Tech: pfSense as a captive portal with FreeRADIUS & MySQL

Note: this is a very, very old post that was mothballed since Sep 2010! Yes, I do have a few drafts that have been sitting in the attic.

So.

What is a captive portal? Imagine you’re running an internet cafe with wireless internet access. You want your users to be redirected to a login page and enter the right credentials on their browsers before being allowed internet access. That sounds like what you need? Have a look at pfSense then.

Another interesting feature would be traffic shaping. Coupled with FreeRADIUS on a MySQL backend, you can actually define constraints on the authenticated user’s upload and download speeds, which comes in handy if you have a payment system integrated. For example, pay $5 and get a 256kbps wifi connection, pay $8 to get 512kbps and so on.

Note: the attributes used for per-user traffic shaping are only available in 1.2.3RC1 and onwards. It is recommended that you use the daily snapshots at snapshots.pfsense.org

Implementation notes
1. Create a username/password pair in the radcheck table, self-explanatory.


2. Specify a group that will contain the user.
Sample below shows a group GroupA that gives 512kbps downstream and 128kbps upstream.

radgroupreply table
+-----------+--------------------------+----+-------+
| Groupname | Attribute                | op | Value |
+-----------+--------------------------+----+-------+
| GroupA    | WISPr-Bandwidth-Max-Down | == |  512  |
+-----------+--------------------------+----+-------+
| GroupA    | WISPr-Bandwidth-Max-Up   | == |  128  |
+-----------+--------------------------+----+-------+


3. Add the user to the required group.
Sample shows adding userA to GroupA.

usergroup table
+----------+-----------+
| UserName | GroupName |
+----------+-----------+
| userA    | GroupA    |
+----------+-----------+


4. Make sure pfSense uses the correct settings. Under Services – Captive portal:

  • Checkbox Enable per-user bandwidth restriction should be ticked
  • Radio button RADIUS authentication should be selected
  • Your RADIUS server’s IP address, port (if not default) and shared secret should be entered.

5. Make sure pfSense is allowed access to your RADIUS server.
The shared secret and WAN IP address of the NAS (Network Access Server, in this case the pfSense box) should be configured inside clients.conf on the RADIUS server. Make sure the RADIUS server is reachable from the NAS. If the WAN address is a private IP address and your RADIUS server is on a public subnet, enter the public IP address instead.

Sample below shows the clients.conf configuration for a pfSense box on WAN IP address 124.23.202.111, using the shared secret $rG%3dD1V&41FS32D2D. The shortname value will appear in the RADIUS server logs, showing the name of the NAS that forwarded the authentication request.

# Last updated by K 11-Nov-2011
client 124.23.202.111 {
    secret = $rG%3dD1V&41FS32D2D
    shortname = CaptivePortal
}

Restart the FreeRADIUS service after making the necessary changes, and you are home free!
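
Steps 1 to 3 above, put together as an added example (not part of the original post or of FreeRADIUS itself): it loads the sample rows, resolves the bandwidth attributes a user inherits through usergroup and radgroupreply, and lists accounts that would get no limits at all. Assumptions: sqlite3 stands in for MySQL so it runs offline, the radcheck layout and the Cleartext-Password attribute follow the stock FreeRADIUS schema, and userB and both passwords are constructed sample data.

```python
import sqlite3

# sqlite3 stands in for the MySQL backend (assumption, so this runs offline).
# radgroupreply/usergroup columns follow the tables in the post; the radcheck
# layout and Cleartext-Password come from the stock FreeRADIUS schema.
SCHEMA = """
CREATE TABLE radcheck      (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""
REQUIRED = ("WISPr-Bandwidth-Max-Down", "WISPr-Bandwidth-Max-Up")


def build_sample_db():
    """Create the three tables and load constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?)", [
        ("userA", "Cleartext-Password", ":=", "constructed-password-A"),
        # userB is constructed: an account that was never added to a group.
        ("userB", "Cleartext-Password", ":=", "constructed-password-B"),
    ])
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?)", [
        ("GroupA", "WISPr-Bandwidth-Max-Down", "==", "512"),
        ("GroupA", "WISPr-Bandwidth-Max-Up", "==", "128"),
    ])
    db.execute("INSERT INTO usergroup VALUES (?,?)", ("userA", "GroupA"))
    return db


def reply_attributes(db, username):
    """Reply attributes a user inherits via usergroup -> radgroupreply."""
    rows = db.execute(
        "SELECT r.Attribute, r.Value FROM usergroup u "
        "JOIN radgroupreply r ON r.GroupName = u.GroupName "
        "WHERE u.UserName = ?", (username,))
    return dict(rows.fetchall())


def users_missing_limits(db):
    """Map each radcheck user to the bandwidth attributes it does not inherit."""
    missing = {}
    users = db.execute(
        "SELECT DISTINCT UserName FROM radcheck ORDER BY UserName").fetchall()
    for (user,) in users:
        have = reply_attributes(db, user)
        gaps = [attr for attr in REQUIRED if attr not in have]
        if gaps:
            missing[user] = gaps
    return missing


if __name__ == "__main__":
    db = build_sample_db()
    print("userA inherits:", reply_attributes(db, "userA"))
    print("accounts without limits:", users_missing_limits(db))
```

The same two queries can be run against the real MySQL database to confirm that every account in radcheck belongs to a group carrying both WISPr attributes.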

I believe I have covered all the stuff required but comments are welcome on missed notes. And of course, I hope this helps someone else out there on the internet. Thanks for reading!


Keinian ideals – Email discipline

Everyone knows how the email client holds emails:

  • You have the Inbox where all your received mails are,
  • The Outbox holding emails unsent,
  • Sent Items holding emails already sent, and
  • Drafts for half-written emails.

This has been a long-standing and accepted structure, and there is nothing wrong with it. What is usually not noticed right off, is the fact that this structure is insufficient for organisation and quick retrieval of emails. Most people however, do not bother with further customisation, and that is where things start going wrong.

I believe email provides a critical channel of communication in today’s lifestyle, be it personal or at work. More especially at the workplace; if you do not organise your email storage it only results in emails being “lost”. I refer to this phenomenon as an email being “blackholed”, the black hole in this instance being your cluttered and disorganised sea of emails inside the inbox. Information is useful only if you can find it. If you can’t find what you need, it’s as good as not being there.

What happens then? You get flustered, you start asking around for a resend of the same information. Other people waste their time, and more importantly you waste your time.

Discipline must be applied to the way you handle emails. For starters:
Step 1: Doing it. (This is very important):
You read an email, you decide what to do with it. Never look at the email and leave it there, thinking “ah heck, I’ll deal with it later”. You are basically procrastinating, and this leads to a mountain of chaos.

Step 2, React:

  • Do you reply to it with what was requested, or
  • Do you forward it to someone else who should be reading it?

Step 3: After:

  • Do you delete it, or
  • Do you mark it for follow up later, or
  • Do you archive it in a folder for reference?

Again, do not leave it in the inbox without any reason other than procrastination! I cannot emphasize this enough.

Organising email storage is another artform in itself.
Folders: while not the ideal answer, folders (especially in Outlook) provide a hierarchical and tree-like approach to organising your emails. I leave emails that I need followed up flagged in the inbox for follow up; completed tasks are slotted into sub-folders. Believe me when I say I’m really organised in that aspect; my work inbox folders are extensive and detailed for almost every and any issue.

For example, an email about an ongoing migration (project Alpha) of a single Ethernet service (ID: Yankee) provided by upstream Bravo will be in folder “Upstream Bravo” inside sub-folder “Migration Alpha”, sub-sub-folder “Service Yankee”. This allows for a granular level of indexing that grants me almost instant access to any email I want, as long as I remember the category.

Another example would be an email about a recent hardware purchase (brand Charlie, model ACW-11) from supplier Delta. I would be archiving it inside “Suppliers” inside sub-folder “Charlie”, sub-sub-folder “Delta”.

Tagging: tagging is preferred over folders, because of the flexibility of organisation it allows. Folders traditionally have a 1:1 and exclusive concept; one email in one folder, one email to one owner, period. Tags allow for an email to belong to multiple “folders”, which is a paradigm shift and vastly broadens the ways one could apply organisation on a single email.

For example, I could tag an email for hardware purchase under the supplier it belongs to, and tag it under the project the hardware is being used for as well. Very useful, and helps a ton when you are looking for information.

That’s all I have for now; comments are welcome and I hope this helps you to get a step up on being organised.

PS3: Alas, Assassin’s Creed: Revelations.

I have to say, the latest release of the Assassin’s Creed franchise looked pretty good in the trailers. As good as the Brotherhood at least. The reality however, failed to deliver somewhat.

List of rants:

  • Den defense (or contested den): Imagine Tower Defense in an Assassin’s Creed theme. Singularly pointless, insufficient fights to practice on, and so dang difficult. Getting swarmed by a horde of Templars (a la Zerg rush style) was no walk in the park, I simply could not multitask quickly enough to use up my morale for reinforcements. For anyone who’s landed on this post looking for an answer to that battering ram/flamethrower thing in the contested den fight? Sorry guys I got my ass whooped too, badly at that. That nasty mofo simply mowed me down and proceeded to flame the den until I lost. As far as I know, you have three cannon shots to get that bugger killed and that’s it.
    Also, losing a den means you get the dubious honour of slaying the local Templar captain yet again, read section on Coward Templar Captains.

    Solution: Having all your districts patrolled by Master Assassins will neutralise the possibility of den defense. Unfortunately.. that takes a lot of time, training and Master Assassin missions. The idea is to keep your Templar alert status clean – read section on Templar alert.

  • Coward Templar Captains: Slaying captains who are Cowards (with a capital C at that) proved to be a real PITA because those sneaky buggers are quite good at running off at the first whiff of danger. And once they’re gone, you have to wait another day to try your luck on them.

    Solution: Pass your time while waiting for the Captain to return by clearing the area of all other annoying Templars. Familiarise yourself with the layout of the den; once you get a feel of where he is going to run, get him right between the eyes with a crossbow the next time he tries to escape. Or summon an apprentice to take him down.
    Tip: Eagle Sense helps to reveal the route the Templar Captain usually takes.

  • Templar Alert Status: used to be known as Notoriety in Brotherhood, and there were always plenty of posters to tear off. I could go on and on about this subject. The annoying thing? Once it hits 100% it stays red until you clear it to 0%, returning you to the welcome veil of anonymity. If you decide to do something unlawful while holding a full red alert status, congratulations! Here comes a den fight (refer to earlier section).

    Now, almost anything fun triggers an increase in that funky red bar:

    • Renovate buildings? 25%. This is ridiculous because there are a lot of buildings!
    • Using Arrow Storm? 25%. OK, Ubisoft doesn’t like you to show off too much.
    • Killing a tax collector? 25%. The satisfaction from a kill just went down somewhat.
    • Taking over a Templar den? 100%, which extinguishes that victorious feeling you get upon stabbing that captain in multiple undesirable spots and leaving him in his dying throes. Now you have to worry about getting your ass safe.

    Ways to reduce Alert status? Two ways, bribing a herald (25%) and killing an official (50%).

    Solution: I was constantly running around bribing heralds just so I could carry on renovating the bloody buildings, colossal waste of time IMO.

  • Desmond’s Journey: It feels like an FPS a la Wolfenstein 3D without the gun, while desperately navigating around the area with Tetris blocks and trying to jump without quite knowing how far you are going to land. I am quite sure I would have started screaming with frustration if there were more than five memories for this part; this mini-game has no relation to main plot other than Desmond’s rambling monologue; immensely annoying.

    Solution: Gritted my teeth and bore it out.

Ubisoft should really take a page from Naughty Dog and look at the way they paced Uncharted 3; now that is a well-made game with nothing to gripe on about, an excellent 11/10 and definitely the best in the franchise to date. Excellent dialogue, great actors and a rollercoaster of a game, as is the tradition with all Uncharted releases.

I’m not saying I hated Revelations, it’s just so frustrating that some parts of the game slowed the entire experience down so much. The graphics were awesome as always. Fighting against multiple enemies is much more challenging (especially against Janissaries) and requires more skill which is good. I thoroughly enjoyed myself playing Altair once again, many years after the first AC. I didn’t really like grinding (aka renovating the buildings) but it’s tolerable. I really disliked the “guard towers” (riflemen in closed chambers near Templar dens, only present in PS3 and PC it seems, checked with a friend on XBox 360 and they seem to be non-existent) but having a crossbow and gun gives you a good edge on reloading time so it was a minor annoyance at best. The ending could’ve covered more loose ends, but I appreciated the way they closed Altair and Ezio out of the story.

A 7/10 for this, I’ll look forward to the next release in the Assassin’s Creed series! Always will be an AC supporter for the captivating story if nothing else. And the AC:R encyclopedia looks really good, I’m quite keen on getting a copy when it’s out.

For now, I’ll have to catch up on my sleep for a bit; I was really burning the candle at both ends with Assassin’s Creed: Revelations and exhaustion is catching up fast. Skyrim to come next, but not soon.

Baby steps: one month to go!

So.

Reading the title gives you an idea of what’s coming. V’s gained an incredible amount of weight on the pregnancy path, carrying her went from “bah, easy” to being only able to make guttural grunts of effort. The daughter’s well on her way to the outside world; 2.6kg on the last measure, her head is a tad larger than average according to the obstetrician and we have about a month left before delivery. The last ultrasound scan was pretty funny, we could only see half a face as the baby’s quite squashed up in the tummy, so the photograph the ultrasound specialist printed for us was a solid view of her foot. Very pretty looking little foot but oh well.

For me, the excitement/enthusiasm hasn’t quite kicked in yet. It still feels kind of distant at this point but I expect things to change really soon. The main thing to keep in mind as far as I’m concerned, is to keep an open frame of mind and be ready to adapt to any changes. Problems become ridiculously inflated when you hold a narrow set of expectations and fail to adapt accordingly, so this is quite important.

All this aside, I expect it would feel a little scary, what with all the questions in the head and no good answers in sight. So yes, once more unto the breach dear friends! Naught to do but to forge ahead with courage in the hearts, and hope in our minds.

Other observations made in the course of the past months would be stuff like:

  • The gazillion or so products there are on the baby range. I suspect half or better are largely exorbitant money suckers and belong to the parent ego-pandering category i.e. you feel good buying it for your kid.
    What I think: get it only if I need it. Just like the time when we got Cookie, there was an overpowering and irrational urge to get everything on the shelf. “Oh this looks important! Damn do we need that one?” And so on. Be practical and stay rational, get only what is absolutely necessary.
  • The ton of hand-me-downs and gifts from my friend-parent circle. I really really appreciate everything that they’ve very kindly shared. It sort of seems like an exclusive fraternity or something once you become a parent.
    What I think: pass the gifts on soon as I don’t need them. Baby clothes, limited usage window and still look brand new. No point buying new ones, period. Baby markets and hand-me-downs FTW.
  • Reading up on childbirth experiences, especially hearing it first-hand from friend-mothers.
    What I think: Good to know, but knowing too much can be bad. It’s better to go in with a fresh slate and take things as they come. Everyone’s delivery is different, just keep in mind the worst circumstance and you probably will be pleased as punch if anything better than that happens.
  • Handling the wife. I have been really blessed so far, V’s always been an independent sort. Add the fact that she’s only had evening sickness for a bit in the earlier months and these days it’s more fatigue from the additional weight more than anything else. Another good thing, the baby doesn’t act like a drunk at a fight throwing roundhouse punches and kicks inside V, so my life has been considerably easier than some of the other wilder tales that go around.
    What I think: As usual, YMMV so if you could make her life a little easier by making little changes, do it. I’m not exactly model husband material in this aspect, but still did some little things here and there (refer to earlier post)

And yes, her name was chosen months ahead. I like thinking up names; be it company names, product names and of course my daughter’s name is the biggest job to date. Naming a kid wrongly could have irreparable consequences for the next twenty years if they really hate it. It took about a week’s worth of debating but I reckon I did a good job – how does 蔡诗婷 sound? It’s been a solid 100% approval from everyone (friends and family alike) to date so that counts for something. The English first name is going to be Ellein, an amalgam of Ell??? and Kein – a direct influence from Pernese literature in my earlier days, but I like the thought of my kid having both our names. It’s pronounced as El-ain, taking the pronunciation of -ein from my name.

Fingers crossed for the days ahead, and let’s hope she doesn’t hate her name too much!

Basketball: The final season game!

So.

After two weeks of inactivity I finally got my ass up for basketball on Sunday, as a warmup to tonight’s game. Feeling was mostly good but I concluded that my shooting’s gone off the deep end. One good thing about the two week “break” (if you can call being sick a break) – it seems like my right thumb’s starting to interfere less with the shot. One big milestone there if you ask me.

The game itself, plenty of things to talk about if there’s a need to. I’ll just talk about how we rushed the fast break pace too much at times and had a lot of turnovers. It’s just a little disheartening to see the progress we made in reducing turnovers all vanish with all the bad passes being made.

Rebounding was much improved thanks to the presence of Anthony and Jason, as was the offensive spacing. Defense, I think we did a fair job. I made sure I went out all the way to challenge their three attempts, which was usually something I didn’t bother with. But there’s still a lack of talking on defense, which has been a season-long problem. And the lousy ref calls didn’t help much with all those touch fouls or worse, phantom fouls.

I ran my ass off in those minutes played, it’s probably the game I’ve run the most to date, to the extent of feeling near cramps in my thighs; sucks. Had five shot attempts at least, made one short-range jumper. Missed two baskets in the paint which I shouldn’t have, but what can you do when you put it up and it rolls out. More practice!

That’s all for tonight, still got work tomorrow so it’s an attempt to sleep and recover for tomorrow’s work on overhauling the 100mbps trunk I set up today into a 1gbps trunk, with the help of the SFP module I got today. Hopefully everything goes smoothly tomorrow, and not like the chaotic troubleshooting I got today.