At work our clients needed to be able to access the internet from reception, on three spare PCs I had, and I also wanted to offer them Wi-Fi access. Being a little paranoid, I didn't want them to have any access to the LAN at all.
So, I started off by adding another NIC to the pfSense box (I actually bought a quad-port PCI network card) and assigning the new interface, cleverly named "Clients". I had a spare rack-mount switch, so I used it for this new network. I set up the pfSense box to serve DHCP on this network and hand out the OpenDNS servers as resolvers. I then set the firewall rules on the Clients interface to block all access to the LAN, and to block various other protocols as well: DNS to any server other than the two OpenDNS ones I specified, RDP (Remote Desktop), SMTP and so on.
I had semi-strict OpenDNS rules in place for my staff (see here), but needed much stricter rules for our clients, especially as most of them are young children. OpenDNS applies its filtering policy per source IP, so I set outbound NAT on the pfSense box so that traffic from the "Clients" network goes out over a separate WAN IP. I could then tell OpenDNS that requests arriving from that WAN IP should be treated differently, and set the stricter rules against it.
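The firewall policy above is easy to get subtly wrong in the pfSense GUI, because rules on an interface are evaluated top to bottom and the first match wins: a catch-all "pass to the internet" rule placed above the LAN block quietly opens the LAN. As an added example (not the original pfSense configuration), the following Python script replays that first-match logic over the Clients-interface rules described above against a handful of constructed packets, so the intended policy can be checked on paper before it goes live. The LAN and Clients subnets and the guest and server addresses are assumptions chosen for illustration; the OpenDNS resolver addresses are the public ones.

```python
"""Replay pfSense-style first-match firewall rules for a guest interface.

Added example, not the original configuration. pfSense evaluates the rules on
an interface top to bottom, the first matching rule wins, and traffic that
matches nothing hits the implicit default deny. Subnets and hosts below are
assumptions for illustration; the OpenDNS addresses are the public resolvers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Union

LAN_NET = ip_network("192.168.1.0/24")       # assumed corporate LAN
CLIENTS_NET = ip_network("192.168.50.0/24")  # assumed guest 'Clients' network
OPENDNS = frozenset({ip_address("208.67.222.222"), ip_address("208.67.220.220")})

DstSpec = Union[IPv4Network, frozenset, None]   # None means 'any destination'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # 'tcp' or 'udp'
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # 'pass' or 'block'
    label: str
    proto: Optional[str] = None  # None = any protocol
    dst: DstSpec = None          # network, set of hosts, or None = any
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.dst is None:
            return True
        # 'in' works for both an IPv4Network and a frozenset of addresses
        return ip_address(p.dst) in self.dst


# Rules on the 'Clients' interface, in the order pfSense would evaluate them.
CLIENTS_RULES = [
    Rule("block", "no LAN access at all", dst=LAN_NET),
    Rule("pass", "DNS to the two OpenDNS resolvers", proto="udp", dst=OPENDNS, dport=53),
    Rule("pass", "DNS to the two OpenDNS resolvers (TCP)", proto="tcp", dst=OPENDNS, dport=53),
    Rule("block", "DNS to any other server", dport=53),
    Rule("block", "outbound SMTP", proto="tcp", dport=25),
    Rule("block", "outbound RDP", proto="tcp", dport=3389),
    Rule("pass", "anything else to the internet"),
]


def evaluate(rules, p: Packet) -> str:
    """Return 'action:label' of the first matching rule, or the default deny."""
    if ip_address(p.src) not in CLIENTS_NET:
        raise ValueError("Clients-interface rules only see traffic arriving from that subnet")
    for r in rules:
        if r.matches(p):
            return f"{r.action}:{r.label}"
    return "block:implicit default deny"


# Constructed test traffic from one guest PC (not captured from a real network).
GUEST = "192.168.50.23"
SCENARIOS = {
    "web": Packet(GUEST, "93.184.216.34", "tcp", 443),
    "dns_opendns": Packet(GUEST, "208.67.222.222", "udp", 53),
    "dns_google": Packet(GUEST, "8.8.8.8", "udp", 53),       # bypass attempt
    "smtp": Packet(GUEST, "93.184.216.34", "tcp", 25),
    "rdp_lan": Packet(GUEST, "192.168.1.10", "tcp", 3389),
    "rdp_internet": Packet(GUEST, "203.0.113.5", "tcp", 3389),
    "http_lan": Packet(GUEST, "192.168.1.20", "tcp", 80),
    "firewall_gui": Packet(GUEST, "192.168.50.1", "tcp", 443),  # pfSense's own Clients address
}


def audit(rules=CLIENTS_RULES) -> dict:
    """Verdict for every scenario under the given rule order."""
    return {name: evaluate(rules, p) for name, p in SCENARIOS.items()}


def misordered() -> str:
    """Same rules with the catch-all pass moved to the top: the LAN becomes reachable."""
    rules = [CLIENTS_RULES[-1]] + CLIENTS_RULES[:-1]
    return evaluate(rules, SCENARIOS["http_lan"])


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14} {verdict}")
    print("catch-all first, HTTP to LAN:", misordered())
```

Two things the replay makes visible that the GUI does not: with the catch-all pass moved to the top, HTTP to the LAN passes, which is exactly the mistake the block-first ordering guards against; and even in the correct order the final pass admits traffic to the firewall's own address on the Clients interface, so a block for that address (pfSense offers "This Firewall" as a rule destination for this) belongs above the catch-all unless guests are meant to reach the web GUI.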

So far so good. I added a basic access point to this network and decided to protect it with a very basic WEP key. The key can easily be given to clients and easily changed; I try to change it every couple of weeks and just let the receptionist know when it has been updated. WEP does deserve a caveat: it is cryptographically broken and the key can be recovered by a passive attacker in minutes, so it only keeps out casual connections. A WPA2-PSK passphrase can be handed out and rotated in exactly the same way and is the better choice.
I wasn't really sure of the legal side of things here, but more often than not, when you use any sort of free wireless you have to agree to a disclaimer, you know, the one that no one reads. So I decided to use the captive portal functionality in pfSense and enabled it on the 'Clients' interface. This means that any machine on this interface that tries to reach the WAN is redirected to a page you upload to the pfSense box, and only once the button on that page is clicked can it proceed to the internet. You can add RADIUS authentication here if you wish, which I have done in the past, but that's beyond what I required, so I just used a simple "Click to say you agree that you won't do anything silly, and if you do, it's not my fault" page.
It's just a basic HTML page with the corporate logo on it and this form thrown in (note the straight quotes; curly quotes copied from a word processor will break the form):
<form method="post" action="$PORTAL_ACTION$">
  <!-- pfSense substitutes $PORTAL_ACTION$ and $PORTAL_REDIRURL$ when it serves the page -->
  <!-- the username/password fields are only used if the portal is set to local or RADIUS authentication -->
  <input name="auth_user" type="text">
  <input name="auth_pass" type="password">
  <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
  <!-- the submit button must be named "accept" for the click-through to register -->
  <input name="accept" type="submit" value="Continue">
</form>

I then also added rules in the pfSense traffic shaper to stop anyone hogging my bandwidth. At this point any laptops connecting were covered by the above, as were the desktops, but the desktops were bog-standard XP Pro machines and, as they weren't on the domain, I couldn't lock them down via Group Policy. I instead used Microsoft Windows SteadyState, available free from here.

This effectively lets me lock down the PCs and pretty much deep-freezes them. I set computer restrictions to stop users making any changes, and set it up with corporate wallpaper and screensavers too. I still have a password-protected admin login I can use if I need to make permanent changes.
This setup has been running fine for just over a year now and I very rarely have to touch it. Any visitors to the office can use this client connection too, keeping my main network nice and secure.