How to Configure Captive Portal on OPNsense?

The captive portal is a network security solution that automates the control and management of user access to public and private networks. Captive portals are commonly used for guest access management in open access networks, which are found in hotels, hospitals, airports, restaurants, and corporate networks. When the captive portal is enabled, access to the Internet is restricted unless the user provides personal information such as e-mail, name, and Social Security number, or authentication via a voucher via a web-based registration form completed in a web browser.

OPNsense is a HardenedBSD-based firewall and routing platform. It is open source, easy to use, and easy to build. OPNsense provides most of the capabilities found in pricey commercial firewalls, plus many more, with the advantages of open and reliable sources. One of the benefits of OPNsense is that it allows network administrators to easily configure a Captive Portal that gives their clients Internet access in a secure way. OPNsense not only allows you to deploy a Captive Portal to provide free Internet access to your guests or employees, but it also protects them from cyber attacks with the help of the Sensei (ZENARMOR) plugin's next-generation firewall capabilities.

We will cover the following topics briefly in this Captive Portal Configuration on OPNsense tutorial.

  • Captive Portal Setup on OPNsense
  • Captive Portal Configuration on OPNsense
  • Using Custom Template for OPNsense Captive Portal
  • Limiting Internet Bandwidth Usage on Guest Network
  • Managing the Voucher System
  • Viewing Captive Portal Sessions on OPNsense
  • What are the Benefits of Configuring the OPNSense Captive Portal?
  • How Does Captive Portal Work in OPNSense?

Captive Portal Setup on OPNsense

As a best practice, to provide free Internet access to your organization's guests, you should implement network segmentation in your infrastructure by isolating the guest network from the private LAN. You can then deploy a captive portal to let the guests access the Internet.

In this tutorial, we will enable and configure a captive portal for a guest network on OPNsense 21.7.2 with at least three network interfaces/zones:

You can set up the Captive Portal on your OPNsense firewall by following the 4 steps below.

Step 1 - Interface Configuration

You can create a new interface for the Guest Network by following the instructions given below.

  • Navigate to Interfaces → Assignments on OPNsense Web UI
  • Enter a descriptive name for the interface, such as GUESTNET, in the Description field
  • Press the + button to add a new interface.

Figure 1. Interface assignment for GuestNetwork on OPNsense

  • Click Save. The new interface will be called GUESTNET.

Figure 2. Saving newly created interfaces on OPNsense

  • Click on GUESTNET in the interfaces list to change its settings.
  • Select Enable Interface.
  • You may select the Block bogon networks option.
  • Select Static IPv4 as IPv4 Configuration Type

Figure 3. Enabling GuestNet interface on OPNsense

  • Set Static IPv4 address such as 172.16.10.1 with netmask 24.
  • Select Auto detect for IPv4 Upstream Gateway

Figure 4. Setting IP address on GuestNet interface on OPNsense

  • Click Save and then Apply changes.

Figure 5. Applying changes

Step 2 - DHCP Server Configuration

You can configure a DHCP server for the Guest Network by following the instructions given below.

  • Navigate to Services → DHCPv4 → [GUESTNET].
  • Enable the DHCP server on the GUESTNET interface
  • Set DHCP pool range, such as from 172.16.10.100 to 172.16.10.200.
  • You may set DNS server.
  • Set Gateway IP address, such as 172.16.10.1 (OPNsense GuestNet interface IP)
  • You may leave other options as default.
  • Click Save

Figure 6. DHCP configuration on OPNsense

Step 3 - Defining the Firewall Rules

You should define the following rules in the given order after navigating to Firewall → Rules.

Allow Accessing DNS Service

Define a rule to allow access to the internal DNS server(s) by following the instructions below.

| Option | Value |
|---|---|
| Action | Pass |
| Interface | GUESTNET |
| Protocol | TCP/UDP |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Destination Port | DNS (53) |
| Category | GuestNet Rules |
| Description | Allow DNS |

Figure 7. Allow DNS Rule-1

  • Select Pass for the allowed rule.

  • Select TCP/UDP for the Protocol.

  • Select the Interface as GUESTNET.

  • Select the source as GUESTNET net. This captures all traffic on the GUESTNET interface bound for the specified destination.

  • Select the destination as GUESTNET address.

  • Select DNS predefined port alias for the destination port.

  • Set GuestNet Rules for Category.

  • Set Allow DNS for Description.

  • Click Save

Figure 8. Allow DNS Rule-2

Allow Captive Portal Login

Define a rule to allow the guest to access the Captive Portal, by following the instructions below.

| Option | Value |
|---|---|
| Action | Pass |
| Interface | GUESTNET |
| Protocol | TCP |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Destination Port | 8000/10000 |
| Category | GuestNet Rules |
| Description | Allow Captive Portal Login |

Figure 9. Allow Captive Portal firewall rule on OPNsense-1

  • Select Pass for the allowed rule.

  • Select TCP for the Protocol.

  • Select the Interface GUESTNET.

  • Select the source GUESTNET net. This captures all traffic on the GUESTNET interface bound for the specified destination.

  • Select the destination as GUESTNET address.

  • Select Other and set from:8000 and to:10000 for the destination port range.

  • Set GuestNet Rules for Category.

  • Set Allow Captive Portal Login for Description

  • Click Save

Figure 10. Allow Captive Portal firewall rule on OPNsense-2

Block LAN Access

Define a rule to block guests from accessing the corporate LAN by following the instructions below.

| Option | Value |
|---|---|
| Action | Block |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | LAN net |
| Category | GuestNet Rules |
| Description | Block LAN Access |

Figure 11. Blocking LAN access from GuestNet on OPNsense-1

  • Select Block for the deny rule.

  • Select any for the Protocol.

  • Select the Interface GUESTNET.

  • Select the source GUESTNET net.

  • Select the destination as LAN net.

  • Set GuestNet Rules for Category.

  • Set Block LAN Access for Description

  • Click Save

Figure 12. Blocking LAN access from GuestNet on OPNsense-2

Block Firewall Access

Define a rule to block guests from accessing the firewall by following the instructions below.

| Option | Value |
|---|---|
| Action | Block |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Category | GuestNet Rules |
| Description | Block Firewall Access |

Figure 13. Blocking Firewall access from GuestNet on OPNsense-1

  • Select Block for the deny rule.

  • Select any for the Protocol.

  • Select the Interface GUESTNET.

  • Select the source GUESTNET net.

  • Select the destination as GUESTNET address.

  • Set GuestNet Rules for Category.

  • Set Block Firewall Access for Description

  • Click Save

Figure 14. Blocking Firewall access from GuestNet on OPNsense-2

Allow Guest Access

Define a rule to allow the guests to access the Internet, by following the instructions below.

| Option | Value |
|---|---|
| Action | Pass |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | any |
| Destination port range | any |
| Category | GuestNet Rules |
| Description | Allow Guest Network |

Figure 15. Allow Guest Network to access the Internet on OPNsense-1

  • Select Pass for the allow rule.

  • Select any for the Protocol.

  • Select the Interface GUESTNET.

  • Select the source GUESTNET net.

  • Select the source port any.

  • Select the destination as any.

  • Select the destination port range as any.

  • Set GuestNet Rules for Category.

  • Set Allow Guest Network for Description

  • Click Save

Figure 16. Allow Guest Network to access the Internet on OPNsense-2

You may need to reorder the newly created firewall rules for the GUESTNET interface. The rule list should be similar to the figure given below. Then, you must click Apply changes to activate the rules.

Figure 17. Firewall rules for GuestNet on OPNsense

Step 4 - Captive Portal Creation

You can create a Captive Portal for the Guest Network by following the instructions given below.

  • Navigate to Services → Captive Portal → Administration.

Figure 18. Creating Captive Portal on OPNsense

  • Press the + in the lower right corner of the form to add a new Zone.

Figure 19. Setting Zone for Captive Portal on OPNsense-1

  • Enable the zone.
  • Set Interfaces as GUESTNET. (Unselect the LAN)
  • You may leave Authenticate using blank if no authentication is needed. (Remove any default setting.)
  • Set Idle timeout to 0.
  • Set Hard timeout to 0.
  • Uncheck Concurrent user logins so that a user may only log in once.
  • You may select Web GUI TLS certificate for HTTPS or leave SSL certificate as none to use plain HTTP.
  • You may leave Custom template as none to use the default template.
  • Enter a description of the zone such as Guest Network in the Description field.
  • You may leave other options as default.
  • Click Save.
  • Click Apply.

Figure 20. Setting Zone for Captive Portal on OPNsense-2

Captive Portal installation on OPNsense is completed and ready to use.

Figure 21. Guest Network Captive Portal is created on OPNsense Firewall

Accessing the Internet From the Guest Network

When you connect your device to the guest network and open your favorite browser, you will be redirected to the captive portal splash page, similar to the figure below. Since we did not configure any authentication method in our example above, you can start surfing by clicking the Sign in button without any authentication.

Figure 22. OPNsense Captive Portal default Splash Page without any authentication

info

OPNsense Captive Portal supports a variety of authentication methods, such as local, LDAP, Radius, Vouchers, or a combination of them. It is strongly recommended to use at least one of the authentication methods on Captive Portal. In this tutorial, you can find information about configuring the OPNsense Voucher system in the following section.

Verification of the Captive Portal Firewall Rules

If you can access the Internet from the guest network, the firewall rules that allow GUESTNET to reach the Internet and the DNS server are working. You can also test the blocking rules that deny access to the firewall and the LAN from GUESTNET. To verify these Captive Portal firewall rules, run the following commands from a device connected to the guest network. If your ping requests time out for both the firewall and the LAN, your firewall rules are correct and work properly.

  • Try to ping the firewall GuestNet address:

```
ping 172.16.10.1
Pinging 172.16.10.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
```

  • Try to ping a device on the LAN or the firewall LAN address:

```
ping 10.10.10.1
Pinging 10.10.10.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
```
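The rule order from Step 3 and the probes from this verification section, modeled as an added example (not code from the tutorial or from OPNsense). Ping exercises only ICMP, so the probes also cover the DNS and portal ports that must stay reachable and an HTTPS port that must not. It assumes first-match evaluation (the default quick setting of OPNsense rules) and a 10.10.10.0/24 LAN; the guest client address, probe names, probe ports and the Internet address are constructed.

```python
"""First-match model of the GUESTNET rule list (added example, not OPNsense code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Networks from the tutorial. LAN_NET is an assumption: the page only shows
# 10.10.10.1 as the firewall LAN address, so a /24 around it is used here.
GUEST_NET = ip_network("172.16.10.0/24")    # "GUESTNET net"
GUEST_ADDR = ip_network("172.16.10.1/32")   # "GUESTNET address"
LAN_NET = ip_network("10.10.10.0/24")       # "LAN net" (assumed prefix)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    protos: Optional[FrozenSet[str]]   # None = any protocol
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Tuple[int, int]]   # inclusive destination range, None = any
    descr: str

    def matches(self, proto, src, dst, port):
        if self.protos is not None and proto not in self.protos:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        if self.ports is None:
            return True
        return port is not None and self.ports[0] <= port <= self.ports[1]


# The five rules in the order the tutorial defines them.
PAGE_ORDER = [
    Rule("pass", frozenset({"tcp", "udp"}), GUEST_NET, GUEST_ADDR, (53, 53), "Allow DNS"),
    Rule("pass", frozenset({"tcp"}), GUEST_NET, GUEST_ADDR, (8000, 10000),
         "Allow Captive Portal Login"),
    Rule("block", None, GUEST_NET, LAN_NET, None, "Block LAN Access"),
    Rule("block", None, GUEST_NET, GUEST_ADDR, None, "Block Firewall Access"),
    Rule("pass", None, GUEST_NET, ANY, None, "Allow Guest Network"),
]


def evaluate(rules, proto, src, dst, port=None):
    """Return (action, description) of the first matching rule; no match is blocked."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule.action, rule.descr
    return "block", "default deny"


GUEST = "172.16.10.100"  # constructed client inside the DHCP pool
# name: (protocol, destination, destination port, expected action) - constructed probes
PROBES = {
    "dns": ("udp", "172.16.10.1", 53, "pass"),
    "portal": ("tcp", "172.16.10.1", 8000, "pass"),
    "fw_https": ("tcp", "172.16.10.1", 443, "block"),
    "fw_ping": ("icmp", "172.16.10.1", None, "block"),
    "lan_ping": ("icmp", "10.10.10.1", None, "block"),
    "lan_https": ("tcp", "10.10.10.1", 443, "block"),
    "internet": ("tcp", "198.51.100.10", 443, "pass"),
}


def violations(rules):
    """Names of the probes whose verdict differs from the intended policy."""
    bad = []
    for name, (proto, dst, port, want) in PROBES.items():
        got, _ = evaluate(rules, proto, GUEST, dst, port)
        if got != want:
            bad.append(name)
    return sorted(bad)


def reordered(rules, descr, index):
    """Copy of rules with the rule named descr moved to position index."""
    moved = [r for r in rules if r.descr == descr]
    rest = [r for r in rules if r.descr != descr]
    return rest[:index] + moved + rest[index:]


if __name__ == "__main__":
    print("page order:", violations(PAGE_ORDER))
    # The catch-all pass rule above the block rules exposes the LAN and the firewall.
    print("allow-all first:", violations(reordered(PAGE_ORDER, "Allow Guest Network", 0)))
    # The firewall block above the DNS and portal rules stops guests from logging in.
    print("firewall block first:",
          violations(reordered(PAGE_ORDER, "Block Firewall Access", 0)))
```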

Captive Portal Configuration on OPNsense

You may also optionally configure the Captive Portal by following the instructions given below.

Using Custom Template for OPNsense Captive Portal

One of the most powerful features of OPNsense's Captive Portal solution is the template feature, which is also very simple to use.

To make a custom landing page, you may follow the steps given below.

  • Navigate to the Services → Captive Portal → Templates tab.
  • Click on the download icon in the lower right corner to download the default template.

Figure 23. Downloading Captive Portal default template on OPNsense

  • Unzip the downloaded template file.

Figure 24. Unzip default template file

  • Open the index.html file with your favorite editor.
  • Change the default logo (default-logo.png) to your logo file name, such as company-logo.png.
  • Remove the navigation bar on the top.
  • Remove the height and width from the <img> tag.
  • Include a welcome message.
  • Include a link to your company's website.
  • Find the following snippet:

```html
<header class="page-head">
  <nav class="navbar navbar-default">
    <div class="container-fluid">
      <div class="navbar-header">
        <a class="navbar-brand" href="#">
          <img class="brand-logo" src="images/default-logo.png" height="30" width="150">
        </a>
      </div>
    </div>
  </nav>
</header>
```

  • Change the above snippet to something similar to the snippet given below. Don't forget to replace the related fields with your own:

```html
<!-- Navigation bar removed; logo without fixed size, followed by the welcome text -->
<header class="page-head">
  <div align="center">
    <a href="#">
      <img class="brand-logo" src="images/company-logo.png">
    </a>
    <h1>Welcome to Sunny Valley Networks Guest Network.</h1>
    <h2>Please feel free to use the guest network for professional purposes.</h2>
    <h3>See our website for more details: <a href="https://www.sunnyvalley.io">Sunny Valley Networks</a></h3>
  </div>
</header>
```

  • Copy the company logo (company-logo.png) to the image (images) directory.
  • Zip the template directory.
  • Upload the newly created template zip file by pressing the + on the Template tab.
  • Enter a Template Name, for example, MyCompany.
  • Click the Upload icon.

Figure 25. Uploading new Captive Portal template on OPNsense

  • To enable the new Captive Portal template on the GUESTNET interface just click on Apply.

Figure 26. Applying new template on Captive Portal

To enable the newly uploaded template you can follow the next steps given below.

  • Navigate to the Services → Captive Portal → Zones tab.
  • Select the Guest Network by clicking on the pencil icon right next to it.

Figure 27. Editing Guest Network Captive Portal

  • Change Custom template field from none to MyCompany.

Figure 28. Setting captive portal template on OPNsense

  • Click Save and then Apply to apply the new settings.

Now you can test your new captive portal template by opening a browser. The splash page should look similar to the page given below.

Figure 29. Customized captive portal login page on OPNsense

Limiting Internet Bandwidth Usage on Guest Network

The captive portal can be used in conjunction with the traffic shaper to fully utilize its shaping capabilities.

You can limit the Internet bandwidth usage on the guest network by following the steps given below. For this example, we will allow a maximum of 10 Mbps download and 1 Mbps upload bandwidth for the visitors' Internet access. This bandwidth will be shared among all connected guests.

Creating Pipes for Download and Upload Bandwidth Limitations

You may add pipes for Download and Upload Bandwidth Limitations by following the next steps given below.

  • Navigate to Firewall → Shaper → Pipes.

Figure 30. Creating Traffic Shaper Pipe on OPNsense

  • Click the + in the lower right corner of the form to create a pipe for the Download
  • Enable it by clicking the checkbox.
  • Set bandwidth to 10.
  • Set bandwidth Metric to Mbit/s
  • Set mask to Destination to let each client use 10 Mbps download bandwidth.
  • Enter a description such as 10Mbps_download
  • Click Save.

Figure 31. Creating a pipe for 10 Mbps download bandwidth limitation

  • Click the + in the lower right corner of the form to add another pipe for the upload traffic.
  • Enable it by clicking the checkbox.
  • Set bandwidth to 1.
  • Set bandwidth Metric to Mbit/s
  • Set mask to Destination
  • Enter a description such as 1Mbps_upload
  • Click Save.

Figure 32. Creating a pipe for 1 Mbps upload bandwidth limitation

  • Click Apply to apply the changes.

Creating the Traffic Shaper Rules for Download and Upload Bandwidth Limitations

You may follow the instructions given below to create the traffic shaper rules for Download and Upload Bandwidth Limitations on the guest network.

  • Click on the Rules tab to create the traffic shaper rules.

Figure 33. Creating the traffic shaper rules on OPNsense

Figure 34. Creating traffic shaper rule for download-1

  • Click the + icon.
  • Toggle the advanced mode on the upper left corner of the form.
  • Set interface to WAN
  • Set interface 2 to GUESTNET
  • Set direction to in
  • Set target to 10Mbps_download
  • Set description to Limit Guests download to 10 Mbps.
  • Leave other settings as defaults.
  • Click Save.

Figure 35. Creating traffic shaper rule for download-2

Figure 36. Creating traffic shaper rule for upload-1

  • Click the + icon.
  • Toggle the advanced mode on the upper left corner of the form.
  • Set interface to WAN
  • Set interface 2 to GUESTNET
  • Set direction to out
  • Set target to 1Mbps_upload
  • Set description to Limit Guests upload to 1 Mbps
  • Leave other settings as defaults.
  • Click Save.

Figure 37. Creating traffic shaper rule for upload-2

  • Click on Apply to apply the changes.

Figure 38. Applying traffic shaper rules on OPNsense

Verifying the Bandwidth Limit on Guest Network

To test the traffic shaping policies to limit the bandwidth on Guest Network, follow the instructions given below.

  • Connect your device to the Guest Network
  • Open your favorite browser.
  • Enter an address to browse to and you will be presented with the Login form.
  • Click on Sign in.
  • Go to a speed test site such as https://www.speedtest.net to test your traffic shaper. After the test is completed, your results should be similar to this:

Figure 39. Bandwidth limitation test results after applying traffic shaping on guest network

You may also compare bandwidth speed test results before applying the traffic shaping.

Figure 40. Comparison of speed test results for download(before and after traffic shaping)

Figure 41. Comparison of speed test results for upload(before and after traffic shaping)

Managing the Voucher System

OPNsense's Captive Portal provides a simple voucher creation system that is especially useful for Hotel Networks. You may manage your voucher system on the OPNsense firewall by following the steps below.

Adding a Voucher Server

To add a Voucher Server you can follow the next steps.

  • Navigate to System → Access → Servers

Figure 42. Adding access server on OPNsense

  • Click on the + button in the top right corner of the screen to add a server.
  • Enter a Descriptive name for the voucher server, such as Vouchers.
  • Set Type to Voucher.
  • You may leave other options as default or set as you wish.
  • Click on Save.

Figure 43. Adding a Voucher Server on OPNsense

Creating Vouchers

To create vouchers for your guest network you can follow the next steps.

  • Navigate to Services → Captive Portal → Vouchers.
  • Click on Create Vouchers in the lower right corner of the form.

Figure 44. Creating vouchers for the captive portal on OPNsense

  • Select the Validity duration such as 1 day.

Figure 45. Setting Vouchers Validity duration on OPNsense

  • Select the Expiration time as you wish.

Figure 46. Setting voucher expiration on OPNsense

  • Select the number of Vouchers to generate, such as 10.

Figure 47. Setting the number of vouchers to generate on OPNsense

  • Set a Groupname such as Wi-Fi daily pass.

Figure 48. Setting the name of vouchers group to generate on OPNsense

  • Click on Generate.

Figure 49. Vouchers CSV file generation

A file will be generated called Wi-Fi daily pass.csv.

note

Vouchers' passwords are not kept on the OPNsense firewall for security reasons.

The content of the file is:

| Field | Description |
|---|---|
| username | The username that the guest must use to log in |
| password | The password that the guest must use to log in |
| vouchergroup | The name of the group |
| validity | The time the voucher will be valid in seconds |

Enabling Voucher Authentication

To enable the voucher authentication on the OPNsense firewall, you may follow the next steps given below.

  • Navigate to the Services → Captive Portal → Zones tab.
  • Select the Guest Network by clicking on the pencil icon right next to it.

Figure 50. Editing Guest Network Captive Portal

  • Change Authenticate using from an empty field to Vouchers.

Figure 51. Setting captive portal authentication using Vouchers

  • Click Save changes and Apply to apply the new settings.

Checking the Voucher Status

To check the validity and active status of a voucher, navigate to Services → Captive Portal → Vouchers and select the correct database, such as Wi-Fi daily pass in our example.

Figure 52. Viewing the Vouchers Status on OPNsense

Viewing Captive Portal Sessions on OPNsense

To check the active sessions, navigate to Services → Captive Portal → Sessions on the OPNsense Web UI. Then select the proper zone from the selection box at the upper right corner.

A current session looks like this:

Figure 53. Checking the active captive portal sessions on OPNsense

tip

To drop an active session you may click on the trash icon.

Figure 54. Dropping an active Captive Portal session on OPNsense

OPNsense provides a very powerful CLI that is especially useful for debugging. You can also use the CLI to get a list of the status of all active sessions.

Type the following command on the OPNsense command line to see the active sessions on zone id 0:

```
# configctl captiveportal list_clients 0
sessionid username ip_address mac_address total_bytes idletime totaltime acc_session_timeout
ivN8tfSozem614bkXzeZXQ== Q$)49ZHm 172.16.10.100 8c:16:45:6d:76:28 2086815 2 240 86400
```
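One way to turn that listing into a quick session review, as an added example (not part of the tutorial or of OPNsense): it parses the columns shown above and flags a username seen on more than one MAC address, long-idle sessions, and sessions close to acc_session_timeout. The sample rows, the finding names and both thresholds are constructed assumptions.

```python
"""Review captive portal sessions from `configctl captiveportal list_clients` (added example)."""
from collections import defaultdict

# Constructed sample in the column layout shown above; no value comes from a real system.
SAMPLE = """\
sessionid username ip_address mac_address total_bytes idletime totaltime acc_session_timeout
c2Vzc2lvbi0wMDAwMDE= vchr-A1 172.16.10.100 02:00:00:00:00:01 2086815 2 240 86400
c2Vzc2lvbi0wMDAwMDI= vchr-B2 172.16.10.101 02:00:00:00:00:02 512 5400 6000 86400
c2Vzc2lvbi0wMDAwMDM= vchr-A1 172.16.10.102 02:00:00:00:00:03 90211 10 86100 86400
truncated-line vchr-C3 172.16.10.103
"""

COUNTERS = ("total_bytes", "idletime", "totaltime")


def _to_int(value):
    """Convert a counter column to int; None when the field is not numeric."""
    try:
        return int(float(value))
    except ValueError:
        return None


def parse_sessions(text):
    """Return one dict per well-formed session row, keyed by the header names."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header, sessions = lines[0], []
    for fields in lines[1:]:
        if len(fields) != len(header):
            continue  # truncated or malformed row
        row = dict(zip(header, fields))
        for key in COUNTERS + ("acc_session_timeout",):
            row[key] = _to_int(row.get(key, ""))
        if any(row[key] is None for key in COUNTERS):
            continue  # counters are required, the timeout is optional
        sessions.append(row)
    return sessions


def review(sessions, idle_limit=3600, expiring_within=600):
    """Return (finding, username, ip_address) tuples in session order.

    idle_limit and expiring_within are in seconds and are example thresholds.
    """
    macs_by_user = defaultdict(set)
    for s in sessions:
        macs_by_user[s["username"]].add(s["mac_address"])

    findings = []
    for s in sessions:
        who = (s["username"], s["ip_address"])
        # The tutorial disables concurrent user logins, so one username on
        # several MAC addresses deserves a look (for example a shared voucher).
        if len(macs_by_user[s["username"]]) > 1:
            findings.append(("shared-login",) + who)
        # With the idle timeout set to 0, idle sessions are never dropped.
        if s["idletime"] >= idle_limit:
            findings.append(("idle",) + who)
        timeout = s["acc_session_timeout"]
        if timeout is not None and timeout - s["totaltime"] <= expiring_within:
            findings.append(("expiring",) + who)
    return findings


if __name__ == "__main__":
    # On the firewall, replace SAMPLE with the output of the command shown above.
    for finding in review(parse_sessions(SAMPLE)):
        print(*finding)
```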

What are the Benefits of Configuring the OPNSense Captive Portal?

The main advantages of the OPNsense Captive Portal are explained below.

Security

The implementation of a captive portal can help you keep your business in accordance with regulatory standards and good practices in providing Internet access to users via hotspots.

A captive portal typically displays terms of service to the user, which they must accept before using the company's Wi-Fi hotspot. Administrators often do this to ensure that their own users take responsibility for their acts and that they are not held legally liable. Property owners can protect themselves from legal liability by requiring their users to agree to a Terms of Service (ToS) page before getting access to the network via a Captive Portal. The Captive Portal operates by "redirecting" any Web request to a specific page until the user clicks I Agree to the Terms of Service. As a result, regardless of what URL your browser asks, the Captive Portal page will appear first when you start a Web browser. The captive portal may, in some situations, need a password. This type of safeguard protects you from legal liability in the event of illegal or otherwise harmful online behavior, while similar security features safeguard company assets.

Bandwidth Management

Some users always misuse Internet services, for instance by remaining online many hours a day, accessing multiple times a day, or even connecting over several terminals. Depending on the sort of activity performed on your connection, such use might also take up bandwidth.

The Captive Portal provides a number of measures for ensuring sufficient access for all users: connection time, the number of terminals per user, and bandwidth use can all be controlled.

You can regulate your bandwidth using a captive portal and create configurable time limits on how long each user can stay connected to your network.

User-based Web Filtering and Application Control

Sensei (ZENARMOR) allows you to define user-based policies for content filtering and application control. Therefore, you can not only provide your clients free Internet access but also protect them against cyberthreats, such as malware, phishing, etc.

Marketing

In commercial terms, captive portals offer an ideal chance for seamless marketing that makes it possible for users to become involved at a vital time during their Internet experience, and they are a powerful medium for a wide variety of business demands. You may use a captive portal to have users fill in a survey, watch a sponsored ad, or see current promotions.

This means that the provider of this service can display or send ads to people connecting to the Wi-Fi connection. This type of service is frequently called "social WiFi" because it can prompt you to log in to a social network account. These social wireless Internet portals have been prevalent over the last several years with several companies offering marketing focusing on Wi-Fi data collection.

How Does Captive Portal Work in OPNSense?

OPNsense provides a Captive Portal to force clients who request network access to authenticate or redirect them to a click-through page. This solution is generally used on hotspot networks, but it is also broadly used in enterprise networks to provide an extra layer of security for Internet or wireless access.

OPNsense Captive Portal has the following features.

  1. Category-based Web Filtering: By combining the Captive Portal and the caching proxy, you may use category web filtering and block specific content for users, as well as reduce Internet bandwidth usage and improve response times by enabling the cache.
  2. User-based NGFW Policy Management: Sensei (ZENARMOR) OPNsense next-generation firewall plugin supports the integration with OPNsense Captive Portal. This feature allows you to define user-based policies for web content filtering and application control.
  3. Timeouts & Welcome Back: Connections can be terminated after a set amount of time (idle timeout) and/or forced to disconnect after a set number of minutes, even if the user is still active (hard timeout). If a user reconnects within the idle and/or hard timeouts, no login is required, and the user's active session can be resumed.
  4. Bandwidth Management: OPNsense firewall has a traffic-shaping feature. Its built-in traffic shaper can be used to do the following:
       • Priority can be given to protocol port numbers and/or IP addresses.
       • Distribute bandwidth evenly.
  5. Portal Bypass: You can use the whitelisting option to allow some IP addresses or MAC addresses to bypass the portal.
  6. Template Management: The unique template manager in OPNsense makes creating your own login page effortless. At the same time, it provides additional features such as:
       • Option for creating your own Pop-up
       • URL redirection: After authenticating or clicking through the captive portal, users can be forcibly redirected to the specified URL.
       • Start page customization
  7. Zone Management: Different zones may be configured on each interface, or multiple interfaces may share a single zone configuration. Each zone can use its own unique Captive Portal Template or share one with another.
  8. Authentication: OPNsense Captive Portal provides HTTPS-secured authentication or a splash-only portal with URL redirection to a specific page. To authenticate a user in a zone, the following sources can be used:
       • Local user manager
       • Vouchers / Tickets
       • Radius
       • LDAP [Microsoft Active Directory]
       • No authentication (Splash Page Only)
       • Multiple (a combination of the preceding)
  9. Voucher Manager: OPNsense's Captive Portal includes a simple voucher creation system that exports vouchers to a CSV file for use with your preferred application. The export allows you to print vouchers by combining them with your LibreOffice or Microsoft Word template, resulting in a professional-looking handout that includes your company logo and style.
  10. Platform Integration: The captive portal application can be integrated with other services using the integrated REST API.
  11. Real-Time Reporting: OPNsense Captive Portal has basic real-time reporting capabilities, such as:
       • Active Sessions
       • Time left on Vouchers
       • Top IP Bandwidth usage (Live Graph)

Why Need a Captive Portal in OPNSense?

It is becoming increasingly popular for public and private locations to provide users with free Internet access, delivering convenience, connecting organizations and people, and serving a variety of objectives. However, certain formalities must be observed when providing an Internet connection. Free Internet access should be provided in public and private spaces following a variety of safety standards to minimize its use by malicious people for illegal activities. Captive Portal is one of the most common security solutions for this problem.

Typical applications of Captive Portal on OPNsense are listed below.

  • Camping & Hotel Wi-Fi
  • Bring Your Own Device (BYOD)
  • Guest Network
  • Wi-Fi Internet access in public areas, such as cafes

Companies generally offer their visitors internet access and show them a landing page with a welcome message and some guidelines and network access policies. At the same time, it is critical to ensure that visitors cannot access the private LAN and exhaust the Internet bandwidth.

Hotels and RV parks typically use a captive portal to provide guests with limited Internet access. Guests must log in using a voucher that can be purchased or obtained for free at the reception desk. OPNsense includes voucher support and can quickly generate them on the fly.

Hackers today steal information in one of the easiest ways: by posing as a legitimate wireless network. When one of your clients logs into the fake network, the hacker has a simple way to gather their information. If your company is a coffee shop or a hospital that provides clients or patients with free Wi-Fi in the waiting area, your network should therefore be clearly identifiable to your end customers so that they do not log in to a fake one. OPNsense captive portal is one of the best solutions to protect your customers from becoming victims of cybercrime.