How To: Using m0n0wall to create a Wireless Captive Portal



Security

Something you have to pay attention to when allowing unknown clients access to your networks and Internet connection is security. m0n0wall is relatively secure by default, however there are a few things to consider:

  1. Don't allow the portal subnet access to ANY in a firewall rule
    Using ANY will grant access to all networks connected to the firewall, including the network on your LAN interface and any other optional interfaces.
  2. Block direct access to your PORTAL interface IP address and your WAN interface IP address from your portal network
    This will prevent Portal clients from being able to access the m0n0wall administration GUI.
  3. Block access to SMTP (port 25) from the Portal network
    Since most people have access to web mail, this will prevent users from intentionally (Spammers) or unintentionally (those inadvertently infected with Viruses, Trojans and Worms) sending out bulk email from your Internet connection.
  4. Limit the bandwidth available to your portal network with Traffic Shaping
    If you are using your Internet connection for other purposes than the Captive Portal - providing Internet access to your LAN for example - limit the bandwidth available to your Portal network with m0n0wall's Traffic Shaping features. This will prevent clients on the portal network from using all available bandwidth.

Figure 9 shows the firewall rules I placed on the PORTAL interface that adequately protect my network while still allowing fairly free access to the Internet for the portal clients. The first three rules block all NetBIOS traffic - an essential practice on all Internet-facing connections. These are followed by a rule blocking all outbound SMTP (Port 25) connections. 

m0n0wall Firewall Rules on the PORTAL interface

Figure 9: m0n0wall Firewall Rules on the PORTAL interface
(click on the image for a larger view)

The fifth rule down blocks HTTP connections to the PORTAL interface itself (m0n0wall will allow Web Admin on all interfaces if firewall rules allow). This is followed by a similar rule that blocks HTTP connections to the small subnet between the WAN interface of the firewall and the inside interface of my DSL router, again stopping Web Admin access on both the m0n0wall and my DSL router.

Second to last is a rule that allows access to my LAN, but only for HTTP to a server (HOMER) that hosts the images for the portal page. The last rule allows any connection (if not previously blocked) to anywhere other than the LAN network.

Tip! Tip: Blocking SMTP on a Captive Portal has been the subject of discussion on the m0n0wall mailing lists in recent weeks. While some see it as protecting the network they are providing from being used for spamming, others see it as being at odds with providing free, unrestricted access to the Internet.

Dana Spiegel, director of the community-based organization NYCwireless, has stated: "NYCwireless has a totally unrestricted network where we've never seen a spammer send out millions of spam messages".

One approach suggested is to severely limit the bandwidth available for SMTP mail to discourage anyone from sending bulk email. In the end, it is the decision of whoever provides the Portal / HotSpot and what they are comfortable with.