How to configure Captive Portal on PFSense Firewall

Captions
Hello and welcome to another tech tip by VMNerd. Our tech topic for today is how to configure captive portal inside of a pfSense firewall. As part of this configuration we will leverage the local account database inside of pfSense for authentication, and we will also show, or at least demo, what it means to use a voucher system in place of the local account database. And with that, let's get started.

Okay guys, here's what we're going to do. We're going to start our video like we normally do, with a drawing to depict what it is that we're actually doing and what the current landscape or architecture looks like. Let me zoom this in a little bit; it makes it easier to do a lot of things. So we're going to start out with our pfSense firewall. Our pfSense firewall will actually have more than three interfaces, but for the purposes of this drawing we will only show three, as that's what we're going to be demonstrating. This one here will actually go out to the Internet. We are actually using a VPN service, so if you see some of our previous videos on how to set up VPN with pfSense, I encourage you to check them out; this will just show how we connect to the Internet. Now on the internal interfaces we actually have one interface which we will label as management. We'll have a management machine, which is where we're currently doing our drawing from, so this is our management box. He's going to connect to a management interface, because as we're configuring the captive portal the last thing we want to do is lock out the machine that we're currently doing the administration with; otherwise we'll have to do some pretty tricky things to get back into it. And then the next thing we will do, at some point through the video, is connect over to our guest machine, or in this case we labeled it as guest01, and he will be connecting out our guest interface.

Now from an IP perspective, the guest network zone is 172.16.80.0/24 with a gateway of .254; that'll be the DNS and everything else for this particular network. And then of course the management network is 192.168.254.0/24. So now that we have our drawing depicted here, and you can kind of see what the architecture layout looks like, we can go ahead and get configuring. Our gateway management interface is 192.168.254.254, so let's go ahead and do that, and while we're at it I'm going to go ahead and click over to the guest machine. So if you look right here, it says guest; he's in the 172.16.80 network, and he can currently, as a guest, access the Internet just like everyone else, just so that way you can see that it does work and that there's no issues or anything like that going on. And if you've noticed, at least the URL I'm connecting to, if you look, it's actually HTTP, and I'll explain why in a little while.

So let's go ahead and log into our pfSense box at .254. We get the standard pfSense untrusted cert, and technically you can get rid of that. The label for this guy here is gateway.lab.vmnerd.com, and the first thing we need to do before we get started is go ahead and configure our certificates. The first thing we want to do is go ahead and import the CA certificate. Now for this demonstration I actually went out and got a trusted, real certificate that we're going to use, and a lot of that is because I don't really like seeing those ugly red exclamation points, and not only that, it's a good opportunity for you guys to see how you install a real SSL certificate on a pfSense box. So we're going to go ahead and click Add under the CA section. When you usually get your certificate from your provider, they'll typically give you a certificate and then they'll also give you a CA certificate, and some of them actually will give you more, but the place where I got mine embeds it all into one single certificate, so it makes things easier. So go ahead and click Add; this is a StartCom CA and we'll just paste the data from the certificate, so StartCom CA, and click Save, and that will say an external certificate, everything is trusted legitimately, so we're good there. Now let's go ahead and click on Certificates, and we're going to go ahead and import an existing certificate. This guy's name is portal.lab.vmnerd.com and the certificate data is as follows. Let's go ahead and just do the key really quick, so paste that in, and then pull that out, and now we'll go ahead and import the cert. Let's see, paste, go ahead and click Save, and there you go, no problems.

So now let's go ahead and get started with configuring our captive portal. I told you before: we have a guest network, we have a management network, we have an Internet network, and the VPN interface is really just a routing interface, which is how we route our traffic through the VPN tunnel. So let's go ahead and click on Captive Portal, click Add, and for this zone name we'll go ahead and call this guest. You can put whatever you want here, but I'm not going to put anything, so click Save, and we're going to go ahead and enable captive portal. We're going to enable it on the guest network, and if you actually were going to do this on multiple interfaces for whatever reason, you can just hold Ctrl and select whatever interfaces you need; I believe, although I've never actually tried to do more than one, that technically it would work. Hard timeout: it's usually a good idea to have some sort of a timeout that would force some sort of authentication, so let's go ahead and calculate some realistic times here. For this we'll say 8 hours is a reasonable time frame, so times 60 minutes, that's 480 minutes for a hard timeout. And then for idle timeout you can do 60 minutes; it's really up to you how you want to handle it. And if you also wanted to control the number of connections, this would be a way to do that. Now let's see, pass-through credits; and these, believe it or not, these pop-up windows, while they're there, most browsers actually block them, but you can enable them if you'd like. Let's see, these are here if people are actually going to log in and you want them to automatically be added to the bypass table, like the MAC bypass table; for this there's an option to put it in there, so they'd log in one time. Or actually, depending on what and how you're configuring your screens or whatever, you can actually just get it to accept the MAC. There could be an instance where you just want to display a page, like a disclaimer page or something; you can always just click here and then it'll just add it to the table. And here's a place where you can control user bandwidth; for at least this demonstration we're not going to enable that at all. And for authentication we're going to go ahead and use Local User Manager, and it says Vouchers. So go ahead and check "allow only users" with the captive portal login privilege set, so I have to create a user with that privilege, and we'll go ahead and do that before we test it. And here's our login information, our HTTPS configuration. For the name of the server we're going to call it portal.lab.vmnerd.com, and for the SSL cert, this is the one that we just imported, so we'll go ahead and use that one. You can disable this, but you might make life easier if you didn't. And for now we're not going to change any of this stuff; pfSense actually has one built in that we can use, not really fancy, but it's definitely something that can be used. So go ahead and click Save.

Now we did define this URL, portal.lab.vmnerd.com; our clients actually don't know how to resolve that right now because this is a lab environment, so what we need to do is go into the DNS Resolver section and actually add that in here. So just paste it; we'll get rid of the portal part and put it up here, and then for the IP address we're going to do 172.16.80.254. So go ahead and click Save, and we'll validate this before we move on, just to make sure. Let's go to interface guest and the IP should be .254, which it is. Okay, so now with that being said, the captive portal is actually working; now we need to create a user account. So let's go here to User Manager and create a user. For what we're doing, we will call him vmnerd, with the password of vmnerd; it doesn't matter, you can get as elaborate as you want, but for this demonstration we don't have to get elaborate. Click Save, and the next thing you need to do is actually go back and edit the user and actually grant that privilege that's required. So right here where it says Effective Privileges, we're going to go ahead and click Add, and this is where we're going to select User - Services: Captive Portal login, scroll down to the bottom and click Save. And if you wanted to actually add more than just that, you could; you just hold Ctrl and select whatever it is you need. But if you look back here at Effective Privileges, it shows that. I believe you can actually create a group and do the same thing; I haven't really done that, but technically I suppose you could.

All right, let's go ahead and do some tests. So from our guest machine, you know I talked about the home page being msn.com, and I'll explain here in just a minute why. If you look right here, it forces us directly into this HTTPS page with a trusted certificate from our StartCom authority, issued to portal.lab.vmnerd.com, so if you look at the chain path, it's all there. Everything looked like it went good; it redirected as it was supposed to, and for illustration we'll go ahead and log in, so vmnerd, and then the password is vmnerd, click Continue, and there it is; we are in, no problem. Now this is where things get a little interesting. We can go to Google, do all those things that we're normally familiar with. So let's go back to our status page, click on Captive Portal, and let's see what we see. We see here username vmnerd is logged in with this IP address and MAC address. Now in theory, within 8 hours he will be kicked out, but we're not going to wait that long; we're going to kick him out sooner.

So one of the big things about captive portal that people don't realize, and I've read a lot of blogs and articles about this, about how people complain that they're getting HTTPS errors, and a lot of those errors actually come from the browsers, and I'll explain and show you what I'm talking about. So right here, if you look, we were able to successfully go to our lab, no problem, and that's because I set the home page to a standard HTTP site. So let's go here, right here somewhere, there it is. Right here it's HTTP; let's go ahead and take this out and put HTTPS, and we'll send it to Google and click OK. Go ahead and click the button again, and this time I'm expecting an SSL error. There's nothing you can do about this either; see, this is it. So Google actually uses HSTS, which is, I can't remember the exact term, but it's basically like pinning the certificate to the actual web servers, and because the certificate doesn't match, even with the common name, the browser doesn't like what it sees and therefore says that it thinks that it's an attack or something of that nature, and they don't want you to click Next because they think that you might be in the process of getting compromised. So it's a security feature inside the browsers, and Google is doing this; I think Microsoft will actually allow you through, but let's find out. So let's go ahead and switch the home page to HTTPS. Unfortunately there isn't much people can do about this, and it doesn't matter whether you have a trusted certificate or not; you should always get that error. Now it looks like Microsoft is actually going to allow me through, yeah, and it does redirect you like it's supposed to. But let's face it, everybody uses different browsers; everybody has their own set of default home pages and whatnot. So unfortunately captive portal doesn't have a mechanism or a way, at least as of yet, to get through this or to allow the initial communication which the browser was seeking. So the browser would reach out to whatever the home page is that it's trying to get to, in our case here google.com. Now the Google Chrome browser says, I don't trust that certificate that's coming through, and as a matter of fact I don't know anything about it, so you could be in the process of getting compromised, or it just doesn't look right. So unfortunately there's nothing you can do about that, except for when people complain you can always tell them to type in an unsecured site; in this case we'll type msn.com and then it will redirect you to your portal page, and from there they can actually log in. Just a second here while it thinks; sometimes I don't have a lot of patience, I guess. You can always click and it goes faster, and things work great. Now this is a virtualized environment, so we're not going to get the same kind of response as we would on a typical LAN.

So now that we went ahead and went through that, let's go ahead and check this user out, and what we're going to do is we're going to go ahead and turn off basic authentication and we're going to go with voucher-based authentication, or you can use a combination; it's really up to you. So just take that away, set that to no authentication and click Save. Now the next step is to go to the Vouchers tab, go ahead and enable vouchers, and we'll leave the default error messages; you can kind of customize them however you see fit, and click Save. And then let's go ahead and generate some vouchers. Now the nice thing about pfSense is it already does a lot of this stuff for you, and if things don't look right or you're not really comfortable with what's already there, just go ahead and click Generate new keys and it switches all that stuff for you. So go ahead and click Save, and from here we'll go ahead and add a voucher roll. Now the cool thing is you can make up pretty much whatever you want, so in our instance here we're going to use voucher one; actually we'll do one hundred. And then how many minutes per ticket, so how many minutes these tickets are good for; if you're doing eight hours a day, times 60 minutes, you have 480 minutes like before. Then it asks how many you would like, so from here you can go up to 1023; you can do 1020, you can do 500, however you want. Click Save, and from here that's good. Now let's go ahead and download the voucher roll, or database, or whatever you want to call it. Show in folder, and open this up in my wonderful Notepad++ tool; let's close all this stuff out. Okay, so one last thing before you do: because of the fact that we're switching authentication types, it might be better just to go ahead and give the captive portal a restart, and that's what we'll do here, so restart that service, so that way it'll actually display the voucher tab on the bottom. Sounds good. And open this up; oh, I still got this configured for that, switch that back to MSN again. Now that we have an understanding why, we'll just make our lives easier for demonstration purposes and use something we're familiar with and that is working. So here we go, let's go and do a refresh; it didn't do that. All right, maybe I forgot a checkbox, so let's go back into Captive Portal, click Edit, and let's switch it to that. Yeah, maybe it's voucher and/or authentication, so let's try it without the auth; let's see if it comes up. It was not the restart service, okay. So the voucher code did come up, so let's go ahead and go back to our management machine and grab one of the vouchers that was in that text file, and we will paste it in here, and just try and hit Continue and see what happens. Okay, so I can click Continue; yep, no problem, it let us right in. So it looks like that authentication piece, go back here, it looks like authentication has to be set to this or this, so you can use either a voucher or a user ID, and we'll test that in just a moment.

Let's go ahead and go to Captive Portal; if you look right here, the username is now the certificate name, or the voucher name, which is kind of cool, and if you wanted to check the active vouchers, how many minutes are left, when it expires, it's kind of neat. So going to delete that should check the user right out; so go ahead and click MSN again, and there we go, we're back in our portal. And just for testing, after I've already got it set up, we'll try just the authentication without the voucher, so we can use either or, and it looks like it works. So I guess that's how it works: you can use either vouchers or the actual user ID, which is kind of cool; I didn't actually know that. So let's go ahead and check this person out and do some more testing here. So if we look right here at the active vouchers, which is this guy, let's go ahead and expire the vouchers just for fun. Expire, and then let's go ahead and log in, and now it tells you the error message. This goes back to the area where you can set the messages to what you want; what's inside here, right here, "voucher expired", you can put whatever you want.

The other thing too, if you wanted to actually customize the page, the login screen, you could, and all that information, the bare minimum to get any page going inside of your captive portal, is this. So I'll show you what that looks like; we'll have some fun here a little bit. Just create an index.html, let's go ahead and open that with this, set the language to HTML at least, and let's go ahead and do br. So basically what this does is it forces all the text, or anything below it, to the next line. I'm sure it does other stuff too; that's just what I understand it to be. And these right here are kind of hidden anyway, so they won't really be seen. So here we'll put username, password, voucher, ticket, whatever you want to call it. So go ahead and do a save, let's go ahead and upload this page so we can see what that looks like, and we're going to do a save. Let's make sure the user's kicked out; let's go ahead and close that, open it up, MSN, there it is, look at that. And just for fun let's log in, so vmnerd and vmnerd, or we can use the voucher; it looks like it'll take you there, or if you don't have patience just click on it. So let's go ahead and see active users; there we go, kick them out again, and let's go ahead and add an image. Let's have some fun here. Depending on how good your skills are when it comes to HTML or any of these web programming languages, you can get pretty creative. So let's just go download an image; actually, you know what, I got an idea, let's just download this logo. Okay, so now we have an actual image here; let's shorten it up, you really don't want to type all that stuff out there. So let's go ahead and go back into our file here and do an img src equals, let's do a border equals zero, this is just old-school HTML. Now let's go ahead and upload; so if you're going to add some files to your thing here, there's a section up here that says File Manager, and you can go ahead and add your file in here and upload, and if you look right here it actually relabels the name of the file to captiveportal-vmnerd.png, so we've got to go ahead and copy the name as is and we'll paste it in here as is. I'm not sure if you have to put a slash or not, but we'll test that. And let's go, let's edit this; yeah, let's just break it to the line. And technically, guys, we can get as crafty as we want. If you know how to use Bootstrap and stuff like that, you can basically steal their sample code and then just replace the objects with what you need. Some of the JS files you may have to download in advance, or I guess you can always let it through your captive portal, and I'll show you guys how to do that next. So index.html, upload that; it's the same one pretty much, just a slightly different configuration. See, just like that, we now have a logo that goes along with our captive portal page, and like I said, there's frameworks and stuff you can actually use that would allow you to modify this and make it as nice and neat as you want.

So one last thing I want to show you, which is kind of neat: inside of the captive portal itself you can actually allow hostnames or IPs through. For illustration purposes we'll actually allow google.com; if people are going to make the search engines their home pages, that might actually help get through some of those issues. So we're here, and if you notice it let us right through, and if we type in msn.com that actually will force us straight to the portal page, but we can actually get to Google; we could probably even do a search. So say if we go to the YouTube channel, it actually forces us directly into our portal, which is kind of weird; oh no, this is Microsoft, that's why. Let's go back to the other browser; I'm curious now. So let's go to wthi-tv.com, okay, and let's go ahead and type in, okay, let's click on YouTube, and yeah, so I think we're going to get the HSTS as well. Yeah, so this appears to be specific to Google; if we were to not use a Google service when hitting an HTTPS site, we might not get that error, but let's test HTTPS. Let's try yahoo.com; yeah, if you look right here, you can actually proceed, so it's really specific to Google. It looks like the HSTS option, that information, is actually embedded inside the browser, so when Google sends out updates and things, maybe that's some of the stuff that they add.

And that's about it. I hope you enjoyed our lesson on captive portal and how to install it inside your pfSense system. We did go through and show you a couple of authentication mechanisms, one being the local account database and another one being the voucher system. We did test modifying the configuration slightly by uploading our own index.html file for our captive portal screen to make it look neat. We did talk a little bit about the SSL component; like I said before, a lot of people get that a little bit confused when it comes to trying to get to an HTTPS site and they're getting errors, and really what it is, is that the SSL certificate that's being displayed by your browser does not match the website that the browser is looking for. Have a great day. Hey guys, don't forget to check out our VMNerd YouTube channel for more tech tips.
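The minimal custom portal page the video builds (username, password and voucher fields, plus the uploaded logo), written out as an added example rather than the video's own index.html. The form field names and the $PORTAL_*$ placeholders are the ones pfSense's captive portal expects in a custom page; the logo filename follows the captiveportal- prefix the File Manager applied in the video, and the zone name "guest" is the one configured there.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Guest network login</title>
</head>
<body>
  <!-- Uploaded via Services > Captive Portal > File Manager; pfSense stores
       uploads as captiveportal-<name> and serves them from the portal root. -->
  <img src="captiveportal-vmnerd.png" alt="logo" border="0">
  <br>

  <!-- pfSense substitutes the zone's login/error text here, e.g. the
       "voucher expired" message configured on the Vouchers tab. -->
  <p>$PORTAL_MESSAGE$</p>

  <!-- $PORTAL_ACTION$ expands to the portal's own login URL for this zone
       (https://portal.lab.vmnerd.com:8003/... in the video's setup). -->
  <form method="post" action="$PORTAL_ACTION$">
    <!-- Local User Manager credentials; the user needs the
         "User - Services: Captive Portal login" privilege. -->
    Username: <input name="auth_user" type="text" autocomplete="username"><br>
    Password: <input name="auth_pass" type="password" autocomplete="current-password"><br>

    <!-- Voucher code from the generated roll; either this or the
         username/password pair is accepted when both methods are enabled. -->
    Voucher:  <input name="auth_voucher" type="text" autocomplete="off"><br>

    <!-- Hidden fields pfSense needs to return the client to its original
         URL and to match the request to the right zone. -->
    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
    <input name="zone" type="hidden" value="$PORTAL_ZONE$">

    <!-- The submit control must be named "accept" for pfSense to process
         the login (the same applies to a click-through disclaimer page). -->
    <input name="accept" type="submit" value="Continue">
  </form>
</body>
</html>
```

The port in the comment is an assumption about the default HTTPS portal listener and is not something the video states; a page that omits any of the named fields will render but will not authenticate.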
Info
Channel: VMNerd
Views: 56,810
Keywords: How To, Howto, VMNerd, DIY, Do It Yourself, Tech, Tech Tips, Captive Portal, SSL, SSL Certificate, PFSense Firewall, Opensource, Open Source, PFSense Opensource, Firewall, PFSense Vouchers, PFSense Authentication
Id: lJRHrxRsyNc
Length: 32min 22sec (1942 seconds)
Published: Sun Oct 23 2016