Routlin Configuration Guide
This guide covers practical network setup scenarios using Routlin's RADIUS and Captive Portal features. It is intended as a reference when configuring Routlin for a specific deployment type.
Background: RADIUS vs. Captive Portal
These two features solve different problems and can be used independently or together.
RADIUS controls which VLAN a device is placed on when it connects to the network. Your managed switch or wireless access point consults Routlin's built-in FreeRADIUS server at the moment a device associates with a port or SSID. RADIUS responds with a VLAN assignment. The device never sees or interacts with this process - it happens at the infrastructure level.
Captive Portal controls whether a device already on a VLAN can reach the internet. Routlin intercepts all HTTP traffic from unauthenticated devices on designated VLANs and redirects them to a portal page. The user must accept terms or enter credentials before outbound traffic is allowed through nftables.
A key relationship: RADIUS places devices onto VLANs. Captive Portal gates internet access for specific VLANs. In many deployments both run simultaneously - RADIUS handles employee placement, and Captive Portal gates the guest VLAN that RADIUS assigned unknown devices to.
Use Case 1: Typical Home Network
Scenario: A household with a managed switch and wireless access points, all on a single SSID. Trusted devices (laptops, phones) go on the main network. IoT devices (smart bulbs, cameras, thermostats) are isolated. When a guest connects to the same WiFi, they land on a restricted guest VLAN automatically - no separate guest SSID needed, no action required from anyone. RADIUS silently sorts devices by MAC address.
Network topology:
- VLAN 10 - Trusted (family devices)
- VLAN 20 - IoT (smart home devices, optionally restricted from internet)
- VLAN 30 - Guest (RADIUS default VLAN for any unrecognized device)
What RADIUS does here: Every device is either known (has a DHCP reservation) or unknown. Known devices are assigned their designated VLAN. Unknown devices - a guest's phone, a friend's laptop - land on VLAN 30 automatically. The guest connects to the same WiFi password as everyone else and ends up isolated on the guest VLAN without knowing or doing anything differently.
No Captive Portal is used. Guests connect and get internet access immediately on VLAN 30 without any portal page.
Configuration Steps
1. Network Layout page
- Add VLAN 10 (Trusted), VLAN 20 (IoT), VLAN 30 (Guest)
- Set VLAN 30 as the RADIUS Default VLAN. This is the fallback for any device without a reservation.
- Optionally set VLAN 20 as Restricted VLAN type: Quarantined if you want IoT devices to have no internet access.
2. DHCP Reservations page
- Add a reservation for each known device (laptop, phone, TV, etc.) with its MAC address.
- Set the VLAN field on each reservation to the appropriate VLAN (10 for trusted, 20 for IoT).
- Mark your managed switch and/or wireless access point as a RADIUS Client.
3. RADIUS page
- Authentication Mode: MAC Authentication Bypass (MAB)
- Default VLAN: Guest (VLAN 30)
- Set MAC address format to match what your switch/AP sends (check your equipment documentation).
- Copy the shared secret and enter it in your switch/AP RADIUS configuration, pointing to this router's IP.
4. Apply
- Go to Actions and apply the pending configuration.
Result: Family devices connect to their designated VLANs automatically. Smart home devices land on VLAN 20. Any unrecognized device - a guest's phone, a neighbor's laptop - lands on VLAN 30 and gets internet access with no interaction required from anyone. There is only one SSID and one WiFi password; RADIUS handles the sorting invisibly.
Use Case 2: Hotel
Scenario: A hotel with staff who need reliable, authenticated network access and guests who need simple internet access after accepting terms. Staff should not be able to accidentally or intentionally join the guest network, and guests should not be able to reach staff systems.
Network topology:
- VLAN 10 - Staff (front desk, back office, POS systems)
- VLAN 20 - Guests (hotel room WiFi, lobby) - Captive Portal VLAN
- VLAN 30 - Management (switches, APs, printers) - optional
What RADIUS does: Staff devices are pre-registered with reservations and land on VLAN 10. Any unknown device lands on VLAN 20. MAB and 802.1X can run simultaneously using the "Try MAB first" option - known staff devices with registered MAC addresses are admitted immediately, while devices with randomized MACs (common on modern phones) fall through to 802.1X and authenticate with a username and password instead. Guests who neither have a registered MAC nor valid credentials land on the default VLAN.
What Captive Portal does: Any device that lands on VLAN 20 is intercepted and shown the hotel portal page. The guest clicks to accept terms and is then allowed internet access for the duration of the session. No username or password required.
Configuration Steps
1. Network Layout page
- Add VLAN 10 (Staff) and VLAN 20 (Guests).
- Set VLAN 20 as Restricted VLAN type: Captive Portal.
- Set VLAN 20 as the RADIUS Default VLAN.
2. DHCP Reservations page
- Add reservations for all staff devices and POS terminals, assigned to VLAN 10.
- Mark switches and APs as RADIUS Clients.
3. RADIUS page
- Authentication Mode: MAC Authentication Bypass (MAB) for simplicity, or 802.1X Client Username/Password if staff have devices with randomized MACs.
- If using 802.1X: enable "Try MAB first" so that staff devices with registered MAC addresses are admitted immediately without prompting for credentials. Devices with unrecognized MACs fall through to the 802.1X credential prompt.
- If using 802.1X: set the Default Session Duration to more than 8 hours (a work shift), or to 1 day, so staff are not re-prompted for credentials mid-shift.
- Default VLAN: Guests (VLAN 20).
4. Captive Portal page
- The guest VLAN should appear in the portal table automatically.
- Click Edit on the guest VLAN row.
- Set Title: e.g. "Welcome to [Hotel Name]"
- Set Splash Text: e.g. "Complimentary guest WiFi. Please accept our terms to connect."
- Add one term: "I agree to the acceptable use policy."
- Require username and password: unchecked (splash/terms only).
- Set Default Session Duration as appropriate (e.g. 24 hours for a typical stay).
5. Client Credentials page (only if using 802.1X for staff)
- Add a credential for each staff member: User Type = 802.1X Supplicant, assign to VLAN 10.
6. Apply
Result: Staff connect and land on VLAN 10 automatically. Hotel guests connect to the guest SSID, are shown a portal page, accept terms, and get internet access. Guest traffic is isolated from staff systems.
Use Case 3: Coffee Shop
Scenario: A coffee shop with two wireless SSIDs - one for employees and one for customers. Both require acceptance of terms before getting internet access, but employees additionally must enter a username and password. This prevents customers from using the employee SSID (which may have access to the POS system or back office) even if they know the WiFi password.
Network topology:
- VLAN 10 - Employees (Captive Portal, credentials required)
- VLAN 20 - Customers (Captive Portal, terms only)
What RADIUS does: The AP assigns devices to VLANs based on which SSID they connect to (static SSID-to-VLAN mapping on the AP). RADIUS may be disabled or used only to flag known devices. The captive portal handles authentication.
What Captive Portal does: Both VLANs are Captive Portal VLANs. Employees see a portal with a username and password form plus terms. Customers see a simpler portal with terms only.
Configuration Steps
1. Network Layout page
- Add VLAN 10 (Employees) and VLAN 20 (Customers).
- Set both VLANs as Restricted VLAN type: Captive Portal.
- Configure your AP with two SSIDs, each mapped statically to the corresponding VLAN. RADIUS is not used for VLAN placement here - the SSID determines the VLAN.
2. Captive Portal page
- Edit VLAN 10 (Employees):
- Title: "Employee Network"
- Splash Text: "Enter your credentials to access the employee network."
- Terms: "I agree not to share these credentials."
- Require username and password: checked.
- Default Session Duration: 8 hours (a work shift).
- Edit VLAN 20 (Customers):
- Title: "Guest WiFi"
- Splash Text: "Welcome. Free WiFi for customers."
- Terms: "I agree to the acceptable use policy."
- Require username and password: unchecked.
- Default Session Duration: 2 hours.
3. Client Credentials page
- Add a credential for each employee: User Type = Captive Portal, VLAN = Employees (VLAN 10).
- The Valid For field will auto-populate with 8 hours (the VLAN default session duration).
- Set a unique username and password per employee. Leave password blank to auto-generate.
4. Apply
Result: Employees connect to the employee SSID, are shown the portal, and enter their credentials. Customers connect to the customer SSID and accept terms. The employee portal rejects anyone without valid credentials, even if they find the SSID. Employee sessions expire after one shift.
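The gating logic the coffee-shop portal is described as performing, worked through as an added Python model. This is example code written for this guide, not Routlin's own implementation: the per-VLAN policy fields mirror the Captive Portal page (title, require username and password, Default Session Duration), the credential store uses an assumed salted PBKDF2 scheme because the page does not say how Routlin stores portal passwords, the client IPs and the employee password are constructed sample values, and the `portal_allowed` set name in the generated nftables command is an assumption (the command itself is standard `nft` syntax for a timed set element). It shows the part the prose only implies: a session that has run past its duration is intercepted again, and on the credentials-required VLAN accepting terms alone is not enough.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class PortalPolicy:
    """Mirrors the per-VLAN fields edited on the Captive Portal page."""
    vlan_id: int
    title: str
    require_credentials: bool
    session_seconds: int


@dataclass
class Session:
    ip: str
    vlan_id: int
    expires_at: float
    user: Optional[str]


def make_credential(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record for the credential store. Assumed scheme: the page
    does not say how Routlin stores portal passwords."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CaptivePortal:
    def __init__(self, policies, credentials: Dict[int, Dict[str, Tuple[bytes, bytes]]]):
        self.policies = {p.vlan_id: p for p in policies}
        self.credentials = credentials            # {vlan_id: {username: (salt, digest)}}
        self.sessions: Dict[str, Session] = {}    # allow-list keyed by client IP

    def _active(self, ip: str, now: float) -> Optional[Session]:
        s = self.sessions.get(ip)
        if s is None:
            return None
        if now >= s.expires_at:
            # Session expired: drop the entry so the next HTTP request is intercepted again.
            del self.sessions[ip]
            return None
        return s

    def handle_http(self, ip: str, vlan_id: int, now: float) -> str:
        """What happens to an outbound HTTP request: 'forward' or 'redirect:<portal title>'."""
        if vlan_id not in self.policies:
            return "forward"                      # not a Captive Portal VLAN: never intercepted
        if self._active(ip, now):
            return "forward"
        return f"redirect:{self.policies[vlan_id].title}"

    def _password_ok(self, vlan_id: int, username: Optional[str], password: Optional[str]) -> bool:
        record = self.credentials.get(vlan_id, {}).get(username or "")
        if record is None or password is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def submit(self, ip: str, vlan_id: int, accepted_terms: bool, now: float,
               username: Optional[str] = None, password: Optional[str] = None) -> Tuple[bool, str]:
        """Portal form submission. On success the detail is the nftables command that would
        add the client to a timed allow-list set (set name is an assumption, not Routlin's)."""
        policy = self.policies[vlan_id]
        if not accepted_terms:
            return False, "terms not accepted"
        if policy.require_credentials and not self._password_ok(vlan_id, username, password):
            return False, "invalid credentials"
        user = username if policy.require_credentials else None
        self.sessions[ip] = Session(ip, vlan_id, now + policy.session_seconds, user)
        return True, f"nft add element inet filter portal_allowed {{ {ip} timeout {policy.session_seconds}s }}"


def demo() -> dict:
    """Walk through Use Case 3 with constructed sample clients and a constructed employee password."""
    employees = PortalPolicy(10, "Employee Network", require_credentials=True, session_seconds=8 * 3600)
    customers = PortalPolicy(20, "Guest WiFi", require_credentials=False, session_seconds=2 * 3600)
    portal = CaptivePortal([employees, customers], {10: {"alice": make_credential("correct horse")}})
    t0 = 1_700_000_000.0
    r = {}
    r["customer_first_http"] = portal.handle_http("10.0.20.5", 20, t0)
    r["customer_accept"] = portal.submit("10.0.20.5", 20, True, t0)
    r["customer_after_accept"] = portal.handle_http("10.0.20.5", 20, t0 + 60)
    r["customer_after_2h"] = portal.handle_http("10.0.20.5", 20, t0 + 2 * 3600)
    r["employee_wrong_pw"] = portal.submit("10.0.10.7", 10, True, t0, "alice", "wrong")
    r["employee_terms_only"] = portal.submit("10.0.10.7", 10, True, t0)
    r["employee_ok"] = portal.submit("10.0.10.7", 10, True, t0, "alice", "correct horse")[0]
    r["employee_in_shift"] = portal.handle_http("10.0.10.7", 10, t0 + 7 * 3600)
    return r
```

The allow-list is keyed by client IP because that is what a firewall rule can match on; a real deployment ties the entry to the DHCP lease so an expired session cannot be inherited by the next device to receive the same address.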
Use Case 4: Corporate
Scenario: A mid-sized office with multiple departments that should be network-isolated from each other. Employees are assigned to their department VLAN automatically when they connect. Visitors and conference room devices land on a Captive Portal VLAN where they accept terms before getting internet access. Corporate devices authenticate strongly via 802.1X with installed certificates, preventing any unauthorized device from joining departmental VLANs.
Network topology:
- VLAN 10 - Engineering
- VLAN 20 - Finance
- VLAN 30 - HR
- VLAN 40 - Management
- VLAN 50 - Visitors / Conference Rooms (Captive Portal)
- VLAN 60 - IT Infrastructure (printers, servers, NAS)
What RADIUS does: Each employee device has a client certificate installed (by IT/MDM). When the device connects, 802.1X EAP-TLS authenticates the certificate and RADIUS responds with the appropriate departmental VLAN assignment based on the device's credential record. Devices without a valid certificate cannot join any departmental VLAN. Unknown devices fall back to VLAN 50.
What Captive Portal does: Visitor VLAN 50 requires terms acceptance. The session duration is set short (e.g. 4 hours) since visitors typically leave the same day.
Configuration Steps
1. Network Layout page
- Add all VLANs (10-60).
- Set VLAN 50 as Restricted VLAN type: Captive Portal.
- Set VLAN 50 as the RADIUS Default VLAN.
2. DHCP Reservations page
- Mark switches and APs as RADIUS Clients.
- If using "Try MAB first": add reservations for infrastructure devices (printers, servers) with static MACs that should be admitted without a certificate, and assign them to the appropriate VLAN (e.g., VLAN 60).
- Corporate employee devices do not need DHCP reservations - their VLAN assignment comes from the Client Credentials page, not from MAC address lookup.
3. RADIUS page
- Authentication Mode: 802.1X - Client Certificate (EAP-TLS).
- Try MAB first: optionally enabled so that known infrastructure devices (printers, servers with static MACs) are admitted without needing a certificate.
- Default VLAN: Visitors (VLAN 50).
- Logging: enabled for auditing.
4. Client Credentials page
- Add a credential for each corporate device: User Type = 802.1X Supplicant, Username = the certificate Common Name (CN), VLAN = the appropriate department VLAN.
- When a device authenticates with EAP-TLS, RADIUS looks up the certificate CN in this table to determine the VLAN assignment.
- The Valid For field will auto-populate with the RADIUS default session duration.
5. Captive Portal page
- Edit VLAN 50 (Visitors):
- Title: "Visitor Network"
- Splash Text: "Welcome. This network is for authorized visitors only."
- Terms: "I agree to the acceptable use policy. I agree not to share this network access."
- Require username and password: unchecked (terms only for visitors).
- Default Session Duration: 4 hours.
6. Apply
Result: Corporate devices with valid certificates are placed on their department VLAN automatically and silently. Devices without certificates (visitor laptops, phones) land on VLAN 50 and are shown the visitor portal. Departmental VLANs are fully isolated from each other and from the visitor network. The visitor portal session expires after 4 hours, requiring re-acceptance of terms for extended stays.
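The RADIUS placement flow used by the hotel (Use Case 2: MAB with "Try MAB first" falling through to 802.1X username/password) and the corporate office (Use Case 4: EAP-TLS with the certificate CN looked up in the Client Credentials table), written out as one added Python model. This is example code for this guide, not Routlin's FreeRADIUS configuration: the order of checks follows the prose above, the MAC normalization covers the vendor formats the RADIUS page asks you to match, the `Tunnel-Type` / `Tunnel-Medium-Type` / `Tunnel-Private-Group-Id` values are the standard RFC 3580 VLAN attributes (the page does not state which attributes Routlin emits), and every MAC, username, password and certificate CN is a constructed sample. Note that, as the hotel section says, a device that fails the credential check lands on the Default VLAN rather than being rejected outright.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 3580 attributes a RADIUS server puts in Access-Accept to assign a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


def normalize_mac(raw: str) -> str:
    """Accept the formats switches and APs commonly send (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF) and return lower-case colon form,
    so a reservation matches whatever MAC format the equipment uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_randomized(mac: str) -> bool:
    """A randomized (privacy) MAC sets the locally-administered bit of the first octet."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass(frozen=True)
class RadiusConfig:
    mode: str                          # "mab", "8021x-password" or "8021x-eaptls"
    try_mab_first: bool
    default_vlan: int
    reservations: Dict[str, int]       # normalized MAC -> VLAN (DHCP Reservations page)
    credentials: Dict[str, Tuple[Optional[str], int]]  # username or cert CN -> (password, VLAN)


@dataclass(frozen=True)
class AccessRequest:
    calling_station_id: str            # the device MAC as sent by the switch/AP
    username: Optional[str] = None
    password: Optional[str] = None     # cleartext here only because this is a model
    cert_cn: Optional[str] = None      # CN of a certificate that already passed the EAP-TLS handshake


def vlan_attributes(vlan: int) -> Dict[str, object]:
    """Attribute set for the Access-Accept (standard RFC 3580 values)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def decide(cfg: RadiusConfig, req: AccessRequest) -> Tuple[str, int]:
    """Return (step, vlan): which step admitted the device and the VLAN it lands on.
    Order follows the guide: reservation lookup (MAB) first when enabled, then the
    802.1X method in use, then the Default VLAN for anything unrecognized."""
    mac = normalize_mac(req.calling_station_id)
    if cfg.mode == "mab" or cfg.try_mab_first:
        vlan = cfg.reservations.get(mac)
        if vlan is not None:
            return "mab", vlan
    if cfg.mode == "8021x-password" and req.username and req.password is not None:
        record = cfg.credentials.get(req.username)
        if record and record[0] is not None and hmac.compare_digest(
                record[0].encode(), req.password.encode()):
            return "8021x-password", record[1]
    if cfg.mode == "8021x-eaptls" and req.cert_cn:
        record = cfg.credentials.get(req.cert_cn)
        if record is not None:
            return "8021x-eaptls", record[1]
    return "default", cfg.default_vlan


def demo() -> dict:
    """Constructed sample devices for the hotel (Use Case 2) and corporate (Use Case 4) setups."""
    hotel = RadiusConfig(
        mode="8021x-password", try_mab_first=True, default_vlan=20,
        reservations={normalize_mac("00-11-22-33-44-55"): 10},       # front-desk PC
        credentials={"frontdesk": ("hunter2-sample", 10)},
    )
    corporate = RadiusConfig(
        mode="8021x-eaptls", try_mab_first=True, default_vlan=50,
        reservations={normalize_mac("0011.2233.4466"): 60},          # printer
        credentials={"laptop-042.corp.example": (None, 10)},         # cert CN -> Engineering
    )
    return {
        "staff_pc": decide(hotel, AccessRequest("0011.2233.4455")),
        "staff_phone": decide(hotel, AccessRequest("da:1b:2c:3d:4e:5f", "frontdesk", "hunter2-sample")),
        "staff_bad_pw": decide(hotel, AccessRequest("da:1b:2c:3d:4e:5f", "frontdesk", "nope")),
        "hotel_guest": decide(hotel, AccessRequest("da:1b:2c:3d:4e:60")),
        "corp_laptop": decide(corporate, AccessRequest("3c:00:00:00:00:01", cert_cn="laptop-042.corp.example")),
        "corp_printer": decide(corporate, AccessRequest("00:11:22:33:44:66")),
        "corp_visitor": decide(corporate, AccessRequest("da:1b:2c:3d:4e:61")),
    }
```

`is_randomized` is the check behind the hotel section's remark about randomized MACs: a phone with the locally-administered bit set will never match a reservation, which is why "Try MAB first" needs the 802.1X fallback for staff phones while wired PCs with fixed MACs are admitted by MAB alone.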
Quick Reference
| Feature | Configured on | Controls |
|---|---|---|
| VLAN assignment for known devices | DHCP Reservations | Which VLAN a pre-registered device lands on |
| VLAN assignment for unknown devices | RADIUS page - Default VLAN | Fallback VLAN for any unrecognized device |
| Authentication method | RADIUS page - Authentication Mode | MAB (by MAC), 802.1X password, or 802.1X certificate |
| Internet access gating | Captive Portal page | Whether a device on a VLAN must pass a portal before reaching the internet |
| Credential store | Client Credentials page | Usernames/passwords for 802.1X password mode and captive portal logins |
| Session expiry | Client Credentials - Valid For | How long a credential admission lasts before reauthentication |