m0n0wall Captive Portal Design
Many thanks to the Personal Telco CaptivePortal page which formed the genesis of this page.
User Usage Flow:
- a new user gets physical connectivity to the network
- they issue a DHCP request and are assigned an IP address (all
un-authenticated IPs are firewalled so they can only talk on the local
segment)
- as soon as they open their browser they will be forced to a local web page
(see below)
- this web page will have a "Continue" button which must be pressed by
the user to continue
- after they continue their IP is granted access through the
firewall
Another approach to this (as done by NoCat?) is to hand out very short leases (15 secs) in another range until the user 'Continue's, and then give them a lease that lets them outside. Maybe this would be easier given the questions that Manuel raises.
Open questions:
- once the user does 'continue' do they have access until their lease
expires? (Or when?)
- do we need to create a separate tracking mechanism or can we piggyback on
the IP lease mechanism? (which implies, possibly, that static IPs, or
preassigned-by-MAC DHCP IPs are exempt?)
Admin Tools
- per development criteria, the captive portal page will be stored in
config.xml and edited directly in the GUI. I propose a simple page where
admins can specify all text on the admin page (to allow for localization).
Note that there is no provision for a graphic due to the config.xml
restriction
  - page heading
  - preface text
  - legal wording
  - continue button text
- there should be a way to disconnect a given IP which means that
- there should be a way to view all IPs in use
- if we decide on a timeout separate from dhcp lease timeout, then we'll
need to prompt and gather that info
Another approach would be to allow the user to supply xhtml for the whole page - but that requires them to know what code to use for the button, etc. It seems less error prone to assemble the page from separate pieces.
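The "separate tracking mechanism" raised in the open questions, together with the admin view and disconnect actions listed above, can be modelled as a small session table. This is an added example, not m0n0wall code: the class and method names, the timeout value, the sample addresses and the choice to exempt static IPs are all assumptions made for illustration.

```python
# Added example: a model of a portal session table kept separately from DHCP leases.
# All names and values here are assumptions, not taken from m0n0wall.
import ipaddress


class PortalSessions:
    """Tracks which client IPs pressed "Continue" and when their access ends."""

    def __init__(self, timeout_s, exempt=()):
        self.timeout_s = timeout_s  # portal timeout, independent of the DHCP lease
        self.exempt = {ipaddress.ip_address(e) for e in exempt}  # e.g. static IPs
        self._granted = {}          # ip -> time at which access was granted

    def accept(self, ip, now):
        """Called when the user presses "Continue" on the portal page."""
        self._granted[ipaddress.ip_address(ip)] = now

    def is_allowed(self, ip, now):
        """Firewall decision: may this IP pass beyond the local segment?"""
        addr = ipaddress.ip_address(ip)
        if addr in self.exempt:
            return True
        start = self._granted.get(addr)
        if start is None:
            return False            # never accepted: keep forcing the portal page
        if now - start >= self.timeout_s:
            del self._granted[addr]  # expired: user must press "Continue" again
            return False
        return True

    def active(self, now):
        """Admin view: IPs currently granted access, with seconds remaining."""
        return sorted(
            (str(ip), self.timeout_s - (now - t))
            for ip, t in self._granted.items()
            if now - t < self.timeout_s
        )

    def disconnect(self, ip):
        """Admin action: revoke one IP; returns True if it had a session."""
        return self._granted.pop(ipaddress.ip_address(ip), None) is not None


def demo():
    # Constructed sample data: one exempt static IP and two portal clients.
    s = PortalSessions(timeout_s=3600, exempt=["192.168.1.10"])
    s.accept("192.168.1.50", now=0)
    s.accept("192.168.1.51", now=600)
    return s
```

Piggybacking on the lease mechanism instead would mean replacing `timeout_s` with the lease expiry time for each IP; the firewall decision and admin actions stay the same.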
Future Features
We won't try and do everything in this release. Here are some things we can
do next:
- automatically add throttle rules for each new IP based on a global
default
So Cal Free Net.org