Captive Portal: Effective Data Capture Scheme on WiFi Users

Although size doesn’t always matter, with regards to your email list, bigger can often mean better. Of course, this is only the case if the quality of your data isn’t compromised in your quest for a lengthy list.

Using the portal allows you to direct the users on your network to a specific web page before they are allowed to access the internet. The web page can be a simple page with instructions and terms of use or a page that requires a username and password for authentication.

Captive portals are most commonly used for wireless hotspots. If you’ve ever used the wireless network at a hotel or airport then you have most likely clicked through a portal before you were able to go online. They can also be used on wired connections for business centers, internet Cafés, or your home!

Once the portal has been enabled any computer that points to the pfSense router as the gateway will be automatically redirected to the portal landing page.

Using Authentication
Another popular reason for using captive portals is to provide a system for authenticating users before they are granted access to the internet.

Users that do not have a valid username and password will not be granted access to the network.

Local Database vs Radius

The simplest way to set up authentication is to use the local user database on pfSense. If you have a lot of users to manage I would recommend using radius authentication since it is much more flexible.

You can configure the captive portal to point to a remote radius server or you could install the FreeRadius package directly on pfSense. Radius integrates well with existing authentication systems such as active directory, etc.

Initial Setup

To get started to follow the steps in the previous section above to enable the captive portal and select an interface.

Modifying the HTML

In order for this to work, you will need to use a slightly different HTML landing page that has username and password fields. You can check out my sample HTML page and modify it to suit your needs. Follow the instructions in step 4 of the previous section to upload the page.

For these examples, I’m demonstrating pretty basic landing pages but I’ll show you how to customize them later.

Enabling Authentication

To enable authentication select either local or radius authentication on the main captive portal settings page. Click on the save button to activate the changes. When authentication is enabled users must enter a username and password to access the network.


Creating Local Users
If you selected a local user manager as your method of authentication then you’ll need to create some users. If you plan on setting up a large number of users I would recommend using radius, LDAP, or active directory instead of the local database.

If you don’t expect to set up many accounts then this option works well because it’s so simple. In some cases, you might want to let users share a common username and password, and that’s a perfectly valid option too.

To create users in pfSense open the user manager which is found under the system menu. Then simply click on the plus symbol to create a new user.


Select either local or RADIUS as an authentication type.


The pfSense user manager can be used to create local accounts for the captive portal.
Configuring the User Account

To create a simple user you only need to enter a username and password. There are a few other useful options worth checking out though.

Expiration Date – This option allows you to define a date that the account will automatically expire. So if you know the account is temporary this will save you the trouble of having to manually disable the account. If you leave this field blank the account will always be active.

Group Membership – Groups are handy for organizing your users. Groups can be assigned access to administrate certain parts of the pfSense web GUI. For the purposes of the portal groups really aren’t that useful. Setting up users is pretty straightforward. You need a username and a password, that’s it!


Customizing the Portal Page
If you want to make the portal landing page look a bit nicer you can add your own images and custom PHP code.

To upload an image click on the file manager tab in the captive portal settings. In order for files to be used by the portal, they must have a prefix of “captive portal-” in the filename.

You can then reference the files using standard HTML image tags. To see an example download the HTML page with an image link I created below.


The portal landing page can be customized with images and PHP.
Other settings and Performance Hints
On the main captive portal page, there are a number of other settings you can adjust to customize how the portal functions. Below are the descriptions for some of the settings I think are useful.

Idle timeout – If a user is idle for a certain number of minutes they will be automatically disconnected. I recommend setting an idle timeout to keep resources from getting tied up on your pfSense system. You don’t want to set the timeout to be too low or your users will be frustrated, even setting it to something like 8 hours will help.

Redirection URL – By default users will continue to the web page they originally requested after passing through the portal. This setting allows you to force clients to be directed to a page of your choice after connecting. Users can then enter a new URL and browse the web normally.

Concurrent user logins – Enabling this setting will allow only one connection to the portal per user. This will prevent users from making multiple connections using the same username and password.

Improving Performance

If you are running a captive portal system then you are most likely sharing a single internet connection with multiple users. If so then I recommend configuring pfSense to act as a transparent proxy server to conserve internet bandwidth.

You might also want to consider setting up traffic shaping to further improve the performance of your shared connection. Traffic shaping can prevent users downloading files from abusing the bandwidth.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s