Can pfSense do any of the following?
I have been using pfSense in some small/medium hotels to provide guest gateway access to the internet. Mainly I am using the captive portal and traffic shaping features.
I was just handed a detailed technical spec document regarding what needs to be provided by the gateway. I need help to determine if any of these features are supported. To my knowledge, not many are. It seems the spec has been written to a specific product. I can find only one such vendor that provides a product that meets all of the requirements. The product is called Nomadix Access Gateways. There appear to be two vendors in all of the US.
The list of requirements is quite long and I do not have it in electronic format (yet). I will give the highlights for some of the required features.
1. User must be able to obtain web access if:
- System is set to DHCP, OR if it has a static IP address configured. (What that means is that the user could have a static address on their corporate/home network that differs from the guest network subnet.)
- System is set to obtain DNS automatically or is using a static DNS configuration. (Same as above)
- User has ANY proxy setting configured.
2. Enforce per user bandwidth requirements and:
- Identify users who are consuming a disproportionately large amount of bandwidth.
- Ability to limit such users' bandwidth use.
3. Must support all of the following VPN protocols:
- SSL VPN
4. To support VPN connections, must be able to allocate static IP addresses for use by those VPN connections
5. Proxy ARP on the guest network must be supported.
6. Automatically detect virus attacks and automatically block PCs sending out the attack.
7. Each guest room and individual switch port must be configured with a separate VLAN to ensure:
- Isolation of network traffic
- room to room security
8. IDS system flagging suspicious activity and logging all logins and administrative changes.
Pretty nasty requirements. Is there any hope of meeting these with pfSense?
Thanks in advance.
You are correct, that was written for the Nomadix product line. You can obtain them from Zones, Inc. for example, but they have to source them specially. I know, I have one, an AG-3000 model that just EOL'd at the end of June (support-wise, but it's still running). They're pretty cool devices actually, though a royal pain to configure (complex, poor user interface). Meant for the guest services industry like hotels or places offering public wifi, free or paid. The coolest feature is the "any config" feature where it will basically take a client computer that has any IP configuration (static IP, etc.) and "mask" their settings and make it "just work" regardless. However, I think it's rare these days to find a laptop that someone uses on free wifi that is not set for DHCP. I assume it happens, just probably not too often, or most hotspots wouldn't work.
The Nomadix does do all of the above, though some of the VPN stuff requires a public IP (sometimes per user) available. The "each guest room on one VLAN" requirement can be done with some switches using Private VLANs as a switch feature, regardless of the firewall/captive portal (and the Nomadix needs network support to do this as well, if I recall). And it does do rate-limiting if you "have a virus", which means if a worm is scanning outbound it sees the high number of connections and throttles it. However, you can throttle connection rates per pfSense rule as well, which could have a similar effect.
So…yes. It's written to the Nomadix, and a pfSense box won't compete line by line; however, I would argue that many of those features are either not as important as they'd make out, require extra setup and/or equipment that may or may not be a part of the system or do the same with another solution, or can be worked around in other ways. The single Nomadix I do use (and I know others who use them) does work, and it works well, too. But they're expensive (I think mine was $1200-ish with a $300 or $400 annual support renewal that we can't renew since it's EOL now), support 50 simultaneous users out of the box (up to 100 with an addl. license on the AG-3000 model, significantly more with the AG-5000, though I think there are even newer models; this one is 4-ish years old), and as I said, have a pretty complex configuration. Mine's in use now, but I'm very likely going to experiment with the Captive Portal features in pfSense (haven't had time, and it's not urgent since the Nomadix works) and switch over to it soon. The extra features don't justify the complexity of the Nomadix in my environment IMHO (free wifi in a mid-sized church). I wasn't aware of pfSense when I put it in, and I knew others using the Nomadix at the time successfully. Once I figured it out, like I said, it's actually a nice box with some cool niche features.
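The "high number of connections" signal described in the reply above (a worm scanning outbound opens many states to many destinations in a short time, which pfSense can also throttle per rule) can be checked by hand against pf's own state table. The script below is an added example written for this thread; it is not code from the thread, from pfSense or from Nomadix. It assumes a guest subnet of 10.10.0.0/24, the `pfctl -ss` line format of FreeBSD's pfctl (including the parenthesised NAT form), a constructed sample state listing, and the name `virusprot` for the pf table that pfSense's rule overload option populates.

```python
"""Flag guest hosts that hold a disproportionate number of firewall states.

Added example for this thread, not code from pfSense or from any poster.
It reads the state listing that pf's `pfctl -ss` prints on pfSense/FreeBSD
(line format assumed from pfctl; the sample below is constructed) and returns
hosts whose outbound states or distinct destinations exceed a threshold, the
signal the reply describes for a worm scanning outbound.  Against a live box:
    pfctl -ss | python3 flag_states.py
"""
import ipaddress
import re
import sys
from collections import defaultdict

GUEST_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed guest subnet

# One pfctl -ss line:  <if> <proto> <host>[ (<nat-host>)] ->|<- <host>[ (<nat-host>)] <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_alt>[^)]+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_alt>[^)]+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'10.10.0.5:51234' -> ('10.10.0.5', 51234); '2001:db8::1[443]' -> ('2001:db8::1', 443)."""
    if endpoint.endswith("]"):                     # pf prints IPv6 ports as addr[port]
        host, _, port = endpoint[:-1].rpartition("[")
        return host, int(port)
    if endpoint.count(":") > 1:                    # bare IPv6 address, no port
        return endpoint, None
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)


def guest_host(endpoint, alt):
    """Return whichever of an endpoint and its NATed form lies in the guest subnet."""
    for cand in (endpoint, alt):
        if not cand:
            continue
        host, _ = split_endpoint(cand)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip in GUEST_NET:
            return str(ip)
    return None


def summarize_states(text):
    """Per guest initiator: state count, distinct (host, port) destinations, SYN_SENT states."""
    summary = defaultdict(lambda: {"states": 0, "destinations": set(), "half_open": 0})
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        # '->' lists the initiator on the left, '<-' on the right (pfctl convention, assumed)
        if m["dir"] == "->":
            init, init_alt, resp = m["left"], m["left_alt"], m["right"]
        else:
            init, init_alt, resp = m["right"], m["right_alt"], m["left"]
        guest = guest_host(init, init_alt)
        if guest is None:
            continue                               # not a guest-originated flow
        entry = summary[guest]
        entry["states"] += 1                       # a flow through the box appears once per interface
        entry["destinations"].add(split_endpoint(resp))
        if "SYN_SENT" in m["state"]:
            entry["half_open"] += 1
    return summary


def find_offenders(text, max_states=100, max_destinations=30):
    """Guests over either limit; the thresholds play the role of pf's per-source state limits."""
    return sorted(
        host for host, e in summarize_states(text).items()
        if e["states"] > max_states or len(e["destinations"]) > max_destinations
    )


def block_commands(offenders, table="virusprot"):
    """pfctl commands that would add each offender to a pf table a block rule references
    (pfSense's overload table is assumed to be named virusprot; commands are not executed here)."""
    return [f"pfctl -t {table} -T add {host}" for host in offenders]


# Constructed sample: two well-behaved guests, plus 10.10.0.23 SYN-scanning port 445 on 40 hosts.
# Each flow shows up on the LAN side (em1, '<-') and again, NATed, on the WAN side (em0, '->').
SAMPLE_STATES = "\n".join(
    [
        "em1 tcp 93.184.216.34:443 <- 10.10.0.5:51234       ESTABLISHED:ESTABLISHED",
        "em0 tcp 203.0.113.4:51234 (10.10.0.5:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED",
        "em1 udp 10.10.0.1:53 <- 10.10.0.7:53412       SINGLE:MULTIPLE",
    ]
    + [f"em1 tcp 198.51.100.{i}:445 <- 10.10.0.23:{40000 + i}       CLOSED:SYN_SENT" for i in range(1, 41)]
    + [f"em0 tcp 203.0.113.4:{40000 + i} (10.10.0.23:{40000 + i}) -> 198.51.100.{i}:445       SYN_SENT:CLOSED"
       for i in range(1, 41)]
)

if __name__ == "__main__":
    text = SAMPLE_STATES if sys.stdin.isatty() else sys.stdin.read()
    for host, e in sorted(summarize_states(text).items()):
        print(f"{host:15} states={e['states']:4} destinations={len(e['destinations']):4} half_open={e['half_open']:4}")
    for cmd in block_commands(find_offenders(text)):
        print("would run:", cmd)
```

On the constructed sample the scanner is flagged on the destination-count limit (40 distinct hosts) before it reaches the state limit, which is the distinguishing shape of a scan: many peers, few bytes each, versus a heavy downloader that holds a few states for a long time. On a real pfSense box the same outcome is normally reached declaratively with the per-rule connection-limit options the reply mentions, which drop the offending source into the overload table for a block rule to match; the script is a way to see which hosts would trip such a rule before committing to thresholds.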
Thank you, David, for your reply. I agree with you that some of the requirements are somewhat dated. My concern is regarding the ramifications of not complying with the document as described. I surely do not want to have a hotel penalized for not meeting the requirements. I will be working on clarifying that front.
If the requirements were copied and pasted from a specific vendor's spec sheet, odds are that they really don't know what they want, or they are trying to force a specific device to be used. If it's the former, then you can probably just clarify what exactly they hope to have from the device. If it's the latter, you may just have to bite the bullet and get what they are essentially demanding.
Exactly. My guess is that someone got ahold of the Nomadix feature list and pasted it into a requirements spec. Whether this was intentional to sell Nomadix, or someone liked the feature list and stole it, or there's really a need for some of those features…no way to know without asking. It will require clarification, but as Jim confirmed, if they absolutely have to have that exact feature set, you've gotta buy the Nomadix, pretty much. Like I said, it's a good device, though complex to set up and expensive.