PHP, MySQL and pfSense - System that gives user access to internet

Associate | Joined: 16 Nov 2011 | Posts: 1,000 | Location: 127.0.0.1
Hi, I am wanting to create a system for a local network where the user has to be logged into a system to have access to the internet. I know this is possible, but I am unsure how to go about creating it.

What I want is, when someone connects to the network (via Ethernet), whatever website they try to go to will redirect them to my PHP site, where they will have to register and stay logged in to have access to the internet. So they will be forced to have a tab of my system open at all times.

The router software that I am using is pfSense.

Thanks in advance.
 
Associate | Joined: 4 May 2011 | Posts: 1,065
Not familiar with pfSense so can't be too specific, but in general terms, it would work like this:
User connects to router and tries to connect
pfSense checks with your PHP/MySQL site if the user is logged in
Your PHP/MySQL checks if the user is logged in and has refreshed the page in the last 2 minutes (for example)
If they are, router allows access
If they are not, it redirects their request to your PHP/MySQL login page
They log in and it sets up a page that automatically refreshes every 1 minute. Whenever it refreshes, the PHP site records it

That said, the normal way to do this would be to have the router check once, and then allow the user access for, say, 30 minutes, and then check again, rather than every time they access a webpage. If there's a specific reason you want them to have a tab open then fair enough, but if not, you may be better off having longer sessions.
 
Associate (OP) | Joined: 16 Nov 2011 | Posts: 1,000 | Location: 127.0.0.1

I don't need the user to have the site open all the time; I could have the session time last 30 minutes or so and the webpage automatically refresh every 10 minutes or so. So while the user could close it down, it's a lot easier to just keep it open.
 
Associate | Joined: 4 May 2011 | Posts: 1,065
Nothing wrong with that approach, but just as a suggestion, what you could do is use sessions/cookies on your PHP site, so that when a user is redirected, it automatically logs them on (if they already have a session with the PHP script) and then redirects them to where they were trying to go.

So basically, the user would try to visit a page, get redirected to the PHP script and (assuming a valid user) immediately be redirected to where they wanted to go. Users without a session will get the login page. That way the user only needs to go to your PHP site and log on when their session has expired. Obviously you can control how long a session lasts for between forced log-ins. It depends if you want this to be seamless for the user. If you want them to have a "You have been logged on for x minutes" tab open somewhere for example, then your way is fine.
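
Putting the two replies above together (the heartbeat design from the earlier reply, where the page refreshes every minute and the site records it, and the cookie auto-login with redirect suggested here), the following is an added example written for this page; it is not code from the thread, from the poster's site or from pfSense. It uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs offline; the table names, the 2-minute idle and 30-minute session limits, and the sample user are this example's own assumptions. Two things the thread does not spell out are built in: the session is bound to the client IP that logged in, so a copied cookie cannot keep a different machine online, and the redirect target is validated so the login page cannot be used as an open redirect.

```php
<?php
// Added example (not from the thread): minimal captive-portal back end in PHP.
// SQLite in memory stands in for the MySQL database the thread talks about;
// swap the DSN for mysql: in a real deployment. Table and column names are
// this example's own choice.
declare(strict_types=1);

const IDLE_LIMIT = 120;      // seconds: the "refreshed in the last 2 minutes" rule
const SESSION_LIMIT = 1800;  // seconds: the 30-minute session suggested in the thread

function portal_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE sessions (
        token TEXT PRIMARY KEY, username TEXT NOT NULL, client_ip TEXT NOT NULL,
        last_seen INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

function register(PDO $db, string $user, string $pass): void
{
    $st = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Returns a session token to store in the browser cookie, or null on bad credentials.
function login(PDO $db, string $user, string $pass, string $ip, int $now): ?string
{
    $st = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // unguessable; never derived from username or IP
    $st = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?, ?)');
    $st->execute([$token, $user, $ip, $now, $now + SESSION_LIMIT]);
    return $token;
}

// Called by the auto-refreshing page. The IP must match the one that logged in,
// so a token copied to another machine cannot keep that machine online.
function heartbeat(PDO $db, string $token, string $ip, int $now): bool
{
    $st = $db->prepare('UPDATE sessions SET last_seen = ?
        WHERE token = ? AND client_ip = ? AND expires > ?');
    $st->execute([$now, $token, $ip, $now]);
    return $st->rowCount() === 1;
}

// The "is this client allowed out?" check, keyed on source IP because that is
// all the router knows about the client.
function is_authorised(PDO $db, string $ip, int $now): bool
{
    $st = $db->prepare('SELECT 1 FROM sessions
        WHERE client_ip = ? AND last_seen > ? AND expires > ? LIMIT 1');
    $st->execute([$ip, $now - IDLE_LIMIT, $now]);
    return $st->fetchColumn() !== false;
}

// Only send users back to absolute http/https URLs; anything else (javascript:,
// data:, scheme-relative //evil.example) falls back to the portal's own home page.
function safe_redirect(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '/';
    }
    return $url;
}

// Page the router redirects every client to: a client with a live session is
// bounced straight back where it was going, anyone else gets the login page.
function portal_entry(PDO $db, ?string $cookieToken, string $ip, string $redirurl, int $now): array
{
    if ($cookieToken !== null && heartbeat($db, $cookieToken, $ip, $now)) {
        return ['action' => 'redirect', 'to' => safe_redirect($redirurl)];
    }
    return ['action' => 'login', 'next' => safe_redirect($redirurl)];
}

function demo(): void
{
    $db = portal_db();
    register($db, 'alice', 'correct horse battery staple');   // sample user (constructed)
    $t0 = 1000000;
    $token = login($db, 'alice', 'correct horse battery staple', '10.0.0.5', $t0);
    var_dump($token !== null);                                  // true
    var_dump(is_authorised($db, '10.0.0.5', $t0 + 60));         // true
    var_dump(is_authorised($db, '10.0.0.5', $t0 + 121));        // false: no heartbeat for 2 min
    var_dump(heartbeat($db, $token, '10.0.0.5', $t0 + 121));    // true
    var_dump(is_authorised($db, '10.0.0.5', $t0 + 200));        // true again
    var_dump(heartbeat($db, $token, '10.0.0.99', $t0 + 200));   // false: token from another IP
    var_dump(portal_entry($db, $token, '10.0.0.5', 'javascript:alert(1)', $t0 + 210)['to']);      // "/"
    var_dump(portal_entry($db, $token, '10.0.0.5', 'http://example.com/', $t0 + 1801)['action']); // "login"
}

demo();
```

In the real site, the token that `login()` returns goes into an HttpOnly cookie (Secure as well if the portal is served over HTTPS), `heartbeat()` sits behind the URL the auto-refreshing page requests, `portal_entry()` is the page the router redirects to, and `is_authorised()` is what the router-side check would call with the client's source address. A heartbeat arriving from a different address than the one that logged in is rejected rather than moving the session to the new address.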
 
Associate (OP) | Joined: 16 Nov 2011 | Posts: 1,000 | Location: 127.0.0.1

Thanks for the advice, but I was hoping for more technical details on how to actually go about blocking, allowing and redirecting users.
 
Soldato | Joined: 23 Feb 2009 | Posts: 4,976 | Location: South Wirral
I don't know pfSense, but the way I'd go about this would be via the MAC address filtering in the router - only allow PCs with "registered" MAC addresses access to the internet.

Via a web page you can discover the PC's MAC address on the server side by fetching its IP address from the HTTP header and then performing a DHCP lease query (also known as DHCP Option 82) to get the MAC address. Once you've got that, you need some means of adding it to pfSense's list of "registered" MAC addresses.

I'd put in some kind of timeout logic rather than force them to stay on a web page, e.g. expire every 'X' hours unless re-registered via the page.
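
As an added example for the IP-to-MAC step described above (written for this page, not code from the thread): pfSense's DHCP server is ISC dhcpd, which records every lease in a plain-text file (on pfSense it lives at /var/dhcpd/var/db/dhcpd.leases; the path is an assumption here). This example parses that file directly rather than making a DHCP lease query over the network, takes the client's address from the TCP connection (`$_SERVER['REMOTE_ADDR']`) rather than from a request header, because the client controls headers such as X-Forwarded-For, and keeps a MAC allow list with the timeout the reply suggests. The lease text in `demo()` is constructed sample data, and the allow list is a plain in-memory array; pushing entries into pfSense's own allow list is not shown.

```php
<?php
// Added example (not from the thread): resolve a client's IP to its MAC by
// reading the ISC dhcpd leases file that pfSense's DHCP server writes, then
// keep a MAC allow list with a timeout. The path and the allow-list shape are
// this example's assumptions.
declare(strict_types=1);

const LEASES_FILE = '/var/dhcpd/var/db/dhcpd.leases';   // pfSense default (assumption)

// dhcpd.leases is append-only: the LAST block for an IP is the current state.
// Returns [ip => ['mac' => ..., 'ends' => unix time]] for active leases only.
function parse_leases(string $text): array
{
    $leases = [];
    preg_match_all('/^lease\s+(\S+)\s*\{(.*?)^\}/ms', $text, $blocks, PREG_SET_ORDER);
    foreach ($blocks as [$all, $ip, $body]) {
        if (!preg_match('/^\s*binding state active;/m', $body)) {
            unset($leases[$ip]);          // a later free/expired block supersedes
            continue;
        }
        if (!preg_match('/^\s*hardware ethernet ([0-9a-f:]{17});/mi', $body, $hw)) {
            continue;
        }
        $ends = PHP_INT_MAX;              // "ends never;" for infinite leases
        if (preg_match('/^\s*ends \d (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2});/m', $body, $e)) {
            // dhcpd writes lease times in UTC
            $ends = (int) DateTime::createFromFormat('Y/m/d H:i:s', $e[1], new DateTimeZone('UTC'))->format('U');
        }
        $leases[$ip] = ['mac' => strtolower($hw[1]), 'ends' => $ends];
    }
    return $leases;
}

// MAC for an IP, or null if there is no live lease (released or expired).
function client_mac(array $leases, string $ip, int $now): ?string
{
    if (!isset($leases[$ip]) || $leases[$ip]['ends'] <= $now) {
        return null;
    }
    return $leases[$ip]['mac'];
}

// In the web request: REMOTE_ADDR is the TCP peer, which the client cannot
// spoof the way it can spoof an X-Forwarded-For header.
function request_client_mac(int $now): ?string
{
    $text = @file_get_contents(LEASES_FILE);
    if ($text === false || !isset($_SERVER['REMOTE_ADDR'])) {
        return null;
    }
    return client_mac(parse_leases($text), $_SERVER['REMOTE_ADDR'], $now);
}

// Allow list: mac => expiry time. Re-registering via the page extends it.
function allow_mac(array &$allow, string $mac, int $now, int $ttl): void
{
    $allow[strtolower($mac)] = $now + $ttl;
}

// Drop expired entries and return the MACs still allowed.
function active_macs(array &$allow, int $now): array
{
    foreach ($allow as $mac => $expires) {
        if ($expires <= $now) {
            unset($allow[$mac]);
        }
    }
    return array_keys($allow);
}

function demo(): void
{
    // Constructed sample in dhcpd.leases format (not a real capture).
    $sample = <<<LEASES
lease 10.0.0.5 {
  starts 4 2012/03/01 10:00:00;
  ends 4 2012/03/01 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-pc";
}
lease 10.0.0.6 {
  starts 4 2012/03/01 10:05:00;
  ends 4 2012/03/01 12:05:00;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:FF;
}
lease 10.0.0.6 {
  starts 4 2012/03/01 10:05:00;
  ends 4 2012/03/01 10:30:00;
  binding state free;
  hardware ethernet AA:BB:CC:DD:EE:FF;
}
LEASES;
    $leases = parse_leases($sample);
    $now = gmmktime(11, 0, 0, 3, 1, 2012);
    var_dump(client_mac($leases, '10.0.0.5', $now));             // "00:11:22:33:44:55"
    var_dump(client_mac($leases, '10.0.0.6', $now));             // NULL: lease released
    var_dump(client_mac($leases, '10.0.0.5', $now + 2 * 3600));  // NULL: lease expired

    $allow = [];
    allow_mac($allow, '00:11:22:33:44:55', $now, 4 * 3600);
    var_dump(active_macs($allow, $now + 3600));                   // ["00:11:22:33:44:55"]
    var_dump(active_macs($allow, $now + 5 * 3600));               // []
}

demo();
```

The web server reading the leases file needs read access to it, so on pfSense this means the PHP site runs on the firewall itself or the file is copied over; either way, a lease that has been released or has expired yields no MAC, which is the right failure mode, since the IP may already belong to another machine.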
 
Associate (OP) | Joined: 16 Nov 2011 | Posts: 1,000 | Location: 127.0.0.1
Quote: How many 'users' are we talking about here?

Not that many, about 20 or so; it's for a LAN event.


The main purpose of allowing access to the internet via the system is to force all users to have the system open in a tab. It's for a LAN event, so it's not like an everyday thing.

But I do think the best way to do it would be for the PHP system to refresh every now and again and for the server to get the IP address, find out the MAC and then add it to an allow list with a timeout.
 
Associate (OP) | Joined: 16 Nov 2011 | Posts: 1,000 | Location: 127.0.0.1
Quote: 20 users, wouldn't bother.

The reason why I am wanting to do this is to force everyone to have my system open.

I have looked into pfSense a bit more. The first thing that I have found out is that this is called a captive portal. Secondly, with very weak security this is potentially very easy: all I have to do is, when a user is authorised, have PHP send a POST accept message to the pfSense captive portal. Very easily hacked, and while there isn't any real authorisation it gives the appearance of authorisation to the users.
 
Permabanned | Joined: 9 Aug 2008 | Posts: 35,707
Captive Portal

Captive portal allows you to force authentication, or redirection to a click-through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal.

- Maximum concurrent connections - Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
- Idle timeout - Disconnect clients who are idle for more than the defined number of minutes.
- Hard timeout - Force a disconnect of all clients after the defined number of minutes.
- Logon pop up window - Option to pop up a window with a log off button.
- URL Redirection - after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.
- MAC filtering - by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.
- Authentication options - There are three authentication options available.
  - No authentication - This means the user just clicks through your portal page without entering credentials.
  - Local user manager - A local user database can be configured and used for authentication.
  - RADIUS authentication - This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.
- RADIUS capabilities
  - Forced re-authentication
  - Able to send Accounting updates
  - RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client's MAC address as the user name and password.
  - Allows configuration of redundant RADIUS servers.
- HTTP or HTTPS - The portal page can be configured to use either HTTP or HTTPS.
- Pass-through MAC and IP addresses - MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.
- File Manager - This allows you to upload images for use in your portal pages.

Limitations
- "Reverse" portal, i.e. capturing traffic originating from the Internet and entering your network, is not possible.
- Only entire IP and MAC addresses can be excluded from the portal, not individual protocols and ports.

This is the info taken from the pfSense website. It does appear to support it.

 