Best Method for limitation



  • So I have two things that need limitation and I'm wondering whether Captive Portal or traffic shaping is the best for each limitation. Please be patient with me as I'm new to both features.

    My first limitation is a guest network: I want to limit the bandwidth of people on my network that I have set up specifically for guests that come over and need to use my internet. Every user on this network is going to be limited to the same max upload/download speeds. Which is better to use, captive portal or traffic shaping? Currently, I don't have any limitation, but I have WPA2 security/encryption on the network; should I leave that on and use traffic shaping, or would I remove the WPA2 and use captive portal? In this same process, how do I limit users to web browsing, which would include downloads, only?

    My second limitation relates to the use of slingbox: I need to use wireshark to watch traffic, but I assume that data only flows from the slingbox to the internet when a user logs on to the slingmedia site to watch. I want to make sure that the data flow is limited to very minimal at times when the slingbox is not connected to. And when it is connected to (via slingmedia website) and that computer/user is connected to a VPN in pfSense there needs to be guaranteed bandwidth. Is this all possible??

    Thanks for any insight and help!



  • Captive portal is easier to set up for bandwidth limitation than traffic shaping. Leave the WPA security as is, best left on.
    A blunt way to limit users to web browsing is to block all outgoing ports from the guest LAN, except those to destinations of port 80 (HTTP) and 443 (HTTPS).
    Re. slingbox, can't help here sorry.



  • Thanks for your input thermo, one more question though.

    If this is a guest network and I have both WPA security and Captive Portal, doesn't that mean that guests that come over to my home have to enter two passwords, both the WPA password, then their captive portal password?



  • As a security best practice, it is always recommended that you have a password-protected wireless network (with WPA or WPA2, not WEP). If you turn off your security, you may expose your wireless clients to sniffers or hackers, because the information passed between the AP and clients isn't encrypted. So, if security is not a concern in your network, you can disable the security without problem.



  • Is there any way to combine it into one login maintaining that level of encryption/security? I don't really want to be giving my wireless AP password out.

    I mean it's not that big of a deal, but if I'm going to give out the AP password I might as well just use captive portal as a bandwidth limiter instead of user login.

    Thoughts?



  • @broncoBrad:

    My first limitation is a guest network: I want to limit the bandwidth of people on my network that I have set up specifically for guests that come over and need to use my internet. Every user on this network is going to be limited to the same max upload/download speeds. Which is better to use, captive portal or traffic shaping? Currently, I don't have any limitation, but I have WPA2 security/encryption on the network; should I leave that on and use traffic shaping, or would I remove the WPA2 and use captive portal? In this same process, how do I limit users to web browsing, which would include downloads, only?

    If I understand your problem, it is better to use squid proxy as your limiter because you will only limit HTTP traffic. To only allow web browsing you have to block all traffic on your interface but outgoing traffic on port 80 (and 443 maybe).

    @broncoBrad:

    Is there any way to combine it into one login maintaining that level of encryption/security? I don't really want to be giving my wireless AP password out.

    I mean it's not that big of a deal, but if I'm going to give out the AP password I might as well just use captive portal as a bandwidth limiter instead of user login.

    Thoughts?

    I am not an expert, but I think this is not possible.



  • @broncoBrad:

    Is there any way to combine it into one login maintaining that level of encryption/security? I don't really want to be giving my wireless AP password out.

    I mean it's not that big of a deal, but if I'm going to give out the AP password I might as well just use captive portal as a bandwidth limiter instead of user login.

    Thoughts?

    • I think you can still have WPA encryption without having to have an AP password.
    • Some wireless hardware supports 1 or more APs, so you can have a guest AP with the captive portal and segregate that from your LAN. So in essence it doesn't matter if you have to give out your guest AP password.
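
The port-based restriction and the guest/LAN segregation suggested in the replies above, written out in pf.conf syntax (pf is the packet filter pfSense is built on; in pfSense the same rules would be created on the guest interface's firewall rules tab). This is an added example, not part of any post in the thread, and the interface name and both subnets are assumptions. It also permits DNS to the firewall, because a ruleset that passes only ports 80 and 443 leaves guests unable to resolve host names.

```pf
# Assumed names and addresses (not from the thread): adjust to your setup.
guest_if  = "em2"                # interface the guest AP is attached to
guest_net = "192.168.50.0/24"    # guest subnet
lan_net   = "192.168.1.0/24"     # private LAN to keep guests out of

# Default for the guest interface: drop and log anything not passed below.
# Without "quick" this rule only applies if no later "quick" rule matches.
block in log on $guest_if all

# DNS to the firewall's own guest-side address, so name resolution works.
pass in quick on $guest_if inet proto { tcp, udp } \
    from $guest_net to ($guest_if) port 53

# Guests must not reach the firewall itself (web GUI, SSH) or the LAN.
# These come before the web rule so ports 80/443 on those hosts stay closed.
block in quick on $guest_if inet from $guest_net to self
block in quick on $guest_if inet from $guest_net to $lan_net

# Web browsing only: HTTP and HTTPS to everything else.
pass in quick on $guest_if inet proto tcp \
    from $guest_net to any port { 80, 443 }
```

Rule order matters here: each `quick` rule ends evaluation at the first match, so the two block rules have to sit above the 80/443 pass rule.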
