
In many businesses, providing internet access to guests, customers, or temporary users is necessary — but giving them unrestricted data can quickly lead to abuse, bandwidth congestion, and security issues.
Whether you’re running a café, coworking space, hotel, school, or corporate guest Wi-Fi, the simplest and safest approach is to use a captive portal combined with a firewall-based data limit.

A captive portal forces users to authenticate before accessing the internet, and your firewall enforces exactly how much data they can use. This ensures security, prevents network overloading, and gives you complete visibility into who uses your network and how much.

How to Configure Limited-Data Access Using Captive Portal + Firewall

1. Create a Guest Network / VLAN
  • Create a Guest VLAN (ex: VLAN 100).
  • Assign an IP (ex: 10.100.100.1/24).
  • Enable DHCP on that VLAN.
2. Enable Captive Portal on the Guest Interface
  • Go to your Firewall → User Authentication → Captive Portal.
  • Choose the Guest VLAN interface.
  • Add your custom login page/logo.
  • Select authentication method:
    • Click-to-Accept
    • Vouchers
    • Email/SMS login
    • RADIUS login
3. Configure Walled Garden (Allowed Before Login)
  • Add the domains that should work before login
    (example: company website, payment link, FAQ page).
4. Create a Guest User Group
  • Create a Guest-Limited user group.
  • Assign the authentication method to this group.
5. Enable Firewall Policy (Post-Login Access)
  • From Guest VLAN → WAN.
  • Source: Guest-Limited / Authenticated Users.
  • Enable NAT.
  • Under Traffic Shaping, apply rate limits:
    • Example: 2 Mbps download / 1 Mbps upload.
6. Apply Data Quota (Main Limiting Feature)

Depending on your firewall model:

Firewalls with Built-in Quota (FortiGate / Sophos / SonicWall)

  • Go to User → Quota
  • Create Data Quota:
    • Example: 500 MB per user per day
  • Attach it to the Guest-Limited group.
Firewalls using RADIUS Accounting
  • Enable RADIUS accounting
  • Configure Interim Updates (default: 300 seconds)
  • Enable CoA (Change of Authorization):
    • User exceeds quota → Firewall blocks/redirects automatically.
7. Configure Session Timeouts
  • Session Timeout: 8 hours
  • Idle Timeout: 10–15 minutes
8. Redirect Exhausted Users

Create a redirect rule:

  • If the user hits the quota → redirect to:
    • Quota Exhausted / Recharge Page
      (Configured inside Captive Portal → Redirect Settings)
9. Test Everything
  • Connect a phone/laptop.
  • Ensure captive portal pops up automatically.
  • Browse until data limit is reached.
  • Confirm internet stops & redirection works properly.
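
For the RADIUS accounting option in step 6, the sketch below (an added example, not code from any firewall vendor) shows the quota decision an accounting backend makes from interim updates before it asks the firewall for a CoA. The records, user names, the `day` field and the function names are constructed assumptions; only the attribute names are standard RADIUS accounting attributes, and sessions are assumed not to span midnight.

```python
from collections import defaultdict

MB = 1024 * 1024
QUOTA_BYTES = 500 * MB  # step 6 example: 500 MB per user per day

def rec(user, day, sid, inp, out, out_gw=0):
    """Build one constructed interim-update record (hypothetical helper)."""
    return {"User-Name": user, "day": day, "Acct-Session-Id": sid,
            "Acct-Input-Octets": inp, "Acct-Output-Octets": out,
            "Acct-Output-Gigawords": out_gw}

# Constructed sample data, not real logs. Counters are cumulative per session.
SAMPLE_UPDATES = [
    rec("guest-a", "2024-01-01", "s1", 20 * MB, 180 * MB),
    rec("guest-a", "2024-01-01", "s1", 30 * MB, 270 * MB),   # later update, same session
    rec("guest-a", "2024-01-01", "s2", 25 * MB, 225 * MB),   # reconnect, counters restart
    rec("guest-b", "2024-01-01", "s3", 10 * MB, 90 * MB),
    rec("guest-c", "2024-01-01", "s4", 1 * MB, 5 * MB, out_gw=1),  # 32-bit counter wrapped
]

def session_bytes(r):
    """Total bytes for one session, folding in the 32-bit wrap counters."""
    wraps = r.get("Acct-Input-Gigawords", 0) + r.get("Acct-Output-Gigawords", 0)
    return (wraps << 32) + r["Acct-Input-Octets"] + r["Acct-Output-Octets"]

def users_over_quota(updates, quota=QUOTA_BYTES):
    """Return {(user, day): bytes} for users whose daily total exceeds quota."""
    latest = {}  # (user, day, session) -> highest cumulative total seen
    for r in updates:
        key = (r["User-Name"], r["day"], r["Acct-Session-Id"])
        # Keep the max: updates are cumulative and may arrive out of order.
        latest[key] = max(latest.get(key, 0), session_bytes(r))
    totals = defaultdict(int)
    for (user, day, _sid), total in latest.items():
        totals[(user, day)] += total  # sum across reconnects, not per session
    return {k: v for k, v in totals.items() if v > quota}

if __name__ == "__main__":
    for (user, day), used in users_over_quota(SAMPLE_UPDATES).items():
        print(f"{day} {user}: {used / MB:.0f} MB used, request CoA/redirect")
```

Counting per user rather than per session is what stops a guest from resetting the quota by reconnecting, and ignoring the Gigawords attributes would undercount any session that passes 4 GiB.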

 

Final Notes and Best Practices

Configuring limited data access through a captive portal is one of the most effective ways to protect your bandwidth, reduce misuse, and maintain full control over guest Wi-Fi access. With this setup, every user gets a controlled amount of data, your network stays clean and secure, and your firewall handles all the heavy lifting in the background.

Always remember:

  • Keep the guest VLAN isolated from internal networks.
  • Monitor traffic usage regularly through your firewall logs.
  • Update your captive portal page with clear instructions.
  • Use strong authentication if you need accountability.

This configuration ensures a professional, secure, and stable internet experience — whether you’re offering free Wi-Fi or a paid access model.
