Limiting Captive Portal users to certain web sites
-
Hi.
We are trying to set up pfSense to offer free but limited wifi. The idea is that anyone can browse our website and a few selected others (BBC news, local guide etc.) Everything except HTTP and POP3/IMAP/SMTP would be blocked.
Captive Portal works but we need to find a way of limiting users to those web sites. My first thought was to use DNS but it is easily circumvented by using alternative servers. Would it be possible to perhaps block DNS packets from clients via the firewall so that only pfSense's DNS servers are usable?
My other idea was to use Squid as a transparent proxy. Has anyone tried it?
-
use proxy in transparent mode.
-
I have got this working now.
Install Squid and set it up as a transparent proxy. Install SquidGuard and have a rule that blocks everything, then add rules to whitelist the sites you want. You can use the whitelist function but I found it easier to just add the sites via the web interface since there is only a small number.
I then set up the SquidGuard rewrite to redirect all blocked sites to our company site. I wanted Google and Yahoo to be available but added a rule to match Google Shopping and redirect that to our site as well :) Finally I set up the captive portal with no users and a custom portal page.
The only slightly tricky thing is that you need to check the sites you whitelist to catch all the domains they use. For example the BBC has a separate image hosting domain on some parts of its site, and Facebook has a separate login domain.
The captive portal limits bandwidth. I created firewall rules to allow DNS, HTTP and HTTPS and then a final block-all rule to prevent the use of any other protocols. I don't think the traffic shaper can shape connections after a certain amount of data has passed like Tomato can, but that would be helpful as a lot of non-web stuff uses port 80 now.
There is one outstanding issue. I can't get access to the web interface via the WAN port, which is of course actually connected to our main router. To access it from our LAN it needs to be available on the WAN interface, but even with rules set up I couldn't get to it. It seems to be a known issue and unsupported in pfSense. As an alternative I changed the web interface port to a random high one and enabled HTTPS, as well as using a strong password.
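The whitelist-everything-else-redirect setup described in this post, written out as a squidGuard.conf fragment. This is an added illustration, not the poster's configuration: the dbhome/logdir paths, the list names (allowed, shopping) and the redirect target www.example.com are assumptions, and the pfSense SquidGuard package generates its own version of this file from the web interface.

```conf
# squidGuard.conf fragment (illustrative). Paths follow the FreeBSD package
# layout and are assumptions; adjust to your install.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# Sites guests may reach. The file allowed/domains holds one domain per line
# (e.g. example.com, bbc.co.uk); a listed domain also matches its subdomains,
# but a site's separate image or login domain is a different domain and must
# be listed on its own.
dest allowed {
    domainlist allowed/domains
}

# Parts of an otherwise allowed site to send back to the company page. The
# file shopping/expressions holds one regular expression per line matched
# against the URL, e.g.  google\.[a-z.]+/shopping
dest shopping {
    expressionlist shopping/expressions
}

acl {
    default {
        # The pass list is evaluated left to right: shopping is refused
        # first (the leading "!"), anything in the allowed list passes,
        # and "none" refuses every other request.
        pass !shopping allowed none

        # Refused requests are rewritten to the company site.
        redirect http://www.example.com/
    }
}
```

Because a whitelisted domain covers all of its subdomains, the easiest way to find the extra domains a site pulls content from is to watch the squidGuard log for the redirects that fire while you load the site, then add those domains to the list. Note also that this filter only sees traffic Squid actually intercepts; HTTPS sent straight through the firewall is never matched against the whitelist.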
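The firewall part of this post (DNS only to pfSense, HTTP and HTTPS allowed, everything else blocked), and the question earlier in the thread about stopping clients from using alternative DNS servers, expressed as raw pf rules. This is an added illustration rather than the poster's ruleset or the ruleset pfSense generates from the GUI: the interface name em1, the subnet 192.168.10.0/24 and the pfSense address 192.168.10.1 are constructed values.

```conf
# pf rules for the captive-portal interface (illustrative). pfSense builds its
# own ruleset from the GUI; these lines show what the GUI rules express.
# Constructed names: the portal interface, its subnet and pfSense's own
# address on it, which is the only resolver guests may use.
cp_if  = "em1"
cp_net = "192.168.10.0/24"
cp_gw  = "192.168.10.1"

# pfSense GUI rules carry "quick", so the first matching rule wins and the
# order below matters. Rules refer to the network rather than the interface
# address so they survive an interface reassignment on restore.

# 1. DNS is allowed only to pfSense's forwarder. A client configured with an
#    outside resolver hits the explicit block on port 53 instead of the
#    general HTTP rule, so a DNS-based block cannot be sidestepped that way.
pass  in quick on $cp_if proto { tcp udp } from $cp_net to $cp_gw port 53
block in quick on $cp_if proto { tcp udp } from $cp_net to any    port 53

# 2. Web traffic. Port 80 is intercepted by the transparent proxy anyway;
#    port 443 passes straight through and is not subject to the whitelist.
pass  in quick on $cp_if proto tcp from $cp_net to any port { 80 443 }

# 3. Everything else from the guest network is dropped (the final block-all
#    rule from the post); the implicit deny would do the same, but an
#    explicit rule makes the intent visible and can be logged.
block in quick on $cp_if from $cp_net to any
```

The caveat to keep in mind is rule 2: allowing 443 through means any HTTPS site is reachable regardless of the SquidGuard whitelist, because a transparent Squid of this kind cannot see inside TLS. Whether that is acceptable depends on how strict the "few selected sites" requirement really is.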
-
There is one outstanding issue. I can't get access to the web interface via the WAN port, which is of course actually connected to our main router. To access it from our LAN it needs to be available on the WAN interface, but even with rules set up I couldn't get to it. It seems to be a known issue and unsupported in pfSense. As an alternative I changed the web interface port to a random high one and enabled HTTPS, as well as using a strong password.
You didn't make perfect sense in what you're trying to do here. BUT, it's easy to access the GUI via WAN. And easy to disable access to GUI via LAN. And easy to do both simultaneously.
It helps (in fact, often required) in your rules to NOT refer explicitly to interfaces, but rather networks. And, this is a best practice for backup / restore reasons as well, where interfaces may change on the restore.
Also, don't forget to disable the GUI anti lockout rule if you are trying to disable access to GUI via LAN.
And regardless of what the note tells you on the static route page, it is often necessary to include a static route for networks assigned to pfSense interfaces, and it doesn't hurt anything.
-
Thanks, I will try your suggestions. I am also looking at the Acer Aspire Revo as a potential all-in-one system for this sort of thing. I am having trouble finding reliable information on the wifi card it uses but since it's just Mini-PCIe it won't be hard to replace with a nice Intel one. Might change the HDD for a compact flash card. Add an external antenna and I think it could be a really nice system.
-
My suggestion is the following config:
1. You can add an OPT network interface and set up a DHCP server on it.
After that, from the firewall, do your rules as you wish for the entire class of IPs on this NIC.
This one works if you can attach your wireless APs/routers directly to this NIC.
2. You can make IP aliases and use them in firewall rules.