This wiki is a community-maintained resource about everything there is to know about IPFire.
With the help of our Captive Portal all new or temporary network clients have no access to your network but it is easy for you to manage the access to your network. If you regulate the access to your guests' wifi with the captive portal you can renounce the encryption under certain circumstances.
There are two different ways to give a client access to the system. it is possible to change the authorization method during operation without loosing access of the already authorized clients.
The Captive Portal can be activated for the green and blue zones.
In this mode, the user only has to accept the terms and conditions. We recommend to use this in the scenario of a cafe or similar place with a larger number of unknown users. To keep the list of authorized clients short, you can set an expiry time after which access for that client is being cut off and it needs to authorize again.
If you choose coupons as your way of authorisation you are able to generate one or more coupons with a lifetime from one hour to multiple months and unlimited, too. Every coupon can only used once and coupons with different lifetimes can be created at once.
This is recommended to be used in a hotel or similar scenario with a smaller number of known users.
Using the "Export Coupons" button you can create a PDF file which contains the list of unused coupons ready to print.
To customise the Captive Portal to your corporate design and make it recognised by your users, you can set the highlight colour to your brand colour and upload a background image which can also contain a logo.
You should also enter your company name so users know that they are connecting to the correct network.
You can just remove the client from the list of authorized clients. Internet access is stopped immediately.
Any clients that have been expired will automatically be purged once a day.
You will need to either use the internal IPFire DHCP server or can alternatively use an external one.
In case you have configured your IPFire to work as a wireless access point, the captive portal can be combined with it. Just configure the access point as usual without encryption and enable the Captive Portal on BLUE.
The IPFire Captive Portal is also compatible with other access points that are connected to the IPFire system via Ethernet. Set up one or multiple access points as usual as an open network and enable the IPFire Captive Portal.
Yes. Just configure the URL filter as usual and consider sending the proxy configuration via DHCP to each client.
In some countries, using Captive Portals is not legal. In some others, they are required in order to offer public WiFi. We cannot give you any legal advise here, so please check the law of your country.
Giving access to untrusted people can be dangerous. Please make sure that you do not configure any firewall rules that allow access to parts of the network where those people should not have access. They will however have full access to the network zone the captive portal is being operated in and they will also have access to other clients on the network. This is because traffic from one client to another one is not passing through the firewall.
The Captive Portal gives limited DNS access before the client has been authorized to use the network. That is to allow network connections to come up and to let the web browser open a website which will then be redirected to the Captive Portal's authentication page. We have a bandwidth limiter in place that will throttle the number of DNS queries that can pass so that DNS cannot be used to tunnel any other network traffic - https://uk.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152.