Netgate Discussion Forum

    Captive Portal, but not as you know it

      GregoInc

      Hi Folks,

      First time poster but long time reader. I've been trying for some time to configure pfsense but have come up empty… let me explain.

      In a nutshell... I have an Alix 2 board with pfsense loaded on a CF card, nothing new there. The Alix board will be mounted inside a weatherproof cabinet mounted to a mast in the middle of a town and run by a solar panel charging batteries.

      The Alix board includes a wireless card that will be connected to a WiFi antenna sitting atop the mast... kind of like a hotspot config. Only difference there will be NO internet connectivity.

      The whole idea behind the 'hotspot' is that people who will be in the town for a concert/celebration can access the 'hotspot' and gain access to either an information web page or a php based bulletin board page. Again, no internet access is required.

      I have tried a number of times to configure the captive portal to 'capture' the port 80 HTTP traffic... but it only works if the captive portal has access to the internet. And as I said above I don't need internet access, just want the ability for people to 'login' so we capture who they are and stop spammers etc. So my question...

      Is there any way pfsense can be configured to allow people to connect to the wifi network, and the port 80 HTTP traffic captured and redirected to a web site/page located on the same pfsense system, essentially allowing people to browse the event web page/site and post comments etc?

      It might well be that pfsense cannot do what I want? All advice/ideas greatly appreciated :D

        Slam

        I don't think it's possible, though I could be wrong. When a user request comes in, pfsense sends out the DNS query, and this is where you will face a brick wall without internet connectivity, since pfsense will forever be waiting for a DNS response.

        While not 100% ideal/perfect you could try adding the most common homepages (www.google.com/www.someothersearchengine.com) to "Host override" in Services/DNS forwarder and pointing the entries to the firewall itself, then install a package like vhost and use that to host your page(s).

        It should work in theory but that relies on host overrides/users homepage matching, and this could grow hugely over time.

          GruensFroeschli

          I've been doing something similar for an event I help organise.

          What I did:
          Run a webserver (lighttpd) on our local server.
          Replace the captive portal page with:

          My local domain is "jan"
          The server has the name "program" (–> you can access the server with the URL program.jan)
          On the DNS-forwarder config page I resolve program.jan to the IP of the server serving the page.
          On the captive portal config page I've added the domain "program.jan" to the white-list.

          If someone connects to this wireless LAN, most mobile phones immediately show this page without them ever having to start their browser.

          You can take a look at the page I serve here: http://m.may.nu/jan/
          If you plan to serve this page on mobile phones make sure that everything is able to scale to different screen-sizes. -> Try changing your browser window, the displayed content should scale with the size.
          The content of the page is generated dynamically with a shellscript depending on the time :)

          As Abdsalem wrote, one of the problems is that without internet the very first DNS lookup might not work.
          To get around this you could create a wildcard DNS forwarder according to this:
          http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder
          Not sure if you can create a wildcard that catches everything.
          You might need to create wildcard catches for the tlds.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            GregoInc

            Thanks for the feedback and ideas, I will try the suggestions you've put forward.

            I was also thinking if the captive portal won't work due to DNS issues, then perhaps I could make a webpage that has some kind of authentication built into it?

            The only reason I was looking at a captive portal in the first place was due to its ability to capture port 80 and redirect. But if there is another way to do that using just a web site/page then I am happy to give that a go.

              nothing

              You will definitely need a fake DNS. All the clients will first do a DNS query and then initiate TCP/80.
              With bind it would look like this:

              named.conf

              zone "." IN {
                      type master;
                      file "master.conf";
              };

              master.conf

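              ; Root zone: every name not defined here falls through to the wildcard
              $ORIGIN .
              $TTL 86400
              .      IN      SOA    pfs.domain.tld. admin.domain.tld. (
                                      2013080100      ; serial
                                      10800           ; refresh
                                      900             ; retry
                                      604800          ; expire
                                      86400           ; negative-cache TTL
                                      )
                      NS      pfs.domain.tld.         ; NS target must be a host name, not an IP address
              *      A      192.168.0.1               ; catch-all: any queried name resolves to the portal host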

              Now all the queries sent to such dns will return 192.168.0.1 ;)
              And now just run your info page on 192.168.0.1
              No captive, no nat.

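The catch-all behaviour described in the post above, as an added example that is not part of the original thread: a minimal Python responder that answers every A query with the portal address and returns an empty reply for other record types. `PORTAL_IP` is the address from the post; the 60-second TTL and all function names are assumptions made for this example.

```python
import socket
import struct

PORTAL_IP = "192.168.0.1"  # address used in the zone file above
TTL = 60  # assumption: short TTL so clients drop the fake answer quickly

def question_end(packet: bytes) -> int:
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12  # the DNS header is 12 bytes
    while pos < len(packet) and packet[pos] != 0:  # length-prefixed labels
        pos += packet[pos] + 1
    return pos + 5  # root label + QTYPE + QCLASS

def build_response(query: bytes, ip: str = PORTAL_IP) -> bytes:
    """Answer any A query with `ip`; other types get an empty NOERROR reply."""
    if len(query) < 12:
        return b""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    end = question_end(query)
    if qdcount != 1 or flags & 0x8000 or end > len(query):
        return b""  # ignore responses and malformed or truncated packets
    question = query[12:end]
    qtype, qclass = struct.unpack("!HH", question[-4:])
    answer = b""
    if qtype == 1 and qclass == 1:  # A / IN
        # 0xC00C is a compression pointer back to the name at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
    rflags = 0x8400 | (flags & 0x0100)  # QR=1, AA=1, copy RD, RCODE=0
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

def make_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query for exercising build_response offline."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def answered_ip(response: bytes):
    """Dotted IP from a single-answer reply, or None when there is no answer."""
    return socket.inet_ntoa(response[-4:]) if response[6:8] != b"\x00\x00" else None

def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """UDP loop; binding port 53 needs root privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply = build_response(data)
        if reply:
            sock.sendto(reply, peer)
```

A catch-all answer only helps plain HTTP on port 80: a client that requests an HTTPS site is sent to the portal host as well, but gets a certificate error because that host cannot present a valid certificate for the requested name.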
                efimrus

                Hello!
                Sorry for my English!  :-[
                Where is all this changed? You forgot to specify the path to the halyards …
                I have exactly the same situation as the author of the post, but I have not found an adequate solution. I would be very grateful for any help.  :)
