
Author Topic: Captive portal login  (Read 271 times)


Offline asy67

Captive portal login
« on: December 18, 2017, 07:28:22 pm »
I am new to pfsense.
I have only 1 WAN and 1 LAN ( in my pfsense. I enable captive portal and also in my LAN. when user browse to my captive portal and input the username and password, it is successfully browse the internet. however, when user try to browse during its session, the admin page(pfsense) is appeared. how am i going to avoid the view the admin page while they on their session?

please help.

Online Gertjan

Re: Captive portal login
« Reply #1 on: December 19, 2017, 05:01:20 am »
 however, when user try to browse during its session, the admin page(pfsense) is appeared. how am i going to avoid the view the admin page while they on their session?
Any device hooked up on the LAN can access the GUI - that is normal and by design. All "trusted devices" should live on LAN; non-trusted devices should use another interface: OPT1, OPT, etc.
Typically, a captive portal is used by non-trusted devices. You found out the exact reason why, normally, a captive portal should be set up on an OPTx interface.

Visit System => Advanced => Admin Access and check the "Anti-lockout" checkbox. If it isn't checked, a hidden rule permits this access at all times from any device on the LAN.
When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure a firewall rule is in place that allows access, to avoid being locked out!) Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.

However, what you really need is a firewall. And, good news, pfSense is a firewall. So it becomes a matter of setting up some rules and you're done.

I advise you to:
Add a static DHCP lease for YOUR PC, the device you trust, the device you use to admin pfSense. This way, your device will always receive the SAME IP.
Then, add a rule on the LAN interface that accepts connections coming from your device (source == IP of your device) to pfSense (destination == "This Firewall"), destination port 80 or 443 (in case of https GUI access).
Right after this rule, put in place a block rule: source = Any, destination = "This Firewall", destination port 80 and/or 443.
Third rule: put in place an "any to any" rule (for testing purposes only).

After this third rule are your other LAN captive-portal-related rules.

Validate your rules

Then, visit System => Advanced => Admin Access and remove the check for "Anti-lockout" !

Test now, and see that these rules work - use YOUR PC, check that the IP is ok (release and renew your IP to get the right one, the one you are using in your rules!) and that you can log in from your PC.
Use ANOTHER "untrusted" PC, log in to the portal, and check that you can NOT log in - BUT that you are using the third (pass-all) rule.
The counters in front of the rules shown in the GUI (Firewall - LAN) will show the rules are used.

If all is ok, remove this third rule - you are using a captive portal, your other firewall rules follow.

See image. The "192.1638.1.6" is my trusted IPv4 (2001:470:1f13:5c0:2::c6 also) and as you can see the counters in front of the IPv6 rule work, because I'm using IPv6. This is why I have 2 rules. I could also use an Alias for those 2 IPs and combine IPv4+IPv6 in one rule. Note that I'm using only https access, so only port 443.

« Last Edit: December 19, 2017, 05:08:58 am by Gertjan »
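As an added illustration (not code from the thread or from pfSense), here is a small first-match evaluator over the three LAN rules Gertjan lists, with assumed addresses (192.168.1.1 for the firewall, 192.168.1.6 for the admin PC). It shows the untrusted host hitting the block rule for the GUI while still passing to the internet, and why the block rule has no effect while the hidden Anti-lockout rule (assumed here to cover ports 80 and 443) still sits above the user rules.

```python
# Added example, not from the forum post: first-match evaluation of the
# LAN rule set described above. Addresses are assumptions for illustration.
from ipaddress import ip_address, ip_network

FIREWALL_IP = "192.168.1.1"   # assumed LAN address of pfSense ("This Firewall")
TRUSTED_PC = "192.168.1.6"    # assumed static DHCP lease of the admin PC
GUI_PORTS = {443}             # https-only GUI access, as in the post


def rule(action, src, dst, dports):
    """src/dst: network string or 'any'; dports: set of ports or None (any)."""
    return {"action": action, "src": src, "dst": dst, "dports": dports}


def _in(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


def matches(r, src_ip, dst_ip, dport):
    return (_in(r["src"], src_ip) and _in(r["dst"], dst_ip)
            and (r["dports"] is None or dport in r["dports"]))


def first_match(rules, src_ip, dst_ip, dport):
    """pf-style first-match evaluation; default deny if nothing matches."""
    for r in rules:
        if matches(r, src_ip, dst_ip, dport):
            return r["action"]
    return "block"


def lan_rules(anti_lockout_enabled):
    rules = []
    if anti_lockout_enabled:
        # The hidden anti-lockout rule is inserted ahead of all user rules.
        rules.append(rule("pass", "any", FIREWALL_IP, {80, 443}))
    rules += [
        rule("pass", TRUSTED_PC + "/32", FIREWALL_IP, GUI_PORTS),  # rule 1
        rule("block", "any", FIREWALL_IP, GUI_PORTS),              # rule 2
        rule("pass", "any", "any", None),                          # rule 3 (testing only)
    ]
    return rules


def gui_access(src_ip, anti_lockout_enabled=False):
    return first_match(lan_rules(anti_lockout_enabled), src_ip, FIREWALL_IP, 443)


def internet_access(src_ip, anti_lockout_enabled=False):
    return first_match(lan_rules(anti_lockout_enabled), src_ip, "203.0.113.10", 443)
```

With Anti-lockout left checked, `gui_access("192.168.1.50", True)` returns "pass", which is exactly the behaviour the original poster saw.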