pfSense: Captive Portal
Wednesday, July 22, 2009 at 12:23PM
Disclosure: I am not connected with pfSense/BSD Perimeter LLC in any business manner, I am just a user. I created this feature focus for my own reasons but decided to publish it anyway.
Introduction
For the uninitiated, pfSense is a standalone firewall/router distribution based on FreeBSD that is designed to run on standard PC hardware. It uses the OpenBSD Packet Filter (hence the "pf") as its firewall and adds advanced features such as hardware redundancy via CARP, VPN and load balancing. Here, however, I will be talking about an interesting feature called the captive portal in pfSense 1.x, with a quick look at pfSense 2.0, which is yet to be released.
A captive portal sits between the client hosts on the network and the Internet and normally requires the user to log in before it permits access. This is useful if you want to allow or deny people getting online through your wireless at a house party, stop visitors accessing the Internet at the office, or simply display an acceptable use policy.
Captive portals normally permit access to an IP/MAC address pair that has been authenticated by the device. As anyone who knows networking will tell you, both the MAC and the IP address can easily be spoofed by an attacker on the same LAN: clone the pair of an already authenticated client and the portal will pass the attacker's traffic as if it were that client's. This weakness is something to keep in mind when considering a captive portal; it is an access-control convenience, not a substitute for link-layer protection such as WPA on wireless.
Even though a captive portal has this weakness, why is it a good idea to implement one? It works on any operating system that has a web browser (Windows, Mac, Linux, BSD, etc.) and requires no additional software to be installed on the client computers. From a management perspective that is a big advantage: the device works with any modern operating system and there is no extra client software to maintain.
Services: Captive Portal
All the configuration of the captive portal is done via the Services menu in the web interface. All the standard options are covered such as:
- The network interface that the portal will run on.
- Maximum concurrent connections per user.
- Idle/hard timeout settings.
- Popup logout window so users can end the current session.
Some of the more interesting features that the pfSense portal has to offer are:
- URL redirection.
- Enable/disable concurrent user logins (one IP/MAC pair per user).
- Enable/Disable MAC filtering settings.
- No/Local/RADIUS authentication.
- HTTP/HTTPS (SSL) portal connections.
- Customisable portal pages for legal messages, ASCII art, etc.
Authentication Options
pfSense has a few different authentication options for the captive portal:
- No authentication.
- Local user management.
- RADIUS authentication.
No authentication lets traffic through the captive portal without a login, which is useful if all you want from the portal is its per-user bandwidth limits or an acceptable use page. Local user management authenticates against the user database stored on the pfSense box itself, which is handy for smaller networks with a small number of users. RADIUS authentication uses a separately configured RADIUS server and suits more complex environments with many users.
A pass-through MAC address is an option that lets a configured MAC address through the captive portal without authentication. There is also a MAC filtering option that can be turned off to disable verification of the MAC address, which is necessary if routers or other layer 3 devices sit between the portal and the clients (the portal would otherwise only ever see the router's MAC for every client behind it). Bear in mind that with MAC filtering off a session is tied to the IP address alone, so it takes even less for an attacker on the LAN to impersonate an authenticated client. The 'allowed IP address' list is the same idea as the pass-through MAC address but keyed on IP address instead.
The Users tab is where the local accounts used for local authentication are managed. The account controls are basic: username, password, full name (not parsed) and an account expiry date when creating a new account. Accounts can also be edited and removed from this interface. pfSense 2.0 will improve the user account system drastically; for more information see the pfSense 2.0 section below.
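To make the IP/MAC weakness and the effect of the pass-through, allowed-IP, MAC filtering and concurrent-login options concrete, here is a small model of a captive portal's access decision. This is an added example written for this page, not pfSense's own code or an exact account of how pfSense 1.x stores sessions; the addresses, usernames and passwords in it are made up, and the session table keyed by IP is a simplification.

```python
"""Simplified model of a captive portal's access decision (added illustration).

This is NOT pfSense code. It models the options described in the post
(pass-through MACs, allowed IPs, the MAC filtering switch and the concurrent
login switch) to show why a cloned IP/MAC pair passes the portal.
All names, addresses and credentials below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class CaptivePortal:
    # Local user database: username -> password (constructed sample data).
    users: dict
    # When False the portal binds a session to the IP only (needed when a
    # router sits between the clients and the portal, as the post notes).
    mac_filtering: bool = True
    # When False a second login by the same user evicts the earlier session
    # (the "one IP/MAC pair per user" option).
    concurrent_logins: bool = True
    passthrough_macs: set = field(default_factory=set)
    allowed_ips: set = field(default_factory=set)
    # Active sessions: ip -> (mac, username). This is the table an attacker
    # impersonates by cloning an entry's IP (and MAC) on the LAN.
    sessions: dict = field(default_factory=dict)

    def login(self, ip: str, mac: str, username: str, password: str) -> bool:
        """Authenticate a client and record its IP/MAC pair."""
        if self.users.get(username) != password:
            return False
        if not self.concurrent_logins:
            # Drop any other session this user already holds.
            for other_ip, (_, user) in list(self.sessions.items()):
                if user == username and other_ip != ip:
                    del self.sessions[other_ip]
        self.sessions[ip] = (mac.lower(), username)
        return True

    def is_allowed(self, ip: str, mac: str) -> bool:
        """The per-packet decision: does this source get past the portal?"""
        mac = mac.lower()
        if mac in self.passthrough_macs or ip in self.allowed_ips:
            return True  # bypass lists are checked before sessions
        entry = self.sessions.get(ip)
        if entry is None:
            return False
        session_mac, _ = entry
        # With MAC filtering on, the MAC must match the one seen at login;
        # with it off, the IP alone is all that holds the session.
        return session_mac == mac if self.mac_filtering else True

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)


def demo() -> dict:
    """Walk through the cases the post describes and return each outcome."""
    portal = CaptivePortal(users={"alice": "correct horse"},
                           passthrough_macs={"00:11:22:33:44:55"},
                           allowed_ips={"192.0.2.250"})
    r = {}
    # An unauthenticated client is blocked.
    r["guest_blocked"] = not portal.is_allowed("192.0.2.10", "aa:bb:cc:00:00:01")
    # Alice logs in from 192.0.2.10 / aa:bb:cc:00:00:01.
    r["login_ok"] = portal.login("192.0.2.10", "aa:bb:cc:00:00:01", "alice", "correct horse")
    r["alice_allowed"] = portal.is_allowed("192.0.2.10", "aa:bb:cc:00:00:01")
    # Attacker using Alice's IP but its own MAC: blocked while MAC filtering is on...
    r["ip_only_spoof_blocked"] = not portal.is_allowed("192.0.2.10", "de:ad:be:ef:00:01")
    # ...but an attacker cloning BOTH the IP and the MAC is indistinguishable
    # from Alice. This is the weakness the post warns about.
    r["full_spoof_passes"] = portal.is_allowed("192.0.2.10", "AA:BB:CC:00:00:01")
    # Bypass lists need no login at all.
    r["passthrough_mac"] = portal.is_allowed("192.0.2.77", "00:11:22:33:44:55")
    r["allowed_ip"] = portal.is_allowed("192.0.2.250", "00:00:00:00:00:00")
    # With MAC filtering disabled the IP alone carries the session, so the
    # IP-only spoof now succeeds as well.
    portal.mac_filtering = False
    r["ip_only_spoof_passes_without_mac_filter"] = portal.is_allowed("192.0.2.10", "de:ad:be:ef:00:01")
    # Concurrent logins disabled: Alice logging in elsewhere evicts the old pair.
    portal.concurrent_logins = False
    portal.login("192.0.2.20", "aa:bb:cc:00:00:02", "alice", "correct horse")
    r["old_session_evicted"] = "192.0.2.10" not in portal.sessions
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry returned by `demo()` is `True`, including `full_spoof_passes`: once a client is authenticated, nothing in the portal's decision distinguishes that client from a LAN neighbour using the same addresses, which is why the portal should sit behind, not in place of, link-layer security.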
HTTPS (SSL) Login
When a login page is not offered over HTTPS I always feel uneasy: the portal credentials would cross the LAN in clear text, which is a bad idea on an open wireless network. Thankfully pfSense has an HTTPS option, even if it is a little tricky to set up. Three things are required for HTTPS to work: a server name, a certificate (X.509 in PEM format) and its private key (RSA private key in PEM format).
The server name is the host name clients are sent to for the login page, and it must match the Common Name on the certificate or browsers will show a name mismatch error. The certificate and private key are pasted into the web interface, and both can be generated with the tool on the System: Advanced page. Note that a self-signed certificate will produce a warning in the client browser unless the client is set up to trust it, and teaching users to click through that warning undermines the point of HTTPS, since an attacker on the same network could present a certificate of their own just as easily. Use a certificate issued by a CA the clients already trust where you can. HTTPS protects the password in transit; it does nothing about the IP/MAC spoofing described earlier.
Customisable Portal Pages
The customisable pages are a nice feature of the portal to help it fit in with a network (e.g. to show a company style login page). The pfSense captive portal allows highly customisable login and error pages by allowing users to upload customised HTML pages with messages about network use or to add company logos (which are managed by the file manager).
The file manager speaks for itself really: it's the place you manage the uploaded files for the customised captive portal pages. It's nice to see that there is a way to keep track of the uploaded files and that they aren't just stuck in a directory out of the way.
Other Features
The URL redirection feature works by changing the website that would be loaded after going through the captive portal. This is useful for an intranet site or a hard to remember external domain that everyone should be directed through.
The per-user bandwidth restriction lets you limit the upload and download speed of each user. It is a very useful feature for stopping one person taking up all the bandwidth, and it works well with the no authentication mode.
2.0 Alpha-Alpha features
Note: These features are taken from a pre-release alpha build of pfSense 2.0 (2.0-ALPHA-ALPHA, built on Tue Jun 23 08:18:08 EDT 2009) and anything said here could change before final release.
The new 2.0 release will allow you to run the captive portal on more than one interface; previously you could only use one interface at a time. This is a small improvement that will help administrators of larger networks deal with scalability and bandwidth concerns.
The users tab in the Captive portal UI (Services:Captive portal) will be replaced with a Vouchers tab in version 2.0 since the user account management has been made more system wide.
2.0 User Manager
While this is not directly a captive portal feature, the user manager is a heavy dependency for the local authentication used on many smaller networks. The local user management interface has been moved to System: User Manager (in the System menu under User Manager) and has been vastly improved to support more advanced settings such as per-user SSH authorized keys, and it will be used in a more system-wide manner.

Groups will also be implemented in the User Manager so that system privileges can be limited to only what people require, which is naturally good practice. Restrictions are assigned to groups, and users are then added to groups to have those restrictions applied to their accounts. Restrictions include limiting access to web UI pages and shell access.
An LDAP server backend will be available for user authentication, with fallback to the internal user/group database in case the server is unavailable. This fits in with the vastly upgraded user management system and will surely make administrators happy.
Conclusion
I like to use the captive portal that pfSense provides to let some computers be used without Internet access while allowing other, authorised users to get online. I have also used it on a wireless AP (with WPA) to keep some people off the Internet while allowing a trusted few at a house party.
The UI on pfSense has a good layout and helpful detailed descriptions for most options which never makes you feel like you need to look up a manual. I have used the pfSense captive portal personally for about 3 months without any stability issues and would be happy to recommend it.


Reader Comments (3)
Nice post, thanks for promoting the project!
I am a user of pfSense and I have noticed that when you set up a user and his/her time expires, pfSense deletes the account. What's with that? I don't know if you have noticed that and if you can help on how to solve that problem.
Any help will be appreciated. TenQ
hassankiara: That's just the way it currently is with pfSense: it deletes the account. It's a shame, I know.