Limiting users to only certain web sites after captive portal



  • Purpose:  Use a captive portal to forward individuals to a site to configure their machine for 802.1X supp

    When the users are in this configuration vlan, and their browser opens, they do a DNS lookup for cnn.com, or whatever they are browsing.  The DNS server replies with the proper response, and their packet is on the way out.  When they reach the captive portal and authenticate (instead of going to cnn.com), they are redirected to a configuration page.

    The problem:  I ONLY want them to be able to connect to the configuration page and a couple of external sites needed for the configuration page.

    When I create a firewall rule to block everything except those pages, when they open their initial browser and try to connect to home.microsoft.com or whatever they have for their home page, they are being blocked by the firewall before they can actually get to the captive portal.  I can solve this through VLAN ACLs, but would prefer to do it through pfsense.

    What should I change to allow them to connect to the captive portal, no matter what initial destination they browse for, but still allow them access to limited destinations after authentication?

    Thanks!!



  • SERVICES -> CAPTIVE PORTAL -> ALLOWED IP ADDRESSES



  • Thank you for the reply, but this doesnt fit my situation.

    The Allowed IP addresses allow connected clients to access external sites without needing authentication.  This is not my problem.

    I need users to connect, attempt to go to any external web site they want, and get redirected to the captive portal.  After they authenticate, I want them to be continually disallowed to going to ANY external site with the exception of 2 places.

    If I try and create a solution through the firewall, and block all outbound except for 2 addresses, when they attempt to connect to cnn.com prior to authentication, the captive portal will not be displayed, because their destination IP address is in the block list.



  • I don't think the scenario you're asking for can be realized using CP + firewall rules.

    You may have to add Squid ACLs to the mix …



  • Ok.  I appreciate that.  That is what I expected.  I'll just use router ACLs and be done with it.  Thanks!


Log in to reply