    captive portal to collect user info without authentication for guests at a restaurant

    Captive Portal
    • D
      DeanB_NYTS last edited by

      I have a restaurant client that wants to have a guest network for the patrons (which is fine and I have that working - VLAN setup on pfSense and VLAN ID tagged on the UniFi access point controller for the guest WiFi SSID ---- works fine)

      However, the client wants to be able to show a custom HTML page to devices that join the network so they can collect name and email info for the people who connect. (I have an HTML setup already to gather the info and send it to a database in a Google Docs sheet - which works separately on its own)

      However, I am not familiar with the pfSense captive portal settings. How can this be done?

      Ideally someone would join the guest network - be shown a page - and they would get 4 hours of internet (that's what I have the IP lease set to) and once they need a new IP they would have to resubmit or something - the Google Docs sheet has a macro for filtering duplicates I made for them so I don't care about duplicates ---- and their email marketing platform has a scrubbing utility to make sure they are valid emails before they send out mail so they don't get a high bounce rate.

      please advise ---- thanks in advance :)

      • awebster
        awebster last edited by

        Off the top of my head, you could probably do that with Use custom captive portal page and Authentication method "None", then upload your custom page.

        Details: https://docs.netgate.com/pfsense/en/latest/book/captiveportal/index.html

        • Derelict
          Derelict LAYER 8 Netgate last edited by Derelict

          You will have to maintain your own captive portal for that. There are places to accept fields but not for gathering information like an email address. You will need to probably use git and track the changes and merge them into new releases as the underlying/upstream captive portal code changes during the normal development cycles.

          In my personal opinion there are much better ways of gathering email addresses from customers than breaking the free wifi like putting them on an after-auth page that offers them an emailed coupon or something.

          iirc the main places all that happens are /etc/inc/captiveportal.inc and in /usr/local/captiveportal/index.php, both of which are subject to being overwritten on reinstalls and upgrades.

          • awebster
            awebster last edited by

            @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurant:

            However, the client wants to be able to show a custom HTML page to devices that join the network so they can collect name and email info for the people who connect. (I have an HTML setup already to gather the info and send it to a database in a Google Docs sheet - which works separately on its own)

            Correct me if I'm wrong, I think that if he redirects the no authentication post-login page to his google form, that should do the trick without having to dig into the internals of pfSense.

            The use case is:

            • captive portal welcome page which displays T&C for the free service
            • user clicks OK to agree to it, gets redirected to google form
            • user fills in the fields, clicks submit
            • user gets presented Thanks for your information page, and they're good to go.
            • Derelict
              Derelict LAYER 8 Netgate last edited by Derelict

              Yeah but there is nothing there that says "give us your email or you can't use the internet" because it is already authenticated.

              There are many, many things that can be done on post-auth pages but they are post-auth. You can also do pre-auth.

              You can't just upload your custom page because that is all parsed by index.php for fields. The simplest thing is to send them to a separate system to gather the information desired.

              • awebster
                awebster last edited by

                @Derelict said in captive portal to collect user info without authentication for guests at a restaurant:

                Yeah but there is nothing there that says "give us your email or you can't use the internet" because it is already authenticated.

                Good point, but only if they figure it out. I'd bet a good percentage of users will just happily fill in the form and be on their way.

                • Gertjan
                  Gertjan last edited by

                  Something like this:
                  When your script, some PHP – executes, first check if you can access the “database”, if not, show an error and exit. While checking, at this moment, you have the IP and MAC of the visiting client, so send them over during the test-check. A reply from the storage (Google) could be: “Yes : Ok, I’m up and accessible – user is unknown, so go ahead for 4 hours”. Or: “Yes : Ok, I’m up and accessible – user is known for having an access the last 4 hours : deny”.
                  When yes, continue, if ‘Deny’, or no reply from storage after time-out, inform user and exit.
                  Now, it's time to show the actual ‘custom captive portal login page’ data entry screen – let the user fill it in. Your screen should have an “Ok” button and a “Gime-the-acces” button.
                  When the form loads (on_load()), use some JavaScript disabling the “Ok” button and “Gime-the-acces” button at the bottom of the page.
                  Use other JavaScript code to validate the data – like: does the email look like an email, etc.
                  When all the needed fields are entered, java should enable the “Ok” button. Pressing this button should trigger some code that posts your client info on the storage.
                  If this goes well, enable the “Gime-the-acces” button.
                  This “Gime-the-acces” button validates the ‘custom captive portal login page’ html form so the user can access the net.

                  @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurant:

                  and they would get 4 hours of internet (that's what I have the IP lease set to) and once they need a new IP they would have to resubmit or something

                  Don’t do this, it’s not needed!

                  You can’t stop the DHCP circuit. It’s hardcoded as a pass on any interface and comes into action even before your own GUI pass and block rules. You will have to modify core pfSense files to change that behavior. It can be done, but why should you? You have something far better than that: because your ‘custom captive portal login page’ can access the storage, you can handle everything in one place: the file you upload as your ‘custom captive portal login page’.

                  Very easy to maintain, everything is in one place.

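                  The button gating described in the post above, written as a small state machine; this is an added example, not code from the thread or from pfSense. The element ids, event names and the "allow" verdict string are assumptions chosen for illustration.

```javascript
// Added example. Element ids, event names and verdict strings are assumptions,
// not pfSense identifiers.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Shape check only; the storage side must validate again.
function validate(fields) {
  const name = String(fields.name || "").trim();
  const email = String(fields.email || "").trim();
  return name.length > 0 && name.length <= 100 &&
    email.length <= 254 && EMAIL_RE.test(email);
}

const initial = Object.freeze({
  phase: "checking", okEnabled: false, accessEnabled: false, message: "",
});

// Pure reducer: anything other than an explicit success keeps both buttons off.
function step(state, event) {
  switch (event.type) {
    case "STORAGE_REPLY": // answer to the reachability / known-user check
      if (state.phase !== "checking") return state;
      return event.verdict === "allow"
        ? { ...state, phase: "form" }
        : { ...initial, phase: "denied", message: "Access not granted." };
    case "STORAGE_TIMEOUT": // no reply from the storage: fail closed
      if (state.phase !== "checking") return state;
      return { ...initial, phase: "error", message: "Registration service unreachable." };
    case "INPUT": // fired on every field change
      if (state.phase !== "form") return state;
      return { ...state, okEnabled: validate(event.fields) };
    case "POST_RESULT": // outcome of posting the details to the storage
      if (state.phase !== "form" || !state.okEnabled) return state;
      return event.ok
        ? { ...state, phase: "stored", okEnabled: false, accessEnabled: true, message: "" }
        : { ...state, message: "Could not save your details, please retry." };
    default:
      return state;
  }
}

const run = (events) => events.reduce(step, initial);

// Apply a state to the page; textContent keeps messages from being parsed as HTML.
function render(doc, state) {
  doc.getElementById("ok").disabled = !state.okEnabled;
  doc.getElementById("access").disabled = !state.accessEnabled;
  doc.getElementById("msg").textContent = state.message;
}
```

                  This only controls what the page shows; whether a guest gets online is still decided when pfSense processes the submitted portal form.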
                  • D
                    DeanB_NYTS last edited by DeanB_NYTS

                    OK, so I was able to get my custom HTML added to the pfSense and it shows up just dandy.

                    However, the issue I'm currently facing is that when a device joins the guest WiFi and gets presented the portal it can't submit the info because the device hasn't been authenticated (is my guess)

                    The way my portal is configured is that when they fill in the form it sends the form data to my hosted email marketing platform and then redirects the user to the restaurant's website.

                    Because the form can't be submitted, it's my current woe.

                    please advise. thanks so much for all of your help in this matter!

                    • Derelict
                      Derelict LAYER 8 Netgate last edited by

                      Allowed IP Addresses
                      Allowed Hostnames

                      Those can be accessed pre-authentication.

                      • D
                        DeanB_NYTS @Derelict last edited by

                        @Derelict

                        hmmmmmm i just tried it but that seems to bypass the captive portal entirely.

                        • Derelict
                          Derelict LAYER 8 Netgate last edited by

                          if you go directly to that URL yes.

                          You don't have a lot of choices here. Host stuff inside the portal or pass it pre-auth.

                          • D
                            DeanB_NYTS last edited by

                            @Derelict please excuse my ignorance but please advise on the below:

                            The portal is meant to show an HTML page with a simple form like this - http://mywifiportal.com/clients/Elea/

                            I have uploaded the HTML to the pfSense SG-3100 device - but I can only add the HTML - not the assets (images, scripts, CSS etc.)

                            This portal posts the info to my email marketing service for the client.

                            The issue is ---- all the assets don't load because they don't have internet access because they aren't authenticated.

                            How can I get this portal page to be shown to users on the guest network and have their info pass to the hosted marketing solution?

                            I really appreciate your help on this matter; pfSense is new to me.

                            • Derelict
                              Derelict LAYER 8 Netgate last edited by

                              [Screenshot: Screen Shot 2019-09-21 at 1.35.00 PM.png]

                              Assets uploaded here are available for use in your portal page.

                              • D
                                DeanB_NYTS last edited by

                                Is there possibly a way to allow pre-authentication access out of the LAN to an offsite address?

                                • Derelict
                                  Derelict LAYER 8 Netgate last edited by Derelict

                                  @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurant:

                                  Is there possibly a way to allow pre-authentication access out of the LAN to an offsite address?

                                  Yes. Allowed IP addresses and Allowed hostnames as I already described.

                                  • Gertjan
                                    Gertjan @DeanB_NYTS last edited by

                                    @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurant:

                                    way to allow pre-authentication access out of the LAN to an offsite address?

                                    Example :

                                    On your captive portal login page, you could mention a "conditions" page that is hosted somewhere in the Internet.
                                    I have a dedicated server running on the net with the web site of our company.

                                    So I :

                                    <p><a href="https://www.some-site-on-the-web.tld/" class="linkExternal"><img src="captiveportal-nvx-logo.png" class="centerImage" alt="https://www.some-site-on-the-web.tld Logo"></a></p>

                                    I added the some-site-on-the-web.tld URL to the allowed host name list :

                                    [Image: a41c832f-ce6b-4580-ba5f-d94ff71cb29b-image.png]

                                    This method can also be used for other types of services, like a remote database, whatever ...

                                    • D
                                      DeanB_NYTS last edited by

                                      @Gertjan

                                      Hmmm, interesting, I'll have to try this today. I assumed that "allowed hostnames" was for device names for DNS filtering instead of IP address. I didn't know it could be used for URLs!?

                                      So for instance I have most of the portal running locally now because another person showed me where I can locally load my assets into the Netgate. So if I can just allow the user to fill in the form I then just need to get the authentication scripts from the default portal to also load when they hit the submit button to send their form info.

                                      • Gertjan
                                        Gertjan @DeanB_NYTS last edited by

                                        @DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurant:

                                        was for device names for DNS filtering instead of IP address. I didn't know it could be used for urls!?

                                        URL (host names) or IPs : it's the same thing.
                                        The only difference is that the URL (host names) will get resolved first.

                                        Read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html first.
                                        Now, use the mentioned ipfw commands (console or SSH access, option 8) and check the captive portal's ipfw rules for yourself.
