We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Guest Access with a Confirmation Page

  • Last updated on

When setting up a guest network, you can configure the firewall to use a confirmation page that prompts guests to agree to the Terms of Service before they can access the network. A confirmation page is typically used to grant network access to anonymous users. You can use Wi-Fi or a wired network for guest access.

Guest_access_conf.png

Before You Begin

  • Ensure that the firewall has one unused network interface (Wi-Fi, Ethernet, or virtual, e.g., ath3, p3, or p3.100).
  • Identify the guest network that you want to use (e.g., 192.168.225.0/24).

Step 1. Set Up the Guest Network Interface

Configure a static network interface or a Wi-Fi interface. For more information, see How to Configure Static Network Interfaces and Wi-Fi.

In the Static Interface Configuration section, ensure that you specify the following settings:

  • IP Address – The IP address of the guest network. E.g., 192.168.225.0/24
  • Classification – Select Trusted.

Step 2. Enable the DHCP Server for the Guest Network

To automatically assign IP addresses for guests, enable a DHCP server for the guest network.

  1. Go to NETWORK > DHCP Server.
  2. In the DHCP Server section, enable the DHCP server.
  3. Click Add DHCP Server Subnet. The Add DHCP Server Subnet window opens.
  4. Configure the DHCP subnet. Ensure that you specify the following settings:
    • Beginning IP Address and Ending IP Address – The range of IP addresses to be assigned to clients. For example, if your guest network is 192.168.225.0 with a netmask 255.255.255.0, the Beginning IP Address is 192.168.225.1 and the Ending IP Address is 192.168.225.254. The IP address assigned to the network interface must not be part of the management network.
    • DNS Servers – The IP addresses of the DNS servers.
  5. Click Save.

The guest network subnet appears in the DHCP Server Subnets section.

For more information on setting up a DHCP server, see How to Configure the DHCP Service.

Step 3. Set up the Guest Network

If you configured the guest network on a wired interface, specify that the network uses ticketing for guest access.

  1. Go to USERS > Guest Access.
  2. In the Guest Networks section, select your guest network from the Network column. E.g., 192.168.225.1/24
  3. From the Type column, select Confirmation Message.
  4. Click Add.
  5. Click Save.

The network appears in the second Network table.

confirmation_page.png

Step 4. (Optional) Configure the Confirmation Page

On the USERS > Guest Access page, you can configure the page that is displayed to guests when they log into the network.

In the Login Page Options section, edit the Welcome Message and upload a Welcome Image. The image can be up to 1 MB and must be in JPG, GIF, or PNG format. The suggested image size is 170 x 40 pixels.

Step 5. Create a PASS Access Rule for DNS Traffic

Create a network object for the gateway IP address of the guest access network, and then add an access rule to always allow DNS traffic from the guest network to the Internet.

Step 5.1 Create a Network Object
  1. Go to FIREWALL > Network Objects
  2. Click Add Network Object. The Add Network Object window opens.
  3. Enter a Name. E.g., GuestNetworkGW
  4. In the Include Entries section, enter the Network Address of the gateway IP address of the guest network. The guest network gateway IP address is the IP address that you assigned to the guest network interface in Step 1.gw_network_object_conf.png
  5. Click Save.
 Step 5.2 Add a Pass Access Rule
  1. Go to FIREWALL > Access Rules.
  2. Click Add Access Rule. The Add Access Rule window opens.
  3. Specify the following settings:
    • Action – Select Pass.
    • Name – Enter a name for the rule. E.g., GUEST-DNS-2-INTERNET
    • Connection – Select Dynamic NAT.
    • Adjust Bandwidth – Select Internet.
    • Source – Select the Network Object for the guest network gateway IP address. For example: GuestNetwork
    • Network Services – Select DNS.
    • Destination – Select Internet.
      GuestDNS-2-INTERNET_01.png

    To allow connections from the guest network to the Internet, the firewall must perform source-based NAT. The source IP address of outgoing packets is changed from that of the client residing in the network to the WAN IP address of the firewall, so the connection is established between the WAN IP address and the destination IP address. The destination address of reply packets belonging to this session is rewritten with the client's IP address.

  4. At the bottom of the rule editor window, click Save.

Step 6. Create a PASS Access Rule for Authenticated Users

Create an access rule to allow HTTP/S traffic from guest network users to the Internet.

  1. Go to FIREWALL > Access Rules.
  2. Click Add Access Rule. The Add Access Rule window opens.
  3. Specify the following settings:
    • Action – Select Pass.
    • Name – Enter a name for the rule. E.g., GUESTNET-2-INTERNET
    • Connection – Select Dynamic NAT.
    • Adjust Bandwidth – Select Internet.
    • Source – Select the Network Object for the guest network gateway IP address. For example: GuestNetwork
    • Network Services – Select HTTP+S.
    • Destination – Select Internet.
      GuestNET-2-INTERNET_01.png
  4. In the rule editor window, click the ADVANCED tab.
  5. In the Valid for Users section, select All Authenticated Users and click +.
    user_access.png
  6. At the bottom of the rule editor window, click Save.

Because rules are processed from top to bottom in the rule list, ensure that the rule to allow DNS traffic is placed above the rule to allow users, and that both rules are placed above the BLOCKALL rule; otherwise, the rules are blocked.

rules_order.png

After adjusting the order of the rules, click Save.

Last updated on