• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Limiting users to only certain web sites after captive portal

Scheduled Pinned Locked Moved Captive Portal
5 Posts 3 Posters 1.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    carzin
    last edited by Mar 16, 2012, 1:00 PM

    Purpose:  Use a captive portal to forward individuals to a site to configure their machine for 802.1X supp

    When the users are in this configuration vlan, and their browser opens, they do a DNS lookup for cnn.com, or whatever they are browsing.  The DNS server replies with the proper response, and their packet is on the way out.  When they reach the captive portal and authenticate (instead of going to cnn.com), they are redirected to a configuration page.

    The problem:  I ONLY want them to be able to connect to the configuration page and a couple of external sites needed for the configuration page.

    When I create a firewall rule to block everything except those pages, when they open their initial browser and try to connect to home.microsoft.com or whatever they have for their home page, they are being blocked by the firewall before they can actually get to the captive portal.  I can solve this through VLAN ACLs, but would prefer to do it through pfsense.

    What should I change to allow them to connect to the captive portal, no matter what initial destination they browse for, but still allow them access to limited destinations after authentication?

    Thanks!!

    1 Reply Last reply Reply Quote 0
    • N
      Nachtfalke
      last edited by Mar 16, 2012, 1:39 PM

      SERVICES -> CAPTIVE PORTAL -> ALLOWED IP ADDRESSES

      1 Reply Last reply Reply Quote 0
      • C
        carzin
        last edited by Mar 16, 2012, 3:17 PM Mar 16, 2012, 3:08 PM

        Thank you for the reply, but this doesnt fit my situation.

        The Allowed IP addresses allow connected clients to access external sites without needing authentication.  This is not my problem.

        I need users to connect, attempt to go to any external web site they want, and get redirected to the captive portal.  After they authenticate, I want them to be continually disallowed to going to ANY external site with the exception of 2 places.

        If I try and create a solution through the firewall, and block all outbound except for 2 addresses, when they attempt to connect to cnn.com prior to authentication, the captive portal will not be displayed, because their destination IP address is in the block list.

        1 Reply Last reply Reply Quote 0
        • D
          dhatz
          last edited by Mar 16, 2012, 4:29 PM

          I don't think the scenario you're asking for can be realized using CP + firewall rules.

          You may have to add Squid ACLs to the mix …

          1 Reply Last reply Reply Quote 0
          • C
            carzin
            last edited by Mar 19, 2012, 1:03 PM

            Ok.  I appreciate that.  That is what I expected.  I'll just use router ACLs and be done with it.  Thanks!

            1 Reply Last reply Reply Quote 0
            1 out of 5
            • First post
              1/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received