BLOCK WAN to OPT1 using Schedule but ALWAYS ALLOW Captive Portal on OPT1?

  • Hi everyone,

    I'm relatively new to pfSense but am loving it to death!  It's an amazing product, can't believe something this good exists without some weird "gotcha".  Anyway…here's the brunt of my issue:

    • We have the following interfaces: WAN, LAN, OPT1 and OPT2.

    • On OPT1 we have Captive Portal running and it's working very well.

    • Using the OPT1 interface we're "giving away" free wifi access in our cafe, but only want it to be accessible between the hours of 0900 and 1500.

    • At the moment I am restricting access to the free wifi by scheduling the wireless radio on our access point.

    What I'd prefer to do though is to have the radio on the access point enabled 24/7 and let it show our Captive Portal - where it tells the user our access times etc and where alternative Internet access is available.

    I thought the easiest way to make this work is to create a firewall rule that will block all traffic from the WAN interface destined for the OPT1 interface outside these times, or by blocking all traffic on the OPT1 interface that is not destined for the OPT1 interface outside these times.  After trying a few different scenarios, I can't seem to make it work.

    From what I gather, in using Captive Portal on the OPT1 interface, there are already rules that block traffic to/from the WAN port until you "authenticate", which causes a rule to be created that allows traffic through the WAN port to your IP address.  Am I correct in thinking this?  It's just a stab in the dark but will help me sleep tonight.  ;D

    Either way, can anyone advise on how to achieve what I have described?  24/7 access to Captive Portal but Scheduled WAN access regardless of successful Captive Portal connection?

    Many thanks in advance,

  • And I guess I should mention that I'm using 2.0-BETA1

  • A couple things:

    1. There is a firewall rule which always exists, and which you do not see in the UI, that allows all packets that are part of an existing state.
    2. User-created firewall rules operate only on connections entering an interface, never leaving.

    So, when a client on OPT1 is able to use the internet, it is because you have created a firewall rule on OPT1 allowing packets to pass from the client to the internet. Rule 1 above takes care of the return packets.

    If you want to use the firewall to block OPT1 clients' access to the internet, then you must do it using block rules on OPT1. I expect you should be able to create a rule explicitly allowing clients on OPT1 to access the address of the CP server (i.e., pfsense) and place it at the top. Below that, create your rule to pass packets from OPT1 hosts to anywhere (or !LAN, as the case may be), and use the scheduler to activate and deactivate this rule according to your desired schedule.

    Note that if you disable your pass rule at 15h00 on a schedule, any states existing at that time will continue to pass. You can use CP timeouts to kill these.
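The rule ordering described in the reply above, written out as the pf ruleset pfSense would generate from it. This is an added illustration, not the poster's configuration or pfSense's actual output; the interface name, subnet and firewall address are assumed.

```pf
# Constructed example (assumed values): OPT1 is em2 on 192.168.20.0/24 and
# the pfSense OPT1 address (where the Captive Portal listens) is 192.168.20.1.
opt1_if  = "em2"
opt1_net = "192.168.20.0/24"
cp_host  = "192.168.20.1"

# Point 1 of the reply: pf checks the state table before the ruleset, so
# return packets for any connection passed below need no rule of their own.
# Point 2: every user rule is written "in on $opt1_if", because rules act on
# traffic entering an interface. pfSense rules are first-match ("quick").

# Top of the OPT1 rules: clients may always reach the firewall itself, so the
# Captive Portal login/notice page (and DNS from pfSense) stays up 24/7.
pass in quick on $opt1_if from $opt1_net to $cp_host keep state

# The scheduled pass rule. pfSense regenerates the ruleset when the schedule
# changes, so this line is present only between 0900 and 1500; outside those
# hours it is omitted and new connections fall through to the block below.
# Use "to ! <LAN subnet>" instead of "to any" to also keep clients off LAN.
pass in quick on $opt1_if from $opt1_net to any keep state

# Default deny for anything not matched above (logged for troubleshooting).
# States created before 1500 keep passing until they expire or are cleared,
# which is why the reply points at the Captive Portal timeouts.
block in log quick on $opt1_if from $opt1_net to any
```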
