
Bridge and Captive Portal

  • Let's analyze what a Bridge is and what role it plays in a Captive Portal.

    Generally speaking, in IT systems bridging is the way to connect two otherwise separate networks so that the devices connected to the first network can communicate with those connected to the second. These two networks must not contain devices with the same IP addresses, so they should preferably be configured on different subnets. To make the connection, you install a hardware device with two network cards between the two networks, the "bridge" precisely, and let them talk to each other. The bridge can also be configured to allow or deny certain devices to cross it, by defining which devices of network A may connect to which devices of network B.

    Now, what is the relationship between a Captive Portal and a Bridge? In most of the scenarios where the installation of a Captive Portal is required, the local network is composed of one segment only, so there are no bridges to connect different networks and, to be honest, you don't feel the need to install one. So why do we talk about a bridge?
    Suppose you need to create a guest network for your customers/visitors. Would you dare to connect a WiFi access point to your corporate network and let unknown users connect to it? Here's what happens in that case: when a user connects to your WiFi, the access point asks the DHCP server of your network (you must have one!) for an IP address, and the DHCP server provides one in the same subnet as your corporate network. Now you are in big trouble... indeed, double trouble.

    The first problem is that you must provide a connection password to everyone who wants to connect to your WiFi, a password that you have to take care to change very often. The only way to do this is to log in to the access point's web interface. Can you do it? Do you know the IP address of your access point? Good, but if you have more than one access point, it gets more complicated, because whatever you do on one, you have to do on all of them.

    The second problem is a security issue, and therefore much more serious: once a device, be it a laptop, tablet or smartphone, has been accepted on your corporate network and, through the access point, has been given an IP address, that device can "see" all the other devices in the network, ALL of them, unless you have properly protected your network with a firewall. Now all your computers are exposed to the risk of unwanted access; all your shared resources, your intranet applications, your servers, all of them can be the target of intentional attacks or even unintentional access. Are you aware that you are exposing your confidential information to this risk? What cost are you prepared to bear to restore your data once your network has been violated?

    If you are starting to be worried, if you are aware of being in such a risky situation, you are halfway to the solution. The good news is that the second half is already there: the Captive Portal, and the Bridge. Of course, it would be enough to turn off the access points, but that can only be considered a temporary remedy, to be adopted while you build a final solution that also guarantees the current service levels. If you want to turn off your access points, do it right now. Then keep reading to learn how to fix this mess.

    So, to recap, you are a company owner or a retailer who already has (or has not, it makes no difference) a local network, and already has (or has not, it makes no difference) a guest network for customers. Typically: hotels, schools, resorts, cinemas, gyms, restaurants, cafes etc. To provide secure Internet access to your customers without having to change the password regularly, the solution is to install a Captive Portal. When you do so, you automatically install a bridge, which instantly solves the problems described above.
    Why?

    The bridge contained in the Captive Portal creates a secondary network, on another subnet that extends your local network, and causes all your guests' connections to be established on that secondary network. Since they are on a different subnet, your guests' devices will not be able to communicate with those of your corporate network, because the bridge, of course, won't allow it. The only traffic allowed to cross the bridge is that to the Captive Portal server and to the Internet. This is the isolation your network needs: all the security you need through an open WiFi network. Yes, because thanks to the Captive Portal and its bridge, you can let mobile devices connect without having to password-protect the WiFi network. This also solves the other problem, that of passwords, but that topic is covered in another article: The road to an open WiFi.
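    The following is an added example, not code from the article or from WifiGem: a small model of the bridge policy described above (guest subnet isolated from the corporate LAN, with only the Captive Portal server and the Internet reachable). The 192.168.1.0/24 corporate addresses and the 192.168.1.12 portal server come from the diagrams in this article; the guest subnet 10.10.0.0/24 and the sample packets are assumptions constructed for the example.

```python
import ipaddress

# Addressing taken from the article's diagrams (corporate side).
CORPORATE_LAN = ipaddress.ip_network("192.168.1.0/24")
PORTAL_SERVER = ipaddress.ip_address("192.168.1.12")   # Captive Portal server
# Assumed guest subnet handed out by the bridge (not stated in the article).
GUEST_LAN = ipaddress.ip_network("10.10.0.0/24")


def bridge_decision(src, dst):
    """Decide what the guest-side bridge does with one src->dst packet.

    Returns one of: 'local' (never crosses the bridge), 'allow', 'deny'.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_LAN:
        # Traffic not originating on the guest side is outside this policy.
        return "allow"
    if dst in GUEST_LAN:
        # Guest-to-guest traffic stays on the secondary network.
        return "local"
    if dst == PORTAL_SERVER:
        return "allow"          # the portal itself must stay reachable
    if dst in CORPORATE_LAN or dst.is_private:
        return "deny"           # the isolation the article describes
    if dst.is_global:
        return "allow"          # ordinary Internet traffic
    return "deny"               # anything else (link-local, multicast, ...)


def audit(packets):
    """Apply the policy to constructed (src, dst) pairs; return decisions."""
    return [(s, d, bridge_decision(s, d)) for s, d in packets]


# Constructed sample traffic from a guest device.
SAMPLE = [
    ("10.10.0.23", "192.168.1.12"),   # guest -> Captive Portal server
    ("10.10.0.23", "93.184.216.34"),  # guest -> an Internet host
    ("10.10.0.23", "192.168.1.50"),   # guest -> corporate file server
    ("10.10.0.23", "10.10.0.24"),     # guest -> another guest
    ("192.168.1.50", "10.10.0.23"),   # corporate -> guest (not guest-originated)
]

if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE):
        print(f"{src:>14} -> {dst:<14} {verdict}")
```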

    But where is the bridge physically located?
    WifiGem offers several solutions for every need, from the small business with a single WiFi access point to the large company with multiple guest entry points, both WiFi and wired.
    For WiFi solutions, WifiGem offers proprietary access points, each of which contains a bridge. Therefore, every device connecting to a WifiGem access point receives an IP address, provided by the access point, that is not part of your corporate network. The Captive Portal works by simply connecting the WifiGem server and the access point to your ADSL modem/router.


                 Internet
                     |
                     |
            -------------------
            |ADSL Modem/Router|
            |   192.168.1.1   |
            -------------------
                |           |
                |           |
     -----------------   -----------------
     |  192.168.1.12 |   |    WifiGem    |
     | WifiGem Server|   |  Access Point |
     -----------------   -----------------
            |                 ) ) ) Guest
            |                       WiFi
        Guest LAN


    In addition, there is also a bridge in the WifiGem server. Therefore the server alone is enough to create a wired guest network without WiFi access points. Simply connect the second network port of the WifiGem server to a network switch (not a router!) and the Captive Portal is ready. Downstream of the switch, the network can then be extended by installing, for example, non-WifiGem branded access points, which let your guests connect securely to the WiFi network because the connection is established on the side of the bridge protected by the Captive Portal.


    (Example 1)

             Internet
                 |
                 |
        ------------------
        |   ADSL Modem   |
        |  192.168.1.1   |
        ------------------
                 |
                 |
        ------------------
        |  192.168.1.12  |
        | WifiGem Server |
        | in Bridge Mode |
        ------------------
                 |
                 |
        ------------------
        |  Access Point  |
        |(Market product)|
        ------------------
                 |   ) ) ) Guest
                 |         WiFi
             Guest LAN

    (Example 2)

             Internet
                 |
                 |
        ------------------
        |   ADSL Modem   |
        |  192.168.1.1   |
        ------------------
                 |
                 |
        ------------------
        |  192.168.1.12  |
        | WifiGem Server |
        | in Bridge Mode |
        ------------------
                 |
                 |
        ------------------
        | Network Switch |
        |(Market product)|
        ------------------
                 |
                 |
             Guest LAN


    Published on January 07, 2019
