How to Configure Captive Portal on OPNsense?

The captive portal is a network security solution that automates the control and management of user access to public and private networks. Captive portals are commonly used for guest access management in open access networks, which are found in hotels, hospitals, airports, restaurants, and corporate networks. When the captive portal is enabled, access to the Internet is restricted until the user either provides personal information such as e-mail, name, and Social Security number, or authenticates with a voucher, through a web-based registration form completed in a web browser.

OPNsense is a FreeBSD-based firewall and routing platform. It is open source, easy to use, and easy to build. OPNsense provides most of the capabilities found in pricey commercial firewalls, plus many more. It brings the broad feature set of commercial products together with the advantages of open and reliable sources. One of the benefits of OPNsense is that it allows network administrators to easily configure a Captive Portal to provide Internet access to their clients in a secure way.

OPNsense not only allows you to deploy a Captive Portal to provide free Internet access to your guests or employees, but it also protects them from cyber attacks with the help of the Zenarmor plugin's next generation firewall capabilities.

Zenarmor NGFW Plug-in for OPNsense is one of the most popular OPNsense plug-ins and allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.

Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.

Zenarmor Free Edition is available at no cost for all OPNsense users.

We will cover the following topics briefly in this Captive Portal Configuration on OPNsense tutorial.

Captive Portal Setup on OPNsense​

As a best practice, to provide your organization's guests with free Internet access, you should implement network segmentation in your infrastructure by isolating the guest network from the private LAN. You can then deploy a captive portal to let the guests access the Internet.

In this tutorial, we will enable and configure a captive portal for a guest network on OPNsense 21.7.2 with at least three network interfaces/zones:

You may set up the Captive Portal on your OPNsense firewall by following these 4 steps.

Step 1 - Interface Configuration​

You can create a new interface for the Guest Network by following the instructions given below.

  1. Navigate to Interfaces → Assignments on OPNsense Web UI
  2. Enter a descriptive name for the interface, such as GUESTNET, in the Description field
  3. Press the + button to add a new interface.
     Figure 1. Interface assignment for GuestNetwork on OPNsense
  4. Click Save. The new interface will be called GUESTNET.
     Figure 2. Saving newly created interfaces on OPNsense
  5. Click on GUESTNET in the interfaces list to change its settings.
  6. Select Enable Interface .
  7. You may select the Block bogon networks option.
  8. Select Static IPv4 as IPv4 Configuration Type.
     Figure 3. Enabling GuestNet interface on OPNsense
  9. Set Static IPv4 address such as 172.16.10.1 with netmask 24 .
  10. Select Auto detect for IPv4 Upstream Gateway.
      Figure 4. Setting IP address on GuestNet interface on OPNsense
  11. Click Save and then Apply changes.
      Figure 5. Applying changes

Step 2 - DHCP Server Configuration​

You can configure a DHCP server for the Guest Network by following the instructions given below.

  1. Navigate to Services → DHCPv4 → [GUESTNET] .
  2. Enable the DHCP server on the GUESTNET interface
  3. Set DHCP pool range, such as from 172.16.10.100 to 172.16.10.200 .
  4. You may set DNS server .
  5. Set Gateway IP address , such as 172.16.10.1 (OPNsense GuestNet interface IP)
  6. You may leave other options as default .
  7. Click Save.
     Figure 6. DHCP configuration on OPNsense

Step 3 - Defining the Firewall Rules​

You should define the following rules in the given order after navigating to Firewall → Rules.

3.1. Allow Accessing DNS Service​

Define a rule to allow access to the internal DNS server(s) by following the instructions below.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | GUESTNET |
| Protocol | TCP/UDP |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Destination Port | DNS (53) |
| Category | GuestNet Rules |
| Description | Allow DNS |

Figure 7. Allow DNS Rule-1

  1. Select Pass for the allowed rule.
  2. Select TCP/UDP for the Protocol .
  3. Select the Interface as GUESTNET .
  4. Select the source as GUESTNET net . This captures all traffic on the GUESTNET interface bound for the specified destination.
  5. Select the destination as GUESTNET address .
  6. Select DNS predefined port alias for the destination port .
  7. Set GuestNet Rules for Category .
  8. Set Allow DNS for Description .
  9. Click Save.
     Figure 8. Allow DNS Rule-2

3.2. Allow Captive Portal Login​

Define a rule to allow guests to access the Captive Portal by following the instructions below.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | GUESTNET |
| Protocol | TCP |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Destination Port | 8000/10000 |
| Category | GuestNet Rules |
| Description | Allow Captive Portal Login |

Figure 9. Allow Captive Portal firewall rule on OPNsense-1

  1. Select Pass for the allowed rule.
  2. Select TCP for the Protocol .
  3. Select the Interface GUESTNET .
  4. Select the source GUESTNET net . This captures all traffic on the GUESTNET interface bound for the specified destination.
  5. Select the destination as GUESTNET address .
  6. Select Other and set from: 8000 and to: 10000 for the destination port range.
  7. Set GuestNet Rules for Category.
  8. Set Allow Captive Portal Login for Description
  9. Click Save.
     Figure 10. Allow Captive Portal firewall rule on OPNsense-2

3.3. Block LAN Access​

Define a rule to block guests from accessing the corporate LAN by following the instructions below.

| Option | Value |
| --- | --- |
| Action | Block |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | LAN net |
| Category | GuestNet Rules |
| Description | Block LAN Access |

Figure 11. Blocking LAN access from GuestNet on OPNsense-1

  1. Select Block for the deny rule.
  2. Select any for the Protocol .
  3. Select the Interface GUESTNET .
  4. Select the source GUESTNET net .
  5. Select the destination as LAN net .
  6. Set GuestNet Rules for Category.
  7. Set Block LAN Access for Description
  8. Click Save.
     Figure 12. Blocking LAN access from GuestNet on OPNsense-2

3.4. Block Firewall Access​

Define a rule to block guests from accessing the firewall by following the instructions below.

| Option | Value |
| --- | --- |
| Action | Block |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | GUESTNET address |
| Category | GuestNet Rules |
| Description | Block Firewall Access |

Figure 13. Blocking Firewall access from GuestNet on OPNsense-1

  1. Select Block for the deny rule.
  2. Select any for the Protocol .
  3. Select the Interface GUESTNET .
  4. Select the source GUESTNET net .
  5. Select the destination as GUESTNET address .
  6. Set GuestNet Rules for Category.
  7. Set Block Firewall Access for Description
  8. Click Save.
     Figure 14. Blocking Firewall access from GuestNet on OPNsense-2

3.5. Allow Guest Access​

Define a rule to allow the guests to access the Internet, by following the instructions below.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | GUESTNET |
| Protocol | any |
| Source | GUESTNET net |
| Source Port | any |
| Destination | any |
| Destination port range | any |
| Category | GuestNet Rules |
| Description | Allow Guest Network |

Figure 15. Allow Guest Network to access the Internet on OPNsense-1

  1. Select Pass for the allow rule.
  2. Select any for the Protocol .
  3. Select the Interface GUESTNET .
  4. Select the source GUESTNET net .
  5. Select the source port any .
  6. Select the destination as any .
  7. Select the destination port range as any .
  8. Set GuestNet Rules for Category.
  9. Set Allow Guest Network for Description
  10. Click Save.
      Figure 16. Allow Guest Network to access the Internet on OPNsense-2

You may need to reorder the newly created firewall rules for the GUESTNET interface. The rule list should be similar to the figure given below. Then, you must click Apply changes to activate the rules.

Figure 17. Firewall rules for GuestNet on OPNsense

Step 4 - Captive Portal Creation​

You can create a Captive Portal for the Guest Network by following the instructions given below.

  1. Navigate to Services → Captive Portal → Administration.
     Figure 18. Creating Captive Portal on OPNsense
  2. Press the + in the lower right corner of the form to add a new Zone.
     Figure 19. Setting Zone for Captive Portal on OPNsense-1
  3. Enable the zone.
  4. Set Interfaces as GUESTNET. (Unselect the LAN)
  5. You may set Authenticate using to blank if no authentication is needed. (Remove any default setting)
  6. Set Idle timeout to 0.
  7. Set Hard timeout to 0.
  8. Uncheck Concurrent user logins so that a user may only log in once.
  9. You may select Web GUI TLS certificate for HTTPS or leave SSL certificate as none to use plain HTTP.
  10. You may leave Custom template as none to use the default template.
  11. Enter a description of the zone such as Guest Network in the Description field.
  12. You may leave other options as default.
  13. Click Save.
  14. Click Apply.
      Figure 20. Setting Zone for Captive Portal on OPNsense-2

Captive Portal installation on OPNsense is completed and ready to use.

Figure 21. Guest Network Captive Portal is created on OPNsense Firewall

Accessing the Internet From the Guest Network​

When you connect your device to the guest network and open your favorite browser, you will be redirected to the captive portal splash page, similar to the figure below. Since we did not configure any authentication method in our example above, you can start to surf by clicking on the Sign in button without any authentication.

Figure 22. OPNsense Captive Portal default Splash Page without any authentication

OPNsense Captive Portal supports a variety of authentication methods, such as local, LDAP, Radius, Vouchers, or a combination of them. It is strongly recommended to use at least one of the authentication methods on Captive Portal. In this tutorial, you can find information about configuring the OPNsense Voucher system in the following section.

Verification of the Captive Portal Firewall Rules​

If you can access the Internet from the guest network, the firewall rules that allow the GUESTNET to reach the Internet and the DNS server are working. You may also test the blocking rules that deny access to the firewall and the LAN from the GUESTNET. To verify these Captive Portal firewall rules, run the following commands from a device connected to the guest network. If your ping requests time out for both the firewall and the LAN, your firewall rules are correct and work properly.

    Try to ping the firewall GuestNet address

    ping 172.16.10.1
    Pinging 172.16.10.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.

    ping 10.10.10.1
    Pinging 10.10.10.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
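
The ping results above, and the requirement in Step 3 to keep the rules in the given order, both follow from first-match rule evaluation. The model below is an added example, not OPNsense code or part of the original tutorial; it shows which probes change verdict when the rules are reordered. It assumes top-down evaluation where the first matching rule wins (OPNsense's default "quick" behaviour), a /24 LAN around 10.10.10.1, a web GUI on TCP 443, and it does not model the captive portal's own redirection.

```python
"""First-match evaluation of the five GUESTNET rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUESTNET_NET = ip_network("172.16.10.0/24")    # Step 1 address and netmask
GUESTNET_ADDR = ip_network("172.16.10.1/32")   # "GUESTNET address"
LAN_NET = ip_network("10.10.10.0/24")          # assumption: page shows only 10.10.10.1
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    description: str
    action: str                     # "pass" or "block"
    protocols: frozenset            # empty set = any protocol
    destination: object             # an ip_network
    ports: Optional[range] = None   # None = any port

    def matches(self, proto, dst, port):
        if self.protocols and proto not in self.protocols:
            return False
        if ip_address(dst) not in self.destination:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


# The five rules in the order Step 3 creates them.
RULES = [
    Rule("Allow DNS", "pass", frozenset({"tcp", "udp"}), GUESTNET_ADDR, range(53, 54)),
    Rule("Allow Captive Portal Login", "pass", frozenset({"tcp"}), GUESTNET_ADDR,
         range(8000, 10001)),
    Rule("Block LAN Access", "block", frozenset(), LAN_NET),
    Rule("Block Firewall Access", "block", frozenset(), GUESTNET_ADDR),
    Rule("Allow Guest Network", "pass", frozenset(), ANY),
]
# Two misordered variants of the same rules, for comparison.
ALLOW_FIRST = [RULES[4]] + RULES[:4]
BLOCK_FW_FIRST = [RULES[3]] + RULES[:3] + RULES[4:]

# (protocol, destination, port) probes sent by a guest at 172.16.10.100.
PROBES = [
    ("icmp", "172.16.10.1", None),    # ping the firewall (verification above)
    ("icmp", "10.10.10.1", None),     # ping the LAN (verification above)
    ("udp", "172.16.10.1", 53),       # DNS on the firewall
    ("tcp", "172.16.10.1", 8000),     # captive portal login
    ("tcp", "172.16.10.1", 443),      # assumed web GUI port
    ("tcp", "10.10.10.1", 445),       # constructed LAN service
    ("tcp", "203.0.113.10", 443),     # constructed Internet host (TEST-NET-3)
]


def evaluate(rules, proto, dst, port=None, src="172.16.10.100"):
    """Return (action, description) of the first matching rule; default deny."""
    if ip_address(src) not in GUESTNET_NET:
        return ("block", "source not in GUESTNET net")
    for rule in rules:
        if rule.matches(proto, dst, port):
            return (rule.action, rule.description)
    return ("block", "default deny")


def changed_verdicts(baseline, candidate):
    """Probes whose action differs between two orderings of the rules."""
    changes = []
    for probe in PROBES:
        before = evaluate(baseline, *probe)[0]
        after = evaluate(candidate, *probe)[0]
        if before != after:
            changes.append((probe, before, after))
    return changes


if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "->", evaluate(RULES, *probe))
    for name, order in (("allow first", ALLOW_FIRST),
                        ("block firewall first", BLOCK_FW_FIRST)):
        for probe, before, after in changed_verdicts(RULES, order):
            print(f"{name}: {probe} {before} -> {after}")
```

Placing the final allow rule first exposes the firewall and the LAN to guests, while placing the firewall block first cuts off DNS and the portal login.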

Captive Portal Configuration on OPNsense​

You may also optionally configure the Captive Portal by following the instructions given below.

After configuring captive portal on your OPNsense firewall, you can define user-based filtering on your Zenarmor NGFW to protect your network easily. Zenarmor next-generation firewall plugins enable you to create policies using captive portal usernames and groups. Zenarmor also supports the OPNsense voucher authentication system. And you may define user-defined filtering using vouchers on your OPNsense too.

1. Using Custom Template for OPNsense Captive Portal​

One of the most powerful features of OPNsense's Captive Portal solution is the template feature, which is also very simple to use.

To make a custom landing page, you may follow the steps given below.

  1. Navigate to the Services → Captive Portal → Templates tab.
  2. Click on the download icon in the lower right corner to download the default template.
     Figure 23. Downloading Captive Portal default template on OPNsense
  3. Unzip the downloaded template file.
     Figure 24. Unzip default template file
  4. Open the index.html file with your favorite editor.
  5. Change the default logo (default-logo.png) to your logo file name, such as company-logo.png.
  6. Remove the navigation bar on the top.
  7. Remove the height and width from the <img> tag.
  8. Include a welcome message.
  9. Include a link to your company's website.
  10. Find the following snippet

Welcome to Sunny Valley Networks Guest Network.

Please feel free to use the guest network for professional purposes.

See our website for more details: Sunny Valley Networks

  • Copy the company logo (company-logo.png) to the image (images) directory.
  • Zip the template directory.
  • Upload the newly created template zip file by pressing the + on the Template tab.
  • Enter a Template Name, for example, MyCompany.
  • Click the Upload icon.
    Figure 25. Uploading new Captive Portal template on OPNsense
  • To enable the new Captive Portal template on the GUESTNET interface just click on Apply.
    Figure 26. Applying new template on Captive Portal
  • To enable the newly uploaded template you can follow the next steps given below.
  • Navigate to the Services → Captive Portal → Zones tab.
  • Select the Guest Network by clicking on the pencil icon right next to it.
    Figure 27. Editing Guest Network Captive Portal
  • Change Custom template field from none to MyCompany.
    Figure 28. Setting captive portal template on OPNsense
  • Click Save and then Apply to apply the new settings.
  • Now you can test your new captive portal template by opening a browser. Splash page should look similar to the page given below.

    Figure 29. Customized captive portal login page on OPNsense

    2. Limiting Internet Bandwidth Usage on Guest Network​

    Captive portal can be used in conjunction with the traffic shaper to fully utilize its shaping capabilities.

    You can limit the Internet bandwidth usage on the guest network by following the steps given below. For this example, we will allow a maximum of 10 Mbps download and 1 Mbps upload bandwidth for the visitors' Internet access. This bandwidth will be shared among all connected guests.

    2.1. Creating Pipes for Download and Upload Bandwidth Limitations​

    You may add pipes for Download and Upload Bandwidth Limitations by following the next steps given below.

    1. Navigate to Firewall → Shaper → Pipes.
       Figure 30. Creating Traffic Shaper Pipe on OPNsense
    2. Click the + in the lower right corner of the form to create a pipe for the Download
    3. Enable it by clicking the checkbox.
    4. Set bandwidth to 10 .
    5. Set bandwidth Metric to Mbit/s
    6. Set mask to Destination to let each client use 10 Mbps download bandwidth.
    7. Enter a description such as 10Mbps_download
    8. Click Save.
       Figure 31. Creating a pipe for 10 Mbps download bandwidth limitation
    9. Click the + in the lower right corner of the form to add another pipe for the upload traffic.
    10. Enable it by clicking the checkbox.
    11. Set bandwidth to 1 .
    12. Set bandwidth Metric to Mbit/s
    13. Set mask to Destination
    14. Enter a description such as 1Mbps_upload
    15. Click Save.
        Figure 32. Creating a pipe for 1 Mbps upload bandwidth limitation
    16. Click Apply to apply the changes.

    2.2. Creating the Traffic Shaper Rules for Download and Upload Bandwidth Limitations​

    You may follow the instructions given below to create the traffic shaper rules for Download and Upload Bandwidth Limitations on the guest network.

    1. Click on the Rules tab to create the traffic shaper rules.
       Figure 33. Creating the traffic shaper rules on OPNsense
       Figure 34. Creating traffic shaper rule for download-1
    2. Click the + icon.
    3. Toggle the advanced mode on the upper left corner of the form.
    4. Set interface to WAN
    5. Set interface 2 to GUESTNET
    6. Set direction to in
    7. Set target to 10Mbps_download
    8. Set description to Limit Guests download to 10 Mbps .
    9. Leave other settings as defaults.
    10. Click Save.
        Figure 35. Creating traffic shaper rule for download-2
        Figure 36. Creating traffic shaper rule for upload-1
    11. Click the + icon.
    12. Toggle the advanced mode on the upper left corner of the form.
    13. Set interface to WAN
    14. Set interface 2 to GUESTNET
    15. Set direction to out
    16. Set target to 1Mbps_upload
    17. Set description to Limit Guests upload to 1 Mbps
    18. Leave other settings as defaults.
    19. Click Save.
        Figure 37. Creating traffic shaper rule for upload-2
    20. Click on Apply to apply the changes.
        Figure 38. Applying traffic shaper rules on OPNsense

    2.3. Verifying the Bandwidth Limit on Guest Network​

    To test the traffic shaping policies to limit the bandwidth on Guest Network, follow the instructions given below.

    1. Connect your device to the Guest Network
    2. Open your favorite browser.
    3. Enter an address to browse to and you will be presented with the Login form.
    4. Click on Sign in.
    5. Go to a speed test site such as https://www.speedtest.net to test your traffic shaper. After the test is completed, your results should be similar to this:
       Figure 39. Bandwidth limitation test results after applying traffic shaping on guest network

    You may also compare bandwidth speed test results before applying the traffic shaping.

    Figure 40. Comparison of speed test results for download(before and after traffic shaping)

    Figure 41. Comparison of speed test results for upload(before and after traffic shaping)

    3. Managing the Voucher System​

    OPNsense's Captive Portal provides a simple voucher creation system that is especially useful for Hotel Networks. You may manage your voucher system on the OPNsense firewall by following the steps below.

    3.1. Adding a Voucher Server​

    To add a Voucher Server you can follow the next steps.

    1. Navigate to System → Access → Servers.
       Figure 42. Adding access server on OPNsense
    2. Click on the + button in the top right corner of the screen to add a server.
    3. Enter a Descriptive name for the voucher server, such as Vouchers.
    4. Set Type to Voucher.
    5. You may leave other options as default or set as you wish.
    6. Click on Save.
       Figure 43. Adding a Voucher Server on OPNsense

    3.2. Creating Vouchers​

    To create vouchers for your guest network you can follow the next steps.

    1. Navigate to Services → Captive Portal → Vouchers .
    2. Click on Create Vouchers in the lower right corner of the form.
       Figure 44. Creating vouchers for the captive portal on OPNsense
    3. Select the Validity duration such as 1 day.
       Figure 45. Setting Vouchers Validity duration on OPNsense
    4. Select the Expiration time as you wish.
       Figure 46. Setting voucher expiration on OPNsense
    5. Select the number of Vouchers to generate, such as 10.
       Figure 47. Setting the number of vouchers to generate on OPNsense
    6. Set a Groupname such as Wi-Fi daily pass.
       Figure 48. Setting the name of vouchers group to generate on OPNsense
    7. Click on Generate.
       Figure 49. Vouchers CSV file generation

    A file will be generated called Wi-Fi daily pass.csv .

    Vouchers' passwords are not kept on the OPNsense firewall for security reasons.

    | Field | Description |
    | --- | --- |
    | username | The username that the guest must use to log in |
    | password | The password that the guest must use to log in |
    | vouchergroup | The name of the group |
    | validity | The time the voucher will be valid in seconds |
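
Because the generated CSV is the only place the voucher passwords exist, it helps to split it into printable slips (with passwords) and an audit record (without them) as soon as it is created. The following is an added example, not part of the original tutorial or of OPNsense; it assumes the CSV has a header row naming the four fields in the table above, and the sample rows are constructed.

```python
"""Validate a voucher CSV and separate secrets from the audit record (added example)."""
import csv
import io

REQUIRED = ("username", "password", "vouchergroup", "validity")

# Constructed sample in the four-field layout described above (not real vouchers).
SAMPLE_CSV = '''username,password,vouchergroup,validity
"aK3#x9Qp","Zt7!mW2r","Wi-Fi daily pass",86400
"bN8$e4Lc","Qy5@hD6s","Wi-Fi daily pass",86400
"cR2%u7Vd","Pj9&kF3t","Wi-Fi daily pass",3600
'''


def load_vouchers(text):
    """Parse and validate the CSV; raise ValueError on anything malformed."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing column(s): " + ", ".join(missing))
    vouchers, seen = [], set()
    for lineno, row in enumerate(reader, start=2):
        user, password = row["username"], row["password"]
        if not user or not password:
            raise ValueError(f"line {lineno}: empty username or password")
        if user in seen:
            raise ValueError(f"line {lineno}: duplicate username {user!r}")
        seen.add(user)
        try:
            validity = int(row["validity"])   # seconds, per the table above
        except (TypeError, ValueError):
            raise ValueError(f"line {lineno}: validity is not an integer") from None
        if validity <= 0:
            raise ValueError(f"line {lineno}: validity must be positive")
        vouchers.append({"username": user, "password": password,
                         "vouchergroup": row["vouchergroup"], "validity": validity})
    return vouchers


def handout_slips(vouchers):
    """One printable line per voucher; this is the only output holding passwords."""
    return [
        f"{v['vouchergroup']} | username: {v['username']} | "
        f"password: {v['password']} | valid for {v['validity'] / 3600:g} h"
        for v in vouchers
    ]


def audit_records(vouchers):
    """Records safe to keep after the CSV is destroyed: no password field."""
    return [
        {"username": v["username"], "vouchergroup": v["vouchergroup"],
         "validity_hours": v["validity"] / 3600}
        for v in vouchers
    ]


if __name__ == "__main__":
    loaded = load_vouchers(SAMPLE_CSV)
    print("\n".join(handout_slips(loaded)))
    print(audit_records(loaded))
```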

    3.3. Enabling Voucher Authentication​

    To enable the voucher authentication on the OPNsense firewall, you may follow the next steps given below.

    1. Navigate to the Services → Captive Portal → Zones tab.
    2. Select the Guest Network by clicking on the pencil icon right next to it.
       Figure 50. Editing Guest Network Captive Portal
    3. Change Authenticate using from an empty field to Vouchers.
       Figure 51. Setting captive portal authentication using Vouchers
    4. Click Save changes and Apply to apply the new settings.

    3.4. Checking the Voucher Status​

    To check the validity and active status of a voucher, navigate to Services → Captive Portal → Vouchers and select the correct database, such as Wi-Fi daily pass in our example.

    Figure 52. Viewing the Vouchers Status on OPNsense

    4. Viewing Captive Portal Sessions on OPNsense​

    To check the active sessions navigate to Services → Captive Portal → Sessions on OPNsense Web UI. And then, select the proper zone from the selection box at the upper right corner.

    Current session looks like this:

    Figure 53. Checking the active captive portal sessions on OPNsense

    To drop an active session you may click on the trash icon.

    Figure 54. Dropping an active Captive Portal session on OPNsense

    OPNsense provides a very powerful CLI that is especially useful for debugging. And, you may also use the CLI to get a list of all active sessions' statuses.

    Type the following command on the OPNsense command line to see the active sessions on zone id 0 :

     root@OPNsense:~ # configctl captiveportal list_clients 0
     sessionid username ip_address mac_address total_bytes idletime totaltime acc_session_timeout
     ivN8tfSozem614bkXzeZXQ== Q$)49ZHm 172.16.10.100 8c:16:45:6d:76:28 2086815 2 240 86400
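
The session list above is easy to check automatically. The parser below is an added example, not part of the original tutorial or of OPNsense; it flags a voucher username seen on more than one MAC address and clients holding an address outside the DHCP pool from Step 2. It assumes the output is whitespace-separated with the header shown above and that usernames contain no spaces; the first data row is the one from this page and the other two are constructed.

```python
"""Parse `configctl captiveportal list_clients` output and flag odd sessions (added example)."""
from collections import defaultdict
from ipaddress import ip_address

COLUMNS = ["sessionid", "username", "ip_address", "mac_address",
           "total_bytes", "idletime", "totaltime", "acc_session_timeout"]
INT_COLUMNS = COLUMNS[4:]

# Row 1 is the session shown above; rows 2 and 3 are constructed for the example.
SAMPLE_OUTPUT = """\
sessionid username ip_address mac_address total_bytes idletime totaltime acc_session_timeout
ivN8tfSozem614bkXzeZXQ== Q$)49ZHm 172.16.10.100 8c:16:45:6d:76:28 2086815 2 240 86400
Y29uc3RydWN0ZWQtcm93LTI= Q$)49ZHm 172.16.10.131 02:00:00:aa:bb:01 51234 10 3000 86400
Y29uc3RydWN0ZWQtcm93LTM= kT7#wq2L 172.16.10.50 02:00:00:aa:bb:02 900 40 600 86400
"""


def parse_clients(text):
    """Return one dict per session; raise ValueError if the layout is unexpected."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split() != COLUMNS:
        raise ValueError("unexpected header in list_clients output")
    sessions = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(
                f"line {lineno}: expected {len(COLUMNS)} fields, got {len(fields)}")
        row = dict(zip(COLUMNS, fields))
        for col in INT_COLUMNS:
            row[col] = int(row[col])
        ip_address(row["ip_address"])   # raises ValueError on a malformed address
        sessions.append(row)
    return sessions


def findings(sessions, pool_start="172.16.10.100", pool_end="172.16.10.200"):
    """Return sorted (kind, value) pairs for sessions that deserve a closer look."""
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    results = []
    macs_by_user = defaultdict(set)
    for s in sessions:
        macs_by_user[s["username"]].add(s["mac_address"].lower())
        # A guest address outside the DHCP range was not handed out by Step 2's pool.
        if not lo <= ip_address(s["ip_address"]) <= hi:
            results.append(("outside_dhcp_pool", s["ip_address"]))
    for user, macs in macs_by_user.items():
        # Step 4 disables concurrent logins, so one voucher on two devices is unexpected.
        if len(macs) > 1:
            results.append(("voucher_on_multiple_devices", user))
    return sorted(results)


if __name__ == "__main__":
    for kind, value in findings(parse_clients(SAMPLE_OUTPUT)):
        print(kind, value)
```

On the firewall itself, the text passed to `parse_clients` would be the captured output of the command shown above.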

    What are the Benefits of Configuring the OPNSense Captive Portal?​

    The main advantages of the OPNsense Captive Portal are explained below.

    Security​

    The implementation of a captive portal can help you keep your business in accordance with regulatory standards and good practices in providing Internet access to users via hotspots.

    A captive portal typically displays terms of service to the user, which they must accept before using the company's Wi-Fi hotspot. Administrators often do this to ensure that their users take responsibility for their actions and that the administrators themselves are not held legally liable. Property owners can protect themselves from legal liability by requiring their users to agree to a Terms of Service (ToS) page before getting access to the network via a Captive Portal. The Captive Portal operates by "redirecting" any Web request to a specific page until the user clicks I Agree to the Terms of Service. As a result, regardless of what URL your browser requests, the Captive Portal page will appear first when you start a Web browser. The captive portal may, in some situations, require a password. This type of safeguard protects you from legal liability in the event of illegal or otherwise harmful online behavior, while similar security features safeguard company assets.

    Bandwidth Management​

    Some users always misuse Internet services, for instance by remaining online many hours a day, connecting multiple times a day, or even connecting over several terminals. Depending on the sort of activity performed on your connection, they may also consume considerable bandwidth.

    The Captive Portal provides a number of measures for ensuring sufficient access for all users: you can control connection time, the number of terminals per user, and bandwidth use.

    You can regulate your bandwidth using a captive portal and set configurable limits on how long each user can stay connected to your network.

    User-based Web Filtering and Application Control​

    Zenarmor allows you to define user-based policies for content filtering and application control. Therefore, you can not only provide your clients with free Internet access but also protect them against cyberthreats such as malware and phishing.

    Marketing​

    In commercial terms, captive portals offer an ideal opportunity for seamless marketing: they let you engage users at a key moment of their Internet experience, and they serve a wide variety of business needs. You may use a captive portal to have users fill in a survey, watch a sponsored ad, or see current promotions.

    This means that the provider of this service can display or send ads to people connecting to the Wi-Fi connection. This type of service is frequently called "social WiFi" because it can prompt you to log in to a social network account. These social wireless Internet portals have been prevalent over the last several years with several companies offering marketing focusing on Wi-Fi data collection.

    How Does Captive Portal Work in OPNSense?​

    OPNsense provides a Captive Portal to force clients who request network access to authenticate or redirect them to a click-through page. This solution is generally used on hotspot networks, but it is also broadly used in enterprise networks to provide an extra layer of security for Internet or wireless access.

    OPNsense Captive Portal has the following features.

    1. Category-based Web Filtering: By combining the Captive Portal and the caching proxy, you may use category web filtering and block specific content for users, as well as reduce Internet bandwidth usage and improve response times by enabling the cache.
    2. User-based NGFW Policy Management: Zenarmor OPNsense next-generation firewall plugin supports the integration with OPNsense Captive Portal. This feature allows you to define user-based policies for web content filtering and application control.
    3. Timeouts & Welcome Back: Connections can be terminated after a set amount of time (idle timeout) and/or forced to disconnect after a set number of minutes, even if the user is still active (hard timeout). If a user reconnects within the idle and/or hard timeouts, no login is required, and the user's active session can be resumed.
    4. Bandwidth Management: OPNsense firewall has a traffic-shaping feature. Its built-in traffic shaper can be used to do the following:
      • Priority can be given to protocol port numbers and/or IP addresses.
      • Distribute bandwidth evenly.
    5. Portal Bypass: You can use the whitelisting option to allow some IP addresses or MAC addresses to bypass the portal.
    6. Template Management: The unique template manager in OPNsense makes creating your own login page effortless. At the same time, it provides additional features such as:
      • Option for creating your own Pop-up
      • URL redirection: After authenticating or clicking through the captive portal, users can be forcibly redirected to the specified URL.
      • Start page customization
    7. Zone Management: Different zones may be configured on each interface, or multiple interfaces may share a single zone configuration. Each zone can use its own unique Captive Portal Template or share one with another.
    8. Authentication: OPNsense Captive Portal provides HTTPS-secured authentication or a splash-only portal with URL redirection to a specific page. To authenticate a user in a zone, the following sources can be used:
      • Local user manager
      • Vouchers / Tickets
      • Radius
      • LDAP
      • No authentication (Splash Page Only)
      • Multiple (a combination of the preceding)
    9. Voucher Manager: OPNsense's Captive Portal includes a simple voucher creation system that exports vouchers to a CSV file for use with your preferred application. The export allows you to print vouchers by combining them with your LibreOffice or Microsoft Word template, resulting in a professional-looking handout that includes your company logo and style.
    10. Platform Integration: The captive portal application can be integrated with other services using the integrated REST API.
    11. Real-Time Reporting: OPNsense Captive Portal has basic real-time reporting capabilities, such as:
      • Active Sessions
      • Time left on Vouchers
      • Top IP Bandwidth usage (Live Graph)

    Why Need a Captive Portal in OPNSense?​

    It is becoming increasingly popular for public and private locations to provide users with free Internet access, delivering convenience, connecting organizations and people, and serving a variety of objectives. However, certain formalities must be observed when providing an Internet connection. Free Internet access in public and private spaces should follow a variety of safety standards to minimize its use by malicious people for illegal activities. Captive Portal is one of the most common security solutions for this problem.

    Typical applications of Captive Portal on OPNsense are listed below.

    • Camping & Hotel Wi-Fi
    • Bring Your Own Device (BYOD)
    • Guest Network
    • Wi-Fi Internet access in public areas, such as cafes

    Companies generally offer their visitors internet access and show them a landing page with a welcome message and some guidelines and network access policies. At the same time, it is critical to ensure that visitors cannot access the private LAN and exhaust the Internet bandwidth.

    Hotels and RV parks typically use a captive portal to provide guests with limited Internet access. Guests must log in using a voucher that can be purchased or obtained for free at the reception desk. OPNsense includes voucher support and can quickly generate them on the fly.

    One of the easiest ways hackers steal information today is by posing as a legitimate wireless network. When one of your clients logs into the fake network, the hacker has a simple way to gather their information. If your company is a coffee shop or a hospital that provides clients or patients with free Wi-Fi in the waiting area, your network should therefore be clearly identifiable to your end customers so that they do not log in to a fake one. OPNsense captive portal is one of the best solutions to protect your customers from becoming victims of cybercrime.