
User-Based Filtering Using OPNsense Captive Portal

Today most organizations, such as cafes, bars, restaurants, hotels and clinics, provide their customers with free Internet access; in some sectors a business that does not offer its clients an Internet service is considered to have a major deficiency. Small businesses and enterprises also generally allow their guests or employees to use wireless Internet on their premises. Since guests, customers and employees connect to these networks with their own devices, this poses significant cyber security risks for both the clients and the company IT infrastructure. To minimize the risks of providing free Internet access to guests, administrators should take some precautions.

It is strongly recommended that guest networks be physically or logically isolated, through network segmentation, from the private internal networks where critical business data is kept.

Another crucial issue to take into consideration is anonymous access to guest networks. Clients should be able to reach the Internet only after authentication succeeds.

Lastly, network security teams are responsible not only for protecting the corporate network from the guests but also for protecting the guests from cyber threats.

Your company's guests or customers may request Internet access, and you may also need to require your employees to authenticate before they are granted access to the corporate network.

The OPNsense firewall provides an easy-to-use and powerful Captive Portal solution. You can easily separate your guest network from your corporate network, physically or logically, using your OPNsense firewall. It also lets you use a variety of authentication mechanisms, such as the local database, Vouchers, LDAP or RADIUS, for connecting users to the network. Most importantly, you can protect all clients in your networks against cyber threats such as phishing or malware by enabling the web content filtering and application control provided by the Zenarmor (Sensei) plugin developed by Sunny Valley Networks. Additionally, Zenarmor (Sensei), one of the best OPNsense plugins, allows you to define user-based filtering rules using the captive portal to protect your users.

For username resolution, Zenarmor supports Active Directory and OPNsense Captive Portal. If you have an Active Directory, you can integrate it with Zenarmor to obtain information about user logins and groups. Policies can be defined for AD groups and users. Please see the Active Directory Integration Guide for more information on how to integrate AD with Zenarmor.

If your OPNsense Captive portal is operational, Zenarmor can obtain username information from it as well.

note

To take advantage of user-based filtering, you must upgrade to one of the premium editions. You must also have a Business Edition if you want AD integration.

In this guide, we explain step by step how to configure user-based filtering on Zenarmor using OPNsense Captive Portal users. We assume that you have already installed the Zenarmor plugin and configured the Captive Portal on your OPNsense.

note

For more information about configuring the Captive Portal on OPNsense, please refer to the How to Configure Captive Portal on OPNsense tutorial. You may also learn more about Zenarmor plugin installation in the official documentation.

tip

Zenarmor also supports the OPNsense voucher authentication system, so you may define user-based filtering using vouchers on your OPNsense too.

Selecting the Interfaces To Protect by Zenarmor

To protect the guest network with the next-generation firewall capabilities of Zenarmor, follow the steps given below.

  • Navigate to the Zenarmor → Configuration → General tab → Interfaces Selection.


Figure 1. General configuration of Zenarmor

  • Move the interfaces that you wish to protect, such as GUESTNET under the Available Interfaces list to the Protected Interfaces by clicking on the double right arrow icon.


Figure 2. Selecting the Interfaces to protect by Zenarmor

  • Click the Save Changes button at the bottom of the page to apply the changes.

Creating Local Users and User Groups

OPNsense allows you to use centralized authentication servers such as RADIUS or LDAP for user authentication. In this guide, we will configure the OPNsense local database for user access control. To add a local user group and a local user, follow the steps below.

  • Navigate to the System → Access → Groups to add a user group.
  • Click + icon at the upper right corner of the page.
  • Enter Group name, such as guests.
  • Enter a description of the group in the Description field.
  • You should not assign any privilege to the guest user group.
  • Click Save to activate the settings.


Figure 3. Adding a local user group on OPNsense

  • Navigate to the System → Access → Users to add a user.
  • Click + icon at the upper right corner of the page.
  • Set the User name, such as guest1.
  • Set the Password for the user.
  • Set the user group memberships by selecting the newly created guests group.
  • You may leave other settings as default or set as you wish.
  • Click Save and go back at the bottom of the page to activate the settings.


Figure 4. Adding local users on OPNsense

User-Based Filtering Using OPNsense Captive Portal

After you have assigned the guest network interface, in our case GUESTNET, to the Zenarmor protected interfaces, your guests will be protected from cyber threats in accordance with the Zenarmor policies that you have defined.

Let's assume that your boss's family is visiting him at his office today and they want Wi-Fi Internet access using their own devices. Therefore, you need to create two accounts, such as boss_wife and boss_kids, on your OPNsense firewall to let them access the GUESTNET through the captive portal.

note

We're assuming you already have a Captive Portal set up with local database authentication enabled.

You have swiftly created the user accounts following the instructions above and given them Internet access. However, a few minutes later, your boss calls to say that the kids can't watch animation videos on YouTube and that his wife can't reach the shopping sites, even though they can browse the rest of the Internet without issue.

For troubleshooting purposes, you navigate to Zenarmor → Reports → Blocks and click on the Live Blocked Sessions Explorer. You notice that the boss's family is being blocked by the Default policy of your Zenarmor engine. The boss's wife is blocked because the Online Shopping application category is not allowed in the company network. Likewise, since the Media Streaming application category is not allowed, the kids can't watch YouTube videos.


Figure 5. Online shopping category is not allowed by Zenarmor policy


Figure 6. Media Streaming category is not allowed by Zenarmor policy

Now, you may solve the issue by defining a user-based policy on Zenarmor for the boss's family, without allowing other users to access the Media Streaming and Online Shopping categories.

To create a user-based policy you may follow the instructions given below.

  1. Navigate to Zenarmor → Policies on the OPNsense Web UI.

Figure 7. Adding new policy on Zenarmor

  2. Click the Add New Policy button. This will start the wizard.
  3. Enter the Policy Name, such as Boss_Family.
  4. Select the related interface, such as GUESTNET.
  5. Fill in the Users field with the related account name, such as boss_wife, and click the + Add button.
  6. Fill in the Users field with the related account name, such as boss_kids, and click the + Add button.

tip

Zenarmor also allows you to define a user-based policy using OPNsense local user groups. For this example, you may create a user group, such as family, for the boss's wife and kids accounts. Then, instead of setting the Users field in steps 5-6 above, add family to the Groups field.

  7. You may leave the other options at their defaults.
  8. You may create a time schedule for the policy if you wish.

Figure 8. Defining user-based policy on Zenarmor

  9. Click Next: Security Rules at the bottom right of the page to proceed with the wizard.
  10. You may enable all options available for Essential Security and Advanced Security on the Security Rules Configuration page.

Figure 9. Security Rules Configuration on Zenarmor

  11. Click Next: Application Controls at the bottom right of the page to proceed with the wizard.
  12. On the Application Rules Configuration page you only need to allow the Media Streaming and Online Shopping categories to solve the issues your boss's family encountered. You may keep all other settings the same as in the Default policy or a policy you defined before.

Figure 10. Application Control Configuration on Zenarmor

  13. Click Next: Web Controls at the bottom right of the page to proceed with the wizard.
  14. On the Web Rules Configuration page you may keep all settings the same as in the Default policy or a policy you defined before. For example, you may select the High Control profile or define a custom profile.

Figure 11. Web Control Configuration on Zenarmor

  15. Click Next: Exclusions at the bottom right of the page to proceed with the wizard.
  16. For this example we do not need to define any exclusion, so click Save Changes & Finish at the bottom right of the page.


Figure 12. Zenarmor policy list

Configuration of user-based filtering on Zenarmor is now complete. You may test the YouTube and Online Shopping connections for the boss_wife and boss_kids accounts on your guest network.

Verification of the User-Based Filtering Configuration

After completing the user-based filtering configuration for the users boss_wife and boss_kids, you may ask the boss's wife to try connecting to an online shopping site. For troubleshooting purposes, you may follow the tasks given below.

To check the captive portal sessions, navigate to Services → Captive Portal → Sessions. You should see that boss_wife is connected to the guest network, similar to the figure below.


Figure 13. Checking the captive portal session status for the boss_wife user

To view the active connections on Zenarmor,

  • Navigate to the Zenarmor → Reports → Connections tab.
  • Click on the Live Sessions Explorer.
  • Filter by App Category.
  • Enter Online Shopping in the search field.
  • Click Search.

This will display the live connections in the Online Shopping application category. You should be able to see that they are permitted by the Boss_Family policy, similar to the figure below.


Figure 14. Viewing the live connections filtered by Online Shopping application category

Now, you may ask the boss's kids to try watching a video on YouTube. For troubleshooting purposes, you may follow the tasks given below.

To check the captive portal sessions, navigate to Services → Captive Portal → Sessions. You should see that boss_kids is connected to the guest network, similar to the figure below.


Figure 15. Checking the captive portal session status for the boss_kids user

To view the active connections on Zenarmor,

  • Navigate to the Zenarmor → Reports → Connections tab.
  • Click on the Live Sessions Explorer.
  • Filter by App Category.
  • Enter Media Streaming in the search field.
  • Click Search.

This will display the live connections in the Media Streaming application category. You should be able to see that they are permitted by the Boss_Family policy, similar to the figure below.


Figure 16. Viewing the live connections filtered by Media Streaming application category

tip

Although the connections in this example are blocked by application control, they might also be blocked by the web control policy. In such cases, you must redefine your web control rules according to your requirements.

Lastly, you may check whether other guest network users can access the online shopping sites and YouTube. To do this, you may connect to the guest network with your own test account or ask one of the guests to try to access the related websites.

For example, a voucher user, hMCGe2b9, is connected to the guest network and tries to access online shopping sites and YouTube.


Figure 17. Checking the active captive portal sessions

Then, you may view the blocked connections by navigating to Zenarmor → Reports → Blocks and clicking on the Live Blocked Sessions Explorer.

You should see that both the Media Streaming and Online Shopping application categories are blocked by the Default policy, similar to the figures given below.


Figure 18. Online Shopping application category is blocked by the Default policy


Figure 19. Media Streaming application category is blocked by the Default policy
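The verification results above (boss_wife and boss_kids permitted by Boss_Family, the voucher user hMCGe2b9 and any unauthenticated client falling through to the Default policy) follow from one decision flow: the captive portal session table resolves a client IP to a username, and the first policy whose user or group list matches that username wins, with the catch-all Default policy evaluated last. The following Python model, added here as an illustration and not Zenarmor's own engine code or API, walks through that flow for the accounts, group, interface and categories used in this guide. The session table, the IP addresses, the Gambling category and all function names are constructed assumptions for the example.

```python
"""Constructed model of user-based policy selection on a captive portal network.

Added example: this is NOT Zenarmor's engine code. It only models the decision
flow described in the guide so the expected verification results can be reasoned
about offline. Account names, the family group, GUESTNET and the voucher code
come from the guide; IPs, the session table and the Gambling category are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    interface: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    blocked_categories: set = field(default_factory=set)

    def is_user_scoped(self):
        # A policy with no users and no groups applies to every client.
        return bool(self.users or self.groups)


# Constructed captive portal session table (Services > Captive Portal > Sessions):
# client IP -> authenticated username. Voucher logins show the voucher code.
SESSIONS = {
    "10.10.1.20": "boss_wife",
    "10.10.1.21": "boss_kids",
    "10.10.1.30": "hMCGe2b9",  # voucher user from the verification section
}

# Constructed OPNsense local group membership (System > Access > Groups).
GROUPS = {"family": {"boss_wife", "boss_kids"}}

# Policy order matters: user-scoped policies must precede the catch-all Default.
# Boss_Family keeps Default's other blocks but lifts the two categories in question.
POLICIES = [
    Policy("Boss_Family", "GUESTNET", groups={"family"},
           blocked_categories={"Gambling"}),
    Policy("Default", "GUESTNET",
           blocked_categories={"Gambling", "Media Streaming", "Online Shopping"}),
]


def resolve_user(src_ip, sessions=SESSIONS):
    """Map a client IP to a username; None means no captive portal session."""
    return sessions.get(src_ip)


def user_matches(policy, user, groups=GROUPS):
    """True if the user is listed directly or via one of the policy's groups."""
    if user is None:
        return False
    if user in policy.users:
        return True
    return any(user in groups.get(g, set()) for g in policy.groups)


def select_policy(src_ip, interface, policies=POLICIES):
    """Return the first policy on this interface that applies to the client."""
    user = resolve_user(src_ip)
    for policy in policies:
        if policy.interface != interface:
            continue
        if not policy.is_user_scoped() or user_matches(policy, user):
            return policy
    return None


def evaluate(src_ip, interface, app_category):
    """Return ('allow'|'block', policy_name) for one connection attempt."""
    policy = select_policy(src_ip, interface)
    if policy is None:
        return ("block", None)  # no policy covers this interface at all
    if app_category in policy.blocked_categories:
        return ("block", policy.name)
    return ("allow", policy.name)


def catch_all_is_last(policies=POLICIES):
    """Sanity check: a catch-all policy placed early shadows every user policy."""
    unscoped = [i for i, p in enumerate(policies) if not p.is_user_scoped()]
    return unscoped == [] or unscoped[-1] == len(policies) - 1


if __name__ == "__main__":
    checks = [("10.10.1.20", "Online Shopping"), ("10.10.1.21", "Media Streaming"),
              ("10.10.1.30", "Online Shopping"), ("10.10.1.99", "Media Streaming")]
    for ip, category in checks:
        verdict, by = evaluate(ip, "GUESTNET", category)
        print(f"{ip:12} {resolve_user(ip) or '(unauthenticated)':18} {category:16} -> {verdict} by {by}")
    print("policy order ok:", catch_all_is_last())
```

The unauthenticated client (10.10.1.99) is the case worth noting: with no session entry it cannot match any user-scoped policy, so it lands on Default, which is exactly the behaviour the guide relies on to keep other guests blocked. It also shows why the guide has you confirm the captive portal session first; if the session table is stale, the username resolution, and therefore the chosen policy, is wrong.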