Php, MySQL and PFSense - System that gives user access to internet

Associate
Joined
16 Nov 2011
Posts
1,000
Location
127.0.0.1
Hi, I am wanting to create a system for a local network where the user has to be logged into a system to have access to the internet. I know this is possible, but I am unsure on how to go about creating it.

What I want is, when someone connects to the network (via Ethernet), whatever website they try to go to will redirect them to my php site, where they will have to register and stay logged into in order to have access to the internet. So they will be forced to have a tab of my system open at all times.

The router software that I am using is PFSense.

Thanks in advance.
 
Associate
OP
Joined
16 Nov 2011
Posts
1,000
Location
127.0.0.1
Not familiar with PFSense so can't be too specific, but in general terms, it would work like this:
User connects to router and tries to connect
PFSense checks with your PHP/MySql site if the user is logged in
Your PHP/MySql checks if the user is logged in and has refreshed page in last 2 minutes (For example)
If they are, router allows access
If they are not, it redirects their request to your PHP/MySql login page
They login and it sets up a page that automatically refreshes every 1 minute. Whenever it refreshes, the php site records it

That said, the normal way to do this would be to have the router check once, and then allow the user access for, say, 30 minutes, and then check again, rather than every time they access a webpage. If there's a specific reason you want them to have a tab open then fair enough, but if not, you may be better off having longer sessions.

Don't need the user to have the site open all the time, I could have the session time last like 30 minutes and the webpage automatically refresh every like 10 minutes. So while the user could close it down, it's a lot easier to just keep it open.
 
Associate
OP
Joined
16 Nov 2011
Posts
1,000
Location
127.0.0.1
Nothing wrong with that approach, but just as a suggestion, what you could do is use sessions/cookies on your php site, so that when a user is redirected, it automatically logs them on (If they already have a session with the php script) and then redirects them to where they were trying to go.

So basically, the user would try to visit a page, get redirected to the php script and (Assuming a valid user) immediately re-directed to where they wanted to go. Users without a session will get the login page. That way the user only needs to go to your PHP site and logon when their session is expired. Obviously you can control how long a session lasts for between forced log-ins. It depends if you want this to be seamless for the user. If you want them to have a "You have been logged on for x minutes" tab open somewhere for example, then your way is fine.

Thanks for the advice, but I was hoping on more technical details on how to actually go about blocking, allowing and redirecting users.
 
Associate
OP
Joined
16 Nov 2011
Posts
1,000
Location
127.0.0.1
How many 'users' are we talking about here?

Not that many, about 20 or so, it's for a LAN event.

I don't know pfsense, but the way I'd go about this would be via the MAC Address filtering in the router - only allow PCs with "registered" mac addresses access to the internet.

Via a web page you can discover the PC's MAC address on the server side by fetching its IP address from the HTTP header and then performing a DHCP lease query (also known as DHCP Option 82) to get the MAC address. Once you've got that, you need some means of adding it to PFSense's list of "registered" mac addresses.

I'd put in some kind of timeout logic rather than force them to stay on a web page e.g. expire every 'X' hours unless re-registered via the page.

The main purpose of allowing access to the internet via the system is to force all users to have the system open in a tab. It's for a LAN event, so it's not like an everyday thing.

But I do think the best way to do it would be for the php system to refresh every now and again and for the server to get the IP address, find out the MAC and then to add it to an allow list with a timeout.
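The refresh-then-allow-with-timeout idea from the post above, sketched as an added example that is not part of the original thread: each authenticated page refresh resolves the client's IP to a MAC and renews a time-limited allow-list entry, and a sweep removes entries that were not renewed. It assumes the PHP host shares a layer-2 segment with the clients so their MACs appear in its ARP table; all function names are hypothetical, the ARP text is constructed sample data, and pushing the resulting list into pfSense is left out because the thread does not describe that interface.

```php
<?php
// Added example; every name here is hypothetical and the ARP text is constructed.
const LEASE_SECONDS = 1800; // 30-minute allowance, renewed by each page refresh

// Constructed sample, assumed to be in the format `arp -an` prints on FreeBSD.
const SAMPLE_ARP = <<<'TXT'
? (192.168.1.23) at 00:1a:2b:3c:4d:5e on em1 expires in 1103 seconds [ethernet]
? (192.168.1.40) at (incomplete) on em1 expired [ethernet]
TXT;

// Resolve a client IP to its MAC from ARP output; null means "do not allow".
function macForIp(string $ip, string $arpText): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // reject anything that is not a plain IPv4 address
    }
    $re = '/\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b/i';
    foreach (explode("\n", $arpText) as $line) {
        if (preg_match($re, $line, $m) === 1 && $m[1] === $ip) {
            return strtolower($m[2]);
        }
    }
    return null; // no entry, or an incomplete one: fail closed
}

// Call only for a request whose PHP session is already authenticated.
function heartbeat(array $allow, string $ip, string $arpText, int $now): array
{
    $mac = macForIp($ip, $arpText);
    if ($mac !== null) {
        $allow[$mac] = $now + LEASE_SECONDS; // add, or push the expiry forward
    }
    return $allow;
}

// Drop every MAC whose allowance has run out.
function sweep(array $allow, int $now): array
{
    return array_filter($allow, fn(int $expiry): bool => $expiry > $now);
}

$t0 = 1700000000; // fixed clock so the run is repeatable
$allow = heartbeat([], '192.168.1.23', SAMPLE_ARP, $t0);     // complete entry
$allow = heartbeat($allow, '192.168.1.40', SAMPLE_ARP, $t0); // incomplete entry
print_r($allow);                                   // list while the lease is live
print_r(sweep($allow, $t0 + LEASE_SECONDS + 1));   // list after it has lapsed
```

In a deployment `$ip` would be taken from `$_SERVER['REMOTE_ADDR']` rather than from any client-supplied header. A MAC address is chosen by the client, so an entry in this list shows only that a device presented a known address, not which user is behind it.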
 
Associate
OP
Joined
16 Nov 2011
Posts
1,000
Location
127.0.0.1
20 users, wouldn't bother.

The reason why I am wanting to do this is to force everyone to have my system open.

I have looked into pfSense a bit more, the first thing that I have found out is that this is called a captive portal. Secondly, with very weak security this is potentially very easy. All I have to do is when a user is authorised, php sends a POST accept message to the pfSense captive portal, very easily hacked and while there isn't any real authorisation it gives the appearance of authorisation to the users.
 