Walled Garden
The walled garden (or pre-authentication access list) specifies which websites users can reach before logging in. You must add IronWifi's IP and any authentication provider domains (Google, Facebook, Stripe, etc.) for the captive portal to work correctly.
Quick Start
- Add IronWifi IP: 107.178.250.42/32 (required)
- Add domains for your authentication providers (Google, Facebook, etc.)
- Configure entries in your controller's captive portal settings
- Test by connecting and verifying splash page loads
- Test each authentication method works
How It Works
- User connects to WiFi
- User is in a "walled garden" - can only access specified resources
- Any other request redirects to the splash page
- After authentication, full internet access is granted
Required Entries
IronWifi Splash Page
Always include the IronWifi hosting IP:
107.178.250.42/32
This hosts your captive portal splash page.
Your Splash Page Hostname
If using a custom domain:
splash.yourdomain.com
Authentication Provider Requirements
Add these domains based on your enabled authentication providers:
Google Login
accounts.google.com
*.googleapis.com
*.gstatic.com
*.google.com
Facebook Login
facebook.com
*.facebook.com
*.fbcdn.net
connect.facebook.net
LinkedIn Login
linkedin.com
*.linkedin.com
*.licdn.com
Twitter/X Login
twitter.com
*.twitter.com
*.twimg.com
x.com
*.x.com
Apple Login
appleid.apple.com
*.apple.com
*.icloud.com
Microsoft/Azure AD
login.microsoftonline.com
*.microsoft.com
*.azure.com
*.msftauth.net
SMS Providers
Twilio:
*.twilio.com
Other providers: Check your SMS provider's documentation.
Payment Gateways
Stripe:
*.stripe.com
js.stripe.com
Braintree:
*.braintreegateway.com
*.braintree-api.com
*.paypal.com
Configuring Walled Garden
Ubiquiti UniFi
In UniFi Controller:
- Navigate to Settings > Guest Control
- Under Pre-Authorization Access, add entries
- Enter IP addresses or hostnames
Cisco Meraki
In Meraki Dashboard:
- Navigate to Wireless > Configure > Access Control
- Enable Walled Garden
- Add ranges under Walled Garden Ranges
Aruba
In Aruba Controller:
- Navigate to Configuration > Security > Captive Portal
- Add entries to Whitelist
MikroTik
In RouterOS:
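# Hostname entries (matched against the requested host)
/ip hotspot walled-garden
add dst-host=*.google.com
# IP entries belong in the "walled-garden ip" menu
/ip hotspot walled-garden ip
add dst-address=107.178.250.42 action=accept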
pfSense
In pfSense:
- Navigate to Services > Captive Portal
- Click Allowed IP Addresses
- Add entries with direction (Both/From/To)
FortiGate
In FortiGate GUI:
- Navigate to WiFi & Switch Controller > SSID
- Edit your captive portal SSID
- Under Captive Portal, find Exempt Sources/Destinations
- Add IP addresses and FQDNs
CLI method:
config wireless-controller vap
edit "guest-wifi"
config portal-exempt-addr
edit 1
set address "107.178.250.42/32"
next
end
next
end
Ruckus SmartZone
In SmartZone:
- Navigate to Services & Profiles > Hotspot Services
- Edit or create your hotspot profile
- Under Walled Garden, add entries:
  - Click Create New
  - Enter IP address or domain
  - Set traffic direction
Ruckus Cloud
In Ruckus Cloud:
- Navigate to WiFi Networks > select network
- Go to Guest Access settings
- Under Walled Garden, add entries
- Click Save
Juniper Mist
In Mist Dashboard:
- Navigate to Organization > Wireless > WLANs
- Edit your guest WLAN
- Scroll to Captive Portal section
- Add entries under Allowed Subnets and Allowed Hostnames
TP-Link Omada
In Omada Controller:
- Navigate to Wireless Networks > edit network
- Go to Portal tab
- Under Free Authentication Policy, add:
  - IP ranges
  - MAC addresses
  - Hostnames
Cisco WLC (Wireless LAN Controller)
In WLC:
- Navigate to Security > Access Control Lists > Pre-Auth ACL
- Create or edit ACL
- Add permit rules for required IPs/subnets
- Apply ACL to WLAN
CLI method:
config acl create PreAuth-ACL
config acl rule add PreAuth-ACL 1 permit host 107.178.250.42
config wlan pre-auth acl PreAuth-ACL enable <wlan-id>
OPNsense
In OPNsense:
- Navigate to Services > Captive Portal
- Select your zone
- Go to Allowed Addresses tab
- Add entries:
  - Direction: Both/In/Out
  - IP address or hostname
Grandstream
In Grandstream controller:
- Navigate to SSID settings
- Find Portal section
- Under Whitelist, add:
  - IP addresses
  - Domain names
IP Address vs Hostname
IP Addresses
Pros:
- Always works
- No DNS resolution required
- More reliable
Cons:
- May change
- May miss CDN endpoints
Format:
107.178.250.42/32
10.0.0.0/24
192.168.1.100
Hostnames
Pros:
- Automatically follows DNS changes
- Covers multiple IPs
- Easier to manage
Cons:
- Requires DNS to work before auth
- May not work on all controllers
Format:
*.google.com
accounts.google.com
example.com
Testing Walled Garden
- Connect a device to the WiFi
- Try accessing each walled garden entry
- Verify splash page loads
- Test each authentication provider
- Confirm other sites redirect to splash page
Troubleshooting
Authentication Provider Not Working
- Verify all required domains are in walled garden
- Check for HTTPS/SSL certificate issues
- Test on different devices
- Review browser console for blocked resources
Splash Page Not Loading
- Confirm 107.178.250.42/32 is in walled garden
- Check controller captive portal settings
- Verify redirect URL is correct
- Test direct access to splash URL
Users Bypass Captive Portal
- Review walled garden - may be too permissive
- Check for MAC whitelist entries
- Verify session timeout settings
- Check for cached authentication
Best Practices
- Minimal entries - Only add what's necessary
- Use wildcards wisely - *.google.com is broad
- Test thoroughly - After any changes
- Document changes - Track what you've added and why
- Regular review - Remove unnecessary entries
- Monitor - Check for authentication failures
Complete Example
For a portal with Google login and Stripe payment:
# IronWifi
107.178.250.42/32
# Google
accounts.google.com
*.googleapis.com
*.gstatic.com
fonts.googleapis.com
# Stripe
*.stripe.com
js.stripe.com
# Your custom domain (if used)
splash.yourcompany.com
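
The following is an added example, not IronWifi's own tooling: a small audit of a walled-garden list in the format above. It checks that the required IronWifi IP is present, flags exact hostnames already covered by a wildcard (candidates for removal under "Minimal entries"), and answers whether a given host would be reachable before login. The function names are hypothetical, and it assumes a wildcard such as *.stripe.com matches subdomains only, not stripe.com itself; confirm how your controller interprets wildcards.

```python
import ipaddress

REQUIRED = ipaddress.ip_network("107.178.250.42/32")  # IronWifi IP from this page

# Constructed input: the "Complete Example" list from this page.
SAMPLE = """# IronWifi
107.178.250.42/32
# Google
accounts.google.com
*.googleapis.com
*.gstatic.com
fonts.googleapis.com
# Stripe
*.stripe.com
js.stripe.com
# Your custom domain (if used)
splash.yourcompany.com
"""

def parse(text):
    """Return (IP networks, exact hostnames, wildcard suffixes such as '.stripe.com')."""
    nets, hosts, wilds = [], set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an IP or CIDR, so treat it as a hostname pattern
            (wilds if entry.startswith("*.") else hosts).add(entry.lstrip("*"))
    return nets, hosts, wilds

def allowed(target, text):
    """True if an unauthenticated client could reach target (IP literal or hostname)."""
    nets, hosts, wilds = parse(text)
    try:
        ip = ipaddress.ip_address(target)
        return any(ip in n for n in nets)
    except ValueError:
        name = target.lower().rstrip(".")
        return name in hosts or any(name.endswith(w) for w in wilds)

def audit(text):
    """Findings: missing required IP, and exact hosts that a wildcard already covers."""
    nets, hosts, wilds = parse(text)
    has_ip = any(n.version == 4 and REQUIRED.subnet_of(n) for n in nets)
    findings = [] if has_ip else ["missing 107.178.250.42/32"]
    findings += [f"redundant {h} (covered by *{w})"
                 for h in sorted(hosts) for w in sorted(wilds) if h.endswith(w)]
    return findings
```

Calling allowed("mail.google.com", ...) on the list with and without a *.google.com entry shows concretely what a broad wildcard opens up before authentication.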