Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Limiting users to only certain web sites after captive portal

    Captive Portal
    3
    5
    1.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      carzin
      last edited by

      Purpose:  Use a captive portal to forward individuals to a site to configure their machine for 802.1X supp

      When the users are in this configuration vlan, and their browser opens, they do a DNS lookup for cnn.com, or whatever they are browsing.  The DNS server replies with the proper response, and their packet is on the way out.  When they reach the captive portal and authenticate (instead of going to cnn.com), they are redirected to a configuration page.

      The problem:  I ONLY want them to be able to connect to the configuration page and a couple of external sites needed for the configuration page.

      When I create a firewall rule to block everything except those pages, when they open their initial browser and try to connect to home.microsoft.com or whatever they have for their home page, they are being blocked by the firewall before they can actually get to the captive portal.  I can solve this through VLAN ACLs, but would prefer to do it through pfsense.

      What should I change to allow them to connect to the captive portal, no matter what initial destination they browse for, but still allow them access to limited destinations after authentication?

      Thanks!!

      1 Reply Last reply Reply Quote 0
      • N
        Nachtfalke
        last edited by

        SERVICES -> CAPTIVE PORTAL -> ALLOWED IP ADDRESSES

        1 Reply Last reply Reply Quote 0
        • C
          carzin
          last edited by

          Thank you for the reply, but this doesnt fit my situation.

          The Allowed IP addresses allow connected clients to access external sites without needing authentication.  This is not my problem.

          I need users to connect, attempt to go to any external web site they want, and get redirected to the captive portal.  After they authenticate, I want them to be continually disallowed to going to ANY external site with the exception of 2 places.

          If I try and create a solution through the firewall, and block all outbound except for 2 addresses, when they attempt to connect to cnn.com prior to authentication, the captive portal will not be displayed, because their destination IP address is in the block list.

          1 Reply Last reply Reply Quote 0
          • D
            dhatz
            last edited by

            I don't think the scenario you're asking for can be realized using CP + firewall rules.

            You may have to add Squid ACLs to the mix …

            1 Reply Last reply Reply Quote 0
            • C
              carzin
              last edited by

              Ok.  I appreciate that.  That is what I expected.  I'll just use router ACLs and be done with it.  Thanks!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.