Captive Portal by IP address



  • Hi,
    I'm running pfsense 2.1.2-release for my home firewall and I want to set a limit (say daily) for some of the internal users - the kids.
    I want to be able to, say, set them to 1GB/day and when they've used that then the internet is blocked. (Internal LAN is fine, but given they are all on the same switch and same subnet, that won't be a problem).

    But I want it to be transparent to them. ie, I don't want to have to force them through a login screen. Just by their IP address (or DNS would be even better) will be fine. I can ensure they get the same IP all the time & they don't have the knowledge/permissions to change it :)

    I thought Captive Portal would be my solution, but I can't see how to make it transparent and just work off IP address.

    The clients are a mixture of Win7 desktops/laptops and Android smartphones if that's important….

    Anyone able to point me in the right direction? Is this even possible? I can't be the only Dad in the world who wants this :)



  • @Rincey:

    Hi,
    I'm running pfsense 2.1.2-release for my home firewall and I want to set a limit (say daily) for some of the internal users - the kids.
    I want to be able to, say, set them to 1GB/day and when they've used that then the internet is blocked. (Internal LAN is fine, but given they are all on the same switch and same subnet, that won't be a problem)…...

    I really think your question mentions the solution !!

    There is even a button in the pfSense admin interface that will make this all possible.

    It's been called : UPGRADE.

    Some new (version 2.1.4) options are present in the captive portal, like:
    Waiting period to restore pass-through credits
    Clients will have their available pass-through credits restored to the original count after this amount of time since using the first one. This must be above 0 hours if pass-through credits are enabled.
    Reset waiting period on attempted access
    Enable waiting period reset on attempted access
    If enabled, the waiting period is reset to the original duration if access is attempted when all pass-through credits have already been exhausted.

    Btw: connect time is measured in 'time', not Gigabytes, if that's ok for you.



  • I want it to be transparent to them. ie, I don't want to have to force them through a login screen.

    Just insert the devices' MACs in the Pass-through MAC page in the Captive Portal settings…works fine.



  • Thanks for the replies.

    Gertjan - 'time' as a measurement isn't what I'm wanting. It has to be traffic so I can assign it out to the kids to keep the household's traffic cap as a whole under control.
    johnjohn - I didn't realise that's what that meant. I thought passthru meant the CP was bypassed completely (eg, I'd put my PC in that category)



  • You're still going through the portal….
    You can set up speed limits for each user in the pass-through MAC section.

    To cap the amount of data probably needs a Radius solution.

    Personally I would isolate the kids onto a separate subnet, use firewall time rules to limit access hours, then send them to a queue to give them a limited amount of bandwidth.



  • The kids are 15 & 16… they are responsible for and aware of their own time management. Traffic management on the other hand they aren't aware of (or don't care). Hence why I need a tech solution.

    Searching around I found a wiki article on combining CP + RADIUS, but it looks like a bit of work (I'm not familiar with RADIUS)…

    Anyone implemented this and can advise on their success?

    Might just have to give it a go.... gulp! ;)



  • In the Captive Portal forum - there where you posted: PFsense 2.1 MultiCP and https with Windows Radius Guide (https://forum.pfsense.org/index.php?topic=63791.0)

    But this setup means: more hardware - more setup - more to learn, check, etc.

    So, it all boils down to time again:
    YOUR time (as a nearly full time sys admin) so bytes are counted (a solution that is really used, so you'll find less examples …)
    Counting their time will simplify things a lot - for YOU.



  • I appreciate the replies, but I think you are missing my point. I have a couple of teenagers that will sit on youtube and various tvondemand sites (some of these used to be traffic free with my ISP, but they got bought out and now everything is metered :(). They are absolutely chomping through the household traffic cap.

    I don't want to have to manually police it (and constantly have to repeat myself)….

    Time as a measure isn't any good in this situation. Why? Because say I want to limit them to 1GB (each device) per day. Using time as a measure, I'd have to say how long would it take to use a gig? On a straight download it's only mere minutes. On a streaming service it'll depend on the quality of the video but let's be generous and say an hour. An hour internet per day... that's not going to work for them.

    There's a link to a tutorial on the page I linked to, but unfortunately it's in Spanish and google translate is, well, google.



  • Not missing the point, it's just that setting traffic quotas is rarely called for.
    As an alternative, you could flash a suitable wifi router with Gargoyle firmware, it has this feature built in. Much simpler than trying to set up Radius for domestic use.