Multiple Vlan with Captive Portal
-
Good Day,
I have created a VLAN ID of 10,20 and 30 where this VLan has its own IP Address
VLan10 192.168.10.1
VLan20 192.168.20.1
VLan30 192.168.30.1I enabled the captive portal and selected the VLans so that the captive portal page or login page appears
but only Vlan10 can display the login page and the other two Vlans do not display anything.
appreciated any helps
Thanks
-
Start the easy way : don't layer complex things, as if one fails, it's harder to know which complex thing failed.
So, first, use one non ( ! ) VLAN interface, and make it work. Don't forget to check firewall rules on this interface.
Then add a second LAN (non VLAN ! ) and make it work. Don't forget to check firewall rules on this interface.Now, make one VLAN, and see if it works. Don't forget to check firewall rules on this interface.
A second, and so on.Btw : VLAN, or not, as soon as you disable the portal on that VLAN (or not) interface, it will be a normal LAN (VLAN) type interface.
Basic DHCP operation, and DNS should work, and easy to test.
If all is well, you can activate the captive portal. -
@rsumook
Follow Gertjan's advice but it might help if I provide a step by step overview perspective:If you have multiple captive portals on VLans, you likely have a LAN on 192.168.1.1, an OPT(X) interface with those VLANs utilizing it. Check Interface, Assignments and verify you have at least WAN, LAN and an OPT(X) interface defined. (Note on Netgate appliances with the Marvel switch, you can associate the VLan witout the using a physical interface as the interface is a "logical" one.)
Now check Interfaces, Assignments, VLANs and make sure all of your VLans are there, typically listing association with OPT(X) in the interface column. Note: it is not unusual for them to be associated with the wrong interface, particularly after a restore to a different pfSense computer.
Next go back to Interface Assignments and make sure you have an Interface also listed for each VLan. If not, define/associate them to match the above configuration.
At this time, think about the way the data flows to and from your Access Point. The Access Point needs to have a station ID with a VLan enabled and the VLan Tag must match the Tag of the VLan definition in pfSense. Think of that data passing through the AP, getting "tagged" with the VLan ID (10,20 or 30 in your example). Your switch must use L2 routing to ensure that "tagged" data packet can flow from the port the AP is plugged into and be routed by the switch to the port the OPT(X) cable is plugged into. (note: it is common, but not necessary, to have the switch route everything to every port, just enable/associate the specific VLans tags you need with the Port(s)). This will ensure that pfSense receives you tagged data and can decode it correctly for routing to the Captive Portal.
Go to Services, Captive Portal and you will see the defined Captive Portals and note that the interface column value matches the Interfaces, Assignments value. Click on each Captive Portal and make sure it is enabled and associated with that same interface. If you want a login page instead of a simple "acccept" prompt, also make sure an authentication server is assigned and that you have credentials there for testing (note, for local database, the user needs Effective Privileges, PortalLogins).
Next check the Firewall, Rules and make sure your data can get to/from the WAN for each and every VLan. The easiest way is to setup a default any to any rule and restrict it further as necessary after you get it working. Note: once debugged, you may want to restrict all VLans so they can't load webconfig on 192.168.1.1 or communicate with the other VLans. This will make your setup more secure for your users.
In order to work, the device connecting to the Captive Portal needs an IP address and that address must be in the range of addresses assigned to that VLan,. That is done by assigning a DHCP Server to the Interface associated with the Captive Portal/Vlan Tag. (Note: if you are using RFC8910, you must setup a DHCP option 114 and that requires ICE as KEA does not yet support options). Check that all of your Captive Portals have DCHP setup.
Whew,,,, Now you can test your portal(s). First connect a device to the WiFi Station ID associated with the VLan Tag, Captive Portal Interface. If you do not see the default login screen you need to start by ensuring you have an IP address so check Status, DHCP Leases and you should see that your device got a lease and what the IP is. If not, you have a problem with the AP communication with pfSense, check the switch setup and Interface the VLan is on.
If you are missing a login screen and have no Internet access, but do have a valid IP, then perhaps you have not triggered the Login. That must be done through an http://domain.ext. I use neverssl.com to see if it will trigger the login page but that is mostly applicable to desktop and laptop computers. With Phones/Tablets they often will not allow http:// traffic through and have to be told how to load the Captive Portal login page directly as Captive Portal can not decode https traffic to be "aware" of a desire to use the WAN, thus no login page is sent in lieu of the requested url. That is where DHCP option 114, or RFC8910 comes in. See "captive portal is not working on mobiles" topic in this forum. https://forum.netgate.com/topic/184936/captive-portal-is-not-working-on-mobiles/37.
I hope that helps.