So I'm looking for captive portal setup for my company's guest internet access and initially came across Monowall which seemed to fit the bill. (I think you're supposed to spell it mOnOwall, but I'm not 16 years old.) While Monowall was a minor pain in the butt to install to the hard drive of the old machine that will be acting as my router for this project, it did work and worked well. However, I found it a little bit lacking in both the features department and the 'let's develop new features' department.
While browsing various forums for information about Monowall, I found a couple nods to pfSense, which turns out to be a fork of Monowall with many more features and a snappy interface. Not only that, but pfSense is distributed as an ISO with no-nonsense installer that can actually install the software to a hard drive without the extra steps required by Monowall in this regard. Yay.
So I was really only interested in two features. I'm not too particular. (in fact, it seems like most of my rants involve the need for two related features that no one piece of software can manage to provide) The features are:
1) A captive portal.
2) Scheduled firewall rules.
pfSense has both, but of course, as I'm sure you guessed, that's right, it wouldn't be my life if this wasn't the case, THEY DON'T WORK TOGETHER.
Enable a scheduled for your LAN->any firewall rule and your captive portal will no longer function. In fact, I had to delete the schedule I created and completely restart pfSense before the captive portal came back online.
Why would these two features be mutually exclusive? What if you want to provide guest access via Captive Portal for normal business hours, and no access during non-business hours? I don't think that this is a terribly odd request. If you're providing Wifi access you certainly don't want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal. Access to any portion of a network should be off when you know, for sure, that it does not need to be in service. Sure I could enable encryption on the access point, but in this case I'm looking for ease of use over security -- but not completely. After all, I have some control over my parking lot during business hours.
What bothers me most is that a Captive Portal should be on conceptually on top of the firewall, and a firewall schedule should just fire rules at defined times. If you defined a rule that completely disabled access through the firewall at 5:00PM, yes your Captive Portal would stop working -- but so what, that's sort of the point.
Schedule rules are a bit different because the implementation is a hack. It worked for the company that sponsored the development, and at the time there was no reasonable alternative for a long list of reasons I won't get into. Captive portal uses ipfw, which is also what time based rules use. All other rules use pf.
ReplyDeleteBut had you read the explanation of how time based rules differ from other rules you would have seen a solution. Using only block rules with schedules should work fine even in conjunction with CP, while allow rules will bypass CP.
I created a block rule and applied a schedule to it per your suggestion and again the captive portal disappeared and I was able to pass through directly.
ReplyDeleteI've just bumped into your blog post... if you're still fighting with this, use MikroTik RouterOS.
ReplyDeleteIt's a cheap $60 license and gives you a fully fledged IPChains firewall, with independent scheduler, captive portal and a whole bunch of other features.
www.mikrotik.com
Disclaimer: I resell their products, but not directly related in any other way.
Can anyone recommend the top performing Endpoint Security utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central help desk software
ReplyDelete? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!
Good brief and this mail helped me alot in my college assignement. Thanks you as your information.
ReplyDeleteOpulently I agree but I dream the list inform should have more info then it has.
ReplyDeleteDid you direct your schedule rules toward the Internet gateway, or do you need an incantation to point them toward the portal's interface?
ReplyDeleteThis article might be getting extra attention (despite being rather old) because for some reason it's the only article being shown in the RSS feed. Today is February 8, 2010.
ReplyDeleteYou have really great taste on catch article titles, even when you are not interested in this topic you push to read it
ReplyDeleteThanks for an explanation, the easier, the better …
ReplyDeleteI consider, that you are not right. I am assured. I suggest it to discuss. Write to me in PM, we will communicate.
ReplyDeleteHow you find ideas for articles, I am always lack of new ideas for articles. Some tips would be great
ReplyDeleteHaving same problem with "1.2.3-RELEASE
ReplyDeletebuilt on Sun Dec 6 23:38:21 EST 2009"
Also, as soon as I create a Schedule (before adding it to any FW rule) CP stop working. :(
Gosh, there is a great deal of worthwhile material above!
ReplyDeletehttp://blog.stefcho.eu/?p=754
ReplyDeletev2.01 allows this functionality
Its like you read my mind! You appear to know so much about this,
ReplyDeletelike you wrote the book in it or something.
I think that you could do with some pics to drive the
message home a bit, but other than that, this is wonderful blog.
A great read. I will definitely be back.
Here is my weblog ... bmi calculations