Wednesday, September 10, 2008

pfSense Captive Portal with Firewall Schedules

Today's sad story:

So I'm looking for captive portal setup for my company's guest internet access and initially came across Monowall which seemed to fit the bill.  (I think you're supposed to spell it mOnOwall, but I'm not 16 years old.)  While Monowall was a minor pain in the butt to install to the hard drive of the old machine that will be acting as my router for this project, it did work and worked well.  However, I found it a little bit lacking in both the features department and the 'let's develop new features' department.

While browsing various forums for information about Monowall, I found a couple of nods to pfSense, which turns out to be a fork of Monowall with many more features and a snappy interface.  Not only that, but pfSense is distributed as an ISO with a no-nonsense installer that can actually install the software to a hard drive without the extra steps required by Monowall in this regard.  Yay.

So I was really only interested in two features.  I'm not too particular.  (in fact, it seems like most of my rants involve the need for two related features that no one piece of software can manage to provide)  The features are: 

1) A captive portal.
2) Scheduled firewall rules.

pfSense has both, but of course, as I'm sure you guessed, that's right, it wouldn't be my life if this wasn't the case, THEY DON'T WORK TOGETHER.

Enable a schedule on your LAN->any firewall rule and your captive portal will no longer function.  In fact, I had to delete the schedule I created and completely restart pfSense before the captive portal came back online.

Why would these two features be mutually exclusive?  What if you want to provide guest access via Captive Portal during normal business hours, and no access during non-business hours?  I don't think that this is a terribly odd request.  If you're providing Wifi access you certainly don't want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal.  Access to any portion of a network should be off when you know, for sure, that it does not need to be in service.  Sure, I could enable encryption on the access point, but in this case I'm looking for ease of use over security -- but not completely.  After all, I have some control over my parking lot during business hours.

What bothers me most is that a Captive Portal should conceptually sit on top of the firewall, and a firewall schedule should just fire rules at defined times.  If you defined a rule that completely disabled access through the firewall at 5:00PM, yes, your Captive Portal would stop working -- but so what, that's sort of the point.

20 comments:

Chris Buechler said...

Schedule rules are a bit different because the implementation is a hack. It worked for the company that sponsored the development, and at the time there was no reasonable alternative for a long list of reasons I won't get into. Captive portal uses ipfw, which is also what time based rules use. All other rules use pf.

But had you read the explanation of how time based rules differ from other rules you would have seen a solution. Using only block rules with schedules should work fine even in conjunction with CP, while allow rules will bypass CP.
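The rule-ordering point in the comment above (captive portal and time-based rules share one first-match ipfw chain, so a scheduled allow rule matches before the portal's authentication check, while a scheduled block rule does not let anyone through) can be modelled in a few lines. This is an added illustration, not pfSense code; the rule numbering, the `evaluate` function and the `Schedule` class are constructed assumptions, and it also handles a schedule that crosses midnight, which the post's "off outside business hours" case needs.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass
class Schedule:
    """Daily time window; start > end means the window crosses midnight."""
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # wraparound window, e.g. 17:00 -> 08:00 the next morning
        return t >= self.start or t < self.end


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    schedule: Optional[Schedule] = None

    def applies(self, now: datetime) -> bool:
        return self.schedule is None or self.schedule.active(now)


def evaluate(scheduled_rules: List[Rule], client_authenticated: bool,
             now: datetime) -> str:
    """Fate of a guest packet in a first-match chain: 'pass', 'block' or 'portal'.

    Scheduled rules sit ahead of the captive portal check (constructed model of
    the ordering the comment describes), so a matching scheduled rule decides
    the packet before the portal ever sees it.
    """
    for rule in scheduled_rules:
        if rule.applies(now):
            return rule.action
    # Captive portal rule: authenticated clients pass, everyone else is redirected.
    return "pass" if client_authenticated else "portal"


# Constructed schedules: business hours and their complement.
BUSINESS_HOURS = Schedule(time(8, 0), time(17, 0))
OFF_HOURS = Schedule(time(17, 0), time(8, 0))

# A scheduled *allow* rule bypasses the portal for unauthenticated clients.
ALLOW_DURING_BUSINESS = [Rule("pass", BUSINESS_HOURS)]
# A scheduled *block* rule leaves the portal intact during business hours
# and closes the guest network outside them, which is what the post wants.
BLOCK_OFF_HOURS = [Rule("block", OFF_HOURS)]
```

Run `evaluate(ALLOW_DURING_BUSINESS, False, datetime(2008, 9, 10, 10, 0))` to see the bypass ("pass" without authentication) next to `evaluate(BLOCK_OFF_HOURS, False, ...)`, which yields "portal" at 10:00 and "block" at 02:00.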

SM2K said...

I created a block rule and applied a schedule to it per your suggestion and again the captive portal disappeared and I was able to pass through directly.

Andrea said...

I've just bumped into your blog post... if you're still fighting with this, use MikroTik RouterOS.

It's a cheap $60 license and gives you a fully fledged IPChains firewall, with independent scheduler, captive portal and a whole bunch of other features.

www.mikrotik.com

Disclaimer: I resell their products, but not directly related in any other way.

Anonymous said...

Can anyone recommend the top performing Endpoint Security utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central help desk software? What is your best take on cost vs performance among those three? I need good advice please... Thanks in advance!

Anonymous said...

Good brief, and this mail helped me a lot in my college assignment. Thank you for your information.

Anonymous said...

Opulently I agree, but I dream the list inform should have more info than it has.

Anonymous said...

Did you direct your schedule rules toward the Internet gateway, or do you need an incantation to point them toward the portal's interface?

Anonymous said...

This article might be getting extra attention (despite being rather old) because for some reason it's the only article being shown in the RSS feed. Today is February 8, 2010.

Anonymous said...

You have really great taste in catchy article titles; even when you are not interested in this topic, you are pushed to read it.

Anonymous said...

Thanks for an explanation, the easier, the better …

Anonymous said...

I consider, that you are not right. I am assured. I suggest it to discuss. Write to me in PM, we will communicate.

Anonymous said...

How do you find ideas for articles? I am always lacking new ideas for articles. Some tips would be great.

camaleon said...

Having the same problem with "1.2.3-RELEASE built on Sun Dec 6 23:38:21 EST 2009".

Also, as soon as I create a Schedule (before adding it to any FW rule), CP stops working. :(

Anonymous said...

http://blog.stefcho.eu/?p=754

v2.01 allows this functionality
