
Modern Guide: pfSense Captive Portal with FreeRADIUS & ACME

From MediawikiCIT


Based on the Lawrence Systems Methodology

Reference Videos:

This guide focuses on a production-ready setup that avoids certificate warnings on modern devices: the portal's HTTPS login page uses a publicly trusted Let's Encrypt certificate, and Split DNS makes the portal hostname resolve to the guest interface address from inside the network, so the name on the certificate matches the address clients actually connect to. It also covers per-user bandwidth limits delivered by RADIUS and strict destination whitelisting with firewall rules.


Prerequisites

  • pfSense Firewall: version 2.4.x or newer.
  • Domain Name: a domain you control (a purchased one or a free DuckDNS subdomain). The certificate is obtained with a DNS challenge, so the firewall does not need to be reachable from the Internet on ports 80/443.
  • Guest Network: a dedicated interface/VLAN for guests; this guide uses 192.168.2.1/24 as the guest interface address.
  • Packages: install freeradius3 and acme from System > Package Manager.

Phase 1: WebGUI Configuration (Port Conflict Prevention)

The captive portal intercepts HTTP and HTTPS on the guest interface, so the firewall's own management interface is moved off the default port to keep the two from colliding. The new port must not be reachable from the guest network; the strict rules in Phase 5 do not open it.

  1. Navigate to System > Advanced > Admin Access.
  2. TCP Port: change this to 5555 (any unused port works; the rest of this guide assumes 5555).
  3. WebGUI Redirect: ensure "Disable webConfigurator redirect rule" is unchecked.
  4. Click Save, then reconnect to the GUI on https://<firewall-address>:5555.

Phase 2: Free SSL Certificates (DuckDNS & Let's Encrypt)

The problem: a self-signed certificate is trusted by nobody, so browsers and the captive-portal mini-browser on phones warn on or refuse the HTTPS login page. The fix: give the portal a real hostname (a free DuckDNS subdomain is enough) and let the ACME package obtain a publicly trusted Let's Encrypt certificate for it through the DNS challenge. The DuckDNS token is the credential that controls that name; treat it like a password and store it only in the ACME package.

Step A: Get a Free DuckDNS Domain

  1. Go to DuckDNS.org.
  2. Create a domain (e.g., mywifinetwork).
  3. Copy your Token.

Step B: Configure ACME on pfSense

  1. Install ACME: Go to System > Package Manager and install acme.
  2. Create Account Key: Services > ACME > Account Keys > Add.
    • Name: LetsEncryptKey
    • Server: Let's Encrypt Production
  3. Issue the Certificate:
    • Go to Services > ACME > Certificates.
    • Click Add.
    • Name: CaptivePortalCert
    • Domain name: mywifinetwork.duckdns.org
    • Method: DNS-DuckDNS
    • Token: Paste your token
    • Click Save, then Issue/Renew. Issue against the Let's Encrypt Staging server first while experimenting; production issuance is rate-limited. Renewal runs from the package's cron job; after the first renewal, confirm the portal is serving the new certificate (Phase 7).

Phase 3: Split DNS Configuration

Clients on the guest network must resolve the portal hostname to the guest interface address rather than the public address stored at DuckDNS; otherwise the login page is fetched from the wrong place and the certificate name no longer matches. This only works for clients that use the firewall's DNS Resolver, so the resolver must be listening on the guest interface (Services > DNS Resolver > Network Interfaces) and guests should not be allowed to reach other DNS servers.

  1. Navigate to Services > DNS Resolver.
  2. Go to Host Overrides > Add.
    • Host: mywifinetwork
    • Domain: duckdns.org
    • IP Address: 192.168.2.1 (Guest Interface IP)
  3. Click Save and Apply Changes. From a client on the guest network, resolving mywifinetwork.duckdns.org must now return 192.168.2.1; if the public address comes back, that client is using a different DNS server.

Phase 4: Configure FreeRADIUS (Users & Bandwidth)

We will define three users with specific bandwidth limits.

1. Interfaces & Client

  • Services > FreeRADIUS > Interfaces: add two listeners, port 1812 (type Authentication) and port 1813 (type Accounting). The guide binds them to * (all addresses); since the only NAS is the captive portal on this same firewall, binding to 127.0.0.1 instead keeps the RADIUS service unreachable from the guest VLAN.
  • Services > FreeRADIUS > NAS / Clients: add 127.0.0.1 with shared secret SecretPass123. The secret is an example; use a long random string in a real deployment. The same value is entered on the captive portal side in Phase 6.

2. Create Users

User                 Username   Password     Bandwidth Down            Bandwidth Up
Admin (full access)  adminuser  adminpass    unlimited (leave blank)   unlimited (leave blank)
Resident (0.1 Mbps)  resident   resident123  100 Kbit/s                100 Kbit/s
Guest (0.01 Mbps)    guest      guest123     10 Kbit/s                 10 Kbit/s

The bandwidth fields in the FreeRADIUS package are in Kbit/s and are returned to the captive portal as the WISPr-Bandwidth-Max-Down / WISPr-Bandwidth-Max-Up reply attributes (bits per second), which is what the per-user bandwidth option in Phase 6 reads. The passwords are placeholders: anyone on the guest Wi-Fi can attempt logins against the portal, so use strong ones. Note that "full access" for the admin account comes from the firewall rules in Phase 5, which key on source IP, not from the RADIUS account; logging in as adminuser from an address outside Admin_IPs still gets the restricted rule set.
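To see what the RADIUS server actually returns for each account before the portal depends on it, the following is a small RFC 2865 PAP client. It is an added example, not part of the original guide or of the FreeRADIUS package. It assumes the server listens on 127.0.0.1:1812 with the NAS secret SecretPass123, that the per-user limits arrive as WISPr-Bandwidth-Max-Up/Down vendor attributes (vendor 14122, values in bits per second), and a Python 3 interpreter on the host it runs from (present on pfSense 2.5 and newer; any other host must first be added as a NAS client).

```python
"""Minimal RFC 2865 PAP client for checking FreeRADIUS users and their WISPr limits.

Added example; assumptions: server 127.0.0.1:1812, secret SecretPass123,
limits returned as WISPr-Bandwidth-Max-Up/Down (vendor 14122, bits/s).
"""
import hashlib
import os
import socket
import struct
import sys

RADIUS_AUTH_PORT = 1812
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VSA = 1, 2, 4, 26
WISPR_VENDOR = 14122                 # Wi-Fi Alliance vendor ID used for WISPr attributes
WISPR_MAX_UP, WISPR_MAX_DOWN = 7, 8  # vendor sub-types; values are bits per second


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: XOR the zero-padded password with an MD5 keystream chained on the ciphertext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_decrypt(encrypted, secret, authenticator):
    """Server side of the same transform (what FreeRADIUS does before comparing)."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encrypted[i:i + 16], block))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def wispr_attr(subtype, bps):
    """Vendor-Specific attribute carrying one WISPr bandwidth value (one sub-attribute per VSA)."""
    return attr(ATTR_VSA, struct.pack("!IBBI", WISPR_VENDOR, subtype, 6, bps))


def build_access_request(ident, secret, username, password, authenticator, nas_ip="127.0.0.1"):
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, ident, secret, request_authenticator, attrs):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def parse_reply(data, secret, request_authenticator):
    """Verify the Response Authenticator, then extract WISPr bandwidth limits (bits per second)."""
    if len(data) < 20:
        raise ValueError("reply too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    attrs = data[20:]
    expected = hashlib.md5(data[:4] + request_authenticator + attrs + secret).digest()
    if expected != data[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    limits, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype == ATTR_VSA and len(value) == 10 and struct.unpack("!I", value[:4])[0] == WISPR_VENDOR:
            sub, sublen, bps = struct.unpack("!BBI", value[4:])
            if sublen == 6 and sub in (WISPR_MAX_UP, WISPR_MAX_DOWN):
                limits["max_up_bps" if sub == WISPR_MAX_UP else "max_down_bps"] = bps
    return code, ident, limits


def check_user(server, secret, username, password, timeout=3.0):
    """Send one Access-Request to a live server; returns (accepted, limits)."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(ident, secret, username, password, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, RADIUS_AUTH_PORT))
        data, _ = sock.recvfrom(4096)
    code, reply_ident, limits = parse_reply(data, secret, authenticator)
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the request")
    return code == ACCESS_ACCEPT, limits


if __name__ == "__main__":
    # e.g. on the pfSense shell: python3 radius_check.py resident resident123
    accepted, limits = check_user("127.0.0.1", b"SecretPass123", sys.argv[1], sys.argv[2])
    print("ACCESS-ACCEPT" if accepted else "ACCESS-REJECT", limits)
```

The packet builders and the parser are pure functions, so they can be exercised without a server: a constructed Access-Accept carrying 100000 bit/s in both directions (the Resident row) round-trips through build_reply and parse_reply, and a reply computed with the wrong secret is rejected because its Response Authenticator does not verify. PAP only obfuscates the password with an MD5 keystream; that is tolerable on loopback, and one more reason not to leave the listener bound to *.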

Phase 5: Firewall Rules & Whitelisting

Step A: Define Admin Devices (Static IPs)

  1. Go to Services > DHCP Server > [Guest Interface].
  2. Scroll to Static Mappings.
  3. Add your Admin Device's MAC Address and assign a specific IP (e.g., 192.168.2.10).
  4. Repeat for all Admin devices. pfSense requires static mappings to lie outside the DHCP pool range, so guests are never handed these addresses by DHCP; however, the bypass in Step C trusts the source IP, and a guest who manually configures 192.168.2.10 inherits it. Treat this as a convenience for trusted devices, not a security boundary against a determined guest.

Step B: Create Aliases (The Whitelist)

  1. Go to Firewall > Aliases.
  2. Create Admin Alias:
    • Name: Admin_IPs
    • Type: Host(s)
    • Content: 192.168.2.10 (and other admin IPs)
  3. Create Apps Alias:
    • Name: Allowed_Domains
    • Type: Host(s)
    • Content: grab.com, lalamove.com, api.grab.com, api.lalamove.com
    • Caveat: pfSense resolves the hostnames in an alias on the firewall itself and refreshes them periodically, so the alias only ever contains the addresses the firewall's resolver returned. Apps served from CDNs or through additional API hostnames may need more names added here when they fail to load.
  4. Create Messaging Ports Alias:
    • Name: Messaging_Ports
    • Type: Port(s)
    • Content: 3478 (STUN, used by WhatsApp/Messenger calls), 5222 (WhatsApp/XMPP)
    • Do not add 443 or 53 here. This alias is used in a rule whose destination is Any, so 443 would allow HTTPS to every host on the Internet and defeat the block in Step C; DNS and HTTPS to the whitelisted domains get their own rules. If WhatsApp messaging (which also uses TCP 443 to WhatsApp's servers) must keep working, add its hostnames to Allowed_Domains instead.

Step C: Apply Strict Rules

Go to Firewall > Rules > [Guest Interface]. Delete any existing "Allow All" rules. pfSense evaluates interface rules top to bottom and the first match wins, so create these rules in this exact order. They apply to clients that have authenticated to the portal; before login the portal itself only passes the login page and DNS to the firewall.

Rule  Action          Source                             Destination                                        Result
1     Pass            Single host or alias: Admin_IPs    Any                                                Admin devices bypass every rule below.
2     Pass (UDP)      Any                                This Firewall (self), port 53                      Everyone needs DNS, but only from the firewall's resolver, so the Split DNS override from Phase 3 cannot be bypassed with a public DNS server.
3     Pass (TCP/UDP)  Any                                Single host or alias: Allowed_Domains, port 443    HTTPS to the Grab/Lalamove addresses the alias resolved.
4     Pass (TCP/UDP)  Any                                Any, destination port range: Messaging_Ports       STUN/XMPP for WhatsApp/Messenger calls. Because the destination is Any, keep this alias to call-signalling ports only.
5     Block           Any                                Any                                                Everything else (YouTube, social media, general browsing) is blocked for Residents and Guests.
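First-match rule sets are easy to get subtly wrong when an alias is used with a destination of Any. The following is an added example, not part of the guide or of pfSense, that models the five rules above as first-match evaluation with default deny over a few constructed flows, and compares two variants: a Messaging_Ports alias that contains 443 and 53 with DNS allowed to any server, against an alias of only 3478 and 5222 with DNS restricted to the guest interface address. The alias contents, the addresses the Allowed_Domains alias is assumed to have resolved to (placeholders from documentation ranges), and the flows are all constructed.

```python
"""First-match model of the Phase 5 guest rules. Added example; all addresses are constructed."""

ANY = "any"
GUEST_IF_IP = "192.168.2.1"  # guest interface address from the guide

# Constructed sample data: what the aliases might resolve to at one moment.
# pfSense resolves FQDN aliases itself; these addresses are placeholders.
ADMIN_IPS = {"192.168.2.10"}
ALLOWED_DOMAIN_IPS = {"203.0.113.10", "203.0.113.20"}
MESSAGING_PORTS_WITH_443 = {3478, 5222, 443, 53}
MESSAGING_PORTS_SIGNALLING_ONLY = {3478, 5222}


def rule(number, action, proto, src, dst, dport):
    """A rule is a set (or ANY) per field; the number matches the table in Step C."""
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def guest_rules(messaging_ports, dns_destination):
    """The five rules in the order the guide lists them."""
    return [
        rule(1, "pass", ANY, ADMIN_IPS, ANY, ANY),
        rule(2, "pass", {"udp"}, ANY, dns_destination, {53}),
        rule(3, "pass", {"tcp", "udp"}, ANY, ALLOWED_DOMAIN_IPS, {443}),
        rule(4, "pass", {"tcp", "udp"}, ANY, ANY, set(messaging_ports)),
        rule(5, "block", ANY, ANY, ANY, ANY),
    ]


def _matches(field, value):
    return field == ANY or value in field


def evaluate(rules, proto, src, dst, dport):
    """pfSense interface rules are first-match; no match means the implicit default deny."""
    for r in rules:
        if all(_matches(r[k], v) for k, v in
               (("proto", proto), ("src", src), ("dst", dst), ("dport", dport))):
            return r["action"], r["number"]
    return "block", None


LEAKY = guest_rules(MESSAGING_PORTS_WITH_443, ANY)
STRICT = guest_rules(MESSAGING_PORTS_SIGNALLING_ONLY, {GUEST_IF_IP})

# Constructed flows: (label, protocol, source, destination, destination port)
FLOWS = [
    ("admin to video site",      "tcp", "192.168.2.10", "198.51.100.5", 443),
    ("resident to video site",   "tcp", "192.168.2.50", "198.51.100.5", 443),
    ("resident to Grab API",     "tcp", "192.168.2.50", "203.0.113.10", 443),
    ("resident STUN for a call", "udp", "192.168.2.50", "198.51.100.9", 3478),
    ("resident to public DNS",   "udp", "192.168.2.50", "192.0.2.53", 53),
    ("resident to firewall DNS", "udp", "192.168.2.50", GUEST_IF_IP, 53),
]


def compare(flows=FLOWS):
    """Map each flow label to ((action, rule) under LEAKY, (action, rule) under STRICT)."""
    return {label: (evaluate(LEAKY, p, s, d, port), evaluate(STRICT, p, s, d, port))
            for label, p, s, d, port in flows}


if __name__ == "__main__":
    for label, (leaky, strict) in compare().items():
        print(f"{label:26} leaky: {leaky[0]:5} (rule {leaky[1]})   strict: {strict[0]:5} (rule {strict[1]})")
```

With 443 in the Messaging_Ports alias, a resident's HTTPS connection to any video site matches rule 4 and never reaches the block; with the alias reduced to signalling ports it falls through to rule 5. Likewise, DNS to a public resolver passes rule 2 in the leaky variant, which lets a client resolve the portal name to its public address and sidestep Split DNS. The model ignores the portal's own pre-authentication rules and stateful return traffic; it is only a check on ordering and alias scope.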

Phase 6: Configure the Captive Portal

  1. Enable Portal:
    • Go to Services > Captive Portal.
    • Add Zone GuestZone, Enable it, select Guest Interface.
  2. Authentication:
    • Method: RADIUS Authentication
    • Primary Server: 127.0.0.1, Secret: SecretPass123 (must be identical to the NAS/Client secret from Phase 4). On pfSense 2.5 and newer the RADIUS server is instead defined once under System > User Manager > Authentication Servers (type RADIUS, host 127.0.0.1, authentication port 1812, the same secret) and selected here as the authentication server.
    • Re-authentication: Checked (Every minute). The portal re-sends an Access-Request for each session every minute, so disabling a user in FreeRADIUS ends their session within a minute.
    • RADIUS Options: Check Use RADIUS per-user bandwidth attributes. This applies the WISPr-Bandwidth-Max-Down/Up values from Phase 4; without it the limits are ignored.
  3. HTTPS Login:
    • Enable HTTPS: Checked
    • Host Name: mywifinetwork.duckdns.org (must match the certificate's name and the Phase 3 host override exactly; the portal redirects clients to this name)
    • Certificate: CaptivePortalCert
  4. Click Save.

Phase 7: Verification

Test Admin

  • Connect with an Admin device (ensure it gets Static IP 192.168.2.10).
  • Log in as adminuser.
  • Try YouTube. Result: Should work.

Test Resident

  • Connect with a phone that has no static mapping (it receives a dynamic address).
  • Log in as resident.
  • Check the speed. Result: capped at about 0.1 Mbps. A public speed-test site such as Fast.com is itself blocked by rule 5 for this user, so measure a download from a whitelisted destination, or confirm the limit on the firewall under Diagnostics > Limiter Info (the output of ipfw pipe show), which lists the dummynet pipes the portal created for the session together with their bandwidth.
  • Try YouTube. Result: Blocked.
  • Try Grab App. Result: Should load.
  • Log out and log in again as adminuser from this same phone. Result: browsing is still blocked, confirming that the bypass is tied to the Admin_IPs source address and not to the account.

Test Guest

  • Log in as guest.
  • Check the speed. Result: capped at about 0.01 Mbps, slow enough that many pages and speed tests time out rather than load; confirm the pipe and its bandwidth under Diagnostics > Limiter Info.