I'm here from Lawrence Systems, and we're going to dive into captive portal on pfSense and some common use cases for it. Before we dive into the details of this video: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are some affiliate links down below to get you deals and discounts on products and services we talk about on this channel.

Now let's dive into captive portal, and we're going to start with some prerequisites to get this working properly and at its optimal settings. The first thing I want to talk about is the captive portal documentation over at Netgate. It's great; they have a lot of things covered in here, more than we could possibly have time to cover in this video, so I will reference it as: hey, if you want to know more, there is a lot you can dive into about some specific things. It does not yet support IPv6. That's important for those of you who always ask me about IPv6, so yeah, that's still an issue, in case you're wondering.

We're also going to mention "Authenticating OpenVPN users with FreeRADIUS".
I know we're not authenticating VPN users, but if you take out "VPN users" you can just say "authenticating users with FreeRADIUS". This document will help you get FreeRADIUS set up. It's not required that you do this, but I'm going to show the advanced use case where you can set up per-user bandwidth restrictions, and FreeRADIUS is the way to do that. You can set up bandwidth restrictions without FreeRADIUS, but then they apply to everyone, as opposed to setting them up on an individual basis. So we're going to cover both of those scenarios, and I'm going to leave a reference to this document.

Then we'll probably just start right here with what this LAN is. We have two of them: this is the general, wide-open LAN where I want all my devices that are not part of the guest network, and this is the guest network, LAN2, for the purposes of this particular video. The guest network, please note, is the restricted one. We have changed the web configurator port, and the web configurator lives at 5555. That's important: it's not at your standard port 443, which can interfere with redirection and is one of the problems you may run into with captive portal. I'm telling you this because these are some of the things people overlook when they're having trouble with captive portal, so if you follow this exactly, hopefully you'll have no problems at all setting up your captive portal.

Next, I have this rule because the guest network is blocking access to the web interface on here. No problem, we're on a different network; we're actually connecting to this externally, so I'm allowed to access it, but devices on the guest network will not be able to, and devices on the guest network have been denied access to things on the LAN side. Now, something that's important:
please note that DNS is not blocked. Having proper DNS is going to be an important prerequisite for this as well. So our LAN is 192.168.40.1, and LAN2, our guest network, is 192.168.1.1.

Next we have to make sure that we have a domain name for our captive portal. Now this is, as I said, for working optimally. Can you do it without it? Yeah, you can have it forward with non-HTTPS and that will work, but some browsers such as Google Chrome and some phones may have problems, and as more things start to default to HTTPS they will also start breaking your captive portal, because if you don't have a fully qualified domain name and an SSL certificate on there it will just not forward and kind of get stuck in a loop. I noticed that problem with the latest version of Chrome: it just kind of stops because it's trying to redirect via HTTPS. Now we'll cover setting it up. I will mention, though, that right now we're running the 2.5.2 RC of pfSense Community Edition, but whether you're using the Community Edition or pfSense Plus here in June of 2021, it's going to look the same on either one. There's no difference in captive portal between the two versions, and honestly, even between older versions of pfSense, captive portal hasn't changed dramatically; it's only gotten a few more features.

Now let's talk about the domain name part. We go here to Services, and I have the ACME cert package loaded. This is my automatic certificate management engine, loaded and grabbing a Let's Encrypt cert for detroityodelingcompany.com. I've covered this before in another video.
I'll leave a link below, but basically you want a wildcard certificate. So on this system I'm using the DNS validation method so you can have wildcard certs. This allows you to have that cert so we can create subdomains such as portal.detroityodelingcompany.com to allow the captive portal to have a fully qualified domain name, and it solves all those HTTPS problems that you may run into with it.

Speaking of which, that's why I said DNS has to work. So if we go here to the DNS Resolver, we're going to scroll down and we see that I've created portal.detroityodelingcompany.com and I've given it the internal LAN2 guest IP address. That's important: if I had given it the LAN IP address for the captive portal, that would have been a problem, because we've told the guest network "you can't talk to the LAN", but you can totally talk to LAN2. So portal.detroityodelingcompany.com (I should have probably picked a shorter domain) is 192.168.1.1, and that is LAN2. So this is what the settings look like for that.

Now we have a Windows machine that we're going to be using for captive portal. It's at 192.168.1.118; it's behind that LAN2 section of the pfSense, and right here is the default gateway, which of course is the pfSense. When we try to ping portal.detroityodelingcompany.com, we do indeed get portal.detroityodelingcompany.com at 192.168.1.1, so everything matches, the request and the response. These are some of those prerequisites that are really important to have working prior to you even turning on the captive portal.

Now, captive portal will allow DNS queries to go from machines behind it to the pfSense, but it won't let them go past the pfSense. That's where captive portal blocks any type of transaction going to different websites.
You may resolve those websites, it will give DNS answers for them, but it will not let them go past and actually route traffic. This is one of those reasons I mentioned that it's a guest network, but when you're looking at the firewall rules it's once again very important that you do not have DNS blocked and that the DHCP server hands out the pfSense for DNS. If it's not handing out DNS, then whatever DNS server you're using, you'll have to make sure you have entries for wherever the location of your portal is. To me it's easier just to have the guest network have the pfSense do the DNS resolution and have that extra entry for where the portal is.

The other thing I'm not going to cover, but I recommend you read about if this is a use case you have (it's kind of neat that they've built this in; I've not really done a lot with it), is vouchers. If you have the use case for vouchers and want to pre-build a series of vouchers to allow users access, that's completely an option they have in there. It can generate, essentially, tokens which allow a user a limited amount of access based on the parameters you build for each voucher. So, let's say, the coffee house example: you want to say, with a cup of coffee,
here's your voucher. We're going to tape it to the side of the cup, and that would give you X amount of internet based on that voucher's parameters, and it expires based on, once again, the voucher's parameters. So it's kind of cool that this is all built in, but we're not going to be covering it today. If there are enough questions about it, maybe I'll cover it in a future video, but it's not something we see as often, and it's relatively easy to set up once you have captive portal working.

Now let's get over and start setting up captive portal. Under Services, let me go here to Captive Portal. I have this one set up; we're going to add a new one to cover just the basic part, for people who just want to get it done. We'll set this demo up right here, Save and Continue. Enable captive portal, and as I said, LAN2. Let's walk through the settings. Basically, maximum concurrent connections is kind of self-explanatory; idle timeout, hard timeout, traffic quotas, pass-through MAC address, pass-through credits per MAC address. This is where you get into "allow passing through the captive portal without authentication a limited number of times per MAC address"; once used up, that client can only log in with valid credentials until the specified waiting period has passed. This is where you can really start, you know, beating up on your guests a little bit, making sure they stay within certain parameters on there. Then reset waiting period; logout pop-up window (I don't guarantee that works; pop-up windows sometimes don't pop up anymore in browsers, so that may or may not work); pre-authentication and after-authentication redirect URL, where do you want to send them afterwards; blocked MAC address redirect URL, so blocked MAC addresses will go here, so if you found some users abusing it you can drop some MAC addresses in there; preserve connected users across reboot.
This is a reboot of pfSense, not their reboot, and this is important to a couple of our clients that have a large number of people using the captive portal system, because when they've applied an update to pfSense they don't want to have to re-authenticate, oh, I don't know, about 2,000 people against it. Yes, they have that many on there. MAC filtering, pass-through MAC, per-user bandwidth restrictions: this is kind of neat, because this is going to allow us to restrict the bandwidth per user on there, and this is something really popular for guest users, because, well, we don't want to give them full speed. We want to give them some limited amount of speed per user logged in.

Now, you can use a custom uploaded logo; you can also use a custom captive portal page. We're going to skip all that and leave everything default. We'll leave this default here. We don't even care about authentication; we really just want them to click the box to agree to some terms and conditions that no one will read. That's all we're going to do, and we're going to skip this part for now. This is just getting captive portal set up in the most basic of ways right here.

So now we can go back over to our Windows 10 lab. We'll try to ping something like google.com. It resolves, because we're allowing DNS, and that's it. It's not actually going to allow any traffic routing until we open up a browser and get the captive portal. So let's go ahead and try to open up something and try to go to a site. It's going to sit and think, because it tries HTTPS.
Let's try this. Come on. Eventually it'll fail and redirect, but these are some of the first problems you run into if you don't have... I think we put http:// in front of this. There we go; it took a second of trying and then it goes, oh, I guess you wanted to try HTTP, because new Chrome tries HTTPS first. I agree to the terms and conditions (we can click on the terms and conditions; agree to some T&C that no one will read), log in. It's going to sit and think, but while it's thinking we can refresh the page. Google works, CNET's opening; things are working again here because we've authenticated the user.

Now that we've done this, we can go see authenticated users over here, so click on the little icon here. We're going to look at the demo one we just set up. Hey, there's that user. It says "unauthenticated", tells me how many bytes received, session duration. We can trash that user and force them to disconnect, or we can disconnect all users, or show the last activity of this particular user.

And let's do something real quick here: let's actually do a bandwidth test. So here is the internal speed test server, and we're going to watch a reasonably fast speed test happen here. All right, we've got plenty of speed, plenty of bandwidth on it, and, you know, we don't necessarily want our guests having all this. How do you start narrowing down and doing those restrictions so the guests can't suck up all the bandwidth on the line? We're going to go here to Services, Captive Portal, play with our demo one, then we'll go down here and we're going to restrict them to 200. Pretty simple: per-user bandwidth restriction, default download, default upload. Scroll down here, hit Save. Then we're going to go back over here. Actually, before I forget, I've got to get rid of that user, so go to demo, this one has got to go. Then reload the page, I agree. Because that was an HTTP speed test page it redirected fast; it didn't pause like it did waiting for HTTPS, but it does pause on a redirect here.
It's all right. Now let's see what the bandwidth looks like. All right, and we get the 0.2 megabits. That's it, that's all we're allowed to have here. Obviously you can tune this however you want, and now this is done on a per-user basis, so each person that clicks the authentication page (each device, I should say) is going to click it and then be restricted to that amount of bandwidth that you have set inside of there. So, you know, you divvy up the bandwidth and you're allowed to set up all the users. Now, granted, all the users get the same bandwidth, and maybe that's as far as you need to go, and you don't have to watch the end of this video, because this is all you really need to get that basic level of captive portal configured and set up.

But what if you wanted to go more advanced? What if you want to set up speed settings on a per-user basis? Let's go ahead and disconnect all these users. Okay, that user's gone. Services, Captive Portal, and instead of doing anything further we're just going to trash that one, and let's go to the more advanced one we have. It's got to be moved over to LAN2 here. So this is the Detroit Yodeling Company one with that domain, and all these options are still there, but we're going to be using the FreeRADIUS server to give us more control over this. Now, when we scroll down here: use a custom uploaded logo.
We checked that. I didn't bother creating a custom portal page; the authentication page I think is fine the way it works, but that is an option, of course. Then we have "use custom background image", same thing, and some terms and conditions no one reads but will still click on. Then "authentication method": this is where we pick the authentication server, and we select the RADIUS server. The next thing we do is scroll down, and save yourself some headache: if you're wanting to get this per-user bandwidth restriction set up, make sure this is checked down here. And if you're using traffic quotas, as in you limit exactly how much traffic a user can pull, you can do that, but for the most part you're usually just restricting them so they don't have free rein to use too much bandwidth. So we check this box; it says "Use RADIUS pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down attributes". Yep. Everything else is the default.

Enable HTTPS login: this is the important part, and this is that DNS entry I made, portal.detroityodelingcompany.com. And what certificate are we going to use? We're going to use that Detroit Yodeling Company certificate that's part of the ACME wildcard that we have on there, and then we can click Save.

Now let's go over and look at FreeRADIUS under Services. So we go to Services, FreeRADIUS, and we have two users: we have speedy and slothmore. So we'll look at slothmore first, and we've got a password set.
I just set the password to be "test". We have a redirect page to go to the speed page right afterwards, so we can do a redirect, no problem there. Down here is where we could set the bandwidth, and we've got this max bandwidth of 2,000 kilobits and 2,000 kilobits for up and down; obviously set them to whatever works for you. And you do have the ability to do the upload/download traffic quota in megabytes, but like I said, I see fewer people doing that; then you set the time period for when it resets, like they get this much traffic per day or per week or per month or forever, like, that's it, you'll never get any more bandwidth once you've consumed this much. But like I said, this is the one we're going to focus on here, and we're going to click Save.

Now let's go ahead and go to google.com or any other HTTPS page, and you notice it has no problem redirecting to a captive portal with a fully valid certificate. It works way faster; even Google is smart enough to go, hey, you need to connect to this network, realizes that this wasn't secure and redirects you there immediately, even though it was HTTPS. So we can then use slothmore, test, don't read those terms and conditions, just agree to them and hit Login. It redirects to this page, and we'll do the test, and we can see that slothmore is pretty restricted on bandwidth. Actually, we don't even need to finish the test; we know what happens and we know how that story plays out. Google even automatically redirected and finished redirecting to the HTTPS site, not a problem.

Let's go ahead, and first let's edit slothmore so he goes to another HTTPS site, like lawrencesystems.com. Copy and paste is your friend. We'll scroll down here, Save, and then we're going to go to Services, Captive Portal, and just disconnect that particular user. Actually, we'll go to news.com, make sure it's doing HTTPS, and where does it go? Oh, not secure. Didn't work the way I wanted it to, so we'll try hitting Google again. These are sometimes errors you run into with captive portal.
Let's just close the browsers. I think it probably thought it was all authenticated; it pulled the cached version, and after I refreshed the page it did the captive portal and redirected properly. This is something I'm happy that it did. These are some of the problems you run into when a user gets dropped but the session cache is still there inside the browser: it may keep thinking it's connected because the DNS resolves, but it doesn't actually route the data, so it tries to pull local cached copies. FYI, that's one of those challenges you may run into with captive portal.

So let's go back over to slothmore, test, I agree, and you can see it did an HTTPS redirect to lawrencesystems.com, no problem at all, no error message involved, because it's all HTTPS from one HTTPS site to another one. So that worked perfectly fine. We're going to close the browser before we get rid of the user and show you the other user. So maybe refresh this page, kill off this user. We're going to go to Services, FreeRADIUS, and we're going to look at speedy, and for speedy we have a redirect to this page here. We can redirect to any page we want, but I want that page because you notice I have no bandwidth restrictions on this one, so the user speedy shouldn't have a problem at all. And hey, for good measure, let's open up Microsoft Edge and try to go to bing.com, because I think that's where they want us to go, and Edge works, no problem. speedy, test, agreed to something that we're not going to read, and we can see that speedy has no problem; I'm going to get the full bandwidth on there because we didn't put any restrictions on there.

Now the next question that comes up: what if I want to restrict them afterwards? So we'll put in 400 and 400 for user speedy, hit Save, and try it now. Let's see what happens. Still getting full bandwidth. It's important, because that restriction, even though I saved it here, isn't applied until that user gets disconnected.
So we're going to go ahead and go to Captive Portal, go here, drop this user. We'll close the browser so we don't have any issues; we can go back to Chrome and do this. And by the way, once you authenticate (actually, we're supposed to go to bing.com, I think; yeah), once you authenticate on one it'll authenticate in both. So if we authenticate here (did I put the password in right? I did), there we go. As I refresh the page it stopped the redirect, but now we can see that this user has been restricted to the 0.4 megabits. Now if we open up Google Chrome right now, which will actually go pretty slow, let's go to Google. Actually, I should probably close this; it's actually so bandwidth-restricted, this is painful. We're so used to fast internet now. So let's go to Google. There we go, with all of its speed, it's still working. So let's go ahead and go to the speed test now, and you're going to get the same speed test in Google, because it's restricting it based on its MAC address and IP information and not going to allow this to have any more bandwidth. So it doesn't matter what applications they open; it's not authenticating the browser, the browser is being used to pass the authentication information over to pfSense. We'll go ahead and refresh this page again, and there is that particular user, telling me how much data that user has sent.

Now the last thing I wanted to cover is the automated MAC address authentication. So we can just hit copy right here (this is where you can do some pretty simple things in the captive portal), and let's go ahead and see Captive Portal. We're going to add a pass-through for this MAC address right here, allow this Windows machine, and we'll say 800 kilobits, why not, that seems like a good bandwidth on there. Hit Save; that means this one will automatically pass.
So let's go here, close that, go to Captive Portal, go here, disconnect the user, which means it shouldn't be authenticated. But open it back up and it's working. As a matter of fact, let's go to the LibreSpeed now, and this particular user is restricted just like it was, and it doesn't matter if the IP address changes. One thing of note: when we refresh this right here, nothing is there. When you're doing it this way it doesn't show anyone authenticated, because you've done it in that particular captive portal as a pass-through; it doesn't show the username session. So if we go to Services, Captive Portal, for each allowed MAC address it just works. It doesn't matter what IP address it gets, it doesn't matter anything else, it just says, all right, if this MAC address is assigned to a device, it passes. Obviously this opens you up to the potential for MAC spoofing if you were really worried about restricting on there, or if someone imitates the same MAC address they're going to be able to make that happen, but then you'll end up with a collision on the network if that device is on, and you'll create other confusion. So there are, of course, ways around it. It's something, though, that is handy to use, and we actually kind of end up using it frequently when people say, hey, I have a guest network, I really want captive portal and to do the bandwidth restrictions, but I want to do them in a way that allows these IoT devices to be limited in bandwidth. It's actually also a really simple way to set up captive portal and use it just to authenticate all your devices implicitly and set a bandwidth restriction on each of them. It's just a simple way to make that work, and yeah, it's something we've definitely used a few times because it's a quick and easy way to get that functionality in the system.

All right, the next question
I want to make sure I cover is that yes, it does work on a phone. So "studio 100" is the network we have set up that is connected to this pfSense with that captive portal. So what we're going to do is go ahead and connect to studio 100, and the first thing it does is redirect me on my phone here to this. speedy, and we'll put the password in, Agree, Login, and just like normal it redirects us to that page. Matter of fact, let's go back over there, and all the same rules apply. We can do the speed test right here, and we can see we still have speedy restricted to this particular amount of bandwidth. And as long as you have concurrent logins enabled it will allow more than one login from the same user, even if they're on different devices. That kind of depends on your configuration, whether or not you want to allow that feature.

So hopefully that helps you get started with captive portal. The last thing, like I said: if there's enough interest, the voucher system I think is pretty neat, but I think it would be its own video and kind of be a part two to this one. I don't want to get too deep into it; I've not used it too often, but when I have set it up it is kind of neat to be able to create all the individual tickets and even download them into a spreadsheet, and kind of that use case of the coffee house that I mentioned earlier. So if there's enough interest in that video, maybe I'll take the time to make it. Leave comments below and let me know. If not, go ahead and, you know, comment on this video, let me know what I may have missed,
what else I need clarification on, or have a more in-depth discussion over at our forums. All right, and thanks.

Thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the Subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store. We have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
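The prerequisites the video stresses early on (the portal hostname must resolve to the guest interface rather than the LAN address, the certificate must cover that hostname, and the webConfigurator must be moved off port 443) are the things most often overlooked when a portal "gets stuck in a loop". The following pre-flight check is an added example written for this transcript; it is not code from Lawrence Systems, from pfSense or from the Netgate documentation. The hostname `portal.example.com`, the SAN `*.example.com` and the `SAMPLE_DNS` table are constructed placeholders (the only values taken from the video are the LAN2 gateway 192.168.1.1, the LAN gateway 192.168.40.1 and the webConfigurator port 5555); a real run would pass `socket.gethostbyname` as the resolver from a client on the guest network.

```python
"""Pre-flight checks for the captive-portal prerequisites described in the
video: the portal FQDN resolves to the guest (LAN2) interface, the TLS
certificate (a wildcard here) covers that FQDN, and the webConfigurator is
not on 443 where it would collide with the portal's HTTPS redirect.
Added example; these helpers are not part of pfSense."""
import ipaddress
import socket
from typing import Callable, List

# A name-to-address lookup. socket.gethostbyname is the live default; the
# constructed resolver below lets the check run offline.
Resolver = Callable[[str], str]


def cert_covers_hostname(cert_names: List[str], hostname: str) -> bool:
    """Match a hostname against certificate names the way browsers do: an
    exact match, or a wildcard whose '*' stands for exactly one leftmost
    label. '*.example.com' covers 'portal.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def check_portal_prereqs(
    portal_fqdn: str,
    guest_gateway: str,
    guest_subnet: str,
    cert_names: List[str],
    webgui_port: int,
    resolve: Resolver = socket.gethostbyname,
) -> List[str]:
    """Return the list of problems found; an empty list means all good."""
    problems: List[str] = []
    try:
        answer = resolve(portal_fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"DNS: {portal_fqdn} does not resolve ({exc})"]
    if answer != guest_gateway:
        # Guest clients are blocked from the LAN, so a portal record pointing
        # at the LAN address can never be reached from LAN2.
        problems.append(
            f"DNS: {portal_fqdn} resolves to {answer}, expected the guest "
            f"interface {guest_gateway}"
        )
    if ipaddress.ip_address(guest_gateway) not in ipaddress.ip_network(
        guest_subnet, strict=False
    ):
        problems.append(f"Gateway {guest_gateway} is not inside {guest_subnet}")
    if not cert_covers_hostname(cert_names, portal_fqdn):
        problems.append(
            f"TLS: none of {cert_names} covers {portal_fqdn}; HTTPS redirects "
            "will warn or loop"
        )
    if webgui_port == 443:
        problems.append(
            "webConfigurator is on 443; move it (the video uses 5555) so it "
            "does not collide with the portal's HTTPS listener"
        )
    return problems


# Constructed sample DNS mirroring the video's lab: LAN2 gateway 192.168.1.1,
# LAN gateway 192.168.40.1. Hostnames are placeholders, not the real domain.
SAMPLE_DNS = {
    "portal.example.com": "192.168.1.1",      # correct: points at LAN2
    "lanportal.example.com": "192.168.40.1",  # wrong: points at the LAN side
}


def sample_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname backed by SAMPLE_DNS."""
    try:
        return SAMPLE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")


if __name__ == "__main__":
    cases = [
        ("portal.example.com", 5555),
        ("lanportal.example.com", 443),
        ("missing.example.com", 5555),
    ]
    for fqdn, port in cases:
        issues = check_portal_prereqs(
            fqdn, "192.168.1.1", "192.168.1.0/24", ["*.example.com"], port,
            resolve=sample_resolver,
        )
        print(fqdn, "OK" if not issues else issues)
```

The wildcard matcher deliberately rejects the bare apex and multi-label names, which is why a single `*.example.com` certificate from the ACME package is enough for `portal.example.com` but would not cover a deeper subdomain; the DNS check is the one that catches the LAN-versus-LAN2 mistake the video calls out.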