wiki.ipfire.org

The community-maintained documentation platform of IPFire


Captive Portal

With the Captive Portal, new or temporary network clients have no access to your network until they have been authorized, and it is easy for you to manage that access. If you regulate access to your guest WiFi with the Captive Portal, you can do without encryption under certain circumstances.

Initial Setup

There are two different ways to give a client access to the system. It is possible to change the authorization method during operation without already authorized clients losing access.

The Captive Portal can be activated for the green and blue zones.

Terms & Conditions

In this mode, the user only has to accept the terms and conditions. We recommend this mode for a cafe or similar place with a larger number of unknown users. To keep the list of authorized clients short, you can set an expiry time after which access for that client is cut off and it needs to authorize again.

Coupons

If you choose coupons as your method of authorization, you can generate one or more coupons with a lifetime from one hour to multiple months, or with an unlimited lifetime. Every coupon can only be used once, and coupons with different lifetimes can be created at once.

This mode is recommended for a hotel or similar scenario with a smaller number of known users.

Exporting Coupons as PDF

Using the “Export Coupons” button you can create a PDF file which contains the list of unused coupons ready to print.

Branding

To customise the Captive Portal to your corporate design and make it recognised by your users, you can set the highlight colour to your brand colour and upload a background image which can also contain a logo.

You should also enter your company name so users know that they are connecting to the correct network.

Examples

Access Control

Revoking Access for a single client

You can just remove the client from the list of authorized clients. Internet access is stopped immediately.

Any clients that have expired are automatically purged once a day.

Using the BLUE zone for your Captive Portal

We recommend using the BLUE zone for your wireless network so that the LAN is separated from the WiFi. There are two ways to do so.

You will need to use either the internal IPFire DHCP server or an external one.

IPFire as a Wireless Access Point

In case you have configured your IPFire to work as a wireless access point, the captive portal can be combined with it. Just configure the access point as usual without encryption and enable the Captive Portal on BLUE.

3rd party Wireless Access Point

The IPFire Captive Portal is also compatible with other access points that are connected to the IPFire system via Ethernet. Set up one or multiple access points as usual as an open network and enable the IPFire Captive Portal.

FAQ

Can the Captive Portal be combined with the web proxy/URL filter?

Yes. Just configure the URL filter as usual and consider sending the proxy configuration via DHCP to each client.

In some countries, using Captive Portals is not legal. In some others, they are required in order to offer public WiFi. We cannot give you any legal advice here, so please check the law of your country.

Security Considerations

Giving access to untrusted people can be dangerous. Please make sure that you do not configure any firewall rules that allow access to parts of the network where those people should not have access. They will, however, have full access to the network zone the Captive Portal is operated in, and they will also have access to other clients on that network. This is because traffic from one client to another does not pass through the firewall.

The Captive Portal gives limited DNS access before the client has been authorized to use the network. That is to allow network connections to come up and to let the web browser open a website which will then be redirected to the Captive Portal's authentication page. We have a bandwidth limiter in place that will throttle the number of DNS queries that can pass so that DNS cannot be used to tunnel any other network traffic.
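The effect of such a query throttle can be illustrated with a per-client token bucket, as an added example that is not IPFire's own code. The rate of 2 queries per second, the burst of 5, the client addresses and the traffic are constructed assumptions, and a token bucket is only one common way to build a limiter like this.

```python
from collections import defaultdict

COST = 1000  # one query costs 1000 milli-tokens; integer maths avoids float drift


def throttle(queries, rate, burst):
    """Per-client token bucket over (timestamp_ms, client) DNS queries.

    rate is queries per second (integer), burst is the bucket size in queries.
    Returns {client: (passed, dropped)}.
    """
    capacity = burst * COST
    tokens = defaultdict(lambda: capacity)  # each client starts with a full bucket
    last_seen = {}
    counts = defaultdict(lambda: [0, 0])
    for ts, client in sorted(queries):
        elapsed_ms = ts - last_seen.get(client, ts)
        # rate tokens per second equals rate milli-tokens per millisecond
        tokens[client] = min(capacity, tokens[client] + elapsed_ms * rate)
        last_seen[client] = ts
        if tokens[client] >= COST:
            tokens[client] -= COST
            counts[client][0] += 1  # query is let through to the resolver
        else:
            counts[client][1] += 1  # query is dropped by the limiter
    return {c: tuple(v) for c, v in counts.items()}


def sample_queries():
    # Constructed traffic, not captured data (addresses from a documentation range).
    # 192.0.2.10: a client that has just joined and resolves a few names in 2 seconds.
    normal = [(t, "192.0.2.10") for t in (0, 100, 500, 1000, 2000)]
    # 192.0.2.66: tunnel-like behaviour, one query every 20 ms for 10 seconds.
    tunnel = [(i * 20, "192.0.2.66") for i in range(500)]
    return normal + tunnel


if __name__ == "__main__":
    # Assumed limiter settings: 2 queries per second, burst of 5.
    for client, (passed, dropped) in throttle(sample_queries(), rate=2, burst=5).items():
        print(client, "passed:", passed, "dropped:", dropped)
```

The joining client gets all of its lookups answered, while the sustained stream is cut down to the configured rate, which is what makes DNS impractical as a transport for other traffic before authorization.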

configuration/network/captive.txt · Last modified: 2018/09/23 21:12 by Jon