pfSense Captive Portal

Reddit Comments

Nice

u/vbman213, Jun 24 2021, 2 points

Watched yesterday - interesting as always, thanks. Not something needed here, at least for now, but nice to learn about anyway.

u/java007md, Jun 24 2021, 2 points

Thanks for the very informative video.

u/Adelaide-Guy, Jun 25 2021, 1 point

Excellent tutorial as always by Lawrence.

u/kphillips-netgate, Jun 25 2021, 1 point
Captions
Tom here from Lawrence Systems. We're going to dive into captive portal on pfSense and some common use cases for it. Before we dive into the details of this video, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are some affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

Now let's dive into captive portal. We're going to start with some prerequisites to get this working properly and at its optimal settings. The first thing I want to talk about is the captive portal documentation over at Netgate. It's great; they have a lot of things covered in here, more than we possibly have time to cover in this video, so I will reference this as: hey, if you want to know more, there is a lot you can dive into about specific things. It does not yet support IPv6. That's important for those of you that always ask me about IPv6, so yeah, that's still an issue, in case you're wondering. We're also going to mention Authenticating OpenVPN Users with FreeRADIUS. I know we're not authenticating VPN users, but if you take out "VPN users" you can just say "authenticating users with FreeRADIUS". This document will help you get FreeRADIUS set up. It's not required that you do this, but I'm going to show the advanced use case where you can set up per-user bandwidth restrictions, and FreeRADIUS is the way to do that. You can set up bandwidth restrictions without FreeRADIUS, but they apply to everyone as opposed to setting them up on an individual basis. So we're going to cover both of those scenarios, and I'm going to leave a reference to this document.

Now let's cover, and we'll probably just start right here, what this LAN is. We have two of them. This is the general, wide-open LAN where I want all my devices that are not part of the guest network, and this is the guest network, LAN 2, for purposes of this particular video. The guest network, please note, is not too restricted. One thing we have changed is the web configurator, and the web configurator lives on port 5555. It's important that it's not at your standard port 443; this can interfere with redirection and some of the problems you may run into with captive portal. I'm telling you this because these are some of the things people overlook when they're having trouble with captive portals, so if you follow this exactly, hopefully you'll have no problems at all setting up your captive portal. Next, I have this rule because the guest network is blocking access to the web interface on here. No problem, we're on a different network; we're actually connecting to this externally, so I'm allowed to access it, but devices on the guest network will not be able to, and devices in the guest network have been denied access to things on the LAN side. Now something that's important, please note: DNS is not blocked. Having proper DNS is going to be an important prerequisite for this as well. So our LAN is 192.168.40 and LAN 2, our guest network, is 192.168.1.1.

Next we have to make sure that we have a domain name for our captive portal. Now this is, as I said, for working optimally. Can you do it without it? Yeah, you can have it forward with non-HTTPS and that will work, but some browsers such as Google Chrome and some phones may have problems, and as more things start to default to HTTPS they will also start breaking your captive portal, because if you don't have a fully qualified domain name and an SSL certificate on there it will just not forward and kind of get stuck in a loop. I noticed that problem with the latest version of Chrome; it just kind of stops because it's trying to redirect via HTTPS. Now we'll cover setting it up. I will mention, though, right now we're running 2.5.2 RC pfSense Community Edition, but whether you're using the Community Edition or pfSense Plus here in June of 2021, it's going to look the same on either one. There's no difference in captive portal between the two versions, and honestly even between older versions of pfSense the captive portal hasn't changed dramatically; it's only gotten a few more features.

Now let's talk about the domain name part. We go here to Services and I have ACME Cert loaded. This is my automatic certificate management engine loaded and grabbing a Let's Encrypt cert for detroit yodelingcompany.com. I've covered this before in another video; I'll leave a link below, but basically you want a wildcard certificate for this system, and I'm using the DNS registration method so you can have wildcard certs. This allows you to have that cert so we can create subdomains such as portal.detroit company to allow the captive portal to have a fully qualified domain name, and this solves all those HTTPS problems that you may run into with it. Speaking of which, that's why I said DNS has to work. So if we go here to DNS Resolver, we're going to scroll down and we'll see that I've created portal.detroitcompany.com and I've given it the internal LAN 2 guest IP address. That's important: if I would have given it the LAN IP address for the captive portal, that would have been a problem, because we've told the guest network you can't talk to the LAN; you can totally talk to LAN 2. So by saying portal.detroit.com.detroit.yearlingcompany.com (I should have probably picked a shorter domain) is 192.168.1.1, and that is the LAN 2. So this is what the settings look like for that.

Now we have a Windows machine that we're going to be using for captive portal. It's at 192.168.1.118. It's behind that LAN 2 section of the pfSense, and right here is the default gateway, which of course is the pfSense. And when we try to ping portal.detroitlandcompany.com we do indeed get Detroit at 192.168.1.1, so everything matches: the request, the response. These are some of those prerequisites that are really important that they work prior to you even turning on the captive portal.

Now captive portal will allow DNS queries to go from machines behind it talking to pfSense, but it won't let them go past the pfSense. That's where captive portal blocks any type of transactions going to different websites. You may resolve those websites; it will do DNS answers for it, but it will not let them go past and actually route traffic. This is one of those reasons I mentioned that it's a guest network, but when you're looking at the firewall rules it's once again very important that you do not have DNS blocked and that the DHCP server hands out the pfSense for DNS. If it's not handing out DNS, then whatever DNS server you're using, you'll have to make sure you have entries for wherever the location is for your portal. To me it's easier just to have, on the guest network, pfSense both do the DNS resolution and have that extra entry for where the portal is.

The other thing I'm not going to cover, but I recommend you read if this is a use case you have (it's kind of neat that they've built this in; I've not really done a lot with it), is vouchers. If you have the use case for vouchers, to pre-build a series of vouchers to allow users access, that's completely an option they have in there, where it can generate essentially tokens which allow a user a certain limited use of access based on the parameters you build for each voucher. So let's say the coffee house example: you want to say with a cup of coffee, here's your voucher, we're going to tape it to the side of the cup, and that will give you X amount of internet based on that voucher's parameters, and it expires based on, once again, the voucher's parameters. So it's kind of cool that this is all built in, but we're not going to be covering it today. If there are enough questions about it maybe I'll cover it in a future video, but it's not something we see as often, and it's relatively easy to set up once you have captive portal working.

Now let's get over and start setting up captive portal. In Services, let me go here to Captive Portal. I have this one set up; we're going to add a new one just to cover the basic part for people that just want to get it done. We'll set this demo up right here: save and continue, enable captive portal, and as I said, LAN 2. Let's walk through the settings. Basically, maximum concurrent connections: kind of self-explanatory. Idle timeout, hard timeout, traffic quotas, pass-through MAC address, pass-through credits per MAC address. This is where you start getting to some of the allow-passing-through-captive-portal-with-authentication stuff: a limited number of times a MAC address can pass; once used up, that client can only log in with valid credentials until a waiting period is specified. This is where you can really start, you know, beating up on your guests a little bit and make sure they stay within certain parameters on there. Reset waiting period. Logout popup window: don't guarantee that works; popup windows sometimes don't pop up anymore in browsers, so that may or may not work. Pre-authentication, after authentication: where do you want to send them afterwards. Blocked MAC address URL: so blocked MAC addresses will go here, so if you found some users abusing it you can drop some MAC addresses in there. Preserve connected users across reboot: this is a reboot of pfSense, not their reboot, and this is important to a couple of our clients that have a large number of people using the captive portal system, because when they've applied an update to pfSense they don't want to have to re-authenticate, oh, I don't know, about 2,000 people against it. Yes, they have that many on there. MAC filtering, pass-through MAC, per-user bandwidth restrictions: this is kind of neat, because this is going to allow us to say per-user bandwidth, and we can restrict the bandwidth on there. This is something really popular for guest users, because, well, we don't want to give them full speed; we want to give them some limited amount of speed per user logged in.

Now you can use a custom uploaded logo; you can also use a custom captive portal page. We're going to skip all that and leave everything default. We'll leave this default here; we don't even care about authentication. We really just want them to click the box to agree to some terms and conditions that no one will read. That's all we're going to do, and we're going to skip this part for now. This is just getting captive portal set up in the most basic of ways.

So now we can go back over to our Windows 10 lab. We'll try to ping something like google.com. It resolves because we're allowing DNS, and that's it; it's not actually going to allow any traffic routing until we open up a browser and get the captive portal. So let's go ahead and try to open up something and try to go to a site. It's going to sit and think because it tries HTTPS. Let's try this, come on. Eventually it'll fail and redirect, but these are some of the first problems you run into if you don't have... I think we put http:// in front of this. There we go. It took a second of trying and then it goes, oh, I guess you wanted to try HTTP, because new Chrome tries HTTPS first. I agree to the terms and conditions; we can click on the terms and conditions, agree to some T&C that no one will read, log in. It's going to sit and think, but while it's thinking we can refresh the page. Google works, CNET's opening, things are working again here because we've authenticated the user. Now we've done this and we can go see authenticated users over here. Click on the little icon here; we're going to look at the demo we just set up. Hey, there's that user. It says unauthenticated; it tells me how many bytes received, sent, and duration. We can trash that user and force them to disconnect, or we can disconnect all users, show last activity of this particular user. And let's do something real quick here; let's actually do a bandwidth test.

So here is the internal speed test server, and we're going to watch a reasonably fast speed test happen here. All right, we've got plenty of speed, plenty of bandwidth on it, and you know we don't necessarily want our guests having all that. So how do you start narrowing down and doing those restrictions so the guests can't suck up all the bandwidth on the line? We're going to go here to Services, Captive Portal, play with our demo one, then we'll go down here and we're going to restrict them to 200. Pretty simple: per-user bandwidth restriction, default download, default upload. Scroll down here, hit save. Then we're going to go back over here. Actually, before I forget, I've got to get rid of that user. So go to demo, just gotta go through, reload the page, I agree. Because that was an HTTP speed test page it redirected fast; it didn't pause like it did waiting for HTTPS, but it does pause on the redirect here. It's all right. Now let's see what the bandwidth looks like. All right, and we get the 0.2 megabits. That's it, that's all we're allowed to have here. Obviously you can tune this however you want, and now this is done on a per-user basis, so each person that clicks the authentication page (each device, I should say) is going to click it and then be restricted to that amount of bandwidth that you have set inside of there. So you know, you divvy up the bandwidth and you're allowed then to set up all the users. Now granted, all the users get the same bandwidth, and maybe that's as far as you need to go, and you don't have to watch the end of this video, because this is all you really need to get that basic level of captive portal configured and set up. But what if you wanted to go more advanced? What if you want to set up speed settings on a per-user basis?

Let's go ahead and disconnect all these users. Okay, that user is gone. Services, Captive Portal, and instead of doing anything further I'm just going to trash that one, and let's go to the more advanced one. We've just got to move it over to LAN 2 here. So this is the detroit italian company one with that domain, and all these options are still there, but we're going to be using the FreeRADIUS server to give us more control over this. Now when we scroll down here: use a custom uploaded logo, we checked that. I didn't bother creating a custom portal; the authentication page I think is fine the way it works, but that is an option of course. Then we have the use custom background image, same thing. Some terms and conditions no one will read but we'll still click on. And use authentication backend, and this is where we get the totally rad auth server and the RADIUS server. The next thing we do is scroll down, and save yourself some headache: if you're wanting to get this per-user bandwidth restriction set up, make sure this is checked down here. If you're using traffic quotas, as in you limit exactly how much bandwidth a user can pull, you can do that, but for the most part you're usually just restricting them so they don't have free rein to use too much bandwidth. So we check this box that says use RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes. Yep, everything else is the default. And enable HTTPS login: this is the important part, and this is that DNS entry I made, portal.detroitleancompany.com, and what certificate are we going to use? We're going to use that detroit early company certificate that's part of the ACME wildcard that we have on there, and then we can click save.

Now let's go over and look at FreeRADIUS under Services. So we go to Services, FreeRADIUS, and we have two users: we have speedy and slothmore. So we'll log into slothmore first. We've got a password set; I just set the password to be "test". We have a redirect page to go to the speed page right afterwards, so we can do a redirect, no problem there. We could set, down here is where the bandwidth is, and we've got this max bandwidth of 2000 kilobits and 2000 kilobits for up and down. Obviously set them to whatever works for you, and you do have the ability to do the upload/download traffic in megabytes, but like I said, I don't see many people doing that, and then you set the time period for when it resets, like they get this much traffic per day or per week or per month or forever, like that's it, you'll never get any more bandwidth once you've consumed this much. But like I said, this is the one we're going to focus on here. Then we're going to click save.

Now let's go ahead and go to google.com or any other HTTPS page, and you notice it has no problem redirecting to a captive portal with a fully valid certificate. It works way faster; even Google is smart enough to go, hey, you need to connect to this network, realizes that this wasn't secure, and redirects you there immediately even though it was HTTPS. So we can then use slothmore, test, don't read those terms and conditions, just agree to them and hit log in. It redirected to this page and we'll do the test, and we can see that slothmore is pretty restricted on bandwidth. Actually we don't even need to finish the test; we already know what happens and we know how that story plays out. Google even automatically redirected and finished redirecting to the HTTPS, not a problem.

Let's go ahead and first edit slothmore so he goes to another HTTPS site like lawrencesystems.com. Copy and paste is your friend. Scroll down here, save. Then we're going to go to Services, Captive Portal, and just disconnect that particular user. Actually, we'll go to news.com, make sure it's doing HTTPS, and where does it go? Oh, not secure. Didn't work the way I wanted it to, so let's try hitting Google again. These are sometimes errors you run into with captive portal. Let's just close the browsers; it probably thinks it's authenticated. They pulled the cached version, and after I refreshed the page it did the captive portal and redirected properly. This is something I'm happy that it did. These are some of the problems you run into when a user gets dropped but the session cache is still there inside of the browser: it may keep thinking it's connected because the DNS resolves, but it doesn't actually route the data, so it tries to pull local cached copies. FYI, that's one of those challenges you may run into with captive portal.

So let's go back over to slothmore, test, I agree, and you can see it did an HTTPS redirect to lawrencesystems.com, no problem at all, no error message involved because it's all HTTPS from one HTTPS site to another one. So that worked perfectly fine. We're going to close the browser before we get rid of the user and show you the other user. So let me refresh this page, fill off this user. So we're going to go to Services, FreeRADIUS, and we're going to look at speedy. Speedy we have redirecting to this page here; we can really redirect to any page we want, but I want that page because you notice I have no bandwidth restrictions on this one, so the user speedy shouldn't have a problem at all. And hey, for good measure let's open up Microsoft Edge and try to go to bing.com because I think that's where they want us to go. And Edge works, no problem: speedy, test, agreed to something that we're not going to read, and we can see that speedy has no problem, so he's going to get the full bandwidth on there because we didn't put any restrictions on there.

Now the next question comes up: what if I want to restrict them afterwards? So we'll put in 400 and 400 for user speedy, hit save, and try it now, and let's see what happens. Still getting full bandwidth. It's important, because that restriction, even though I saved it here, isn't applied until that user gets disconnected. So we're going to go ahead and go to Captive Portal, go here, drop this user, we'll close the browser so we don't have it in there. We can go back to Chrome and do this. And by the way, once you authenticate... actually we're supposed to go to bing.com, I think. Yeah, once you authenticate on one it'll authenticate in both, so if we authenticate here, did I put the password right? I did. Now there we go; as I refresh the page it stopped the redirect, but now we can see that this user has been restricted to the 0.4 megabits. Now if we open up Google Chrome right now, which will actually go pretty slow, let's go to Google. Actually I should probably close this. It's actually so bandwidth restricted this is painful; we're so used to fast internet now. So let's go to Google. There we go, with all of its speed it's still working. So let's go ahead and go to the speed test now, and you're going to get the same speed test in Google, because it's restricting it based on its MAC address and IP information and is not going to allow this to have any more bandwidth. So it doesn't matter what applications they open; it's not authenticating the browser. The browser is being used to pass the authentication information over to pfSense. Go ahead and refresh this page again, and there is that particular user telling me how much data that user has sent.

Now the last thing I wanted to cover is the automated MAC address authentication. So we can just say copy right here, and this is where you can do some pretty simple things in the captive portal. Let's go ahead and see Captive Portal; we're going to add pass-through for this MAC address right here, allow this Windows machine, and we'll say 800 kilobits, why not, that seems like a good bandwidth on there. Hit save. That means this one will automatically pass. So let's go here, close that, go to Captive Portal, go here, disconnect the user, which means it shouldn't be authenticated, but open it back up and it's working. Matter of fact, let's go to the LibreSpeed now, and this particular user is restricted just like it was, and it doesn't matter if the IP address changes. One thing of note: when we refresh this right here, nothing there. When you're doing it this way it doesn't show anyone authenticated, because you've done it in that particular captive portal; it doesn't show the username session. So if we go to Services, Captive Portal, for each allowed MAC address it just works. You don't have to... it doesn't matter what IP address it gets, it doesn't matter anything else. It just says, all right, if this MAC address is assigned to a device... Obviously this opens you up to the potential for MAC spoofing. If you were really worried about restricting on there, someone imitates the same MAC address, they're going to be able to make that happen, but then you'll end up with a collision on the network if that device is on, and you'll create other confusion. So there are of course ways around it. It's something, though, that is handy to use, and we actually kind of end up using it frequently when people say, hey, I have a guest network, I really want captive portal and to do the bandwidth restrictions, but I want to do them in a way that allows these IoT devices to be limited in bandwidth. It's actually also a really simple way to set up captive portal and use it just to authenticate all your devices implicitly and set a bandwidth restriction on each of them. It's just a simple way to make that work, and yeah, it's something we've definitely used a few times because it's a quick and easy way to get that functionality in the system.

All right, the next question I want to make sure I cover is that yes, it does work on a phone. So studio 100 is the device setup that we have connected to this pfSense with that captive portal. So what we're going to do is go ahead and connect to studio 100, and the first thing it does is redirect me on my phone here to this. Speedy, and we'll put the password in, agree, log in, and just like normal it redirects us to that page. Matter of fact, let's go back over there, and all the same rules apply. We can do this speed test right here; we can see we still have speedy restricted to this particular amount of bandwidth, and as long as you have concurrent logins it will allow more than one login from the same user even if they're on different devices. That kind of depends on that configuration, whether or not you want to allow that feature.

So hopefully that helps you get started with captive portal. The last thing, like I said, if there's enough interest, the voucher system I think is pretty neat, but I think it would be its own video and kind of be a part two to this one. I don't want to get too deep into it; I've not used it too often, but when I have set it up it is kind of neat to be able to create all the individual tickets and even download them into a spreadsheet, and kind of that use case of the coffeehouse that I mentioned earlier. So if there's enough interest in the voucher video, maybe I'll take the time to make it. Leave the comments below and let me know. If not, go ahead and, you know, comment on this video, let me know what I may have missed, what else needs clarification, or have a more in-depth discussion over at our forums.

All right, and thanks, and thank you for making it to the end of this video. If you enjoyed this content please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again and we look forward to hearing from you. In the meantime, check out some of our other videos.
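The prerequisites the video walks through before enabling the portal (webConfigurator moved off port 443, a DNS host override for the portal FQDN that points at the captive-portal interface rather than the LAN, a certificate that actually covers that name, and DNS to the firewall left open on the guest interface) can be reviewed offline from a config plan. The checker below is added example code, not pfSense's or Lawrence Systems' own; the Rule/PortalPlan model, the example.com domain and the sample rules are constructed, with the addresses mirroring the video's LAN (192.168.40.0/24) and guest LAN 2 gateway (192.168.1.1).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:  # one guest-interface firewall rule; pfSense evaluates top-down, first match wins
    action: str          # "pass" or "block"
    proto: str           # "any", "tcp", "udp" or "tcp/udp"
    dst: str             # "any", a single IP or a CIDR
    port: Optional[int]  # None means any port

@dataclass
class PortalPlan:  # the settings the video calls out as prerequisites (constructed model)
    portal_fqdn: str
    cp_interface_ip: str  # IP of the interface the portal runs on (LAN 2 in the video)
    webgui_port: int      # webConfigurator TCP port (the video moves it to 5555)
    host_overrides: dict  # DNS Resolver host overrides: hostname -> IP
    cert_names: list      # CN/SAN names on the certificate chosen for HTTPS login
    https_login: bool
    guest_rules: list     # ordered list of Rule on the guest interface

def cert_covers(name: str, cert_names: list) -> bool:
    """True if a certificate name matches `name`; '*.example.com' covers one label only."""
    name = name.lower()
    for cn in (c.lower() for c in cert_names):
        if cn == name:
            return True
        if cn.startswith("*.") and name.endswith(cn[1:]) and "." not in name[: -len(cn[1:])]:
            return True  # the wildcard stands in for exactly one DNS label
    return False

def rule_matches(rule: Rule, proto: str, dst_ip: str, port: int) -> bool:
    proto_ok = rule.proto in ("any", proto) or (rule.proto == "tcp/udp" and proto in ("tcp", "udp"))
    if not proto_ok or (rule.port is not None and rule.port != port):
        return False
    return rule.dst == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False)

def first_match_action(rules: list, proto: str, dst_ip: str, port: int) -> str:
    """Action of the first matching rule; no match means pfSense's implicit default block."""
    for rule in rules:
        if rule_matches(rule, proto, dst_ip, port):
            return rule.action
    return "block"

def check_plan(plan: PortalPlan) -> list:
    """Return one finding per prerequisite the plan violates; an empty list means ready."""
    findings = []
    if plan.webgui_port in (80, 443):
        findings.append(f"webConfigurator on port {plan.webgui_port} collides with the portal redirect")
    override = plan.host_overrides.get(plan.portal_fqdn.lower())
    if override is None:
        findings.append(f"no DNS host override for {plan.portal_fqdn}")
    elif ipaddress.ip_address(override) != ipaddress.ip_address(plan.cp_interface_ip):
        # e.g. the LAN address, which a guest network that blocks LAN access cannot reach
        findings.append(f"{plan.portal_fqdn} resolves to {override}, not the portal interface {plan.cp_interface_ip}")
    if plan.https_login and not cert_covers(plan.portal_fqdn, plan.cert_names):
        findings.append(f"certificate names {plan.cert_names} do not cover {plan.portal_fqdn}")
    for proto in ("udp", "tcp"):
        if first_match_action(plan.guest_rules, proto, plan.cp_interface_ip, 53) != "pass":
            findings.append(f"DNS over {proto} to {plan.cp_interface_ip} is blocked on the guest interface")
    return findings

# Constructed plans mirroring the video's layout: LAN 192.168.40.0/24, guest LAN 2 gateway 192.168.1.1.
GOOD_PLAN = PortalPlan(
    portal_fqdn="portal.example.com", cp_interface_ip="192.168.1.1", webgui_port=5555,
    host_overrides={"portal.example.com": "192.168.1.1"},
    cert_names=["example.com", "*.example.com"], https_login=True,
    guest_rules=[
        Rule("pass", "tcp/udp", "192.168.1.1", 53),     # DNS to pfSense itself stays open
        Rule("block", "any", "192.168.1.1", None),      # no other access to the firewall (webGUI)
        Rule("block", "any", "192.168.40.0/24", None),  # guests may not reach the LAN
        Rule("pass", "any", "any", None),
    ],
)
BAD_PLAN = PortalPlan(
    portal_fqdn="portal.example.com", cp_interface_ip="192.168.1.1", webgui_port=443,
    host_overrides={"portal.example.com": "192.168.40.1"},  # points at the LAN address
    cert_names=["example.com"], https_login=True,
    guest_rules=[Rule("block", "any", "192.168.1.1", None), Rule("pass", "any", "any", None)],
)
```

`check_plan(GOOD_PLAN)` returns an empty list, while `check_plan(BAD_PLAN)` reports the 443 collision, the override pointing at the LAN, the missing wildcard and blocked DNS over both UDP and TCP.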
Info
Channel: Lawrence Systems
Views: 27,975
Keywords: LawrenceSystems, captive portal, captive portal login, captive portal setup, captive portal pfsense, captive portal wifi, captive portal login wifi, captive portal you can use, pfsense captive portal tutorial, pfsense captive portal setup, pfsense captive portal, pfsense firewall, pfsense setup
Id: hdHDCafeFdU
Length: 26min 25sec (1585 seconds)
Published: Tue Jun 22 2021