Today's sad story:
Wednesday, September 10, 2008
So I'm looking for captive portal setup for my company's guest internet access and initially came across Monowall which seemed to fit the bill. (I think you're supposed to spell it mOnOwall, but I'm not 16 years old.) While Monowall was a minor pain in the butt to install to the hard drive of the old machine that will be acting as my router for this project, it did work and worked well. However, I found it a little bit lacking in both the features department and the 'let's develop new features' department.
While browsing various forums for information about Monowall, I found a couple nods to pfSense, which turns out to be a fork of Monowall with many more features and a snappy interface. Not only that, but pfSense is distributed as an ISO with no-nonsense installer that can actually install the software to a hard drive without the extra steps required by Monowall in this regard. Yay.
So I was really only interested in two features. I'm not too particular. (in fact, it seems like most of my rants involve the need for two related features that no one piece of software can manage to provide) The features are:
1) A captive portal.
2) Scheduled firewall rules.
pfSense has both, but of course, as I'm sure you guessed, that's right, it wouldn't be my life if this wasn't the case, THEY DON'T WORK TOGETHER.
Enable a scheduled for your LAN->any firewall rule and your captive portal will no longer function. In fact, I had to delete the schedule I created and completely restart pfSense before the captive portal came back online.
Why would these two features be mutually exclusive? What if you want to provide guest access via Captive Portal for normal business hours, and no access during non-business hours? I don't think that this is a terribly odd request. If you're providing Wifi access you certainly don't want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal. Access to any portion of a network should be off when you know, for sure, that it does not need to be in service. Sure I could enable encryption on the access point, but in this case I'm looking for ease of use over security -- but not completely. After all, I have some control over my parking lot during business hours.
What bothers me most is that a Captive Portal should be on conceptually on top of the firewall, and a firewall schedule should just fire rules at defined times. If you defined a rule that completely disabled access through the firewall at 5:00PM, yes your Captive Portal would stop working -- but so what, that's sort of the point.
- ▼ September (8)