Captive Portal, but not as you know it

GregoInc

Hi Folks,

First time poster but long time reader. I've been trying for some time to configure pfsense but have come up empty… let me explain.

In a nutshell... I have an Alix 2 board with pfsense loaded on a CF card, nothing new there. The Alix board will be mounted inside a weather proof cabinet mounted to a mast in the middle of a town and run by a solar panel charging batteries.

The Alix board includes a wireless card that will be connected to a WiFi antenna sitting atop the mast... kind of like a hotspot config. Only difference there will be NO internet connectivity.

The whole idea behind the 'hotspot' is for people who will be in the town for a concert/celebration can access to the 'hotspot' and gain access to either an information web page or a php based bulletin board page. Again, no internet access is required.

I have tried a number of times to configure the captive portal to 'capture' the port 80 HTTP traffic... but it only works if the captive portal has access to the internet. And as I said above I don't need internet access, just want the ability for people to 'login' so we capture who they and stop spammers etc. So my question...

Is there any way pfsense can be configured to allow people to connect to the wifi network, and the port 80 HTTP traffic captured and redirected to a web site/page located on the same pfsense system, essentially allowing people to browse the event web page/site and post comments etc?

It might we be that pfsense cannot do what I want? All advice/ideas greatly appreciated :D

Slam

I dont think its possible I could be wrong though, when a user request comes in, pfsense sends out the dns query and this is where you will face a brick wall w/out internet connectivity, since pfsense will forever be waiting for a dns response.

While not 100% ideal/perfect you could try adding the most common homepages (www.google.com/www.someothersearchengine.com) to "Host override" in Services/DNS forwarder and pointing the entries to the firewall itself, then install a package like vhost and use that to host your page(s).

It should work in theory but that relies on host overrides/users homepage matching, and this could grow hugely over time.

GruensFroeschli

I've been doing something similar for an event i help organise.

What i did:
Run a webserver on our local server. (lighttpd).
Replace the captive portal page with:

My local domain is "jan"
The server has the name "program" (–> you can access the server with the URL program.jan)
On the DNS-forwarder config page i resolve program.jan to the IP of the server serving the page.
On the captive portal config page i've set the domain "program.jan" to the white-list.

If someone connects to this wireless lan, most moblile phones show immediately this page without them ever having to start their browser.

You can take a look at the page i server here: http://m.may.nu/jan/
If you plan to serve this page on mobile phones make sure that everything is able to scale to different screen-sizes. -> Try changing your browser window, the displayed content should scale with the size.
The content of the page is generated dynamically with a shellscript depending on the time :)

As Abdsalem wrote one of the problems is, that without internet the very first DNS lookup might now work.
To get around this you could create a wildcard DNS forwarder according to this:
http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder
Not sure if you can create a wildcard that catches everything.
You might need to create wildcard catches for the tlds.

GregoInc

Thanks for the feedback and ideas, I will try the suggestions you've put forward.

I was also thinking if the captive portal wont work due to DNS issues, then perhaps I could make a webpage that has some king of authentication built into it?

The only reason I was looking at a captive portal in the first place was due to it's ability to capture port 80 and redirect. But if there is another way to do that using just a web site/page then I am happy to give that a go.

nothing

You will definitely need a fake dns. All the clients will first do a DNS query and then initiate TCP/80
With bind it would look like this:

named.conf

zone "." IN {
        type master;
        file "master.conf";
};

master.conf

$ORIGIN .
$TTL 86400
.      IN      SOA    pfs.domain.tld. admin.domain.tld. (
                        2013080100
                        10800
                        900
                        604800
                        86400
                        )
        NS      192.168.0.1
*      A      192.168.0.1

Now all the queries sent to such dns will return 192.168.0.1 ;)
And now just run your info page on 192.168.0.1
No captive, no nat.

efimrus

Hello!
Sorry for my English!  :-[
Where is it all change? You forgot to specify the path to the halyards …
I have exactly the situation as the author of the post. But an adequate solution and nenashel. I would be very grateful for any help.  :)