This how to will explain how to setup a guest network using the captive portal.Guest Networks are widely used to allow guests controlled internet access athotels, RV Parks or businesses.
Note
For the example we expect the GUESTNET interface to be connected with youractual guest network switch or access point. This tutorial does not explainhow to setup a wireless network.
Businesses¶
Businesses usually want to share internet access with their guest and show thema landing page with a welcome message and some usage guidelines (policy). At thesame time it is important to make sure guests won’t be able to access the company’slocal network and limit the maximum internet usage.
Hotels and RV Parks¶
Hotels and RV parks usually utilize a captive portal to allow guests (paid) accessto internet for a limited duration. Guests need to login using a voucher they caneither buy or obtain for free at the reception. OPNsense has built-in support forvouchers and can easily create them on the fly. With this example we will showyou how to setup the Guest Network for this purpose and setup a reception accountfor creating new vouchers.
Advanced¶
The Captive portal can also be combined with the category based web filtering ofthe proxy. This tutorial will explain how to combine both features.
Prerequisites¶
We will start configuration with a fresh OPNsense install, updated to the latestpatch level (16.1.5_1 in our example). You will need a system with a minimum of3 ports (LAN/WAN/GUESTNET) for this tutorial.
Good to know¶
As the Hotel/RV Parks setup is almost identical to the business setup we will startwith that and after finishing add/change the specifics to match the Hotel Guest setup.
Step 1 - Configure Interface¶
For the Guest Network we will add a new interface.Go to Interfaces ‣ Assignments And use the + to add a new interface.Press Save. The new interface will be called OPT1, click on [OPT1] in theleft menu to change its settings.
Select Enable Interface and fill in the following data for our example:
Description | GUESTNET | A descriptive name for the interface |
Block Private networks | unselected | |
Block bogon networks | unselected | |
IPv4 Configuration Type | Static IPv4 | Set a static IPv4 address for the example |
IPv6 configuration Type | None | |
MAC address | (Leave Blank) | |
MTU | (Leave Blank) | |
MSS | (Leave Blank) | |
Speed and duplex | Default | You may also select the speed when known |
Static IPv4 address | 192.168.200.1/24 | We will use this segment for our guests |
IPv4 Upstream Gateway | Default |
Press Save and then Apply changes.
Step 2 - Configure DHCP Server¶
Go to Services ‣ DHCPv4 ‣ [GUESTNET].
- Fill in the following to setup the DHCP server for our guest net (leave everything
else on its default setting):
Enable | Checked | Enable the DCHP server on GUESTNET |
Range | 192.168.200.100 to 192.168.200.200 | Serve IPs from this range |
DNS servers | 192.168.200.1 | Supply a DNS with the lease |
Gateway | 192.168.200.1 | Supply a gateway with the lease |
Click Save.
Step 3 - Add Firewall Rules¶
Go to Firewall ‣ Rules to add a new rule.
Now add the following rules (in order of prevalence):
Allow DNS¶
Allow the guests access to the DNS forwarder.Rule content (leave all other options default):
Action | Pass | Allow this traffic |
Interface | GUESTNET | The GuestNet Interface |
Protocol | TCP/UDP | |
Source | GUESTNET net | |
Destination | GUESTNET address | |
Destination port range | DNS/DNS | from DNS to DNS |
Category | GuestNet Basic Rules | Category used for grouping rules |
Description | Allow DNS |
Click Save.
Allow Captive Portal Login¶
Action | Pass | Allow this traffic |
Interface | GUESTNET | The GuestNet Interface |
Protocol | TCP | |
Source | GUESTNET net | |
Destination | GUESTNET address | |
Destination port range | 8000/10000 | (other) used for the cp zones |
Category | GuestNet Basic Rules | Category used for grouping rules |
Description | Allow Captive Portal Login |
Click Save.
Block Local Networks¶
Action | Block | Block this traffic |
Interface | GUESTNET | The GuestNet Interface |
Protocol | any | |
Source | GUESTNET net | |
Destination | LAN net | |
Category | GuestNet Basic Rules | Category used for grouping rules |
Description | Block Local Networks |
Click Save.
Action | Block | Block this traffic |
Interface | GUESTNET | The GuestNet Interface |
Protocol | any | |
Source | GUESTNET net | |
Destination | GUESTNET address | |
Category | GuestNet Basic Rules | Category used for grouping rules |
Description | Block Firewall Access |
Click Save.
Note
These rules are used to block access to our local LAN network and firewall accessfrom the Guests. If you have multiple local networks then you need to blockeach of them with multiple rules or use a bigger subnet to cover them all.
Allow Guest Networks¶
Action | Pass | Allow this traffic |
Interface | GUESTNET | The GuestNet Interface |
Protocol | any | |
Source | GUESTNET net | |
Destination | any | |
Destination port range | any | |
Category | GuestNet Basic Rules | Category used for grouping rules |
Description | Allow Guest Network |
Click Save and then Apply changes
Your rules should look similar to the screenshot below:
Step 4 - Create Captive Portal¶
Go to Services ‣ Captive Portal ‣ Administration
To add a new Zone press the + in the lower right corner of the form.
Note
When using multiple interfaces with the captive portal then each interface canhave its own zone or multiple interfaces can share a zone.
For the Business setup we will start with the following settings:
Enabled | Checked | |
Interfaces | GUESTNET | Remove the default and add GUESTNET |
Authenticate using | (blank) | Remove any default setting |
Idle timeout | Disable Idle Timeout | |
Hard timeout | No hard timeout | |
Concurrent user logins | Unchecked | A user may only login once |
SSL certificate | none | Use plain http |
Hostname | (leave blank) | Used for redirecting login page |
Allowed addresses | (leave blank) | |
Custom template | none | Use default template |
Description | Guest Network | Choose a description for the zone |
Save and the Apply
Step 5 - Create Template¶
The template feature is one of the most powerful features of OPNsense’s CaptivePortal solution and it’s very easy to work with.
Let’s create a custom landing page, to do so click on the tab Templates andclick on the download icon in the lower right corner ( ).
Now download the default template, we will use this to create our own.Unpack the template zip file, you should have something similar to this:
Most files of the template can be modified, but some are default and may not bechanges. Upon upload any changes to the files listed in exclude.list will beignored. Currently these include the bootstrap JavaScript and some fonts.
With the captive portal enabled the default screen looks like:
Let’s change this default with a new logo and a welcome message, to this:
To do so use your favourite editor and open the index.html file to make thechanges.
Let’s make the following changes to the template:
Change the logo to company-logo.png
Remove the navigation bar on the top
Remove the height and width from the <img> tag
Add a welcome text
Make a link to the company website
Find the following part:
<header class="page-head"><nav class="navbar navbar-default" > <div class="container-fluid"> <div class="navbar-header"> <a class="navbar-brand" href="#"> <img class="brand-logo" src="images/default-logo.png" height="30" width="150"> </a> </div> </div></nav></header>
And change to:
<header class="page-head"> <div align="center"> <a href="#"> <img class="brand-logo" src="images/company-logo.png"> </a> <h1>Welcome to My Company Guest Network.</h1> <h2>Feel free to use the guest network for profesional usage</h2> <h3>See our website for more details: <a href="https://www.opnsense.org">My Company</a></h3> </div></header>
Copy the company logo to the image directory.Now zip the template directory and upload the new template by pressing the +on the Template tab.
Download the example Template (full)
Enter a Template Name, for this example we use Company.Hit Upload ( 
)
To enable the captive portal on the GUESTNET interface just click on Apply.
Step 6 - Limit Guests Bandwidth¶
For our example we will reserve 10 Mbps down and 1 Mbps Up for the Guest Network’sInternet Access. This bandwidth will be shared evenly between connected clients.
Note
With sharing evenly we mean that if 10 users at the same time try to useas much bandwidth as possible then everyone gets 1/10th. So in our examplethat would be 1 Mbps down stream (download). It is also possible to limitthe traffic per user see also Setup Traffic Shaping
Go to: Firewall ‣ Shaper ‣ Pipes.
Create a pipe for the Download by pressing the + in the lower right corner ofthe form and enter the following details:
Enabled | Checked |
bandwidth | 10 |
bandwidth Metric | Mbit/s |
mask | Destination |
Description | pipe_10Mbps_down |
Click Save changes.And add another pipe for the upload traffic.
Enabled | Checked |
bandwidth | 1 |
bandwidth Metric | Mbit/s |
mask | Destination |
Description | pipe_1Mbps_up |
Click on Save changes.
Create the traffic shaper rules. Click on the tab Rules and press the +to do so.
First toggle the advanced mode (upper left corner of the form) and then fill inthe following details (leave everything not specified on defaults):
sequence | (leave on default) |
interface | WAN |
interface 2 | GUESTNET |
direction | in |
target | pipe_10Mbps_down |
description | Limit Guests download to 10 Mbps |
Click Save changes.
sequence | (leave on default) |
interface | WAN |
interface 2 | GUESTNET |
direction | out |
target | pipe_1Mbps_up |
description | Limit Guests upload to 1 Mbps |
Click Save changes.
Now click on Apply to apply the changes.
Step 7 - Test Business GuestNet¶
Connect your PC or laptop to the Guest Network and start your favourite browser.Enter an address to browse to and you will be presented with the Login form wecreated with the template in the previous step. Click on login and start browsing.
To test your traffic shaper go to a speed test site such as http://www.speedtest.net/After testing your result should be similar to this (if your internet connectionhas sufficient bandwidth).
Note
Keep in mind we have only one connected client in this test, so all reservedbandwidth will be available for our client.
Royal Hotel Example¶
From this point we will implement the Hotel/RV Park solution. You need to followstep 1-7 first and choose the template you like to use for your guests.
This example will be for our “Royal Hotel”.
Step 8 - Add Voucher Server¶
To add a Voucher Server go to: System ‣ Access ‣ Servers and click onAdd server in the top right corner of the screen.
Fill in:
Descriptive name | Vouchers | The name for your voucher server |
Type | Voucher |
Click on Save.
Step 9 - Create Vouchers¶
Go back to the Captive portal and select Vouchers (Services ‣ Captive Portal ‣ Vouchers).Click on Create Vouchers in the lower right corner of the form.
Let’s create 1-day vouchers for our guests:
Enter the Validity (1 day), the number of Vouchers and a Groupname (Wi-Fi day pass, for example).For the example we create 10 vouchers. Click on Generate.
A file will be generated called Wi-Fi day pass.csv.The content of this file looks like this:
username,password,vouchergroup,validity"IgJw@Pqf","MLi+Sb7Ak#","Wi-Fi day pass","86400""++?f[@i[","!m*)e(@;F,","Wi-Fi day pass","86400""bbtK9mBk","f/jCDL3:)b","Wi-Fi day pass","86400""iD%L[jLJ","I#FoZ#g!AY","Wi-Fi day pass","86400""+4bA\E[I","CNavt@0ck+","Wi-Fi day pass","86400""+,fg/\Sv","#22iIL-iQA","Wi-Fi day pass","86400"":;Pc\N#s","Y\HuG9vAN$","Wi-Fi day pass","86400""00nLb=0Q","0*C_\_Nb_x","Wi-Fi day pass","86400""PA$J0YHF","kp!q%9;m)g","Wi-Fi day pass","86400""a,mCxbya","LcnCb#g/di","Wi-Fi day pass","86400"
The content are:
username | Username the guest needs to login with |
password | Password the guest needs to login with |
vouchergroup | The name of the group you created |
validity | The time the voucher will be valid in seconds |
Warning
For security reasons the plain text passwords for the vouchers are NOT storedon the firewall.
This file can be used for creating nice guest vouchers (on paper) by just mergingthe CSV data with Microsoft Word, LibreOffice or any other DTP/text editor.
Create something like this:
You can select a database to and remove it entirely. This way you cancreate a voucher database for the arrival date of guest per guest group(week, midweek, weekend, etc.) and delete the full database when the guests haveleft.
Note
When a voucher is activated the time will be used regardless of the user beinglogged in or out. For a “used time” solution use a Radius server look atSetup FreeRADIUS for accounting
Step 10 - Voucher Authentication¶
Enable the voucher authentication by changing the zone settings.Go to the tab Zones and select the Guest Network by clicking on the pencil iconright next to it.
Change Authenticate using from an empty field to Vouchers.
When done click Save changes and the Apply to apply the new settings.
Now users will see the login form as part of your template:
Check Sessions¶
To check the active sessions go to Services ‣ Captive Portal ‣ SessionsOur current session looks like this:
You can drop an active session by clicking on the trashcan.
Note
Notice the selection box at the upper right corner, with this you can selectthe right zone when you have configured more than one.
Check Voucher Status¶
You can check the validity and active status of a voucher by going to the voucherpage of the captive portal (Services ‣ Captive Portal ‣ Vouchers) and selectthe correct database (Wi-Fi day pass in our example).
Note
The state valid means it is activated but still valid.
Advanced - Session popup¶
Let’s create a Session Popup so users can see some details about their session andLogout. For this feature we will use OPNsense’s built-in API calls.
In particular we will use the following API call (for zone id 0):
/api/captiveportal/access/status/0/
The response on this API call looks like this (for an active session):
{"userName":"IgJw@Pqf","macAddress":"10:dd:b1:bc:75:46","acc_session_timeout":14095,"authenticated_via":"Vouchers","packets_out":2834,"bytes_in":512869,"last_accessed":1457527526,"zoneid":0,"sessionId":"npd5bd6SIVQeMfIbWBdong==","startTime":1457526930.1719,"bytes_out":1322351,"ipAddress":"192.168.200.100","packets_in":3181,"clientState":"AUTHORIZED"}
It would go a bit to far to explain standard HTML and JavaScript used forour simple popup, but a full demo template can be downloaded:
Download the example Template (with popup)
The demo includes a new file called session_popup.html with all the logic toshow the time left on the voucher and a logout button. As well as a simple updateto our index.html page to call the popup on a successful login. The latter lookslike this (shown with a bit of context):
// redirect on successful loginif (data['clientState'] == 'AUTHORIZED') { window.open("session_popup.html","Session Status & Logout","width=400, height=400");
Advanced - CLI Session Status¶
OPNsense has a very powerful CLI that is particularly useful for debugging purposes.For this example we will use the cli to list the status off all active sessions.
Type the following on the cli prompt to do so (for zone id 0):
configctl captiveportal list_clients 0
The output will be something similar to this:
