Hello,
Currently have a PFSENSE Edge router for my HFC Docsis Network.
Would like to implement a Captive Portal page for customers who have not paid so when they try to use internet, the Portal will pop up.
Any help or guidance?
Is this done at Edge Router level? CMTS? DHCP?
Thanks!
I have done something similar in the past.
Unless you will be using some L2VPN you can't do it without a special config file. If you're doing it via L2VPN then you can do it on the EDGE router. My steps with the special config file were:
1. With IP filters in the config file you need to allow access only to a captive portal web page and DNS.
2. You need to set up a DNS server which always resolves to the same web page. This web page is your captive portal.
3. When the customer is authorized to use the internet again, you need to reboot the CM and provide it with a regular CM config file.
Probably there are better ways to do it. But this worked for me.
BR,
Janko
I'm looking to set this up for our cable modem customers. Can you share your DOCSIS config which does the redirect/firewalling on the CPE device? We want to set up a redirect, without using L2TP or a second bundle interface, just putting a noservice config on the customer which redirects to our billing portal.
You can set up what you request, but you need to know that you will need a separate DNS server, better say proxy, which will redirect any DNS request to your walled garden IP. So the customers that will be "walled" will need to have a different DNS server (CPE) configured in the DHCP server.
Then you just need to make sure in the config file that the CPE can access only port 53 on this particular DNS and also ports 80 and 443 on the captive portal. If you need help, contact me: jobacare@gmail.com
Here is a part of the CM config (this is a working example that will allow you to access only 8.8.8.8 (DNS, HTTP(S))):
SnmpMibObject docsDevFilterIpDefault.0 Integer 2; /* accept */
/* Permit DHCP Client */
SnmpMibObject docsDevFilterIpControl.1 Integer 1;
SnmpMibObject docsDevFilterIpIfIndex.1 Integer 1;
SnmpMibObject docsDevFilterIpDirection.1 Integer 2;
SnmpMibObject docsDevFilterIpBroadcast.1 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.1 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.1 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.1 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.1 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.1 Integer 17;
SnmpMibObject docsDevFilterIpDestPortLow.1 Integer 67;
SnmpMibObject docsDevFilterIpDestPortHigh.1 Integer 67;
SnmpMibObject docsDevFilterIpSourcePortLow.1 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.1 Integer 65535;
SnmpMibObject docsDevFilterIpStatus.1 Integer 4;
SnmpMibObject docsDevFilterIpControl.2 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.2 Integer 1;
SnmpMibObject docsDevFilterIpDirection.2 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.2 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.2 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.2 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.2 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.2 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.2 Integer 17;
SnmpMibObject docsDevFilterIpSourcePortLow.2 Integer 68;
SnmpMibObject docsDevFilterIpSourcePortHigh.2 Integer 68;
SnmpMibObject docsDevFilterIpDestPortLow.2 Integer 67;
SnmpMibObject docsDevFilterIpDestPortHigh.2 Integer 67;
SnmpMibObject docsDevFilterIpStatus.2 Integer 4;
SnmpMibObject docsDevFilterIpControl.3 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.3 Integer 1;
SnmpMibObject docsDevFilterIpDirection.3 Integer 2;
SnmpMibObject docsDevFilterIpBroadcast.3 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.3 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.3 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.3 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.3 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.3 Integer 17;
SnmpMibObject docsDevFilterIpSourcePortLow.3 Integer 67;
SnmpMibObject docsDevFilterIpSourcePortHigh.3 Integer 67;
SnmpMibObject docsDevFilterIpDestPortLow.3 Integer 68;
SnmpMibObject docsDevFilterIpDestPortHigh.3 Integer 68;
SnmpMibObject docsDevFilterIpStatus.3 Integer 4;
/* DHCP END */
/* Permit DNS (8.8.8.8) change it to your dns proxy */
SnmpMibObject docsDevFilterIpControl.4 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.4 Integer 1;
SnmpMibObject docsDevFilterIpDirection.4 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.4 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.4 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.4 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.4 IpAddress 8.8.8.8;
SnmpMibObject docsDevFilterIpDmask.4 IpAddress 255.255.255.255;
SnmpMibObject docsDevFilterIpProtocol.4 Integer 256;
SnmpMibObject docsDevFilterIpSourcePortLow.4 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.4 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.4 Integer 53;
SnmpMibObject docsDevFilterIpDestPortHigh.4 Integer 53;
SnmpMibObject docsDevFilterIpStatus.4 Integer 4;
SnmpMibObject docsDevFilterIpControl.5 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.5 Integer 1;
SnmpMibObject docsDevFilterIpDirection.5 Integer 2;
SnmpMibObject docsDevFilterIpBroadcast.5 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.5 IpAddress 8.8.8.8;
SnmpMibObject docsDevFilterIpSmask.5 IpAddress 255.255.255.255;
SnmpMibObject docsDevFilterIpDaddr.5 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.5 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.5 Integer 256;
SnmpMibObject docsDevFilterIpSourcePortLow.5 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.5 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.5 Integer 0;
SnmpMibObject docsDevFilterIpDestPortHigh.5 Integer 65535;
SnmpMibObject docsDevFilterIpStatus.5 Integer 4;
/* Block all other DNS */
SnmpMibObject docsDevFilterIpControl.6 Integer 1;
SnmpMibObject docsDevFilterIpIfIndex.6 Integer 1;
SnmpMibObject docsDevFilterIpDirection.6 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.6 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.6 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.6 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.6 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.6 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.6 Integer 256;
SnmpMibObject docsDevFilterIpSourcePortLow.6 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.6 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.6 Integer 53;
SnmpMibObject docsDevFilterIpDestPortHigh.6 Integer 53;
SnmpMibObject docsDevFilterIpStatus.6 Integer 4;
/* DNS END */
/* Permit port HTTP(s) to 8.8.8.8 (you will need to change this to captive portal address) */
SnmpMibObject docsDevFilterIpControl.7 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.7 Integer 1;
SnmpMibObject docsDevFilterIpDirection.7 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.7 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.7 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.7 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.7 IpAddress 8.8.8.8;
SnmpMibObject docsDevFilterIpDmask.7 IpAddress 255.255.255.255;
SnmpMibObject docsDevFilterIpProtocol.7 Integer 6;
SnmpMibObject docsDevFilterIpSourcePortLow.7 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.7 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.7 Integer 80;
SnmpMibObject docsDevFilterIpDestPortHigh.7 Integer 80;
SnmpMibObject docsDevFilterIpStatus.7 Integer 4;
SnmpMibObject docsDevFilterIpControl.8 Integer 2;
SnmpMibObject docsDevFilterIpIfIndex.8 Integer 1;
SnmpMibObject docsDevFilterIpDirection.8 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.8 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.8 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.8 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.8 IpAddress 8.8.8.8;
SnmpMibObject docsDevFilterIpDmask.8 IpAddress 255.255.255.255;
SnmpMibObject docsDevFilterIpProtocol.8 Integer 6;
SnmpMibObject docsDevFilterIpSourcePortLow.8 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.8 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.8 Integer 443;
SnmpMibObject docsDevFilterIpDestPortHigh.8 Integer 443;
SnmpMibObject docsDevFilterIpStatus.8 Integer 4;
/* HTTP end */
/* BLOCK ALL TRAFFIC */
SnmpMibObject docsDevFilterIpControl.9 Integer 1;
SnmpMibObject docsDevFilterIpIfIndex.9 Integer 1;
SnmpMibObject docsDevFilterIpDirection.9 Integer 1;
SnmpMibObject docsDevFilterIpBroadcast.9 Integer 2;
SnmpMibObject docsDevFilterIpSaddr.9 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.9 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.9 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.9 IpAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.9 Integer 256;
SnmpMibObject docsDevFilterIpSourcePortLow.9 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.9 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.9 Integer 0;
SnmpMibObject docsDevFilterIpDestPortHigh.9 Integer 65535;
SnmpMibObject docsDevFilterIpStatus.9 Integer 4;
/* END */
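Added example, not part of the original post: a small Python model for checking what filter rules 4-9 above let through before the config is pushed to a modem. It assumes the modem applies the first matching filter in ascending index order and compares ports only for TCP/UDP packets; the CPE and test addresses are constructed sample values.

```python
import ipaddress

ACCEPT, DISCARD = "accept", "discard"
INBOUND, OUTBOUND = 1, 2   # docsDevFilterIpDirection values used on the page
ANY_PROTO = 256            # docsDevFilterIpProtocol value the page uses for "any"
ANY = "0.0.0.0/0"          # address 0.0.0.0 with mask 0.0.0.0
DEFAULT = ACCEPT           # docsDevFilterIpDefault.0 = 2

# Rules 4-9 from the config above, transcribed as
# (index, action, direction, source net, dest net, protocol, dest port low, high).
# Source ports are 0-65535 in all six rules, so they are left out.
RULES = [
    (4, ACCEPT,  INBOUND,  ANY, "8.8.8.8/32", ANY_PROTO, 53, 53),
    (5, ACCEPT,  OUTBOUND, "8.8.8.8/32", ANY, ANY_PROTO, 0, 65535),
    (6, DISCARD, INBOUND,  ANY, ANY, ANY_PROTO, 53, 53),
    (7, ACCEPT,  INBOUND,  ANY, "8.8.8.8/32", 6, 80, 80),
    (8, ACCEPT,  INBOUND,  ANY, "8.8.8.8/32", 6, 443, 443),
    (9, DISCARD, INBOUND,  ANY, ANY, ANY_PROTO, 0, 65535),
]

# Constructed sample flows: (label, direction, src, dst, protocol, dest port).
CPE = "192.0.2.10"  # hypothetical CPE address
FLOWS = [
    ("DNS to allowed resolver", INBOUND, CPE, "8.8.8.8", 17, 53),
    ("DNS to other resolver", INBOUND, CPE, "203.0.113.53", 17, 53),
    ("HTTPS to portal", INBOUND, CPE, "8.8.8.8", 6, 443),
    ("HTTPS elsewhere", INBOUND, CPE, "198.51.100.7", 6, 443),
    ("reply from elsewhere", OUTBOUND, "198.51.100.7", CPE, 6, 50000),
]

def decide(direction, src, dst, proto, dport):
    """Return (action, index of the matching rule or None for the default)."""
    for idx, action, r_dir, s_net, d_net, r_proto, lo, hi in sorted(RULES):
        addrs_ok = (ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(d_net))
        proto_ok = r_proto in (ANY_PROTO, proto)
        # Assumption: ports are compared only when the packet is TCP (6) or UDP (17).
        ports_ok = proto not in (6, 17) or lo <= dport <= hi
        if r_dir == direction and addrs_ok and proto_ok and ports_ok:
            return action, idx
    return DEFAULT, None

def audit():
    """Evaluate every sample flow and return {label: (action, rule index)}."""
    return {label: decide(*flow) for label, *flow in FLOWS}

if __name__ == "__main__":
    for label, (action, idx) in audit().items():
        print(f"{label:26} {action:8} rule={idx}")
```

The last sample flow falls through to the default accept because rule 5 is the only direction-2 rule in this group, so rules 4-9 restrict traffic in direction 1 only.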
How do you handle the DNS assignment? I get the rest, but I don't see how this filter intercepts port 53 requests and redirects them to my dummy DNS server (which resolves all requests). My DHCP server doesn't really know that this is enabled when it passes out the management IP, let alone the CPE IP that I want to redirect to my portal.
Not sure how to get the Dummy DNS to the CPE behind the cable modem, I believe if I set the 10. management interface ip to the dummy DNS that will only impact the CM Management portion, not the CPE behind it? Haven't tested yet, but I think that is an issue.
Could you explain to us how you made the provisioning configuration to the CMTS with PFsense?
I would greatly appreciate it.