pfSense: Captive Portal
Wednesday, July 22, 2009 at 12:23PM

Disclosure: I am not connected with pfSense/BSD Perimeter LLC in any business manner; I am just a user. I created this feature focus for my own reasons but decided to publish it anyway.
Introduction
For the uninitiated, pfSense is a standalone firewall/router that is based on FreeBSD and designed for use on standard PC hardware. It uses the OpenBSD Packet Filter (hence the pf) for the firewall and offers advanced features such as hardware redundancy via CARP, VPN and load balancing. In this post, however, I will be talking about an interesting feature, the captive portal on pfSense 1.x, and I will also take a quick look at pfSense 2.0, which is yet to be released.
A captive portal normally sits between the client hosts on the network and the Internet. It normally requires a login from the user before permitting access. This is useful if you wish to allow or deny some people getting online with your wireless at your house party, stop visitors accessing the Internet at the office, or simply display an acceptable use policy.
Captive portals will normally permit access to an IP/MAC address pair that has been authenticated by the device. As anyone who knows about networking will tell you, both MAC and IP addresses can easily be spoofed by an attacker on the LAN to match an already authenticated pair, permitting the attacker's traffic through the portal. This weakness is something to keep in mind when thinking of using a captive portal.

