How To: Using m0n0wall to create a Wireless Captive Portal

Using a Captive Portal to access the Internet

For the purposes of this article, let's imagine a Community Cafe. In the Cafe, there are a number of open access PCs connected to an Ethernet network. The Cafe also provides a wireless network for customers visiting with laptop PCs and other wireless devices. 

I'm using the straightforward scenario of a Cafe, but this could just as easily be someone sharing broadband Internet with their immediate neighbours, or a school or other educational institution.

Figure 1 shows a diagram of my hypothetical Cafe network. The Internet connection is some sort of broadband, cable, xDSL etc. and the Cafe network is physically connected by a router on the WAN interface of a m0n0wall firewall (grey).

Community Cafe Network

Figure 1: Community Cafe Network
(click on the image for a larger view)

The m0n0wall firewall has two further interfaces: the LAN interface that connects PCs used in the administration and day-to-day running of the Cafe (green); and the PORTAL interface that connects to a wired Ethernet LAN (in green) and wireless LAN via an access point (in orange) to provide client devices managed access to the Internet.

In running this network for the Cafe we need to:

  • protect PCs used for running the Cafe (connected on the LAN interface) from both the Internet and clients on the PORTAL interface
  • protect clients connected on the PORTAL interface from the Internet
  • control the Internet ports and services clients connected on the PORTAL interface can use
  • ensure that clients using the Internet first agree to an Acceptable Use Policy before granting access

You'll see that m0n0wall provides all the necessary functionality to meet these requirements.

Connecting the Cafe Admin and Open Access PCs is relatively straightforward. All that's required is a couple of Ethernet hubs or switches - one is connected to the LAN interface of the m0n0wall firewall for the Cafe Admin PCs, the second to the PORTAL interface for the Cafe Open Access PCs and wireless access point.

Customers of the Cafe could then use one of the fixed Open Access PCs provided which would already be configured for using the Internet. Customers with their own notebooks would have to do some simple configuration so they can use the wireless hotspot:

  • Configure the wireless adapter to be a DHCP client (Obtain IP address automatically)
  • Select the Captive Portal's SSID to connect

Both groups of customers would find that initially, general access to the Internet would be blocked. To access the Internet, they would need to launch a web browser. When the browser attempts to connect to its Home Page, it will be redirected to the Portal's Terms and Conditions or Acceptable Use Policy on the Portal Page. Internet access will be granted by simply clicking on an "I Accept" or similar button on this page until the alloted connection time expires.

Tip! Tip: If we were only providing a wireless hot-spot for customers with laptop PCs etc, the wireless access point could be connected directly to the PORTAL interface of the m0n0wall using a CAT5 cross-over cable in place of a hub/switch and two normal CAT5 cables.

Tip! Tip: A managed switch supporting 802.1Q VLANs could be used in place of two unmanaged hubs/switches and separate LAN and PORTAL interfaces. m0n0wall would then only need two physical network interfaces, one for the WAN and another for both the 802.1Q LAN and PORTAL virtual interfaces. See this post from the m0n0wall mailing list for an example.