Firewall Rules and Captive Portal

  • Hi.

Is there an easy, fast and efficient way to apply this firewall rule to a local group created and authenticated by the pfSense Captive Portal?

    What I need is: if a user from the group "Fix Department" logs in, the rule is applied and Facebook is blocked; otherwise, if a user from the group "Admin" logs in, the rule is ignored.

    EDIT: pfSense 2.1 - Squid - Captive Portal with pfSense local group users


  • Hi,
I'm interested in this topic too.
    Has the thread been redirected?


  • @simone:

I'm interested in this topic too.
    Has the thread been redirected?


Since 2014?
    This thread has died silently.

    Btw: it is impossible to consult some sort of "database with all users that are members of a group" so that a firewall rule can apply or not.
    What do you think happens when you attach such a rule on a 1 Gbit network? The workload would be …. what is bigger than huge multiplied by enormous?
    And how should a firewall know, when it looks at an IP packet that comes in, that it belongs to user "Freddo", member of that group? All it sees is the source IP, MAC, some sequence info, packet type and the state. And that's it.

But, of course, the solution has been found many years ago already.
    You just discovered one of the reasons why a captive portal should not be activated on the LAN interface; it should be used on a dedicated interface (NIC), with its own firewall rules.

  • Hi,
    thank you for your reply.
I got used to these concepts by working with Palo Alto appliances:

    and in my opinion, even if it is resource-consuming, it is a good thing to have.

    I haven't done anything yet through the CLI, so is it not possible to do a user-mapping script (maybe involving the AD and doing some session caching)?

    Thanks a lot,
    best regards,


Well, it is doable (ident and more groups).
    Just install an ident client on the clients and configure e2guardian.
    I find it more difficult to set up on pfSense than in Smoothwall, but I guess it is only a matter of time.

  • @simone:


So, before accessing your network that supports this User-ID, the user should have this User-ID ….

    I guess I place my bets on an alias that lists all Facebook IPs (IPv4 at least, and IPv6 at best), a list that would refresh every xx hours or so. Just some script file and the cron package.

    Or, this one: - I'm sure it could easily block all DNS resolution by returning or ::1 if a "" passes by.
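The "alias of Facebook prefixes refreshed by cron" idea from the post above, as an added example that is not code from the thread or from pfSense. It assumes (not stated in the thread) that Facebook announces its prefixes from AS32934 and that the list is pulled from RADB with `whois -h whois.radb.net -- '-i origin AS32934'`; the input embedded below is a constructed excerpt of such output so the script runs offline. The script validates each CIDR before it reaches the table, de-duplicates, writes the file an alias can consume, and loads it with `pfctl` only where `pfctl` exists.

```shell
#!/bin/sh
# Added example (not from the thread): build a pf table / pfSense alias of Facebook
# prefixes from RADB route objects so one firewall rule can reference one alias
# that a cron job refreshes.
#
# Assumptions (not in the thread): Facebook originates from AS32934 and the list
# comes from:   whois -h whois.radb.net -- '-i origin AS32934'
# SAMPLE_ROUTES is a constructed excerpt of that output, including two bad lines
# and one duplicate, so the filtering can be exercised offline.
SAMPLE_ROUTES='route:      157.240.0.0/16
origin:     AS32934
route:      31.13.24.0/21
origin:     AS32934
route6:     2a03:2880::/32
origin:     AS32934
route:      not-an-ip
route:      999.1.1.0/24
route:      31.13.24.0/21
'

# Read whois-style text on stdin; print only syntactically valid, de-duplicated
# CIDRs. Garbage must never be written into a table the firewall trusts.
extract_prefixes() {
    awk '
    /^route6?:/ {
        p = $2
        if (split(p, a, "/") != 2) next
        if (a[2] !~ /^[0-9]+$/) next
        addr = a[1]; len = a[2] + 0
        if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            split(addr, o, ".")
            ok = (len <= 32)
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print p
        } else if (addr ~ /^[0-9a-fA-F:]+$/ && addr ~ /:/ && len <= 128) {
            print p
        }
    }' | sort -u
}

# Write the prefix list (read from stdin) to the file that a pfSense URL Table
# alias or pfctl will consume; prints the number of prefixes written.
write_alias_file() {
    outfile=$1
    extract_prefixes > "$outfile"
    grep -c '/' "$outfile"
}

# Replace the contents of the pf table behind the pfSense alias of that name.
# Only runs on a box that has pfctl (i.e. the firewall itself).
load_table() {
    table=$1; file=$2
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$table" -T replace -f "$file"
    else
        echo "pfctl not found; skipping table load for $table" >&2
    fi
}

# Demo against the constructed sample. On the firewall, replace the printf with
# the whois query above and schedule it from cron, e.g. every 6 hours:
#   0 */6 * * * /root/update_facebook_alias.sh
ALIAS_FILE="${TMPDIR:-/tmp}/facebook_prefixes.txt"
count=$(printf '%s' "$SAMPLE_ROUTES" | write_alias_file "$ALIAS_FILE")
echo "wrote $count prefixes to $ALIAS_FILE"
cat "$ALIAS_FILE"
load_table Facebook "$ALIAS_FILE"
```

If the file is published over HTTP instead, pfSense's built-in "URL Table" alias type fetches and refreshes such a list on its own schedule, which removes the need for the `pfctl` step. Two caveats: prefix lists for a CDN-backed service change, so the refresh interval matters more than the initial list; and this only supplies the "what" (the destination alias). The "who" still has to come from the interface or subnet the captive portal is on, as the earlier reply about a dedicated captive-portal interface points out.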
