B-Tech Report Tchinda Feze Cedrick Vanel
ANANG GLAMICK CHE
DECLARATION
I, Mr ANANG GLAMICK Che, hereby declare that I am the sole author of this work. I authorise
THE UNIVERSITY INSTITUTE OF THE TROPICS to lend this work to other
institutions or individuals for the purpose of scholarly research.
I understand the nature of plagiarism and I am aware of the institute's policy on this.
I certify that this internship report was originally done by me during my university studies, except for
the paragraphs, sentences, titles, sub-titles or relative references (see references or bibliography in
this work).
Date……………………………….
Signature…………………………………
CERTIFICATION
I hereby certify that this work entitled “DESIGN AND IMPLEMENTATION OF A CAPTIVE
PORTAL SYSTEM USING PFSENSE” is written and presented by ANANG GLAMICK CHE.
This report is to be submitted to the Department of Computer Engineering to meet the
requirements and regulations governing the award of the BACHELOR OF TECHNOLOGY
(BTECH) at IUGET (UNIVERSITY INSTITUTE OF THE TROPICS) DOUALA.
THE COORDINATOR
Mr TSAKOU KOUMETIO Billy Cedrique
Signature………………………….
Date….……………………
ACADEMIC SUPERVISOR
Mr EPO Jean Daniel
Signature………………………….
Date….……………………
DEDICATION
TO THE ANANG FAMILY
ACKNOWLEDGEMENTS
The work we have done could not have been completed without the immense support of a
number of people. For this reason, we would like to thank them and show them our deepest
gratitude.
❖ A big hand goes to my parents KEMMOGNE FEZE Jules Samuel and MAGOUM
TCHINDA Edith, who made me see that I had supporters and who kept on giving
what they have to see me succeed.
❖ A special thanks to MEGOUO TATEUKAM Ariane Divine, for her encouragement.
❖ In addition, a big hand goes to my classmates, for the friendly atmosphere
that they created and maintained during the academic year.
❖ Above all, I would like to thank the Almighty for allowing me to attain the success of
my internship and for the unfailing strength he has given me to date.
TABLE OF CONTENT
DECLARATION
CERTIFICATION
DEDICATION
ACKNOWLEDGEMENTS
TABLE OF CONTENT
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
ABSTRACT
RESUME
CHAPTER ONE: DESIGN AND IMPLEMENTATION OF A CAPTIVE PORTAL SYSTEM USING PFSENSE
1 GENERAL INTRODUCTION
1.1 INTRODUCTION TO THE STUDY
1.2 BACKGROUND OF THE STUDY
1.3 PROBLEM STATEMENT
1.4 OBJECTIVES OF THE STUDY
1.4.1 GENERAL OBJECTIVES
1.4.2 SPECIFIC OBJECTIVES
1.5 SIGNIFICANCE AND JUSTIFICATION OF THE STUDY
1.6 SCOPE OF STUDY
CHAPTER TWO: LITERATURE REVIEW
2.1 INTRODUCTION
2.2.3 FIREWALL
2.3 CONCEPTS ON THE CAPTIVE PORTAL
2.3.1 DEFINITION
2.3.2 GENERAL OPERATION OF A CAPTIVE PORTAL
2.3.3 OVERVIEW OF THE MAIN CAPTIVE PORTALS
PFSENSE
ALCASAR
ZEROSHELL
CHILLISPOT
2.3.4 COMPARISON OF CAPTIVE PORTALS
2.3.5 CHOOSING A CAPTIVE PORTAL SOLUTION
2.4 SECURING WIRELESS NETWORK USING PFSENSE CAPTIVE PORTAL WITH RADIUS AUTHENTICATION
2.5 BUILDING A SECURE WIRELESS ACCESS POINT BASED ON CERTIFICATE AUTHENTICATION AND FIREWALL CAPTIVE PORTAL
2.6 DNS BASED CAPTIVE PORTAL WITH INTEGRATED TRANSPARENT PROXY
2.7 DESIGN AND CONFIGURATION OF APP SUPPORTIVE INDIRECT INTERNET ACCESS USING A TRANSPARENT PROXY SERVER
2.8 TWO FACTOR AUTHENTICATION USING SMARTPHONE TO GENERATE ONE TIME PASSWORD
CHAPTER THREE: METHODOLOGY AND DESIGN
3.1 INTRODUCTION
3.2 FLOWCHART
3.3 FRAMEWORK
3.4 ALGORITHM
3.5 OVERVIEW OF THE PROJECT AND RESEARCH
SUMMARY
4.1 INTRODUCTION
4.2 IMPLEMENTATION
4.2.1 INSTALLATION AND CONFIGURATION
4.2.2 INSTALLATION OF PFSENSE
4.2.3 CONFIGURATION OF PFSENSE
4.2.3.2 CONFIGURATION OF INTERFACES
A- WAN INTERFACE
B- LAN INTERFACE
4.2.3.3 CONFIGURATION OF THE DHCP SERVER
4.2.3.4 DEFINITION OF FIREWALL RULES
4.2.4 CREATION OF THE CAPTIVE PORTAL
4.3 RESULTS
5.1 SUMMARY OF FINDINGS
5.2 RECOMMENDATIONS
5.3 CONCLUSION
REFERENCES
LIST OF TABLES
Table 1: Comparison of captive portals
Table 2: Overview of the project and research
LIST OF FIGURES
Figure 9: End of installation
Figure 10: Configuration menu
Figure 11: Portal connection of pfsense
Figure 12: pfsense general menu
Figure 13: Configuration of the WAN interface
Figure 14: Configuration of the LAN interface
Figure 15: Configuration of the DHCP server
Figure 16: Rules on the WAN interface
Figure 17: Activation of the captive portal
Figure 18: Captive portal page
LIST OF ABBREVIATIONS
Admin: Administrator
CD: Compact Disk
NPS: Network Policy Server
Pfsense: Packet Filter Sense
ABSTRACT
RESUME
Nowadays, network technology is developing, as is the number of users.
Each user can communicate to transfer information over a network.
However, as the network continues to grow, the network administrator must monitor
the traffic flow or bandwidth passing through the networks. Some users who
access the Internet without a specific purpose can cause a problem such as a
bottleneck. The main objective is to design a simulation that can monitor the
network and optimize its use, while limiting bandwidth and time. The importance
of solving this problem lies in improving network traffic performance.
Next, the one-time password algorithm is used as a technique that
is applied to the captive portal. The captive portal is a web page that controls Internet access
for any Hyper Text Transfer Protocol (HTTP) browser. A user who wants to access the
Internet is redirected to a web page to authenticate. The network administrator can thus
easily monitor and manage network traffic. In addition, pfsense is an open-source
computer software distribution based on FreeBSD. It can be installed on
a physical computer or on a virtual machine in order to create a router dedicated to a
network. Network activity is easy to monitor when the user accesses the Internet in
real time. As the expected result of this project, network performance will be well regulated
because the simulation can limit bandwidth and minimize the users who want to
access the Internet at the same time.
CHAPTER ONE : DESIGN AND IMPLEMENTATION OF A CAPTIVE
PORTAL SYSTEM USING PFSENSE
1 GENERAL INTRODUCTION
Nowadays, IT systems in companies are becoming increasingly important but also complex.
The need to maintain and manage these systems has quickly become a priority. Several
network monitoring and supervision tools have been developed to check the network
status in real time and to report any network incident. Thanks to this software,
intervention times are greatly reduced and anomalies can be dealt with immediately without
the users of the network in question being affected or noticing any errors.
In view of all this, we can see that the reasons for installing and configuring
authentication and network access management systems are diverse. However, we were faced
with a problem: how to optimize the network security policy? In this perspective, we plan to
set up a network administration console. This console will make it possible to supervise and control the
network as well as the state of the computer equipment. Thus, we worked on the theme:
"IMPLEMENTATION OF A CAPTIVE PORTAL SYSTEM WITH PFSENSE".
This report presents all the steps followed for the development of this application; it contains
four chapters organized as follows: chapter one covers the background of the
study. Chapter two covers the literature review. Chapter three covers
the generalities of the captive portal, with the objective of presenting captive portal
concepts and highlighting the theoretical study of the monitoring solution adopted
for this work, its architecture and its operating principle. Chapter four covers
the presentation and analysis of data. Finally, in chapter five, we implement the solution,
presenting the working environment as well as the criticisms and suggestions related to
our work in view of the realization of our project.
1.2 BACKGROUND OF THE STUDY
In an era of globalization, Internet access has become a part of life and a compulsory
everyday activity, especially for students. Besides, the Internet acts as a medium of communication
between one person and another anywhere in the world. The Internet can also be a resource
for education, that is, teaching and learning. It is often reached over a wired connection, but today
many places such as homes, universities and companies connect to the Internet wirelessly,
commonly called Wi-Fi. Based on that statement, network usage will
increase from time to time with the applications that users can access. This problem can
become worse if it is not managed efficiently.
Next, the Internet can be defined as a massive network of networks. A network is a collection of
computers and other devices that can send data to and receive data from one another, more or
less in real time (Elliotte Rusty Harold, 2013). The development of a network may lead to
excessive data access. So, a network administrator should monitor the network using pfsense. In
current research, pfsense is essential software used to monitor the network easily.
pfsense is an open-source software distribution based on FreeBSD. pfsense is commonly used
as a router, perimeter firewall, DHCP server, wireless access point and DNS server.
Moreover, pfsense also supports installation of third-party packages such as Snort for intrusion
detection and prevention (IDS/IPS). In order to overcome network problems, pfsense must be
configured as a DHCP server. A switch is used to connect two devices such as computers.
The switch acts as a bridge. A switch performs better in average time compared with a hub
(Christopher Udeagha, R. Maye, D. Patrick, D. Humphery, D. Escoffery and E. Campbell,
2016). It can send and receive information at the same time and is faster than a hub. Many people
use a switch to forward a message to a specific host. Authentication is an important process
used to validate access by an authorized user before he or she is given access to the resource.
One Time Password is one form of authentication that is mostly used with other forms of
authentication. In other words, the One Time Password algorithm is one of the simplest and most
popular forms of two-factor authentication today (Nilesh Khankari and Geetanjali Kale,
2014).
1.3 PROBLEM STATEMENT
This project was developed in response to some common problems. The problems are:
i. Lack of a captive portal system will lead to congestion in the network and hence limit
communication between client (user) and server, so a situation that stops a process or activity
from progressing may occur.
ii. Users are consuming a lot of bandwidth at one time when
iii. Unexpected scalability and performance problems appear as the number of network users
increases at one time.
The goal of this project is to plan and design a web page that the user of a public-access
network will view and interact with before access to the internet is granted.
The main objective of our project seeks to achieve the following objectives.
i. Study existing LAN infrastructure.
iii. Implement the simulation that optimizes network usage as well as limiting
bandwidth and time in pfsense.
The need for this project is driven by various challenges faced by small organizations
due to unauthorized access to the network, inappropriate use of existing bandwidth and
absence of bandwidth management strategies. This has promoted bandwidth wastage on
unwanted traffic such as music and movie downloads by some users.
This project is designed to make sure that the available Internet facility is effectively
and optimally used to support the core business of an organization, that is, maximizing profit
while minimizing expenditure.
CHAPTER TWO: LITERATURE REVIEW
2.1 INTRODUCTION
This chapter reviews selected literature related to the simulation that will be
developed. The literature review draws on trusted texts
such as journals, articles and books that contain current knowledge about theoretical and
methodological contributions. The main purpose of the literature review is to identify research
methods and strategies that should be applied in this project. It is important to know and
understand the information from previous research and take it into consideration before
developing this project. A few previous studies or existing systems will also be discussed in this
chapter. The literature review is therefore carried out to be used as a reference in developing
the proposed simulation.
According to the book Data Communication and Networking, Fifth Edition, a network is the
interconnection of a set of devices capable of communication (Behrouz A. Forouzan, 2012). In this
definition, a device can be a host or a connecting device, which connects the network to other
networks so that data transmission can occur. These devices are connected using wired and
wireless transmission media. Wired media use copper wires or fiber optic cable to send and receive
data. With wireless transmission, the data signal instead travels on electromagnetic waves. In this
case, we use a switch acting as a bridge to connect client and server. Two
types of network are involved in this simulation: Local Area Network (LAN) and Wide
Area Network (WAN). A LAN is privately owned and connects some hosts in a single office, building
or campus, but it also depends on the organization's needs. Most LANs are designed to allow resources to
be shared between hosts. Normally, a LAN covers a limited area while a WAN covers a wider area.
The rate of transmission can be measured in kilobytes, megabytes or gigabytes per
second.
2.2.2 BANDWIDTH USAGE
2.2.3 FIREWALL
A firewall is a network security device that monitors and filters incoming and outgoing
network traffic based on an organization’s previously established security policies. A firewall
is essentially the barrier that sits between a private internal network and the public internet. A
firewall’s main purpose is to allow non-threatening traffic in and keep dangerous traffic out.
Firewalls have existed since the late 1980s and started out as packet filters, which were
networks set up to examine packets, or bytes transferred between computers. Though packet
filtering firewalls are still in use today, firewalls have come a long way as technology has
developed throughout the decades.
2.3 CONCEPTS ON THE CAPTIVE PORTAL
2.3.1 DEFINITION
A captive portal is a security system that manages the authentication of users on a local
network who wish to access an external network (usually the Internet). It requires users on the
local network to authenticate themselves before accessing the external network. When a user
seeks to access the Internet for the first time, the portal captures the connection request
through routing and prompts the user to identify themselves in order to receive Wi-Fi access and be
offered Internet access. In addition to authentication, captive portals make it possible to offer
different classes of service and associated charges for Internet access (e.g., free Wi-Fi, paid
wired). This is achieved by intercepting all packets regardless of their destination until the
user opens their web browser and tries to connect to the internet. When the connection is
established, no security is active. This security will not be active when the connected
computer tries to access the internet with its web browser. The captive portal will, on the first
HTTP request, redirect the web browser to authenticate the user; otherwise no request will
pass through the captive server. Once the user is authenticated, the firewall rules are modified
and the user is allowed to use the Internet for a period of time set by the administrator. At the
end of the set time, the user will be asked for their login credentials again in order to open a new
session.
This system offers security for the available network: it allows the company's web
filtering policy to be enforced thanks to a proxy module, and also allows access to the desired
protocols to be prohibited thanks to an integrated firewall.
2.3.2 GENERAL OPERATION OF A CAPTIVE PORTAL
The client connects to the network via a wired connection or to the wireless access point.
The access point then provides it with an IP address and the network configuration
parameters. At this point, the client only has access to the network between itself and the
gateway, with the gateway preventing access to the rest of the network for the time being.
When the client makes its first web request in HTTP or HTTPS, the gateway redirects it to an
authentication web page that allows it to authenticate itself with a login and password. This
page is encrypted using the SSL protocol to secure the transfer of the login and password.
The authentication system will then contact a database containing the list of users authorized
to access the network. Next, the authentication system indicates to the gateway, more or less
directly depending on the captive portal, that the client's MAC/IP pair is authenticated
on the network. Finally, the client is redirected to the web page initially requested; the
network behind the gateway is now accessible. The captive portal, through various
mechanisms such as a pop-up window on the client refreshed at regular intervals or ping
requests to the client, is able to find out if the user is still connected to the network. After a
period of absence from the network, the captive portal will cut off access to that user.
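The sequence above can be followed as a small gateway model. This is an added example, not code from the report or from pfsense; the portal host name, the `redirurl` parameter, the account, the MAC/IP values and the timeout figures are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import quote

PORTAL_HOST = "portal.lan.example"            # assumed portal host name
PORTAL_URL = f"https://{PORTAL_HOST}/login"   # login page is served over TLS
LOCAL_SERVICES = {"dhcp", "dns"}              # needed before any login can happen


def pw_hash(password, salt):
    """Salted, slow hash so the user database never stores clear passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = os.urandom(16)
USER_DB = {"student1": (SALT, pw_hash("s3cret-pass", SALT))}  # constructed account


class CaptiveGateway:
    """Decides ALLOW / REDIRECT / DROP per packet, keyed on the MAC/IP pair."""

    def __init__(self, hard_timeout=3600, idle_timeout=300):
        self.hard_timeout = hard_timeout   # session length set by the administrator
        self.idle_timeout = idle_timeout   # "period of absence" before cut-off
        self.sessions = {}                 # (mac, ip) -> {"user", "start", "seen"}

    def _expire(self, now):
        for key, s in list(self.sessions.items()):
            too_old = now - s["start"] >= self.hard_timeout
            absent = now - s["seen"] >= self.idle_timeout
            if too_old or absent:
                del self.sessions[key]     # firewall rule for this pair is removed

    def login(self, mac, ip, user, password, now):
        """Check credentials against the user database; open a session on success."""
        salt, stored = USER_DB.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(pw_hash(password, salt), stored)
        if ok:
            self.sessions[(mac, ip)] = {"user": user, "start": now, "seen": now}
        return ok

    def handle(self, mac, ip, proto, dst, now):
        """Return (action, detail) for one outbound request from a client."""
        self._expire(now)
        session = self.sessions.get((mac, ip))
        if session:
            session["seen"] = now          # activity keeps the session alive
            return ("ALLOW", dst)
        if proto in LOCAL_SERVICES or dst == PORTAL_HOST:
            return ("ALLOW", dst)          # client <-> gateway traffic only
        if proto in ("http", "https"):
            # First web request: send the browser to the login page and
            # remember where it wanted to go.
            return ("REDIRECT", f"{PORTAL_URL}?redirurl={quote(dst, safe='')}")
        return ("DROP", None)              # everything else is blocked


def walkthrough():
    """Replays the steps of the paragraph for one constructed client."""
    gw = CaptiveGateway(hard_timeout=3600, idle_timeout=300)
    mac, ip = "aa:bb:cc:00:00:01", "192.168.1.10"
    return [
        gw.handle(mac, ip, "dhcp", "gateway", now=0)[0],       # gets its address
        gw.handle(mac, ip, "http", "example.org", now=1)[0],   # first web request
        gw.handle(mac, ip, "ssh", "example.org", now=2)[0],    # non-web, no session
        gw.login(mac, ip, "student1", "s3cret-pass", now=3),   # authenticates
        gw.handle(mac, ip, "ssh", "example.org", now=4)[0],    # now allowed
        # Same IP but a different MAC is a different pair, so no session applies.
        gw.handle("aa:bb:cc:00:00:02", ip, "http", "example.org", now=5)[0],
        gw.handle(mac, ip, "http", "example.org", now=400)[0], # idle too long
    ]


if __name__ == "__main__":
    print(walkthrough())
```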
2.3.3 OVERVIEW OF THE MAIN CAPTIVE PORTALS
All the solutions we have studied are free and open source, which allows us to
considerably reduce the cost of their implementation.
• Pfsense
It is easily installed via a dedicated distribution, and all configuration can be done
either via the SSH command line or via the HTTPS web interface. Configuration backup and
restore is available through the web interface and generates a simple file of a
reasonable size. The portal keeps evolving thanks to regular updates whose
installation is managed automatically in a section of the administration panel. This solution
allows secure authentication via the HTTPS protocol and a user/password pair.
• Alcasar
It is a French project essentially dedicated to captive portal functions. This application
is installed via a script and is supported by the Mandriva Linux distribution; the
configuration is done via the secure management interface (HTTPS) or on the command
line directly on the Mandriva server. A backup of the configuration is taken by
creating a system ghost (system file) in the administration panel, which still generates a
file of a certain size. Regular updates ensure that the solution is future-proof. The
authentication to the captive portal is secured by HTTPS and a user/password pair. Like
pfsense, ALCASAR is compatible with many platforms, and user page customization and
ease of use are present.
• Zeroshell
It is a Linux distribution designed to implement global security within a network
(firewall, VPN, captive portal, etc.). Its installation is simple via a dedicated distribution.
It has an easy-to-use web management interface that allows, among other things, saving
the captive portal configuration or customizing the connection and disconnection pages
in an integrated HTML editor. Like the other two solutions, the authentication page is
secure and the connection is made via a user/password pair. Its use remains identical to
the other solutions presented.
• Chillispot
2.3.4 COMPARISON OF CAPTIVE PORTALS
In the comparative study of the solutions, we have highlighted several important criteria
that the different solutions must take into account:
• Easy to use: to allow all visitors to connect to the wired or wireless network.
Solutions
Documentation                  ✓     ✓     o     o
Supported platforms            All   All   All   All
Personalization                ✓     ✓     o     o
Ease of use                    ✓     o     o     o
Save/restore configurations    ✓     ✓     ✓     •

✓ Highly available
o Moderately available
• Less available
2.3.5 CHOOSING A CAPTIVE PORTAL SOLUTION
Although we did not put all these solutions into practice to compare them, the
theoretical study allows us to retain the first two solutions, namely pfsense and
ALCASAR, because they both meet our needs: they are free solutions, can be installed on a
server as well as on a workstation, and offer user authentication by login and password,
bandwidth control, ease of administration, installation and configuration, ease of use,
very detailed and available documentation, availability of updates, etc. Both solutions
fit the case under study, but ALCASAR is only installed via a Mandriva distribution.
Also, ALCASAR is installed via an automated script, whereas pfsense is installed via
a dedicated distribution, which makes the choice of pfsense imperative. In addition,
pfsense has a more user-friendly interface and a main dashboard page where all
essential information can be found and modified as required. This product also has a
higher level of assurance as the user community is very active. In conclusion, in the
rest of our study, we will use the pfsense captive portal solution.
2.4 SECURING WIRELESS NETWORK USING PFSENSE CAPTIVE PORTAL WITH RADIUS AUTHENTICATION
This paper discusses an authentication method for preventing access by unauthorized users.
An effective way of achieving secure wireless network authentication is to use a Captive
Portal with the RADIUS authentication method. A wireless network lets users connect
easily, although only within the local coverage of the network. However, a problem with
wireless networks is security. WLAN security is improved by using a secure
mechanism called Captive Portal. The advantages of this mechanism are that users are directed to a
login page when they open a web browser to access the internet, and that users do not need to
install access controller software on their mobile devices. Windows 7 and Windows 8 are
set up as clients, while Windows Server 2012 runs Active Directory (AD) and Network Policy
Server (NPS), which acts as the local RADIUS server. AD is responsible for the users' credentials for
authentication. NPS allows the network administrator to create network policies
to authenticate and authorize connections from wireless access points and authenticating
switches.
In this project, pfsense can function as a perimeter firewall, router, proxy server and
DHCP server. However, pfsense preferably acts as a firewall in this case. The Captive Portal is set up
with RADIUS, so the combination of the two is more secure.
The main disadvantage of this project is that it is difficult for a large organization with over
2000 user login credentials to register them in the AD (Aryeh, Asante, 2016).
2.5 BUILDING A SECURE WIRELESS ACCESS POINT BASED ON
CERTIFICATE AUTHENTICATION AND FIREWALL CAPTIVE
PORTAL
This paper discusses securing a wireless local area network using WPA2
Enterprise based on PEAP MS-CHAP and a Captive Portal. Protected Extensible Authentication
Protocol (PEAP) is a member of the family of Extensible Authentication Protocol (EAP)
protocols. It uses Transport Layer Security to create an encrypted channel for the
authenticating PEAP client. Moreover, PEAP does not specify an authentication method but
provides additional security for other EAP authentication protocols. PEAP MS-CHAP
utilizes Active Directory Certificate Services to generate the digital certificate that is installed on NPS.
The authentication process occurs in two phases. First, the EAP protocol is used to open a
TLS channel. Second, the username and password of the user connecting to the WLAN
through the Internal SSID are authenticated using the EAP protocol. The method proposed in this research has
two levels of security: a firewall with the pfsense Captive Portal, and WPA2 Enterprise.
This paper also focuses on two SSIDs, one for guests and one for internal users.
The advantage of this approach is that it uses strong authentication to protect data transmission.
This paper presents a DNS-based captive portal. A name server receives a Domain Name
System (DNS) request and queries a login database. When the user device is logged in, the
name server responds to the DNS request with the Internet Protocol (IP) address of a web
server as the resolved IP address of the specified domain name. The web server acts as a
transparent proxy between the user device and the non-local target Uniform Resource
Locator (URL). The captive portal involves a DNS server resolving all domain names for
user devices that are not logged in to the IP address of a login portal. One advantage of this
paper is good security, because when the user wants to access a website, he needs to log in
to the portal first before that website appears. The second advantage is that it makes
managing users easy for the organization: it is possible to instruct users to navigate
manually to a URL or IP address by placing an instructional card at a specific place, but
users instead expect the whole process to be automatic. A disadvantage of the DNS-based
captive portal is that it only works if the user initially attempts to browse to a URL with a
domain name address. In addition, it performs DNS poisoning for user devices that are not
logged in, so a user device may cache the IP address of the login portal even after it has
logged in. The solution to that problem is to configure the DNS server of the captive portal
to provide a low time-to-live (TTL) when it resolves a domain name to the IP address of the
login portal for an unauthorized user device. The TTL should completely prevent the user
device from caching an incorrect IP address. However, there is no guarantee that the user
device will respect the TTL. (Peter S. Warrick and David T. Ong, 2014)
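The behaviour described above, as an added Python example (not code from the cited paper or from pfSense): a name server that answers clients that are not logged in with the login portal's address and a low TTL, and a client cache that may or may not honour that TTL. `PROXY_IP`, both TTL values, the client address and all function names are assumptions; the DNS query is constructed inline.

```python
import struct

PORTAL_IP = "192.168.1.2"   # login portal (the address used in this report's setup)
PROXY_IP = "192.168.1.3"    # assumed address of the transparent-proxy web server
PORTAL_TTL = 5              # assumed low TTL in seconds for portal answers
NORMAL_TTL = 300            # assumed TTL for answers given to logged-in clients


def question_end(message):
    """Offset just past the question section of a single-question DNS message."""
    pos = 12                                  # fixed 12-byte DNS header
    while message[pos] != 0:
        pos += 1 + message[pos]               # skip one length-prefixed label
    return pos + 5                            # zero label + QTYPE + QCLASS


def answer(query, client_ip, logged_in):
    """Name-server side: choose the A record by login state and build the reply."""
    if client_ip in logged_in:
        ip, ttl = PROXY_IP, NORMAL_TTL
    else:
        ip, ttl = PORTAL_IP, PORTAL_TTL
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:question_end(query)]
    # 0xC00C is a pointer back to the name in the question (offset 12)
    record = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
    return header + question + record + bytes(int(p) for p in ip.split("."))


def read_a_record(response):
    """Client side: return (ip, ttl) from the single answer built above."""
    pos = question_end(response) + 2          # skip the 2-byte name pointer
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    ip = ".".join(str(b) for b in response[pos + 10:pos + 10 + rdlen])
    return ip, ttl


class StubCache:
    """Client resolver cache; min_ttl models a device that ignores low TTLs."""

    def __init__(self, min_ttl=0):
        self.min_ttl = min_ttl
        self.entry = None                     # (ip, expires_at)

    def lookup(self, query, client_ip, logged_in, now):
        if self.entry and now < self.entry[1]:
            return self.entry[0]              # served from cache, server not asked
        ip, ttl = read_a_record(answer(query, client_ip, logged_in))
        self.entry = (ip, now + max(ttl, self.min_ttl))
        return ip


def make_query(name, txid=0x1234):
    """Constructed sample input: a standard A query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)


def simulate(min_ttl):
    """Resolve before login, log in, then resolve again 10 seconds later."""
    query, client, logged_in = make_query("www.example.com"), "192.168.1.50", set()
    cache = StubCache(min_ttl)
    before = cache.lookup(query, client, logged_in, now=0)
    logged_in.add(client)
    after = cache.lookup(query, client, logged_in, now=10)
    return before, after
```

`simulate(0)` models a device that honours the 5-second TTL and reaches the proxy after login; `simulate(60)` models one that enforces its own 60-second minimum and is still sent to the login portal.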
A company or an institute needs to perform many tasks such as web filtering, caching
and user monitoring, but to allow Internet access only after authentication, using an explicit
proxy. Accordingly, this paper proposes a transparent proxy together with a captive portal
so that applications work with it. pfSense is used as the firewall, with both proxy
server and captive portal services integrated on a single platform. Because a transparent
proxy is used, the proxy server itself cannot challenge the user for credentials, so the user
has to authenticate through the captive portal. The transparent proxy is proposed to fulfil
the filtering, caching and monitoring requirements. An advantage of this approach is that
the proxy server allows the client computer to make indirect network connections to other
network services. A transparent proxy also does not require any configuration on the
client's end and makes use of an efficient forwarding mechanism. More importantly, it is an
ideal choice for a web accelerator and web filtering gateway. A disadvantage of a
transparent proxy deployment is that the web browser is unaware that it is communicating
with a proxy. The captive portal technique is also used in this research to prevent users
from accessing the network until authentication occurs.
This may protect confidential information. (Pranjal Sharma and T. Benith, 2014)
This paper proposes a system that involves generating and delivering a One Time Password to
a mobile phone. The authors also explain a method of two-factor authentication (2FA)
implemented using a One Time Password (OTP) generated by a smartphone. The smartphone is
used as the token for creating the OTP. The OTP is valid for a short period of time only, and
it is generated and verified using a secured cryptographic algorithm. High security is the
main advantage of using OTP. Security is a major concern in all sectors, so OTP can solve the
password problem because it is valid for one session only. However, this system also has a
disadvantage. Using more than one two-factor authentication system requires multiple tokens.
From the user's point of view, tokens have drawbacks, which include the cost of purchasing,
issuing and managing the
token as well. (Sagar Archarya, Apoorva Polawar and P.Y.Pawar, 201
3.1 INTRODUCTION
Methodology is a systematic way of solving the research problem by applying a technique,
algorithm or method. It comprises the theoretical analysis of the methods and principles
associated with a branch of knowledge. Methodology is also defined as the principles, rules or
procedures used for developing a project or system. For this project, the methodology shown
in this chapter consists of a flowchart and a framework. In order to overcome the problem
stated in 1.2, this methodology is built with reference to the three main objectives stated in
1.3: first, to study the existing LAN infrastructure; second, to design the simulation; and
lastly, to implement the simulation. This project focuses on network monitoring.
3.2 FLOWCHART
Figure 2: Flowchart
Figure 2 shows a flowchart for user authentication in this project's simulation. The
simulation involves a user and an administrator. Two computers are required for testing:
one computer acts as the DHCP server while the other acts as the client's (user's) computer.
pfSense is installed in VirtualBox on the computer that acts as the DHCP server.
Users must be authenticated by the captive portal before they get access to the Internet. So,
users should enter a username and password, which the administrator uses to verify and
identify them. If users fail authentication, they cannot access the Internet, even if they try
hundreds of times to open the browser or access the Internet. When users enter a correct
Next, the administrator has to monitor the network usage of users. The administrator
enters, in the pfSense configuration, the total amount of bandwidth and time that users may
consume, in order to limit or maximize network usage. pfSense records the IP address or MAC
address of each computer that accesses the network.
3.3 FRAMEWORK
This part discusses the simulation framework. Simulation is the imitation of the operation
of a real-world process or system over time. A simulation requires that a model be
developed, and that model represents the key characteristics or functions of the selected
system. The simulation framework defines the process needed to operationalize the model,
which shows the design of the network system that will be developed in the future.
In this project, the network system design involves devices such as computers and a switch
that connects them. Furthermore, this framework helps in understanding how the
administrator monitors network usage in a Local Area Network.
Figure 3: Framework
Figure 3 shows a simulation model of the network in which the user's computer gets Internet
access after connecting to the DHCP server. The switch in this case acts as a bridge
connecting both computers. A computer with pfSense installed is configured as the DHCP
server to monitor the user's network usage. The DHCP server and the user's computer are
connected by the switch and form an intranet. An intranet is a private network contained
within an enterprise, connected to the outside Internet through one or more gateway
computers. In this case, the intranet is used for sharing data access or Internet access from
the DHCP server. The user's computer must go through the captive portal first before the
user can access the network.
3.4 ALGORITHM
Figure 4 shows the proposed algorithm that is applied to the captive portal. This algorithm is
called the One Time Password algorithm.
Start
User registers username, phone number and email address
Administrator sends OTP code to the phone or email address entered during registration
User enters OTP code and user can access network else is username is FALSE User can
else
End
used. In other words, a One Time Password is a randomly generated password that needs to be
sent to users by email or mobile phone services. When users want to enter the captive
portal, the administrator needs to send a one time password code to the users after
they have pre-registered. Users are allowed into the network after they are successfully
authenticated by the captive portal. For security, a password usually needs to consist of 8
characters with at least one digit, one capital letter and one small letter. An advantage of a
One Time Password is that it is not vulnerable to replay attacks. This means an intruder who
wants to attack the system cannot easily enter it, because the intruder needs to break the
password first.
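The register, send and verify flow of section 3.4, together with the short validity period noted for OTPs in the literature review, as an added Python example (not the project's implementation). The class and function names, the 300-second lifetime and the sample user are assumptions; the code follows the 8-character rule stated above, and a code is consumed on first use, which is what makes a replayed code fail.

```python
import hashlib
import hmac
import secrets
import string

OTP_LENGTH = 8        # the report's rule: 8 characters
OTP_LIFETIME = 300    # seconds; assumed value, the report gives none


def generate_otp():
    """Random 8-character code with at least one digit, capital and small letter."""
    alphabet = string.ascii_letters + string.digits
    while True:
        code = "".join(secrets.choice(alphabet) for _ in range(OTP_LENGTH))
        if (any(c.isdigit() for c in code) and any(c.isupper() for c in code)
                and any(c.islower() for c in code)):
            return code


class OtpPortal:
    """Hypothetical in-memory model of the register / send / verify flow."""

    def __init__(self):
        self.users = {}      # username -> contact details given at registration
        self.pending = {}    # username -> (sha256 of code, expiry time)

    def register(self, username, phone, email):
        self.users[username] = {"phone": phone, "email": email}

    def issue(self, username, now):
        """Administrator step: create the code that is sent by SMS or email."""
        if username not in self.users:
            raise KeyError("user must pre-register first")
        code = generate_otp()
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[username] = (digest, now + OTP_LIFETIME)
        return code          # delivered out of band; only the hash is stored

    def verify(self, username, code, now):
        """True grants access. A code works once and only until it expires."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        if now > expires:
            del self.pending[username]
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
        if ok:
            del self.pending[username]   # single use: a replay finds no entry
        return ok


def demo():
    portal = OtpPortal()
    portal.register("alice", "+237600000000", "alice@example.org")  # constructed
    code = portal.issue("alice", now=1000)
    first = portal.verify("alice", code, now=1060)
    replay = portal.verify("alice", code, now=1070)
    late_code = portal.issue("alice", now=2000)
    expired = portal.verify("alice", late_code, now=2000 + OTP_LIFETIME + 1)
    return first, replay, expired
```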
Authors: Peter S. Warrick and David T. Ong (2014)
Title: DNS-based Captive Portal with integrated transparent proxy to protect against user device caching incorrect IP address
Method: Integrated transparent proxy
Description:
- Captive portal involves a DNS server resolve all domain names for unlogged in user devices to IP address of a login portal
- Solution of problem is configuration DNS server of captive portal to provide low time-to-live (TTL)
Advantages:
- Good in security
- Make organization easy for managing users
Disadvantages:
- Only work if user initially attempt to browse to URL with domain name address

Authors: Harsh Mittal, Manoj Jain and Latha Banda (2013)
Title: Monitoring Local Area Network using Remote Method Invocation
Method: Remote Method Invocation
Description:
- Control and monitor network of Local Area Network by using Remote Method Invocation
- Allow java object execute on one machine to invoke method of a Java object that execute on another machine
Advantages:
- Use wireless network so can get Internet Protocol address of client and keep pinging every time for checking latest status LAN
- Instant of client's machine image saved to database when server shutdown client's machine
Disadvantages:
- Vast functionalities regarding its performance

Authors: Larkins Carvalho and Nielet Dmello (2013)
Title: Secure network monitoring system using mobile agents
Method: [...] agents
Description:
- [...] monitoring system that follow decentralized approach for overcome problem of existing system
- To reduce network bandwidth by using mobile agent
Advantages:
- [...] achieve confidentiality and integrity
- Reduce network bandwidth
Disadvantages:
- [...] slow and delay at a certain time

Authors: Aditya Bhosale, Kalyani Thigale, Sayali Dodke and Tanmay Bargal (2014)
Title: Android based network monitor
Method: Android
Description:
- Develop system that user not available at the actual site can monitor the network
- Administrator is authenticate using Secure hash algorithm and gain right to monitor network
- Two ways of control network are enter a command through mobile device and control network directly through server
Advantages:
- High throughput
- Scalability
- Availability
- Reliability
- Transparency
Disadvantages:
- Security model and algorithms of GPRS develop in secrecy and never publish
- System does not support duplex communication between client and server

Authors: Sagar Archarya, Apoorva Polawar and P.Y.Pawar (2013)
Title: Two factor authentication using smartphone generate one time password
Method: One Time Password
Description:
- System that involves generating and delivering a One Time Password to mobile phone
- OTP is valid for short period of time only
Advantages:
- High security
Disadvantages:
- Cost of purchasing, issuing and managing the token
SUMMARY
This chapter discusses the methodology used to complete this project: the flowchart, the
framework and the algorithm. These elements are important for making the project more
systematic. For that reason, the methodology must be followed during development of the
simulation in order to complete the project successfully. The One Time Password algorithm
is the technique applied in this project. An overview of the captive portal and pfSense is
also important to discuss in this chapter.
CHAPTER FOUR: IMPLEMENTATION AND RESULTS OF THE SOLUTION
4.1 INTRODUCTION
This chapter constitutes the heart of the development process of our software
and aims at implementing each module described in the preceding chapter. We have
presented the stages of analysis and design in the preceding chapter and in this
chapter, we will present the phases of the implementation and the results. Thus, we
will be presenting the various pages or views of our application using the print screen
option with some short notes for brief explanation.
4.2 IMPLEMENTATION
In this section we will describe the main snapshots of our developed system. Our
system is made up of two actors, the captive portal administrator and users, so we
are going to describe the snapshots of each of these actors.
4.2.1 INSTALLATION AND CONFIGURATION
4.2.2 INSTALLATION OF PFSENSE
For a practical implementation, we describe the installation step by step. The software can
be used in two ways: installed directly on the hard disk, or run from a live CD without
installing it.
The latter option is very fast and efficient; loading and configuration are done
automatically. But it has some disadvantages, such as long loading time, unreliability and the
impossibility of adding packages or software, because you cannot modify the structure of the CD.
Since we do not have a CD for the network implementation, we will install it via the live CD.
First, let's check that the computer has the required characteristics, and then, after
installing VirtualBox, create a new virtual machine. The virtual machine is named
pfsense, with type BSD and operating system FreeBSD. The RAM is 1024 MB. We then go to
the configuration to activate the two network cards: the first card uses bridged access and
the second is host-only. Once we reach the boot stage, we insert the disk; this then
takes us to the FreeBSD boot screen.
Figure 6: FreeBSD boot screen
You must now confirm the installation on the hard disk by clicking on accept.
Once the installation is launched, we are offered different installation procedures; here we
opt for the quick installation and confirm.
Figure 8: Confirmation of the installation
Once the partitions have been created and set up, it is necessary to restart the computer for the
changes to take effect.
Figure 10: Configuration menu
First of all, it is advisable to change the LAN IP address of pfsense for simplicity later
on; its default LAN IP address is 192.168.1.1. It will then be modified to be in our local
network. To do this, in the configuration menu we will type 2 "set LAN IP address" and
change the IP address of pfsense.
Now that the installation is complete, we can start configuring either in console mode
or from the web interface. Here we have chosen the web interface as it is more
convenient.
4.2.3 CONFIGURATION OF PFSENSE
For configuration via the web interface, you need to connect a PC to the
pfSense LAN interface. Start by opening a web browser and entering the LAN IP address
of the pfSense machine in the address bar. In our case, we go to http://192.168.1.2
to reach the login interface, where we are asked to enter a username and password.
Then enter the default username (admin) and password (pfsense) to log in as
administrator.
Figure 11: Portal connection of pfsense
Figure 12: pfsense general menu
Then go to the Services tab and then the DNS forwarder section, and check the Enable DNS
forwarder option. This option allows pfSense to forward DNS requests for clients.
In the Interfaces tab, select WAN and enable it by checking Enable interface;
then select the addressing type, either static or DHCP for dynamic addressing. Here, we have
assigned a static address. Then specify its MAC address in the indicated format, its public
IP address and its gateway in the boxes provided. Leave the other parameters at their
defaults.
Figure 13: Configuration of the WAN interface
B- LAN Interface
It is now necessary to activate the LAN interface in the same way as we did
with the WAN, but this interface must use static addressing: since the DHCP server
will be activated on it, its address must be fixed. Then assign its MAC address in
the format indicated. Its IP address has already been defined above, and its gateway
is left at the default, i.e., its own IP address, as this is the gateway for clients.
Figure 14: Configuration of the LAN interface
All that remains is to configure the DHCP server for the LAN, in order to
simplify the connection of the clients. To do this, go to the Services tab, then to the
DHCP server section, and check the Enable DHCP server on LAN interface box. Then
enter the IP address range that will be assigned to the clients. Before activating the
pfSense DHCP service, make sure that no other DHCP server is active on the
network, to avoid address conflicts. Then enter the IP address of the DNS server and
the domain name that will be assigned to the clients. Then enter the gateway address
for the clients; this will be the address of the captive portal. The other parameters
can be left at their defaults.
Figure 15: Configuration of the DHCP server
To do this, in the Rules tab, then in the Floating sub-tab, click on the "e" symbol to
edit this rule.
Thus, pfsense is correctly configured but for the moment, it only serves as a firewall
and router. It remains to activate the listening of requests on the LAN interface and to force
the users to authenticate themselves to cross the firewall.
4.2.4 CREATION OF THE CAPTIVE PORTAL
To enable the captive portal on the pfSense LAN interface, go to the Services tab and
then to the Captive portal section; then check the Enable captive portal box, and choose the
interface on which the captive portal will listen. Here, we have chosen LAN since we want
the users of our local network to go through the captive portal to reach the Internet. In the
following options, we must first define the number of clients requesting the authentication
page at a time, then the time after which a client will be automatically disconnected if it is
inactive, and the time after which it will be disconnected regardless of its state and then be
asked for the authentication parameters again. Thus, Maximum concurrent connections
defines the number of clients requesting the captive page at a time; Idle timeout defines the
time after which an inactive client is disconnected; and Hard timeout defines the time after
which it will be disconnected regardless of its state. We have chosen to set 2 for the
number of simultaneous connections and 20 minutes for inactivity. It is then possible to
redirect an authenticated client to a specified URL. Otherwise, it is redirected to the page
initially requested. We have chosen to redirect the client to the following URL:
"http://www.google.com".
Once this configuration has been saved, the captive portal should be functional. The
home page of the captive portal can also be modified to suit the company's needs, as can
the redirection page shown when authentication fails, by importing HTML or PHP code
into the fields provided for this purpose. All this makes the captive page more
user-friendly. To this end, we go to the Services tab, then Captive portal, and enable the
option to use a custom uploaded logo, as shown in the figure below.
This allows us to choose an image as the logo for the captive page. Then, at the
bottom, we also enable the option to use a custom uploaded background image, which allows
us to choose an image as the background of the captive portal. Then we click on Save to save
the configuration. Now we have to create our users and groups.
This page shows the different users that have been created in pfSense. To create them, go to
the System tab and then to User Manager. Then create user groups for each user: go to
System again, then User Manager, and then open Groups.
We can see the different users who can connect to our captive portal by going to the
status tab and then to captive portal; we obtain the following page:
4.3 RESULTS
Finally, you can open a new browser window and type in the address of the captive portal
(192.168.1.2). This brings up the captive portal page:
Figure 18: Captive portal page
5.1 SUMMARY OF FINDINGS
5.2 RECOMMENDATIONS
We cannot end our work without making one or two recommendations concerning
this project. As the methodology used in this project is prototyping, the researcher
recommends fulfilling all the requirements of the project so that the simulation can be
improved. This simulation project could then be widely used by everyone, especially
administrators, to monitor network performance in an easy way.
5.3 CONCLUSION
The primary goal of our research was to design and implement a captive portal system with
pfSense. This project will help any organization or company administrator to monitor
network performance easily. It will also reduce costs or budget in any organization. The
project can minimize network usage by limiting bandwidth and time. Much of the discussion
describes network monitoring in pfSense, together with a literature review of research
papers on previous related work. Last but not least, we hope this project can help many
people, especially administrators and users, and that it will be beneficial and useful to all
organizations and clients. On the other
hand, these limitations can monitor network usage through Captive Portal so users do not access
REFERENCES
Aditya Bhosale, Kalyani Thigale, Sayali Dodke and Tanmay Bargal. 2014.
Android Based network monitor. International Journal of Computer Science
and Information Technology & Security, Vol. 4, No.2, pp. 2249-9555.
Aryeh, F. L., Asante, M. and Danso, A. E. Y. 2016. Securing Wireless
Network using pfSense Captive Portal with RADIUS Authentication. Ghana
Journal of Technology, Vol. 1, pp. 40-45
B. Soewito and Hirzi. 2014. Building secure wireless access point based on certificate
authentication and firewall Captive Portal. EPJ Web of Conferences
68. doi:10.1051/epjconf/20146800029
Behrouz A. Forouzan. 2012. Data Communication and Networking Fifth
Edition. pp. 7-17.
Eduardo Ciliendo and Takechika Kunimasa. 2007. Linux Performance and
Tuning Guidelines First Edition. pp. 15.
Hussain A. Alhassan and Dr. Christian Bach. 2014. Operating System and Decision
Making. ASEE 2014 Zone I Conference, pp. 80-85.
Jorge L. Olenewa. 2012. Guide to Wireless Communication Third Edition. pp.
18-56.
Larkins Carvalho and Nielet Dmello. 2013. Secure network monitoring system
using mobile agents. International Journal of Modern Engineering Research, Vol.
3, Issue. 3, pp. 1850-1853.
Salim Istyaq. 2016. A New Technique for User Authentication Using Numeric
One Time Password Scheme. International Journal of Advanced Trends in Computer Science and
Engineering, Vol. 4, Issue 5, pp. 163-165.
Saranya S. Devan. 2013. Windows 8 V/S Linux Ubuntu 12.10 – Comparison Of
The Network Performance. International Journal of Research in