Upgrade Alix board with pfSense 1.2.3 to pfSense 2.0 RC3

Introduction

After enough tests with RC3 in a virtual environment, I decided to upgrade my pfSense 1.2.3 appliance running on an Alix2d13. Considering my Dual WAN setup with load balancing and some other rules, I didn't really want to lose any of my configuration during this process.

If I made an in-place upgrade, what would my rollback strategy be?

If I performed a clean install and just restored a configuration backup, what guarantee is there that it will work? Of course I can test it in my virtual lab, but there are risks with the physical scenario that I can't predict using this method. So I needed an alternative.

Scenario

I want to test upgrading my pfSense 1.2.3 to 2.0 RC3. For that purpose I need a reliable rollback plan with no data loss and minimal operations required. How I achieved it is described in the Explanation section.

Setup

The setup is described in this post: SoHo Firewall Appliance with Alix2d13 and pfSense; nothing has changed there since.

Configuration

First I made a backup of the full configuration of the 1.2.3, just in case.

Then download the image file: pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd-upgrade.img.gz

And extract the image from the archive.

Now, as described here: Installation on a standard PC (CF/IDE version), we need the physdiskwrite tool to write the image to the Compact Flash (CF). I've used:

physdiskwrite 0.5.2 + PhysGUI

Then I plugged the new CF into the card reader and made sure there were no partitions on it using the Disk Management console (Start > Run > diskmgmt.msc); otherwise you will receive an error message like the one in the Issues section below.

Then start physdiskwrite with PhysGUI and select the CF disk.

Right-click on the disk, select Image laden (Load Image), then Öffnen (Open). Browse to the extracted image and select it.

You will see a warning message window; tick the check box next to Remove 2GB restriction. Mine is 8 GB; if your CF is smaller, don't.

Yet another warning window asks whether you really want to overwrite the disk with the image.

Now you have about 20 to 30 minutes of waiting, so be patient and do some other stuff.

We are ready.

Explanation

Finally I got it: instead of changing the content of my original Compact Flash, why not get a second one and use it for the tests instead? This way I can retain my original configuration and, with just a swap of the cards, be right back where I started.

Testing

After the successful installation I just swapped the CFs and configured pfSense 2.0 RC3 using the console cable.

Then, using the WebGUI, I restored the backup configuration from 1.2.3. Now it is time to check the functionality.

The interface configuration was in place, but the Load Balancing configuration was gone. Also my OpenVPN configurations were restored, but in a non-working state. The firewall rules were applied, but with the Load Balancer missing there was little use for them. After about half an hour of checks, I decided to roll back to 1.2.3. Swap the CFs again and everything works the old way.

Issues

Writing to the CF card: as stated in Special considerations for Windows Vista/7:

If you get write errors shortly after physdiskwrite has begun writing to the target disk (usually after 65536 bytes), this may be caused by existing partitions on the disk. Use the Disk Management utility (right-click on the “Computer” icon on the desktop and select Manage, then navigate to Computer Management (Local)/Storage) to delete all partitions on the target disk before starting physdiskwrite.

If you are unable to delete all the partitions with the Disk Management utility, try the following procedure:

1. Open a command window as admin ("cmd")
2. Type "diskpart" and hit enter.
3. Type "list disk" and hit enter to find out the number of your drive.
4. Type "select disk X" (where you replace X with the number of your drive) and hit enter.
5. Type "clean" and hit enter.

So I had to clean the disk first, but it was a breezy task. Then everything was alright.

Conclusion

Up until the restoration of the configuration backup everything is OK. Now I have to test the restoration in my lab, or better yet reproduce my original configuration there. I ought to think about the second alternative more.

Configuring everything in the lab and then just backing up and restoring the configuration from the same installation and the same version sounds reasonable to me. Better yet, I will know that it works.

I'll have to test Dual WAN in fail-over configuration, then recreate my OpenVPN configurations, and test all the rules that I have applied.


OpenVPN on pfSense 2.0 RC3 with OpenLDAP Authentication on CentOS 5.6

Introduction

After writing OpenVPN with LDAP authentication on pfSense 2.0 RC1, a reader of my blog shared some problems with configuring OpenLDAP on CentOS. So I decided to build such a setup and test it.

Scenario

The scenario is as follows: users requiring access to the OpenVPN server are authenticated against an OpenLDAP service running on CentOS.

Setup

I've spent most of the time preparing the CentOS server. Initially my decision was to use CentOS 6.0, but after a few failed attempts to configure it, and given the absence of how-to guides for this purpose, I decided to fall back to 5.6.

For this version there is a wonderful how to guide here:

OpenLDAP on CentOS 5.6

Install And Configure OpenLDAP 2.4.25 On CentOS 5.6

Following these instructions I managed to set up OpenLDAP very fast. The only comment that I have concerns this section:

All data loaded is in LDIF format. Create a file to initialize the LDAP database:

# vi ldap-init.ldif
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: mycompany
dn: cn=Admin,dc=mycompany,dc=com
objectclass: organizationalRole
cn: Admin

 

You have to have one empty line between the two entries, otherwise the import in the next step fails. So the above should look like:

# vi ldap-init.ldif
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: mycompany

dn: cn=Admin,dc=mycompany,dc=com
objectclass: organizationalRole
cn: Admin
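As an added check, written for this post and not part of the how-to guide or of OpenLDAP, the following Node.js snippet parses a small LDIF file into entries and flags exactly the mistake above: a second dn: line inside one entry, which means the empty line separating the entries is missing. The two sample LDIF strings are constructed from the entries shown above; parseLdif and checkLdif are names I chose.

```javascript
// Added example: minimal LDIF entry checker (not from the original post or the how-to).
// LDIF entries are separated by one or more empty lines; a line starting with a single
// space continues the previous line; lines starting with '#' are comments.

function parseLdif(text) {
  const entries = [];
  const problems = [];
  const blocks = text.replace(/\r\n/g, "\n").split(/\n[ \t]*\n/);

  blocks.forEach((block, i) => {
    const label = "entry " + (i + 1);
    // Unfold continuation lines and drop comment / empty lines.
    const lines = [];
    for (const raw of block.split("\n")) {
      if (raw.startsWith("#") || raw.trim() === "") continue;
      if (raw.startsWith(" ") && lines.length > 0) lines[lines.length - 1] += raw.slice(1);
      else lines.push(raw);
    }
    if (lines.length === 0) return;

    const attrs = [];
    for (const line of lines) {
      const m = /^([A-Za-z][A-Za-z0-9.;-]*):\s*(.*)$/.exec(line);
      if (!m) { problems.push(label + ": malformed line \"" + line + "\""); continue; }
      if (m[1].toLowerCase() === "version") continue; // optional "version: 1" header
      attrs.push({ name: m[1].toLowerCase(), value: m[2] });
    }

    const dnLines = attrs.filter(a => a.name === "dn");
    if (dnLines.length === 0) {
      problems.push(label + ": no dn: line");
    } else if (dnLines.length > 1) {
      // This is the failure described in the post: two entries glued together.
      problems.push(label + ": " + dnLines.length + " dn: lines in one entry; missing empty line between entries");
    }
    if (attrs.length > 0 && attrs[0].name !== "dn") problems.push(label + ": first line must be dn:");
    entries.push({ dn: dnLines.length > 0 ? dnLines[0].value : null, attrs: attrs });
  });
  return { entries: entries, problems: problems };
}

// Constructed sample: the two entries from the how-to, written without the empty line.
const LDIF_MISSING_SEPARATOR = [
  "dn: dc=mycompany,dc=com",
  "objectclass: dcObject",
  "objectclass: organization",
  "o: Example",
  "dc: mycompany",
  "dn: cn=Admin,dc=mycompany,dc=com",
  "objectclass: organizationalRole",
  "cn: Admin",
  "",
].join("\n");

// The corrected version: one empty line before the second dn:.
const LDIF_OK = LDIF_MISSING_SEPARATOR.replace("\ndn: cn=Admin", "\n\ndn: cn=Admin");

// Summarise a file: how many entries were found, their DNs, and any problems.
function checkLdif(text) {
  const result = parseLdif(text);
  return {
    entryCount: result.entries.length,
    dns: result.entries.map(e => e.dn),
    problems: result.problems,
  };
}

console.log(checkLdif(LDIF_MISSING_SEPARATOR)); // 1 entry, one "missing empty line" problem
console.log(checkLdif(LDIF_OK));                // 2 entries, no problems
```

Running this before ldapadd turns the cryptic import failure into a message naming the entry that is missing its separator.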

 

 

The next step is to create a few test users. For that purpose I've used:

LDAP Admin

Ldap Admin is free Win32 administration tool for LDAP directory management. This application lets you browse, search, modify, create and delete objects on LDAP server. It also supports more complex operations such as directory copy and move between remote servers and extends the common edit functions to support specific object types (such as groups and accounts).

You can use it to manage Posix groups and accounts, Samba accounts and it even includes support for Postfix MTA. Ldap Admin is free Open Source software distributed under the GNU General Public License.

Configuration

It is time to configure pfSense. I will skip all the steps described in the previous posts. You can find them here:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

OpenVPN with LDAP authentication on pfSense 2.0 RC1

Now let's go straight to System > User Manager, on the Servers leaf.

Hostname or IP address: this is the address of the CentOS server.

Base DN: this is the domain name written as a DN (in the example above, dc=mycompany,dc=com).

Authentication container: after I entered the Bind credentials the container was visible, but when I clicked on the Save button nothing happened. So I typed it in manually.

Bind Credentials: enter the User DN and Password. I've tested it with Use anonymous binds to resolve distinguished names, and it works too.

Group Member Attribute: you can modify this with Uid=%s, if you need to.

Testing

Just for reference, this is my test user.

After performing the OpenVPN configuration, enter the user name and the password.

If everything is OK, you should be successfully connected and see something similar to this in the OpenVPN logs:

You can also test the connection using Diagnostics > Authentication. Select the Authentication Server (in my case the CentOS OpenLDAP connection is named Test), enter Username and Password, and see the result.

If you get an error, you can check Status > System Logs on the System leaf for errors.

I got this error when the CentOS server was turned off.

Issues

The issue I faced was the problem with selecting the OU in which my users reside. Hopefully this will be fixed in future versions. On the CentOS side the problems were related to the changes in OpenLDAP in the 6.0 version.

Conclusion

That’s it. Thank you for reading.


pfCenter

These days I've been looking at the tweets of Scott Ullrich, and what caught my attention was the mention of pfCenter several times.

As written here:

pfCenter is the product we are working on to allow administration of multiple pfSense boxen from one GUI / Appliance.

and here

pfCenter now supports tags! Later this summer we will change how large scale deployments of pfSense are managed.

Then I took a look at the shared screenshots from his image gallery.

There is even a thread in the forum with obscure information: Next Gen of pfSense <—> pfCenter

My suspicion is that this center will perform tasks similar to Astaro Command Center.

There will be Real-Time Monitoring, and Site-to-Site VPN configuration for multiple sites made quick and easy. We can hope for centralisation of Device Maintenance tasks such as firmware upgrades and configuration propagation, some kind of Inventory Management component that can show us what we have, where, and in what state, and Access Management so you need to know only one set of credentials to manage all hooked-up devices. I really do hope that there will be some form of Aggregated Reporting functionality: RRD is great for some purposes but alone is not enough, and NTOP is great but a dedicated appliance is better suited for it.

The next logical question is where you would place such a thing.

On a pfSense box, maybe, but a dedicated appliance sounds more reasonable, taking into account the amount of data and load that such a solution could generate. As an alternative, a Virtual Appliance sounds like a good idea. Last but not least, another option is a service in the cloud, a hosted multi-tenant installation of pfCenter. Which of these alternatives will be the one we'll see?

Until then, take a look at the teasers:

The source of these images is Scott Ullrich's twitpic gallery.


Install Open VM Tools package on pfSense 2.0 RC3 for VMWare

In my previous posts we installed pfSense 2.0 RC1 on VMware Workstation 7 and adjusted the memory of the Virtual Machine in pfSense 2.0 RC1 on VMware Workstation 7.1.4 – RAM size.

Now let's continue with the setup of the Virtual Machine with the installation of VMware Tools for pfSense.

For that purpose go to System > Packages, and on the Available Packages leaf find Open-VM-Tools. Click on the "+" next to it and start the installation.

Wait for it to finish; on the Installed Packages leaf you should see it listed. Click on the link below Package Info to see the instructions on how to verify a successful installation.

The check boils down to connecting to the console, executing the following two commands and looking at their output:

ps ax|grep vmware

kldstat

That's it.


Upgrade pfSense 2.0 from RC1 to RC3.

In this post we will upgrade pfSense 2.0 from RC1 to RC3.

For the purpose go to this page with the news about the RC3 release:

2.0-RC3 now available!

and click on the Upgrades link: http://www.pfsense.org/mirror.php?section=updates

select a mirror and download the image that suits you, in my case it was:

pfSense-Full-Update-2.0-RC3-i386-20110621-1542.tgz

Now go to System > Firmware and click on Enable Firmware uploads.

Click on Choose File button, select the file that we just downloaded, and click on Upgrade Firmware button.

Wait for the firmware upgrade process to complete.

That's it. If you want a more graphical representation, I've just uploaded a video here with the whole process.


pfSense 2.0 RC1 – Captive Portal with RADIUS Authentication and Vouchers

Introduction

We set up the Captive Portal and customized the pages in the previous posts. Now let's wrap it up with the other two authentication methods. In this article we are going to configure RADIUS authentication for users and create Vouchers for our Guests.

Scenario

In the previous post pfSense 2.0 RC1 – Configure Captive Portal for Guests, we used the Local User Manager for authentication. But managing users in multiple systems can be a dull task. For that reason we could provide our Users with a way to use their Active Directory user accounts to authenticate against the Captive Portal.

For our Guests we can create one Guest user account in Active Directory, but a better solution would be to provide them with a one-time-use Voucher that can be disposed of at the end of the day.

Setup

The only change from our previous setup is the use of one Windows Server 2008 R2, with Active Directory Domain Services and Network Policy Server roles.

Configuration

Network Policy Server (NPS) aka RADIUS Server, Configuration

We can reuse the NPS setup from OpenVPN with RADIUS authentication on pfSense 2.0 RC1, up until the pfSense configuration, so I will not duplicate the steps here.

On the pfSense side, go to Services > Captive Portal.

On the Captive Portal leaf, scroll down to the Authentication section.

As Authentication choose RADIUS Authentication.

Primary RADIUS server, IP address: 10.10.9.99

Enter the Shared Secret.

Optionally, if you wish, tick the Send RADIUS accounting packets check box.

Under RADIUS options, RADIUS NAS IP Attribute, select the LAN interface. I presume that your RADIUS server is behind this interface.

Save the configuration.

Vouchers Configuration

The first time you enable the Vouchers, a pair of RSA keys is generated for you automatically.

The pre-generated RSA keys are 32 bits. For now we will use the default, but if you want to create 64-bit keys, you can check out the article Captive Portal Vouchers.

For the Save Interval the default value is 5 minutes, but I do not want the state of the vouchers to be kept in my configuration file, so I'll change it to 0. Leave the rest of the fields at their default values. Save the configuration.

Now let's generate some vouchers: in the Voucher Rolls section, click on the "+" sign.

On the new page, enter Roll# – 16, Minutes per Ticket – 460 (8 hours), Count – 10 (this is the number of vouchers generated). You can put some comment for reference. Save it.

Upon return to the Vouchers leaf, click on the circle with "i" in it to export the list of vouchers.

The result should look similar to this:

Testing

Open a browser on a computer connected to the Guest interface of pfSense, enter a web address, and you should be presented with the Captive Portal page.

For the RADIUS test, enter a user name and password from Active Directory, and you should successfully log in.

To test the Voucher system, copy one of the rows from the csv file and paste it in the Voucher field.

The web address that you typed should load, and you will have access for the next 8 hours.

In the web GUI you can check that the user is successfully connected.


References

http://doc.pfsense.org/index.php/Category:Captive_Portal

Aggregated all topics related to Captive Portal in pfSense Documentation

http://doc.pfsense.org/index.php/Captive_Portal_Vouchers

Specific article for the Vouchers

http://doc.m0n0.ch/handbook/captiveportal.html

m0n0wall documentation of the Captive Portal, can be used for cross references.

Conclusion

During the last three posts we looked at the basic configuration of the Captive Portal in pfSense 2.0 RC1. We also customized the Portal pages and used the different authentication methods available. Using this feature of pfSense you can safely provide Internet access to your users and guests. Of course there are many other options that we have not covered, but they are left for future posts.

Thank you for reading, and I hope it was helpful.


pfSense 2.0 RC1 – Customize Captive Portal Pages and implement HTTPS

Introduction

In the previous post pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management we configured a basic Captive Portal. Now I want to customize a little the web pages that are presented to the guests. Users will send credentials, so it is better to use HTTPS; that's why we will configure it too.

Scenario

I want to customize the pages with custom colors and a logo. Moreover, the default page does not have a voucher field, and I want this too. Granting access to guests must follow some rules, so an Acceptable Use Policy that has to be acknowledged is suitable for such a page.

You can see the default pages below.

Configuration

Certificate for the HTTPS/SSL

Go to System > Cert Manager

On the CAs leaf, select Create an internal Certificate Authority. Fill in the form to your liking. Make note of the Common name and the Descriptive name.

Go to the Certificates leaf and Create an internal Certificate; fill in the form. The Common Name for the certificate must match the firewall name. In my case it is pfSense.localdomain. Also note the Descriptive name of the certificate.

Export the Certificates

On the CAs leaf, click on the downward-pointing triangle with the rollover info export ca.

On the Certificates leaf, click on both downward-pointing triangles for the Captive Portal Cert.

You will end up with three files with names similar to these:

DNS Record

Go to Services > DNS Forwarder

Add a new record that will override the results from the forwarders.

Enter Host, Domain, IP Address and Description. In my case the host is pfSense, the domain is localdomain, the IP address is the one used by pfSense on the Guest network, and I've entered a useful description.

Put the Certificate data in the fields

Now open the certificates in your favourite text editor (I've used Notepad++), and copy and paste the content into the fields on the Services > Captive Portal page:

Paste Captive+Portal+Cert.crt in the HTTPS certificate section

Paste Captive+Portal+Cert.key in the HTTPS private key section

Paste Captive+Portal+CA.cert in the HTTPS intermediate certificate section

Save your configuration.

Upload the logo

Go to the File Manager leaf of the Captive Portal. Click on the + sign and choose your logo image.

Then click on the Upload button.

Take note of the name of the image; if it is different from the one used in your pages, update them before uploading.

Upload the pages

Go back to the Captive portal leaf, and scroll down to the Portal page contents section.

Click on the Choose File button and select your page file. Do the same for the Authentication error page contents with the index_error.html page. Save your configuration.

Explanation

I've used the built-in Certificate Manager because it works for me. The alternative is to use OpenSSL, as explained in the pfSense forums. This is closely related to the DNS record: the HTTPS portal form posts to the firewall name that matches the certificate's Common Name (pfSense.localdomain in my case), so guests must be able to resolve that name to the firewall's address on the Guest network, otherwise the login page will not load.

By customizing the pages we can brand them and at the same time create a more enterprise look and feel. Opening the voucher field is the first step towards my next post, where the main topic will be the configuration of vouchers and RADIUS authentication.

About the pages' code:

Index.html

<style type="text/css"> makes the background black.

<img src="captiveportal-logo.png" alt="logo"/> adds the image.

<td align="right">Voucher:</td><td align="left"><input name="auth_voucher" type="text" style="border: 1px dashed;"> adds the Voucher field.

<TEXTAREA id="aup" name="aup" rows="15" cols="50"> adds the Acceptable Use Policy. I've borrowed this from How To: Using m0n0wall to create a Wireless Captive Portal – Step 4: Create the Captive Portal Page.

You can see the original page here: http://www.smallnetbuilder.com/images_old/myimages/howto/captiveportal/portal.htm

<script type="text/javascript"> forces the guest to accept the use policy. I've borrowed this code from the Only submit if at least one checkbox is checked example and, with a little help from a friend, integrated it into this form.

 

<html>
<style type="text/css">
body {
background-color: #000;
}
body,td,th {
color: #090;
}
</style>
<body>
<form method="post" action="$PORTAL_ACTION$" onsubmit="return CheckBoxesValidations();">
<input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
<center>
<center>
<img src="captiveportal-logo.png" alt="logo"/>
</center>
<table cellpadding="6" cellspacing="0" width="550" height="380" style="border:1px solid #000000">
<tr height="10" bgcolor="#990000">
<td bgcolor="#663366" style="border-bottom:1px solid #000000">
<font color='white'>
<b>
Stefcho's captive portal
</b>
</font>
</td>
</tr>
<tr>
<td>
<div id="mainlevel">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="0">
<tr>
<td>
<center>
<div id="mainarea">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="5">
<tr>
<td>
<div id="maindivarea">
<center>
<div id='statusbox'>
<font color='red' face='arial' size='+1'>
<b>

</b>
</font>
</div>
<br/>
<div id='loginbox'>
<table>
<tr><td colspan="2"><center>Welcome to the Stefcho's Wireless Network Captive Portal!</center></td></tr>
<tr><td colspan="2"><center>Enter User Credentials, or Voucher Code to gain access.</center></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td align="right">Username:</td><td align="left"><input name="auth_user" type="text" style="border: 1px dashed;"></td></tr>
<tr><td align="right">Password:</td><td align="left"><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td align="right">Voucher:</td><td align="left"><input name="auth_voucher" type="text" style="border: 1px dashed;"></td></tr>
<tr><td colspan="2" align="center"><TEXTAREA id="aup" name="aup" rows="15" cols="50"> Acceptable Use Policy (AUP).
</TEXTAREA></td></tr>
</table>
<p><input id="iagree" type="checkbox" name="CHKBOX1" value="1">Accept</p>
<input name="accept" type="submit" value="Continue">
</div>
</center>
</div>
</td>
</tr>
</table>
</center>
</div>
</center>
</td>
</tr>
</table>
</center>
</div>
</td>
</tr>
</table>
</center>
</form>
<script type="text/javascript">
function CheckBoxesValidations()
{
if (document.getElementById('iagree').checked == false)
{
alert("Please read and accept the User agreement to proceed!");
return false;
}
else
return true;
}
</script>
</body>
</html>
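As an added example (this is not the page's own code, and not pfSense's), here is a stricter version of the client-side check in the script above. It keeps the original rule, the AUP box must be ticked, and adds one more: the guest has to fill in either username and password or a voucher code, not both and not neither, so an empty form never reaches the portal. The field names (auth_user, auth_pass, auth_voucher, iagree) are the ones used in the index.html above; validateCaptiveForm is a name I chose. Client-side checks are only a convenience for the guest; pfSense still does the real authentication on the server.

```javascript
// Added example: stricter client-side validation for the captive portal form (not the page's own code).
// Returns null when the form may be submitted, otherwise the message to show the guest.
function validateCaptiveForm(values) {
  const user = (values.auth_user || "").trim();
  const pass = values.auth_pass || "";
  const voucher = (values.auth_voucher || "").trim();

  // Original rule from the page's script: the Acceptable Use Policy must be accepted.
  if (!values.iagree) {
    return "Please read and accept the User agreement to proceed!";
  }

  const hasCredentials = user !== "" && pass !== "";
  const hasVoucher = voucher !== "";
  if (!hasCredentials && !hasVoucher) {
    return "Enter your username and password, or a voucher code.";
  }
  if (hasCredentials && hasVoucher) {
    return "Enter either your credentials or a voucher code, not both.";
  }
  return null;
}

// Drop-in replacement for the page's CheckBoxesValidations(): reads the form from the DOM,
// shows the first problem found and blocks submission. Only called from the browser's onsubmit.
function CheckBoxesValidations() {
  const form = document.forms[0];
  const message = validateCaptiveForm({
    auth_user: form.auth_user.value,
    auth_pass: form.auth_pass.value,
    auth_voucher: form.auth_voucher.value,
    iagree: form.iagree.checked,
  });
  if (message !== null) {
    alert(message);
    return false;
  }
  return true;
}
```

To use it, replace the function inside the `<script>` block of index.html with the two functions above; the `onsubmit` attribute on the form stays as it is.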

 

Index_error.html – The only change here is the addition of “Invalid credentials specified.”. I did not add the “$PORTAL_MESSAGE$”, because it is for RADIUS only.

The contents of the HTML/PHP file that you upload here are displayed when an authentication error occurs. You may include “$PORTAL_MESSAGE$”, which will be replaced by the error or reply messages from the RADIUS server, if any.

<tr>
<td>
<div id="mainlevel">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="0">
<tr>
<td>
<center>
<div id="mainarea">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="5">
<tr>
<td>
<div id="maindivarea">
<center>
<div id='statusbox'>
<font color='red' face='arial' size='+1'>
<b>
Invalid credentials specified.
</b>
</font>
</div>
<br/>

You can download my pages from here:

index

index_error

Testing

Connect to the guest network and try to open a web page. You will see a warning about your certificate, because it was signed by an internal CA that the guest's browser does not trust; proceed past it. Now you are supposed to see your new custom page. Enter your username and password, read the Acceptable Use Policy and click on the Accept check box, then on the Continue button. If you don't tick the Accept check box, a warning message window will appear informing you that you must accept the policy first.

In case you mistype your user name and/or password, intentionally or not, you will see Invalid credentials specified in red. Now you can try to enter them again.

After a successful login you will have Internet access, and on the Status > Captive Portal page you will be able to see the currently logged-on users.

Issues

The DNS record surprised me because I had not used it up until now.

References

Here are some materials that could help you further develop the Captive Portal Pages:

http://doc.pfsense.org/index.php/Category:Captive_Portal

Free, cool, and easy Captive Portal (Guest portal)

How To: Using m0n0wall to create a Wireless Captive Portal – Step 4: Create the Captive Portal Page

pfSense: Captive Portal Logo Edit

How to make the Captive portal in pfSense 2.0 reachable from different networks (Как в pfsense 2.0 сделать Captive portal доступным из разных сетей)

Installation and configuration of a Wi-Fi hot-spot system using the PfSense 2.0 software router as an example (Part 1) (Установка и настройка Wi-FI HOT-SPOT системы на примере программного роутера PfSense 2.0. (Часть 1))

A good base for the Acceptable Use Policy:

Acceptable Use Policy for the Wireless Network

Acceptable Use Policy for Wireless Access

Acceptable Use Policy

Conclusion

Now we have better-looking pages displayed to our guests and a well-communicated Acceptable Use Policy for the Guest Network. The credentials of our users are transferred over an SSL channel and not in plain text.

Update 03.07.2011: Sorry for the typos, I've fixed them in the html pages.


pfSense 2.0 RC3 released!

Good news: today RC3 was released, and it is supposed to be the last RC before RTM, which is very promising.

If the news is right, we can expect RTM in a month; I hope that this is a realistic estimate of the time needed.

You can read the original news here:

2.0-RC3 now available!

Downloads are available, and I'm in the process of upgrading my lab from RC1 to RC3. For that purpose I will use a clean install and restore a configuration backup. Upgrading is not my preference, but I will eventually try it later on.

pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management

Introduction

More or less it is expected of a company to provide some form of wireless Internet access to guests, clients and partners visiting their premises. Providing it could pose a security risk if you use just a simple wireless access point directly connected to your LAN. It is better to isolate them in a separate network segment without access to your LAN. For that purpose we will use an Optional Interface and the Captive Portal feature of pfSense 2.0 RC1.

Scenario

You want to provide your guests with Internet access using a single or multiple Wireless Access Points, but you want to prevent them from lurking around your servers and workstations. Even worse, they could be infected with some malicious code that tries to take over your network. You have probably seen what enterprise-grade wireless solutions offer in functionality, but the price of these solutions is prohibitive for Small Office Home Office (SoHo) use.

In this post we will look at the basic configuration of the Captive Portal, a feature of pfSense, and how to implement a basic scenario with required authentication of guests, who will be quarantined from our internal network but will have almost full Internet access at their disposal.

Setup

We have a simple setup of pfSense 2.0 RC1 with three network interfaces. The WAN gives us access to the Internet, behind the LAN interface reside our servers and workstations, and we will put the guests behind the GUESTS interface. For reference take a look at the network diagram.

Some hardware appliances on which pfSense is running might have Wireless Network Interface Cards installed; in that case you can use that interface for GUESTS, but currently I do not have such a card available for testing. In the near future, when I do get one, I will test this scenario too.

If you are unfortunate enough to have only two network interfaces, but fortunate enough to have a VLAN-capable switch, you can separate the LAN and the GUESTS into separate VLANs. Take a look at the network diagram below for reference. Yet again this is a separate scenario that I will leave for future posts.

Configuration

Configure the Guests Interface

If you haven't configured the third network interface already, let's configure it now.

Go to Interfaces > (assign), click on the + button, and then click on the Save button to save the configuration.

Now go to your newly added interface; the name by default is OPT1.

Tick Enable Interface and click Save.

Now you can enter a Description for this interface; in my example I used Guests.

Select Static as Type.

In the Static IP configuration section, enter an IP address for the interface and a subnet mask. In my case these are 192.168.0.1/24.

Then click on the Save button, and Apply changes.

Setup a DHCP Server for this Interface

Go to Services > DHCP Server, and on the Guests leaf tick Enable DHCP server on Guests interface.

Enter a Range (aka pool) of IP addresses available for our guests, in my case 192.168.0.10-20.

Enter 192.168.0.1 as the value for DNS Server and Gateway, then Save the configuration.

Apply Firewall rules on the Guests Interface

As we stated in the Scenario section, we want to provide our guests only with Internet access and NO access to our LAN resources; preventing them from accessing the Web GUI of pfSense is also a good idea.

As a base for the required firewall rules I used this wonderful article: How To: Using m0n0wall to create a Wireless Captive Portal – Security

As you know pfSense is a fork of m0n0wall, so the rules still apply.

So here are my rules (pfSense evaluates the rules of an interface from top to bottom and the first match wins, so the block rules have to stay above the final allow rule):

The NetBIOS Block rules do exactly what the description states.

Web GUI Block prevents guests from accessing the management interface of pfSense from the wireless network.

The WAN Address / Subnet Block prevents guests from accessing any devices connected directly to our WAN port, in case you have something like a modem or anything else that could be configured using a web or other interface.

The last rule, Guests to Any Other Than LAN network, provides our guests with the so much needed Internet access.

As an additional test I've made a rule that blocks all traffic on this interface outside business hours. This is the first time that I have used a Schedule for a rule, so treat it as experimental. The idea for this rule is inspired by this blog post: pfSense Captive Portal with Firewall Schedules

If you’re providing Wifi access you certainly don’t want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal.
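To make the ordering of these rules concrete, here is an added example, written for this post and not the post's own rule set or any pfSense code: a small first-match evaluator in Node.js that mirrors the Guests-interface rules described above (the schedule rule, the NetBIOS block, the Web GUI block, the WAN subnet block and the final "Guests to Any Other Than LAN" pass rule) and runs a few constructed packets through them. The LAN and WAN subnets are not given in the post, so LAN_NET and WAN_NET are constructed; the ports used for the Web GUI (80/443) and NetBIOS (137-139, 445) rules are my assumption about what those rules block. The guest interface address 192.168.0.1 is the one from the post.

```javascript
// Added example (not the post's own rules or pfSense code): first-match evaluation of the
// Guests-interface rule set. pfSense evaluates interface rules top to bottom and the first
// match wins, so every block rule must sit above the final pass rule.

const FIREWALL_GUEST_IP = "192.168.0.1"; // from the post: pfSense address on the Guests interface
const LAN_NET = "192.168.1.0/24";        // constructed assumption, not given in the post
const WAN_NET = "203.0.113.0/24";        // constructed assumption (documentation range)

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  if (cidr === "any") return true;
  const parts = cidr.split("/");
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0]) & mask) >>> 0);
}

// Rule order matters: the schedule rule first, then the blocks, then the single pass rule.
const GUEST_RULES = [
  { action: "block", proto: "any", dst: "any", ports: null,
    desc: "Outside business hours", active: hour => hour < 8 || hour >= 18 },
  { action: "block", proto: "tcp/udp", dst: "any", ports: [137, 138, 139, 445], desc: "NetBIOS Block" },
  { action: "block", proto: "tcp", dst: FIREWALL_GUEST_IP + "/32", ports: [80, 443], desc: "Web GUI Block" },
  { action: "block", proto: "any", dst: WAN_NET, ports: null, desc: "WAN Address / Subnet Block" },
  { action: "pass", proto: "any", dst: "!" + LAN_NET, ports: null, desc: "Guests to Any Other Than LAN" },
];

function ruleMatches(rule, pkt, hour) {
  if (rule.active && !rule.active(hour)) return false;                                   // schedule not active now
  if (rule.proto !== "any" && !rule.proto.split("/").includes(pkt.proto)) return false;
  const negate = rule.dst.startsWith("!");
  const cidr = negate ? rule.dst.slice(1) : rule.dst;
  if (inCidr(pkt.dst, cidr) === negate) return false;                                    // "!net" matches outside net
  if (rule.ports && !rule.ports.includes(pkt.dport)) return false;
  return true;
}

// pkt: { proto: "tcp" | "udp" | ..., dst: "a.b.c.d", dport: number }; hour: 0-23 local time.
function evaluateGuestRule(pkt, hour) {
  for (const rule of GUEST_RULES) {
    if (ruleMatches(rule, pkt, hour)) return { action: rule.action, desc: rule.desc };
  }
  return { action: "block", desc: "default deny" }; // pfSense blocks whatever no rule passes
}

// Constructed traffic samples from a guest on the 192.168.0.0/24 network.
const SAMPLES = [
  { proto: "udp", dst: FIREWALL_GUEST_IP, dport: 53 },  // DNS to the firewall: must keep working
  { proto: "tcp", dst: FIREWALL_GUEST_IP, dport: 443 }, // the Web GUI
  { proto: "tcp", dst: "8.8.8.8", dport: 445 },         // SMB leaving the network
  { proto: "tcp", dst: "192.168.1.10", dport: 80 },     // a LAN host
  { proto: "tcp", dst: "203.0.113.1", dport: 80 },      // a device on the WAN segment
  { proto: "tcp", dst: "93.184.216.34", dport: 443 },   // the Internet
];

for (const pkt of SAMPLES) {
  console.log(pkt.proto, pkt.dst + ":" + pkt.dport,
              "| 10:00 ->", evaluateGuestRule(pkt, 10).desc,
              "| 02:00 ->", evaluateGuestRule(pkt, 2).desc);
}
```

One detail worth checking in your own rule set: the DHCP server above hands out 192.168.0.1 as the guests' DNS server and gateway, so the Web GUI block must be limited to the GUI ports rather than blocking the firewall address outright, otherwise name resolution on the guest network stops working.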

Configure Captive Portal

Go to Services > Captive Portal.

Tick Enable captive portal and select our Guests interface. You can leave the default values for Maximum concurrent connections and Idle timeout for now. For Hard timeout you can choose a period depending on the average stay of your guests; for my test purposes a value of 60 minutes is fine.

If you really believe that your guests are conscientious enough, you can enable the Logout popup window and give them the possibility to log out by themselves, but for the sake of simplicity I will not enable this feature.

A very nice feature is the Per-user bandwidth restriction: you can limit the amount of bandwidth that each user can consume. This will slow down their access but will leave resources for more concurrent users. It is up to you to decide whether to use this or not. In my setup I've enabled this feature for testing purposes, and the results were satisfactory.

For Authentication we have three options. No authentication can be used for a page with an Acceptable Use Policy for the Wireless Network, which your guests must only acknowledge.

For this example I will use Local User Manager. In a future blog post I will take a look at RADIUS Authentication.

For now scroll down to the end of the page and click Save.

User Management

Go to System > User Manager and create a new user.

For my example the User name is guest; type in a Password and a Full name.

Explanation

The purpose of the Captive Portal is to force guest users to visit a page before they are provided with Internet access; whether you simply require them to accept a use policy or to authenticate in some manner is up to you and your needs.

Testing

Now I suppose that you have connected one or more Wireless Access Points to the Guests interface of pfSense and configured an SSID for guests, and that you have connected to this wireless network. Now, when you open a browser and type in some website address, you will be redirected to the Captive Portal page and be required to enter a user name and password; use the guest account. After successful authentication you will be redirected back to the original web site address that you entered.

Conclusion

Now you can connect one or more Wireless Access Points to the Guest interface of pfSense and distribute the guest user name and password to clients coming over. Whether you limit the service to normal business hours or limit the bandwidth for each user I leave up to you.

In the following post I will look at the possibilities to customize the Captive Portal pages, and the implementation of Vouchers and RADIUS authentication.