router between you and their office computers then all you see is the MAC of that one router. You won't be able to identify or even count single hosts behind it.

    You should listen carefully to what GruensFroeschli wrote. He's right usually!

  • As jahonix said: try not to use the MAC as something to bill/identify your customers.
    ANYONE can sniff on your network, fake their MAC and have pretty fast full access.

    IMO you're better off if you assign each office a subnet and restrict by IP/subnet.
    To control access you could use the Captive Portal and/or a FreeRADIUS server.
    You allow per customer only his own subnet/IPs. If he uses other IPs of other customers he's simply blocked.

    To counter NAT-able devices this thread might help you:
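The two ideas that survive this thread are the original poster's add/remove-by-description workflow with a 14-day payment grace period, and the last reply's advice to identify each office by its own subnet on its own interface instead of by MAC. The following script is an added example written for this page, not code posted by anyone in the thread or shipped with pfSense. It models a small per-customer rule set, renders it as generic pf syntax (`pass in quick on <if> from <subnet> ... label "<description>"` followed by a per-interface `block`), and simulates pf's first-match-with-`quick` lookup so you can see why a host on one office's port cannot borrow another office's address. The usernames, subnets, interface names and invoice dates are constructed sample data; the `customer:<username>` description convention and the `GRACE_DAYS` constant are assumptions.

```python
"""Per-customer subnet rule set with payment-based deactivation.

Added example for this thread (not pfSense code). Interface names,
subnets, usernames and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress
from typing import List, Optional

GRACE_DAYS = 14  # from the thread: deactivate once payment is over 14 days late


@dataclass
class Customer:
    username: str
    subnet: str           # the office's own subnet (assumed allocation)
    interface: str        # the firewall interface that office is reached on (hypothetical)
    last_due: Optional[date]  # due date of the oldest unpaid invoice; None if fully paid


@dataclass
class Rule:
    interface: str
    source: ipaddress.IPv4Network
    description: str


def account_active(customer: Customer, today: date) -> bool:
    """Active while nothing is owed or the oldest debt is within the grace period."""
    if customer.last_due is None:
        return True
    return (today - customer.last_due).days <= GRACE_DAYS


class RuleSet:
    """Ordered pass rules plus a trailing block on every customer interface."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.interfaces: set = set()

    def add_rule(self, interface: str, subnet: str, description: str) -> Rule:
        rule = Rule(interface, ipaddress.ip_network(subnet), description)
        self.rules.append(rule)
        self.interfaces.add(interface)
        return rule

    def remove_by_description(self, text: str) -> int:
        """Delete every rule whose description contains `text`; return how many."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if text not in r.description]
        return before - len(self.rules)

    def decide(self, interface: str, src_ip: str) -> str:
        """Simulate pf: first matching `quick` pass wins, otherwise the block rule hits.
        The interface is part of the match, so an address from another office's
        subnet arriving on the wrong port matches nothing and is blocked."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.interface == interface and ip in r.source:
                return "pass"
        return "block"

    def render(self) -> str:
        """Emit generic pf syntax for loading into an anchor (deployment not shown)."""
        lines = ["# generated: one pass rule per paid-up customer, then block the rest"]
        for r in self.rules:
            lines.append(
                f'pass in quick on {r.interface} from {r.source} to any label "{r.description}"'
            )
        for iface in sorted(self.interfaces):
            lines.append(f"block in quick on {iface} all")
        return "\n".join(lines)


def build_ruleset(customers: List[Customer], today: date) -> RuleSet:
    """Rebuild the rule set from billing state: late accounts simply get no pass rule."""
    rs = RuleSet()
    for c in customers:
        rs.interfaces.add(c.interface)  # keep the block rule even when the customer is off
        if account_active(c, today):
            rs.add_rule(c.interface, c.subnet, f"customer:{c.username}")
    return rs


# Constructed sample data: alice is paid up, bob is 28 days late, carol is 9 days late.
SAMPLE_CUSTOMERS = [
    Customer("alice", "10.162.1.0/24", "vlan101", None),
    Customer("bob", "10.162.2.0/24", "vlan102", date(2010, 2, 1)),
    Customer("carol", "10.162.3.0/24", "vlan103", date(2010, 2, 20)),
]

if __name__ == "__main__":
    rs = build_ruleset(SAMPLE_CUSTOMERS, date(2010, 3, 1))
    print(rs.render())
    print("alice from her own port:", rs.decide("vlan101", "10.162.1.25"))
    print("bob's address on alice's port:", rs.decide("vlan101", "10.162.2.25"))
    print("bob on his own port (late):", rs.decide("vlan102", "10.162.2.25"))
```

The rendered text is plain pf syntax; how it gets onto the firewall is outside this example. One assumption-laden route is to copy it over SSH and load it into a named anchor with `pfctl -a <anchor> -f <file>`, but pfSense regenerates its own ruleset from its configuration, so anything loaded that way should be treated as a demonstration rather than a persistent deployment. The MAC-spoofing objection raised above does not apply here because nothing in the decision depends on a MAC: a customer can only ever be matched on the interface that physically terminates their office.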
