Captive Portal

https://wiki.ipfire.org/configuration/network/captive

Tartalomjegyzék
Initial Setup......................................................................................................................................2
Terms & Conditions....................................................................................................................2
Coupons......................................................................................................................................2
Exporting Coupons as PDF....................................................................................................3
Branding...........................................................................................................................................3
Examples.....................................................................................................................................4
Access Control.................................................................................................................................4
Revoking Access for a single client............................................................................................4
Using the BLUE zone for your Captive Portal................................................................................4
IPFire as a Wireless Access Point...............................................................................................5
3rd party Wireless Access Point..................................................................................................5
FAQ.............................................................................................................................................5
Can the Captive Portal be combined with the web proxy/URL filter?...................................5
Are there any legal obstacles?................................................................................................5
Security Considerations..............................................................................................................5
With the help of our Captive Portal all new or temporary network clients have no access to your
network but it is easy for you to manage the access to your network. If you regulate the access to
your guests' wifi with the captive portal you can renounce the encryption under certain
circumstances.

Initial Setup
There are two different ways to give a client access to the system. it is possible to change the
authorization method during operation without loosing access of the already authorized clients.
The Captive Portal can be activated for the green and blue zones.

Terms & Conditions

In this mode, the user only has to accept the terms and conditions. We recommend to use this in the
scenario of a cafe or similar place with a larger number of unknown users. To keep the list of
authorized clients short, you can set an expiry time after which access for that client is being cut off
and it needs to authorize again.

Coupons
If you choose coupons as your way of authorisation you are able to generate one or more coupons
with a lifetime from one hour to multiple months and unlimited, too. Every coupon can only used
once and coupons with different lifetimes can be created at once.
This is recommended to be used in a hotel or similar scenario with a smaller number of known
users.

Exporting Coupons as PDF

Using the “Export Coupons” button you can create a PDF file which contains the list of unused
coupons ready to print.

Branding
To customise the Captive Portal to your corporate design and make it recognised by your users, you
can set the highlight colour to your brand colour and upload a background image which can also
contain a logo.
You should also enter your company name so users know that they are connecting to the correct
network.
Examples

Access Control
Revoking Access for a single client
You can just remove the client from the list of authorized clients. Internet access is stopped
immediately.
Any clients that have been expired will automatically be purged once a day.

Using the BLUE zone for your Captive Portal

We recommend to use the Blue zone for your wireless network so you separate LAN from Wifi!
There are two ways to do so.
You will need to either use the internal IPFire DHCP server or can alternatively use an external one.

IPFire as a Wireless Access Point

In case you have configured your IPFire to work as a wireless access point, the captive portal can be
combined with it. Just configure the access point as usual without encryption and enable the Captive
Portal on BLUE.

3rd party Wireless Access Point

The IPFire Captive Portal is also compatible with other access points that are connected to the
IPFire system via Ethernet. Set up one or multiple access points as usual as an open network and
enable the IPFire Captive Portal.

FAQ
Can the Captive Portal be combined with the web proxy/URL filter?
Yes. Just configure the URL filter as usual and consider sending the proxy configuration via DHCP
to each client.

Are there any legal obstacles?

In some countries, using Captive Portals is not legal. In some others, they are required in order to
offer public WiFi. We cannot give you any legal advise here, so please check the law of your
country.

Security Considerations
Giving access to untrusted people can be dangerous. Please make sure that you do not configure any
firewall rules that allow access to parts of the network where those people should not have access.
They will however have full access to the network zone the captive portal is being operated in and
they will also have access to other clients on the network. This is because traffic from one client to
another one is not passing through the firewall.
The Captive Portal gives limited DNS access before the client has been authorized to use the
network. That is to allow network connections to come up and to let the web browser open a
website which will then be redirected to the Captive Portal's authentication page. We have a
bandwidth limiter in place that will throttle the number of DNS queries that can pass so that DNS
cannot be used to tunnel any other network traffic1).