Captive Portal & WAN interface
-
Thank you for this last answer. That ratifies what I perhaps had in mind. I was not sure at all and I wanted to be pretty sure about it.
Thank you again. You guys are awesome.
Joe
-
Hello!
I have a similar (?) problem.
We are on a public network (subnetted B class IP, part of a university). We have lots of wifi APs all around, NOT in the same subnet (routers between).
Currently, all APs have dd-wrt in them, with chillispot captive portal to auth the users.
Is there a way to 'unite' these wifi APs, to make them connect through a pfsense box? AND use the captive portal in it?
My idea was to make a PPTP server on the pfsense, configure the APs to connect as PPTP clients, and captive the PPTP interface. But it looks like it's not that easy.
(The pfsense box only has a WAN interface.)
Any idea?
thx
-
You could add NICs to your pfSense box: either physical NICs or VLAN interfaces with a VLAN-capable switch acting as a "port multiplier", then connect the APs to the additional interface(s) and enable captive portal on the additional interface(s). If you do a search on the forums for VLAN port multiplier you will find a number of posts on the subject of using VLANs to get additional interfaces on a pfSense box.
-
Hmm. I can add a physical NIC to the PFS box, but I cannot "connect the APs to the additional interface", because all the APs are on the WAN side, with public IPs, lots of them miles away. That's why I'm thinking about a VPN, but how can I assign a PPTP connection to a physical interface?
In the "Interfaces" menu, I can add the pptpdX interfaces, but CP doesn't work. Should I bridge them to a physical NIC or something? I'm a bit of a noob at this…
thx
-
> I cannot "connect the APs to the additional interface", because all the APs are on the WAN side, with public IPs, lots of them miles away.
If I understand your setup correctly, i.e. that your APs are dispersed across several different locations miles apart and presumably connected via their own links to the Internet, it doesn't seem a good idea to tunnel their traffic back to your location via a VPN, to go in and back out of your pfSense box, just in order to use pfSense's CP.
If all you need is to centrally authenticate your AP users, since you already run the chillispot CP on your ddwrt APs, a better idea would be to use a central RADIUS server.
-
OK, I see. Actually, I use RADIUS centrally. What I wanted is to make the APs DDwrt-free (I have more problems with new APs), and a central firewall/CP would be nice. But I think you're right, tunneling back isn't a good idea. WPA-Enterprise isn't good enough from the point of view of casual users.
thx
-
It might work if your WAN links between campuses are somewhere 500mbps+
So the amount of the other traffic doesn't make any exception to authentication traffic
-
The WAN links are good enough, the backbone is gigabit afaik. And, eventually, if the central building goes down, the RADIUS server goes down, so every building loses wifi auth. But that's a rare case. But I still don't know how to CP the end users, who transparently connect to the pfsense box through a PPTP connection of the wifi routers. Is it possible actually?
thx
-
I don't know if GRE tunnels are supported on your APs; they are on pfSense. See pfSense man page on gre - http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html
GRE tunnels apparently don't use encryption so should be a lighter load on AP CPU and pfSense server CPU than a VPN.
-
Well... dd-wrt doesn't support it in the web GUI; however, it's Linux, so it's probably possible. But it looks like the newer firmwares are doing it differently (2.4 vs 2.6 kernel). I don't feel the power in me to do it by hand… I'm sure it gets worse eventually :)
thx