Do you offer a free cybersecurity audit in Ireland?

Yes. Intellix offers a free, non-intrusive 3–5 page external cybersecurity audit for SMEs and mid-market organisations in Ireland and the UK. Delivered in 7 working days. Covers DNS, DMARC/SPF/DKIM, TLS, security headers, application surface and Business Email Compromise readiness. Mapped to GDPR Art. 32, NIS2 and MITRE ATT&CK.

How much does a paid cybersecurity audit cost?

Paid tiers start at €1,500 for the Deep-dive Report (the report most clients hand to their insurer or board — internal scan, cloud configuration review, MFA audit and risk register), €5,000 for the Full Security Assessment (external penetration test, phishing simulation, vendor coordination, retest), and €8,000 for the NIS2 Readiness Programme (gap analysis against all ten Article 21 measures, policy drafting, board briefing, CISO/DPO scorecard). For ongoing coverage: €500/quarter Quarterly Monitoring and from €1,800/month Managed Cybersecurity Oversight. Every scope is fixed-price and confirmed before work starts.

Do you build custom software in Ireland?

Yes. Custom software development is one of our core service lines. We build B2B portals, internal operational tools, ERP-grade production systems (Keystone), integrations across Shopify / Akeneo / Sage, and customer-facing platforms. Same team delivers the code, the cloud infrastructure and the long-term support. UK + Ireland delivery, EU data jurisdiction.

Do you build AI and machine-learning software?

Yes. We build applied AI and ML systems for serious operators — retrieval-augmented (RAG) assistants on private data, computer-vision pipelines for production lines, document automation, demand forecasting, fraud and anomaly detection, and LLM integration into existing software. Delivery is product-engineering-grade with evaluation, observability, cost control and EU data residency.

Can you help us comply with NIS2 in Ireland?

Yes. We deliver NIS2 readiness assessments and remediation for in-scope Irish and UK SMEs. Findings are indexed against the eight NIS2 control families (governance, supply-chain, vulnerability management, incident handling, cryptography, access control, asset management, business continuity) with a CISO/DPO scorecard. Optional ongoing oversight available.

Are you a Netgate pfSense partner?

Yes. Intellix deploys and supports Netgate pfSense for hotels, hospitality groups, food producers and B2B portal operators across Ireland and the UK. We handle the firewall design, captive-portal guest WiFi, VLAN segmentation, VPN and ongoing change management.

Do you provide DMARC, SPF and DKIM setup?

Yes. Email authentication setup is one of the highest-impact cybersecurity controls for any organisation. We configure SPF mechanisms, DKIM selectors, DMARC policy enforcement (move from p=none to p=reject safely), MTA-STS and TLS-RPT — and validate the changes via reporting. Included in the Deep-dive Report and as a standalone engagement.

Do you support hospitality WiFi and hotel IT in Ireland?

Hospitality is a core wedge for us. Hotels handle guest data, PCI scope, captive-portal WiFi, PMS / POS integrations, and 24/7 uptime obligations. We deliver hospitality-grade WiFi (Ubiquiti, pfSense), Microsoft 365 security hardening, backup and ransomware readiness, vendor coordination and ongoing managed cybersecurity oversight — built around the operational rhythm of a hotel or restaurant.

All field notes

Networking

pfSense captive portal setup for guest WiFi (Ireland)

Asif Khan 16 May 2026#pfSense#Netgate#Captive Portal

Captive portals on pfSense are one of those features that almost works out of the box — until you try to launch with one and realise nine settings have to line up correctly or it does nothing.

Here's the field-tested setup we use for Irish hotels, restaurants and venues. Assumes pfSense Plus 23.09 or later on a Netgate appliance.

Step 1 — interface and VLAN

The captive portal binds to a network interface, not a subnet. Create a dedicated GUEST_WIFI VLAN (e.g. VLAN 30) on your LAN trunk. Assign it a /22 so you have room for 1,000+ concurrent devices without re-architecting on a Bank Holiday.

Firewall rules on this VLAN:

Allow DNS to your chosen upstream (Cloudflare / Google — NOT your router)
Allow HTTP/HTTPS to anywhere
Block any traffic to RFC1918 destinations (10/8, 172.16/12, 192.168/16) — this is what stops guests from poking your back-office
Block TCP/445 SMB outbound — stops WannaCry-style propagation from a guest device

Step 2 — captive portal zone

Services → Captive Portal → Zones → Add. Pick the GUEST_WIFI interface. Enable. Critical settings:

Maximum concurrent connections per IP: 4. Stops one rogue device hogging session slots.
Idle timeout: 60 minutes. Hard timeout: 24 hours. Don't leave them at zero (infinite).
Disable concurrent logins: tick this. Stops one credential being shared infinitely across a coach party.
MAC filtering: leave off. MAC addresses are randomised on modern phones; you'll annoy guests.

Step 3 — GDPR-compliant T&C page

The default 'login page' is a placeholder. Replace it with branded HTML containing:

Your hotel/venue logo and name
Plain-language WiFi T&Cs (max 250 words — guests don't read more)
One required checkbox: 'I agree to the WiFi acceptable-use policy'
One optional checkbox (must default UNTICKED): 'I'd like occasional emails from [Hotel Name]' — this is the GDPR-compliant marketing opt-in
Link to your privacy policy

Upload via Services → Captive Portal → File Manager and reference from the HTML.

Step 4 — bandwidth shaping

Services → Captive Portal → [zone] → Bandwidth. Set defaults: 8 Mbps down, 4 Mbps up per session. Then use per-user bandwidth from RADIUS attributes if you want VIP guests to bypass this. Most hotels don't need RADIUS — flat per-user shaping is fine.

Step 5 — vouchers (optional but recommended)

For private events, conferences, or 'paid WiFi' tiers, enable Voucher authentication. Generate a roll of single-use codes, print them on table cards or reception slips. Each voucher = one device session with the bandwidth/duration you specify.

Four pitfalls we see most often

DNS is set to the router. Guests get the captive portal, hit Submit, and... nothing loads. Because your router can't resolve google.com fast enough during peak load. Point the captive portal's DHCP DNS at 1.1.1.1 and 8.8.8.8.
HTTPS sites don't trigger the portal. Modern phones expect HTTPS everywhere; many never trigger a captive-portal redirect. Enable 'HTTPS protocol' in the portal settings AND ensure the captive-portal cert is signed by a real CA, not pfSense's self-signed default.
The portal URL contains the LAN IP. Anyone screenshotting the URL sees 192.168.30.1 — embarrassing. Use the FQDN by setting a hostname under System → General Setup and a DNS A record on your domain pointing at the GUEST interface.
No HA failover. When the pfSense box reboots for an update, every guest disconnects. For 20+ room properties, run pfSense in HA pair (CARP) so the portal survives reboots.

When to call us

If any of the above gave you a queasy feeling: we're a Netgate partner. We do this for a living. Book a free pfSense site survey.

More field notes

Something here resonate? Talk to us →