pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!
-
Experts,
Desire (tl;dr):
-Allow one group of users to log in to WiFi with name/passwd, with their traffic on a VLAN configured at APs and pfSense firewall.
-Other users authenticate normally on a few SSIDs/VLANs, with others just logging on with one password (Guests).
Setup:
- Any number of unifi APs, running multiple SSIDs and a VLAN for each one.
- One Network (VLAN, SSID, LAN segment) is a guest one with a single password, no portal.
- One network is sensitive/office, but still a secure WiFi passwd for all.
- They want volunteers to be on a network (VLAN, SSID, LAN segment) whereby each volunteer logs on with a user/passwd, which is fine on pfSense local database.
- Running on commodity HW, with 2 phys NICs.
Network detail:
10.10.0.0/24 is the LAN net (no VLAN)
10.10.10.0/24 is the LAN net for VLAN 10 (Office, servers, secure)
10.10.20.0/24 is the LAN net for VLAN 20 (Team/Volunteers, need individual login creds) <- DESIRED
10.10.30.0/24 is the LAN net for VLAN 30 (Guests, one passwd for WiFi AP for all, meaning no login after the AP authorizes; anonymous).
How close am I?
Since there are no thorough tutorials on this kind of setup, I get as far as the client passing the AP's passwd challenge, BUT I cannot get the web client to then go to the portal login. If, however, I type in the portal IP (*.1 on all nets), I get the challenge form...
I have tried so many things, I probably have settings from stock that don't even make a difference by now...
Anyone else doing this? And can you only do one captive portal per LAN interface?
Thank you very much in advance if you can commiserate, or perhaps offer insight. :-)
-
@bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:
I get as far as the client passing the AP's passwd challenge,
Do you mean simply entering the wifi pass key (WPA2/3)?
Or are you using the Unifi captive portal for that?
If it's the latter then serial captive portals could be a problem.
Steve
-
@stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:
- Employees see the AP's SSID, "Team" for example.
- They enter the known password, known by all team peeps.
- They are presented with the CP (captive portal) challenge for user & pw from pfsense.
- They have their own user & password on pfSense, and use it to get past the challenge.
- Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.
Now for each of your questions:
Do you mean simply entering the wifi pass key (WPA2/3)?
Yes. Steps 1 & 2 above.
Or are you using the Unifi captive portal for that?
I was/am not aware that is an option; that is, only entering their unique creds when connecting to the AP. I'm fine with that!
If it's the latter then serial captive portals could be a problem.
I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.
Really, as long as each user can log onto the network (VLAN 20) via WiFi, it is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.
P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.
I hear from some that you can't use the LAN interface if there are VLANs on it, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.
-
Hmm, OK this doesn't seem that complex. From pfSense's point of view it's just 4 interfaces, 3 are VLANs, one has a captive portal enabled on it. The rest is just different firewall rules on those interfaces.
It's recommended to avoid using tagged and untagged traffic on the same interface because you can run into unexpected issues if tags are stripped incorrectly by a switch in the path.
It certainly can and will work though, as long as everything is configured correctly.
Are you seeing anything at all on the two VLANs?
Do clients using those SSIDs get an IP address from pfSense as expected?
You say pfSense only has two interfaces, so I assume there are unmanaged switches in your network?
Unmanaged switches usually pass VLAN traffic without an issue, but you cannot guarantee that.
Steve
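A quick client-side check for the two questions above (does the VLAN 20 client get the expected address, and is plain HTTP actually being intercepted by the portal). This is an added diagnostic script, not from any post in the thread; it assumes pfSense answers on 10.10.20.1 for VLAN 20 and that the captive portal is on its default HTTP port 8002. Run it from a laptop that has joined the "Team" SSID.

```sh
#!/bin/sh
# Added diagnostic for the pfSense captive-portal-on-VLAN question; not from the thread.
# Assumptions (not stated in the thread): pfSense is 10.10.20.1 on VLAN 20 and the
# captive portal listens on its default HTTP port 8002. Override with PORTAL_GW=...
PORTAL_GW="${PORTAL_GW:-10.10.20.1}"

# portal_redirect_target: read raw HTTP response headers on stdin and print the
# host[:port] of the Location header, or nothing if the response is not a redirect.
portal_redirect_target() {
    tr -d '\r' \
      | awk '{ if (index(tolower($0), "location:") == 1) { print substr($0, 10); exit } }' \
      | sed -E 's#^[[:space:]]*https?://([^/]+).*$#\1#'
}

# classify_response: given a full HTTP response (headers) as $1, say whether the
# client is being intercepted by the portal on PORTAL_GW.
# Exit status: 0 = redirect to the portal, 1 = no redirect at all, 2 = redirect elsewhere.
classify_response() {
    target=$(printf '%s' "$1" | portal_redirect_target)
    case "$target" in
        "$PORTAL_GW"|"$PORTAL_GW":*)
            echo "portal redirect to $target"
            return 0 ;;
        "")
            echo "no redirect: plain HTTP reached the destination, the portal is not intercepting"
            return 1 ;;
        *)
            echo "redirect to $target, not the expected portal on $PORTAL_GW"
            return 2 ;;
    esac
}

# Live mode: show the client's 10.10.x.x address(es), then probe a plain-HTTP URL.
# The portal can only intercept HTTP on port 80; an https:// probe would just fail
# to connect, so always test with http://.
if [ "${1:-}" = "--live" ]; then
    echo "client address(es):"
    ip -4 addr show 2>/dev/null | grep -o 'inet 10\.10\.[0-9]*\.[0-9]*/[0-9]*' || true
    headers=$(curl -sS -o /dev/null -D - --max-time 5 http://example.com/ 2>&1) || true
    classify_response "$headers"
fi
```

If the address is not in 10.10.20.0/24, the VLAN tag is not surviving the path from AP to pfSense and the portal is the wrong place to look. If the address is right but there is no redirect, the portal itself is not intercepting on that interface. If the redirect points at the expected gateway and the browser still shows nothing, the problem is on the client side (for example the browser only opened HTTPS pages).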
-
@bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:
Seems overly complex; have you thought about using WPA2-Enterprise & FreeRADIUS?
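A worked example of that alternative, added here and not part of the thread: a minimal FreeRADIUS configuration for a WPA2-Enterprise "Team" SSID where every volunteer has their own username and password and the RADIUS reply places the session on VLAN 20, so no captive portal is involved at all. The AP address, shared secret, user names and passwords are assumptions for illustration; on pfSense the FreeRADIUS package writes these files from its GUI, so the fragments show what that configuration has to express rather than files you would edit by hand there.

```text
# clients.conf: every AP that forwards 802.1X/EAP to the server.
# Address and secret are assumptions for illustration.
client unifi-ap-1 {
    ipaddr   = 10.10.0.11
    secret   = replace-with-a-long-random-secret
    nas_type = other
}

# users (rlm_files authorize file): one entry per volunteer.
# PEAP/MSCHAPv2 needs a cleartext (or NT-hash) password on the server side.
# The Tunnel-* reply attributes put the session on VLAN 20 at the AP; the
# controller must have RADIUS-assigned VLANs enabled on that SSID, otherwise
# the SSID's statically configured VLAN applies and these attributes are ignored.
alice   Cleartext-Password := "changeme-alice"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20

bob     Cleartext-Password := "changeme-bob"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20
```

Before pointing the APs at it, check the server on its own with radtest against the built-in localhost client (`radtest alice changeme-alice 127.0.0.1 0 testing123`, where testing123 is the stock localhost secret and should be changed); an Access-Accept carrying the three Tunnel-* attributes means the per-user VLAN assignment is working. Because authentication happens at association time, the shared "Team" pre-shared key goes away and the concern about serial captive portals does not arise.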