captive portal to collect user info without authentication for guests at a restaurtant

DeanB_NYTS

i have a resutrant client that wants to have a guest network for the patrons (which is fine and i have that working - vlan setup on pfsense and vlan ID tagged on Unifi Access point controller for the guest wifi SSID ---- works fine)

however the client wants to be able to show a custom HTML page to devices that join the network so they can collect name and email info for the people who connect. (i have an HTML setup already to gather the info and send it to a database in a google docs sheet - which works seperately on its own)

however i am not firmiliar with the PFsense capitive portal settings. how can this be done?

ideally someone would join the guest newtwork - be shown a page - and they would get 4 hours of internet (thats what i have the IP lease set to) and once they need a new IP they would have to resubmit or something - the google docs sheet has a macro for filtering duplicates i made for them so i dont care about duplicates ---- and their email marketing platform has a scrtubbing utility to make sure they are valid emails before they send out mail so they dont get a high bounce rate)

please advise ---- thanks in advance :)

awebster

Off the top of my head, you could probably do that with Use custom captive portal page and Authentication method "None", then upload your custom page.

Details: https://docs.netgate.com/pfsense/en/latest/book/captiveportal/index.html

Derelict

You will have to maintain your own captive portal for that. There are places to accept fields but not for gathering information like an email address. You will need to probably use git and track the changes and merge them into new releases as the underlying/upstream captive portal code changes during the normal development cycles.

In my personal opinion there are much better ways of gathering email addresses from customers than breaking the free wifi like putting them on an after-auth page that offers them an emailed coupon or something.

iirc the main places all that happens are /etc/inc/captiveportal.inc and in /usr/local/captiveportal/index.php, both of which are subject to being overwritten on reinstalls and upgrades.

awebster

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

however the client wants to be able to show a custom HTML page to devices that join the network so they can collect name and email info for the people who connect. (i have an HTML setup already to gather the info and send it to a database in a google docs sheet - which works seperately on its own)

Correct me if I'm wrong, I think that if he redirects the no authentication post-login page to his google form, that should do the trick without having to dig into the internals of pfSense.

The use case is:

• captive portal welcome page which displays T&C for the free service
• user clicks OK to agree to it, gets redirected to google form
• user fills in the fields clicks submit
• user gets presented Thanks for your information page, and they're good to go.

Derelict

Yeah but there is nothing there that says "give us your email or you can't use the internet" because it is already authenticated.

There are many, many things that can be done on post-auth pages but they are post-auth. You can also do pre-auth.

You can't just upload your custom page because that is all parsed by index.php for fields. The simplest thing is to send them to a separate system to gather the information desired.

awebster

@Derelict said in captive portal to collect user info without authentication for guests at a restaurtant:

Yeah but there is nothing there that says "give us your email or you can't use the internet" because it is already authenticated.

Good point, but only if they figure it out. I'd bet a good percentage of users will just happily fill in the form and be on their way.

Gertjan

Something like this:
When your script, some PHP – executes, first check if you can access the “database”, if not, show an error and exist. While checking, at this moment, you have the IP and MAC of the visiting client, so send them over during the test-check. A reply from the storage (Google) could be: “Yes : Ok, I’m up and accessible – user is unknown, so go head for 4 hours”. Or: “Yes : Ok, I’m up and accessible – user is known for having an access the last 4 hours : deny”.
When yes, continue, if ‘Deny’, or no reply from storage after time-out, inform user and exit.
Now, it time to show the actual ‘custom captive portal login page’ data entry screen – let the user fill it in. Your screen should have a “Ok” button and a “Gime-the-acces” button.
When the form loads (on_load()), have use some java script disabling the “Ok” button and “Gime-the-acces” button at the bottom of the page.
Use other java script code to validate the data – like: does the email looks like an email, etc.
When all the needed fields are entered, java should enable the “Ok” button. Pressing this button should trigger some code that posts your client info on the storage.
If this goes well, enable the “Gime-the-acces” button.
This “Gime-the-acces” button validates the ‘custom captive portal login page’ html form so the user can access the net.

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

and they would get 4 hours of internet (thats what i have the IP lease set to) and once they need a new IP they would have to resubmit or something

Don’t do this, it’s not needed !

You can’t stop the DHCP circuit. It’s hardcoded as a pass on any interface and comes into action even before your own GUI pass and block rules. You will have to modify core pfSense files to change that behavior. It can be done, but why should you? You have something far better than that: because your ‘custom captive portal login page’ can access the storage, you can handle everything in one place: the file you upload as your ‘custom captive portal login page’.

Very easy to maintain, everything is in one place.

DeanB_NYTS

ok so i was able to get my custom HTML added to the pfsense and it shows up just dandy.

however the issue im currently facing is that when a device joins the guest wifi and gets presented the portal it cant submit the info becasue the device hasnt been authenticated (is my guess)

the way my portal is configured is theyt when they fill in the form its sends the formdata to my hosted email marketing platform and then redirects the user to the resturants website.

becasue the form cant be submittted its my current woe.

please advise. thanks so much for all of your help in this matter!

[0_1569092225072_captive portal options-submit to netgate support.pdf](Uploading 81%)

Derelict

Allowed IP Addresses
Allowed Hostnames

Those can be accessed pre-authentication.

DeanB_NYTS

@Derelict

hmmmmmm i just tried it but that seems to bypass the captive portal entirely.

Derelict

if you go directly to that URL yes.

You don't have a lot of choices here. Host stuff inside the portal or pass it pre-auth.

DeanB_NYTS

@Derelict please excuse my ignorance but please advise on the below:

the portal is meant to show a HTML page witha simple form like this - http://mywifiportal.com/clients/Elea/

i have uploaded the HTML to the PFsense SG-3100 device - but i can only add the HTML - not the assets (images, scripts, CSS etc)

this portal posts the info to my email marketing service for the client.

the issue is ---- all the assets dont load becasue they dont have internet acces becasue they arent authenticated.

how can i get this portal page to be shown to users on the guest network and have their info pass to the hosted marketing solution.

i really appreciate your help on this matter pfsense is new to me.

Derelict

Assets uploaded here are available for use in your portal page.

DeanB_NYTS

is there possibly a way to allow pre authention access out of the lan to an offsite address?

Derelict

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

D
DeanB_NYTS 6 minutes ago

is there possibly a way to allow pre authention access out of the lan to an offsite address?

Yes. Allowed IP addresses and Allowed hostnames as I already described.

Gertjan

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

way to allow pre authention access out of the lan to an offsite address?

Example :

On your captive portal login page, you could mention a "conditions" page that is hosted somewhere in the Internet.
I have a dedicated server running on the net with the web site of our company.

So I :

				<p><a href="https://www.some-site-on-the-web.tld/" class="linkExternal"><img src="captiveportal-nvx-logo.png" class="centerImage" alt="https://www.some-site-on-the-web.tld Logo" ></a></p>

I added the some-site-on-the-web.tld URL to the allowed host name list :

This method can also be used for other type of services, like a remote database, what ever ...

DeanB_NYTS

@Gertjan

Hmmm interesting I'll have to try this today. I assumed that "allowed hostnames" was for device names for DNS filtering instead of IP address. I didn't know it could be used for urls!?

So for instance I have most of portal running locally now because another person showed me where I can locally load my assets into the netgate. So if I can just allow the user to fill in the form I then just need to get the authentication scripts from the default portal to also load when they hit the submit button to send there form info.

Gertjan

@DeanB_NYTS said in captive portal to collect user info without authentication for guests at a restaurtant:

was for device names for DNS filtering instead of IP address. I didn't know it could be used for urls!?

URL (host names) or IP's : it's the same thing.
The only difference is that the URL (host names) will get resolved first.

Read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html first.
Now, use the mentioned ipfw commands (console or SSH access, option 8) and check he captive portals ipfw rules for yourself.