
pfsense

Summary

pfsense is a distribution of FreeBSD that has been tailored for use as a firewall/router. It offers many features that are useful for public wifi. It is a free, open source application that can be used as a wireless gateway to provide your public wifi network with a customizable captive portal, and with stat collection capabilities that will satisfy state collection requirements.

System requirements

The minimum system requirements for a gateway with less than 10Mbps of throughput are:

CPU 100MHz
RAM 128MB
CD-ROM drive for initial install
1GB hard drive

Hardware specs should be scaled up to manage higher throughput loads, but generally speaking, any PC built within the last five years should be more than adequate.

Web interface

Everything configurable in pfsense can be done from the web interface. After an initial setup wizard you will be sent to a dashboard page that can be customized with various widgets that show different kinds of information. Some of the more useful include traffic graphs, firewall logs, and the captive portal status. A number of the configuration pages deal with lists of items (firewall rules, aliases, schedules, routes, etc.) and they generally share the same icon set for manipulating these lists: one icon adds a new item, one deletes an item, and one edits an item. Most of the buttons in the web interface can be hovered over for a brief explanation.

Console interface

Low level operations can be done from the console interface. Console access via secure shell can be enabled in the System > Advanced page of the web interface to allow remote access to the command console. Shell commands can also be run through the Diagnostics > Command Prompt page of the web interface, but this functionality is still experimental, and SSH is generally more convenient. Log in via SSH as root with the admin password set for the web console. Because this is a root login on the gateway, restrict SSH to the LAN or management side with a firewall rule and do not expose it on the WAN or to captive portal clients; the user manager also lets you attach an SSH public key to the admin account so that password logins can be avoided.

Network Configuration

[Diagram: Internet - Firewall/Router - WAN interface - pfsense PC - LAN interface - public network switch or VLAN - access point(s) - wireless network]

Systems running pfsense should have at least two NICs, and can replace the existing gateway for your wireless network. The pfsense PC will act as the primary DHCP and DNS server for wifi clients, and the WAN interface will connect to your greater network. An initial setup wizard is available to guide users through new installations. Assuming there is an existing wireless network on site that is structured similarly to the diagram above, replacing the existing wireless gateway with a pfsense system should only require a minimal working knowledge of computer networks, DHCP, and DNS.

Firewall rules

Like most other firewalls, pfsense's rules are applied per-interface. Packets matching a rule can be passed, blocked (silently dropped) or rejected (dropped with a TCP RST or ICMP unreachable message returned to the sender). Basic match criteria include: protocol; the source and destination address, each of which can be a single host or an entire network; and the source and destination port range.

Advanced firewall rule features

Source OS: match rules based on the operating system of the source host, as guessed by passive fingerprinting (a heuristic, not an identity check).
TCP flags: match based on which TCP flags are set or cleared.
Schedule: match the rule to a time schedule (can be used to set hours).
Gateway: if multiple WAN interfaces exist, this option will send packets matching the rule to a specific gateway.
In/out: sets a limiter to use for inbound and outbound traffic.
Ackqueue/queue: used to place matched packets into traffic shaping queues.
Layer7: performs deep packet inspection on the traffic matched by the rule.

Floating rules

Normally, firewall rules are set on a specific interface. Floating rules can apply to any interface, going in any direction. These are primarily used to put packets in the appropriate shaping queues.

Schedules

Schedules can be used to define a set of times in which a firewall rule should be active. Each schedule consists of one or more time ranges which can be set to specific days or to a weekly recurrence. To make a schedule, click the new button, then set the days of the week or the calendar dates you want the schedule to be in effect using the calendar in the month section. Then select a time range using the start and stop time fields, and click add time to save the time range to the schedule. Add as many time ranges as are needed and click save. These schedules can be used to limit wireless access to hours when the library is open and to keep wireless inaccessible during scheduled closures. Since interface firewall rules are evaluated on a first-match basis, a rule blocking closed days should be placed above a rule passing traffic during weekly hours; if the order is reversed, the pass rule matches first on a weekday closure and the closure is never enforced. Schedules depend on the firewall's clock, so make sure NTP is configured and the correct time zone is set.
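The ordering point above is easy to get wrong, so here is an added example (not code from the original guide or from pfsense) that models first-match evaluation of scheduled rules and shows the difference between the two orderings on a weekday closure. The schedule names, dates and rule lists are made up for illustration.

```python
"""Added example: pfsense-style first-match evaluation of rules with schedules.
Rule names, dates and schedule contents are invented for illustration."""
from datetime import date, datetime, time

def schedule_active(sched, when):
    """A schedule is active when the timestamp's weekday (0=Mon) or its
    calendar date is listed, and the time of day is inside one of its ranges."""
    on_day = (when.weekday() in sched.get("weekdays", set())
              or when.date() in sched.get("dates", set()))
    if not on_day:
        return False
    t = when.time()
    return any(start <= t <= stop for start, stop in sched["ranges"])

def first_match(rules, when):
    """Return the action of the first rule whose schedule (if any) is active.
    A rule with an inactive schedule is skipped, exactly as if it were absent."""
    for rule in rules:
        sched = rule.get("schedule")
        if sched is None or schedule_active(sched, when):
            return rule["action"]
    return "block"  # pfsense's implicit default deny when nothing matches

# Library open Mon-Sat 09:00-18:00; closed all day on one holiday (a Thursday).
OPEN_HOURS = {"weekdays": {0, 1, 2, 3, 4, 5}, "ranges": [(time(9, 0), time(18, 0))]}
CLOSURES = {"dates": {date(2013, 7, 4)}, "ranges": [(time(0, 0), time(23, 59))]}

# Correct order: the closure block rule is evaluated before the hours pass rule.
CORRECT = [
    {"action": "block", "schedule": CLOSURES},
    {"action": "pass", "schedule": OPEN_HOURS},
]
# Wrong order: on a closed weekday the pass rule matches first and wins.
WRONG = list(reversed(CORRECT))

def demo():
    holiday_noon = datetime(2013, 7, 4, 12, 0)   # closure day, during open hours
    normal_noon = datetime(2013, 7, 11, 12, 0)   # ordinary Thursday, open
    night = datetime(2013, 7, 11, 23, 0)         # ordinary Thursday, after hours
    return {
        "correct_holiday": first_match(CORRECT, holiday_noon),
        "wrong_holiday": first_match(WRONG, holiday_noon),
        "correct_open": first_match(CORRECT, normal_noon),
        "correct_night": first_match(CORRECT, night),
    }

if __name__ == "__main__":
    print(demo())
```

With the correct ordering the holiday is blocked and ordinary hours pass; with the reversed ordering the holiday block never fires.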

Traffic Shaping

The pfsense traffic shaper comes with a handful of wizards for configuring traffic shaping. The wizard will allow you to set link bandwidth, select a queue scheduling algorithm, and prioritize common protocols. The wizard will generate a set of queues and ACK queues for each interface, as well as a set of floating firewall rules for each protocol prioritized.

Limiters

Limiters cap the bandwidth of the traffic sent through them, and can also be used to simulate lower quality connections over an interface. In most cases simply setting the bandwidth limits is sufficient, but you can also add a delay to the connection and simulate a certain percentage of packet loss. Traffic is assigned to a limiter using the in/out option in the firewall rules editor.

Layer 7

Layer 7 uses deep packet inspection to adjust the behavior of the firewall. A layer 7 rule group can be set to block traffic, place it in a shaping queue, or send it through a limiter.

Captive portal

The captive portal allows you to set up an authenticated or unauthenticated splash screen. The captive portal will need to be configured in order to track usage statistics with pfsense.

Captive portal settings

Max concurrent connections: sets the number of users that can load the captive portal page at the same time. This can probably be left alone.
Idle timeout: sets the amount of time a session can be inactive before it is logged off.
Hard timeout: sets the maximum time limit on sessions.
Logout popup: opens a popup window with a logout button, useful for ending sessions.
Pre-authentication redirect: sets a redirect variable that can be used on the captive portal page, or on error pages.
After authentication redirect URL: the landing page. If nothing is set, users will land on whatever page they were trying to access before authenticating on the captive portal page.
Per-user bandwidth: limits the maximum upstream or downstream bandwidth that can be used by an individual. This is equivalent to setting up a limiter for each host that authenticates through the captive portal.
Authentication: sets the authentication method:
  o No authentication
  o Local user manager
  o RADIUS
HTTPS: use the HTTPS fields to load a certificate and key if you wish the captive portal to use HTTPS. The login form sends credentials over this connection, so enable it whenever authentication is used.
Portal page contents: use this setting to upload the HTML for the splash page.
Logout page contents: used to customize the logout popup, if enabled.
Pass-through MAC: this section allows you to add MAC addresses that can bypass the captive portal altogether. A MAC address is trivially cloned, so anyone who learns a listed address can bypass the portal; use this for devices you control, not as an authentication mechanism.
Allowed IP addresses: adding addresses to this list will allow those addresses to be reached by unauthenticated wireless users.
Allowed hostnames: the same as allowed IPs, but for DNS names.
Vouchers: for captive portals using authentication, the voucher system generates codes that can be used to grant time-limited access through the captive portal without a username and password.
File manager: use this section to upload any images or other resources that will be used in the captive portal page. Only files uploaded through this system will be accessible from the captive portal. The uploaded version will have the prefix captiveportal- (logo.jpg will become captiveportal-logo.jpg).

Captive portal status

The captive portal status window shows the currently active sessions on the wireless network. All sessions will have a username of unauthenticated when the portal is not using authentication. Sessions can be terminated using the delete button on the right of the list.

Traffic Graphs

The traffic graph offers a real-time look at upstream and downstream traffic.

RRD Graphs

RRD graphs provide longer term statistics, not only of bandwidth usage but of many other system statistics as well. RRD graphs average shorter time samples into larger ones, allowing them to keep statistics going back years. In addition to recording network bandwidth usage, the RRD graphs also track CPU and memory usage, state table statistics, and captive portal utilization. The captive portal graphs show both the number of currently logged in users and the total number of users that have logged in for a given time period. This can be very helpful in tracking overall usage trends, however the averaging on the longer term graphs may lead to results that aren't quite what the State is asking for.

Stat collection

The features for recording long term usage statistics are not quite ideal given the requirements set out by the state. Recording the number of sessions that the captive portal authenticates is possible out of the box. There are two places where this session data can be located. The first is Status > Captive portal, which shows the current active sessions. Secondly, captive portal activity is logged in Status > System logs > Portal Auth. This log file is rotated frequently, so if you're planning to pull statistics from it, it would be best to set up a syslog server. pfsense's syslog settings are set in Status > System logs > Settings. The collection methods in this document focus on using the session table.

Collecting session stats

Assuming your timeouts are set long enough so that sessions from the beginning of the day will not time out before closing, the captive portal DB should contain every session started that day. The number of daily users can then be recorded from the captive portal status page. The drawbacks to using the captive portal status page as a data source are that it would have to be done manually, late in the day. Also, any changes to the portal configuration while it's up will clear the current session DB, spoiling your data collection for that day.

Automated stat collection

This section contains scripts and sections of code that are designed to work with pfsense version 2.0.3; later versions may require modification. It is possible to automate the recording of the total number of sessions.
This snippet of PHP code will return the number of active sessions on the captive portal (the | between the two file() flags, lost in the original, has been restored):

    <?php
    // Count active captive portal sessions (pfsense 2.0.x flat-file session DB).
    require("captiveportal.inc");

    if (file_exists("{$g['vardb_path']}/captiveportal.db")) {
        // Take the same lock the portal uses so a half-written file is not read.
        $captiveportallck = lock('captiveportaldb');
        $cpcontents = file("{$g['vardb_path']}/captiveportal.db",
                           FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        unlock($captiveportallck);
    } else {
        $cpcontents = array();
    }

    // One line per session, so the line count is the concurrent session count.
    $concurrent = count($cpcontents);
    echo $concurrent;
    ?>

Save this to a PHP file in /usr/local/www and it will be accessible remotely. Note that pages under /usr/local/www are only protected by the webConfigurator login when they include guiconfig.inc, which this one does not, so it is served without authentication: restrict the webConfigurator port to the recording server with a firewall rule rather than leaving this count readable by anyone, including captive portal clients. This method still won't be able to count captive portal sessions that were cleared due to a restart or a change in the captive portal's settings.

Automated stat reporting

A convenient method for collecting these daily session statistics is to store them in a database. A table with three fields is necessary: an ID, a timestamp field which defaults to the current time, and an integer field that will record the quantity of sessions. Schedule the recording server to run the following PHP script after closing. The original used the mysql_* functions, which no longer exist in PHP 7; the version below uses PDO with a prepared statement instead and checks that the fetched value is a number before storing it:

    <?php
    // Fetch the session count from the pfsense box and store it with a timestamp.
    $con = new PDO("mysql:host=dbhost;dbname=statdatabase", "dbuser", "dbpassword",
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

    // The count page from the previous section is served without authentication;
    // only this host should be allowed through the pfsense firewall to reach it.
    $body = file_get_contents('http://pfsense.host/statoutputmethod.php');
    if ($body === false || !ctype_digit(trim($body))) {
        die('did not get a session count from pfsense');
    }

    // Bound as an integer parameter, never spliced into the SQL string.
    $stmt = $con->prepare("INSERT INTO `sessioncounttable` (`quantity`) VALUES (:q)");
    $stmt->bindValue(':q', (int)trim($body), PDO::PARAM_INT);
    $stmt->execute();
    echo 'It worked!';
    ?>

Packages

A number of packages exist that can be installed to enhance the functionality of pfsense. They are located in System > Packages. I haven't tried any of them in production, and they are marked as being in alpha or beta status, so use at your own risk. Some of the more interesting ones include:

Mailreport: sends more detailed mail notifications.
NRPE v2: Nagios monitoring plugin, useful if Nagios is used to monitor systems on your network.
Open-VM-Tools: VMware tools for FreeBSD.
pfflowd: converts packet filter state messages to Cisco NetFlow datagrams. Could be useful in finding hosts that consume high levels of bandwidth.
Darkstat: offers per-host network monitoring.
Anyterm: web based terminal access.
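The Stat collection section above notes that the session table is wiped by a portal restart or configuration change, and suggests a syslog server as the alternative source. As an added example (not code from the original guide or from pfsense), the script below runs on the recording server and counts logins per day from forwarded portal auth lines, which survive those resets because each ACCEPT is written at login time. The line format assumed here, "logportalauth[pid]: STATUS: user, mac, ip", is what pfsense 2.0.x's logportalauth() emits to the best of this example's author's knowledge, wrapped in a conventional syslog timestamp and hostname; confirm it against your own log before relying on it. The sample lines are constructed, not captured traffic.

```python
"""Added example: daily captive portal login counts from syslog-forwarded
portal auth lines. Message format is assumed (see lead-in); sample lines are
constructed."""
import re
from collections import defaultdict

# Assumed line shape: "Mon DD HH:MM:SS host logportalauth[pid]: STATUS: user, mac, ip"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) logportalauth\[\d+\]: (?P<status>[A-Z ]+?): "
    r"(?P<user>[^,]*), (?P<mac>[0-9a-f:]{17}), (?P<ip>[\d.]+)"
)

# Constructed sample: two days, one device that times out and logs in again,
# and one failed login that must not be counted.
SAMPLE_LOG = """\
Jul 11 09:02:11 pfsense logportalauth[48213]: ACCEPT: unauthenticated, 00:11:22:33:44:55, 192.168.2.20
Jul 11 09:05:40 pfsense logportalauth[48213]: ACCEPT: unauthenticated, 66:77:88:99:aa:bb, 192.168.2.21
Jul 11 12:30:02 pfsense logportalauth[48213]: TIMEOUT: unauthenticated, 00:11:22:33:44:55, 192.168.2.20
Jul 11 12:31:15 pfsense logportalauth[48213]: ACCEPT: unauthenticated, 00:11:22:33:44:55, 192.168.2.20
Jul 11 13:00:00 pfsense logportalauth[48213]: FAILURE: jsmith, cc:dd:ee:ff:00:11, 192.168.2.22
Jul 11 13:00:05 pfsense dhcpd[1201]: DHCPACK on 192.168.2.22 to cc:dd:ee:ff:00:11 via em1
Jul 12 10:15:09 pfsense logportalauth[51920]: ACCEPT: unauthenticated, cc:dd:ee:ff:00:11, 192.168.2.22
"""

def parse_portal_log(text):
    """Yield (day, status, user, mac, ip) for each portal auth line; lines from
    other programs (dhcpd etc.) on the same syslog server are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (f"{m['mon']} {m['day']}", m['status'], m['user'], m['mac'], m['ip'])

def daily_counts(text):
    """Per day: number of successful logins and number of distinct devices.

    'sessions' counts every ACCEPT, so a device that times out and logs in
    again is counted twice, which is what the session table would have held
    had it never been cleared. 'devices' counts distinct MACs, which is closer
    to how many people used the wifi. FAILURE/TIMEOUT lines are not counted."""
    sessions = defaultdict(int)
    devices = defaultdict(set)
    for day, status, _user, mac, _ip in parse_portal_log(text):
        if status == "ACCEPT":
            sessions[day] += 1
            devices[day].add(mac)
    return {day: {"sessions": sessions[day], "devices": len(devices[day])}
            for day in sessions}

if __name__ == "__main__":
    for day, stats in sorted(daily_counts(SAMPLE_LOG).items()):
        print(day, stats)
```

Run it against the file your syslog server writes for the pfsense host (for example by reading it instead of SAMPLE_LOG); the per-day dictionary is what the reporting script above would insert, with the MAC-based figure being the more defensible "users" number.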