Captive Portal Hard Limits



  • I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users. I thought of disconnecting somehow Unauthenticated users only, say for 15 minutes, even if I would have to do it through the command line/console or cron. Has anyone done this, or any ideas where to find the active Unauthenticated users and be able to disconnect them in any way after the minutes specified?


  • Rebel Alliance

    pfsense doesn't have such a feature
    if you need this, you will need to implement it yourself.. sorry



  • @free4 Thank you for the response. I am aware that pf doesn't have it, so I was wondering if anyone knows how to find unauthenticated users using the console and then issue a command to disconnect them?


  • Galactic Empire

    I don’t use captive portal, but can’t you implement captive portal and Freeradius?


  • Rebel Alliance

    @tmtechonline depends on what you want exactly

    pfsense is using ipfw under the hood for running the captive portal

    you can compare ipfw to linux's netfilter / iptables.

    you could list ipfw rules, tables and pipes by issuing the commands ipfw list, ipfw table all list, ipfw pipe list

    also, the pfsense GUI is tracking who is connected using an SQLite database (which is located in /var/db on any pfsense appliance)

    every time a user (dis)connects, an entry is added/removed from the SQLite DB, and ipfw commands are issued to perform the required action

    this means you could add or remove ipfw entries if you want
    but the GUI won't reflect the changes, unless you also update the SQLite DB



  • @free4 great info and thanks for initial ideas.

    What I wanted to do is be able to get the unauthenticated user info which will give me a way to disable that user after 15 minutes leaving authenticated users connected unlike using hard timeout which will disconnect all users connected to the captive portal.

    No option to do that in CP GUI.

    Can I get unauthenticated users using ipfw and disconnect them once 15 minutes since they logged in?

    I will see what I can find using the info you provided.

    Just a follow up, can I also query the db and use that to get the actual ipfw line and disconect that user?


  • Rebel Alliance

    @tmtechonline yes, exactly

    also, few things you need to know :

    • since you are thinking about making your own script, you may want to have a look at the pfSense source code. you should check:

    • pfSense is running a modified version of PHP, multiple functions have been created in order to send ipfw commands. These functions have been implemented in C++ and directly communicate with the FreeBSD kernel using low-level procedures (IP_FW3 sockets), for speed improvement.



  • @free4 thanks for your kind help. I will look into it see what I can do though I am not really focused on development.

    If there's a command/short script that would simplify getting the unauthenticated user and then disconnecting it after 15 minutes even running it on cron then that will be very helpful.

    Thanks again.



  • @tmtechonline said in Captive Portal Hard Limits:

    I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users.

    That's as documented :

    [screenshot]

    @tmtechonline said in Captive Portal Hard Limits:

    somehow Unauthenticated users only

    Unauthenticated devices can be connected to the portal network, but the gateway is not available for them.
    What's the use of having a device being connected ?

    There are no firewall rules for "I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users. I thought of disconnecting somehow Unauthenticated users" so there is nothing to do for them on pfSense.

    Are you using the portal using the Authentication Method set to None ?



  • @Gertjan said in Captive Portal Hard Limits:

    @tmtechonline said in Captive Portal Hard Limits:

    I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users.
    

    That's as documented :

    [screenshot]

    @tmtechonline said in Captive Portal Hard Limits:

    somehow Unauthenticated users only

    Unauthenticated devices can be connected to the portal network, but the gateway is not available for them.
    What's the use of having a device being connected ?

    There are no firewall rules for "I just completed setting up captive portal and immediately the issue I saw is that once Hard Timeout is set, it disconnects all users. I thought of disconnecting somehow Unauthenticated users" so there is nothing to do for them on pfSense.

    Are you using the portal using the Authentication Method set to None ?

    I am using authenticated users local database and the set up allows initial users (unauthenticated) to connect until hard limit is reached and will be disconnected and prompted to enter username/password or voucher.

    Using the hard timeout disconnects all users both authenticated and not. What I just wanted to do is disable hard limit and manually or thru script get unauthenticated users where logon times is 15 or more minutes will be disconnected and will be required to enter username/password or voucher.



  • @tmtechonline said in Captive Portal Hard Limits:

    unauthenticated users

    Who are these ?
    Are they shown on the captive portal page ?



  • @Gertjan yes, those users will be shown in Captive Portal status Active Users.



  • You are using :

    [screenshot]

    ?

    edit : if so .... open /etc/inc/captiveportal.inc - locate 3600 (there are two of them) - change them for 60. Now the "Waiting period to restore ..." will be in minutes, not hours.
    Btw : I didn't test.



  • @Gertjan said in Captive Portal Hard Limits:

    You are using :

    [screenshot]

    ?

    edit : if so .... open /etc/inc/captiveportal.inc - locate 3600 (there are two of them) - change them for 60. Now the "Waiting period to restore ..." will be in minutes, not hours.
    Btw : I didn't test.

    Hi @Gertjan That is for the reset of the unauthenticated account which means after an unauthenticated user has reached the limit, user will just have to wait minutes and they will have access again.

    What I need is to:

    1. Determine who are the unauthenticated users
    2. Get the login times of those unauthenticated users
    3. once the login times equals or more than 15 minutes, then I will run a command, batch or script which will disconnect those unauthenticated users.

    This is nowhere available in CP settings.

    My current settings are:

    Idle Time: = 15 (minutes)
    Hard Time out = 0 (hour/hours meaning disabled, if enabled by inputting 1 or more hours, that would mean after that hour, all users (Authenticated, Unauthenticated and Voucher Users) will all be disconnected, so I have to put 0 since I don't want all to be disconnected).

    Pass-through credits per MAC address = 1 (I just need unauthenticated users to be allowed to access once and after that they will be prompted to use username/password or voucher key).

    Waiting period to restore pass-through credits = 24 hours (since I wanted an unauthenticated user to be able to access the CP without authenticating after 24 hours).

    Hope this make sense :)

    So to tackle, first, what command in console I use to find unauthenticated users in CP? I have tried IPFW LIST ALL but it shows all connected users but only showing MAC info where user unauthenticated or authenticated is not shown.



  • @tmtechonline said in Captive Portal Hard Limits:

    IPFW LIST ALL

    will not work.
    Command line commands can't be all capitals : check here :
    https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html#ipfw-tables

    Try :

    ipfw table all list
    

    I'm pretty sure these 'clients' are in the table called "xxxx_pipe_mac" where xxxxx is your captive portal zone name.

    Also : there are close to no CLI commands to do what you want. pfSense is GUI based.
    There are no (or very few) CLI possibilities.

    But, with some scripting there is no limit about what can be done.



  • @Gertjan Thanks for your quick reply and really appreciate your help here.

    I tried that command too but as mentioned I cannot determine which is unauthenticated using that.

    Not that good in scripts, will you be able to draft me just a general function to search the unauthenticated and I can probably find my way in between?



  • The good news :
    The captive portal is just two files.
    /usr/local/captiveportal/index.php
    and
    /etc/inc/captiveportal.inc

    The bad news : you have to read and understand the whole thing - only then you will know what needs to be done that fits your needs..



  • @Gertjan Got it! So as my last hope to finding a solution to my needs, can you help me out how will I be able to query CP DB and list its contents using console?



  • Yep.

    Make a file with this in it :

    #!/usr/local/bin/php -q
    <?php
    	require_once("/etc/inc/util.inc");
    	require_once("/etc/inc/functions.inc");
    	require_once("/etc/inc/captiveportal.inc");
    
    	/* Read in the captive portal db and print every entry, for all zones */
    
    	/* Is portal activated ? */
    	if (is_array($config['captiveportal'])) {
    		/* For every zone, do */
    		foreach ($config['captiveportal'] as $cpkey => $cp) {
    			/* Sanity check, then : is zone enabled ? */
    			if (is_array($cp) && array_key_exists('enable', $cp)) {
    				/* captiveportal_read_db() takes the zone from the global $cpzone */
    				$cpzone = $cpkey;
    				$result = captiveportal_read_db();
    				foreach ($result as $cpentry) {
    					print_r($cpentry);
    				}
    			}
    		}
    	}
    ?>
    

    Execute like this : php -q test.php
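
The three steps asked for earlier in the thread (find the unauthenticated sessions, read their login time, disconnect them at 15 minutes), built on the listing script above as an added example; it is not from any poster and not part of pfSense. Assumptions to check against the print_r output on your version: rows carry the keys allow_time, username, sessionid, ip and mac, pass-through sessions have the username "unauthenticated", and captiveportal_disconnect_client() needs the globals $cpzone and $cpzoneid set the way the captive portal status page sets them.

```php
#!/usr/local/bin/php -q
<?php
/* Added example, not pfSense code. Assumed: the row keys allow_time, username,
 * sessionid, ip, mac; the "unauthenticated" label; $cpzoneid being required. */
const MAX_AGE = 15 * 60;            /* seconds a pass-through session may last */
const LABEL   = 'unauthenticated';  /* assumed username of pass-through sessions */
/* Steps 1-3 as a pure function: labelled sessions that are MAX_AGE old or older */
function expired_passthrough(array $entries, int $now): array {
	return array_values(array_filter($entries, function ($e) use ($now) {
		return isset($e['username'], $e['allow_time'], $e['sessionid'])
			&& $e['username'] === LABEL
			&& ($now - (int)$e['allow_time']) >= MAX_AGE;
	}));
}

function report(string $zone, array $e, int $now): void {
	printf("%s: %s %s connected %d min\n", $zone, $e['ip'], $e['mac'],
		intdiv($now - (int)$e['allow_time'], 60));
}
$now = time();
$disconnect = in_array('--disconnect', $argv, true);  /* default: list only */

if (file_exists('/etc/inc/captiveportal.inc')) {
	require_once('/etc/inc/util.inc');
	require_once('/etc/inc/functions.inc');
	require_once('/etc/inc/captiveportal.inc');
	foreach ((array)($config['captiveportal'] ?? array()) as $cpkey => $cp) {
		if (!is_array($cp) || !array_key_exists('enable', $cp)) continue;
		$cpzone = $cpkey;          /* globals used by the captiveportal_* functions */
		$cpzoneid = $cp['zoneid'];
		foreach (expired_passthrough(captiveportal_read_db(), $now) as $e) {
			report($cpzone, $e, $now);
			if ($disconnect) {
				captiveportal_disconnect_client($e['sessionid']);
			}
		}
	}
} else {
	/* Not on pfSense: constructed sample rows, only the first one is selected */
	$sample = array(
		array('allow_time' => $now - 1200, 'ip' => '192.0.2.10', 'mac' => '02:00:00:00:00:0a', 'username' => LABEL, 'sessionid' => 'aaaa'),
		array('allow_time' => $now - 300, 'ip' => '192.0.2.11', 'mac' => '02:00:00:00:00:0b', 'username' => LABEL, 'sessionid' => 'bbbb'),
		array('allow_time' => $now - 3600, 'ip' => '192.0.2.12', 'mac' => '02:00:00:00:00:0c', 'username' => 'alice', 'sessionid' => 'cccc'),
	);
	foreach (expired_passthrough($sample, $now) as $e) {
		report('sample', $e, $now);
	}
}
```

Without arguments the script only lists what it would disconnect; add --disconnect (for example from cron) once the listing matches the Active Users page. Going through captiveportal_disconnect_client() rather than raw ipfw commands keeps the portal database and the GUI in step with the firewall state.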



  • @Gertjan Great! I think I saw that code somewhere.

    Will start with this one. Thanks a lot @Gertjan.

    If anyone has other ideas that can make this happen, please do add some lines here :)

