Captive portal - client isolation
-
In my scenario, pfsense is only used for captive portal; captive portal is set up like this: pfsense machine –> switch –> access point
I would like to set up client isolation for this setup, meaning that every user connecting to the captive portal is not allowed to communicate with each other and is limited to internet access only.
Is this possible to achieve with pfsense?
Thanks in advance,
J
-
So enable client isolation on the AP.
-
Unfortunately the AP doesn't support it. Is there a way to achieve this from the pfsense itself?
-
No. That traffic does NOT go through pfSense at all.
-
Get an AP that does. Note that if you have more than one AP or wired + wireless clients you need isolation in the switch. Asymmetric VLANs can do this. Cisco PVLAN edge is even better (easier to configure).
-
Note that if you have more than one AP or wired + wireless clients you need isolation in the switch. Asymmetric VLANs can do this. Cisco PVLAN edge is even better (easier to configure).
Another solution exists, while still using 'no-brain' (inexpensive) switches.
I (still) use inexpensive Linksys (Cisco now) APs; I ejected the original firmware and installed DD-WRT. The secret is: use 'ebtables' (yep, that's not iptables).
#!/bin/ash
# Load the ebtables bridge-filtering modules on DD-WRT.
insmod ebtables
insmod ebtable_filter
# Start from an empty FORWARD chain so re-running the script does not append duplicate rules.
ebtables -t filter -F FORWARD
# Allow broadcast frames from any source (DHCP discovery, ARP requests).
ebtables -t filter -A FORWARD -d Broadcast -j ACCEPT
# Allow frames to and from the pfSense portal interface NIC (a rule without -s/-d matches any MAC).
ebtables -t filter -A FORWARD -d 00:0f:b5:fe:4e:e7 -j ACCEPT
ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -j ACCEPT
# Drop every other frame bridged between clients.
ebtables -t filter -A FORWARD -j DROP
00:0f:b5:fe:4e:e7 = The MAC of my Portal Interface NIC
(DHCP) broadcasts are permitted.
Traffic TO and FROM the portal NIC is permitted. These rules enforce:
A client who is connected by Wifi on AP "1" cannot communicate with any other clients that are connected on other APs (AP "2", "3", etc).
All connections are only permitted TO the gateway, the pfSense Portal Interface NIC.
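A parameterized version of the same policy, added here as an example and not code from the post above or from DD-WRT: it validates the gateway MAC(s) (hypothetical helpers valid_mac and isolation_rules), flushes the chain first, and prints the ebtables commands so they can be reviewed before being piped into sh on the AP; passing two MACs covers a setup with a second gateway NIC.

```shell
#!/bin/sh
# Generates the ebtables client-isolation ruleset for one or more gateway MACs.
# Hypothetical helper script (example only); run the printed commands on the AP,
# where ebtables is installed, e.g.:  sh isolation.sh 00:0f:b5:fe:4e:e7 | sh

# Return 0 if $1 is a well-formed unicast MAC in aa:bb:cc:dd:ee:ff form.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    # The low bit of the first octet marks multicast; a gateway NIC must be unicast.
    [ $(( 0x${1%%:*} & 1 )) -eq 0 ]
}

# Print the ebtables commands: broadcast allowed, gateway traffic allowed, rest dropped.
isolation_rules() {
    [ "$#" -gt 0 ] || { echo 'isolation_rules: need at least one gateway MAC' >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "isolation_rules: bad gateway MAC: $mac" >&2; return 1; }
    done
    # Flush first so a re-run replaces the policy instead of appending duplicates.
    echo 'ebtables -t filter -F FORWARD'
    # Broadcast frames (DHCP discover, ARP who-has) must still reach the gateway.
    echo 'ebtables -t filter -A FORWARD -d Broadcast -j ACCEPT'
    for mac in "$@"; do
        echo "ebtables -t filter -A FORWARD -d $mac -j ACCEPT"
        echo "ebtables -t filter -A FORWARD -s $mac -j ACCEPT"
    done
    # Anything else bridged between clients (unicast client-to-client) is dropped.
    echo 'ebtables -t filter -A FORWARD -j DROP'
}

if [ "$#" -gt 0 ]; then
    isolation_rules "$@"
fi
```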