Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need to enable Rules to allow UniFi based Captive Portal Page?

    General pfSense Questions
    4
    12
    3.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      Z3r0sum
      last edited by

      I am using UniFi WiFi Network based Captive Portal enabled through the unifi Controller on my Guest Network.
      The Guest Network does not have access to Internal LAN network. Now due to the fact that the internal Management LAN access is blocked for the Guest network when the guest SSID is connected the Portal Page does not show up and throws up page not found error.
      Just for the sake of testing when i disable the Block LAN rule for the guest network the unifi captive portal page works on for the guest network.
      So what rule do i need to add in pfsense to allow unifi captive portal?
      My unifi controller is on the same subnet of the management, the ip address is 192.168.1.112
      Guest is on 192.168.4.0 subnet.
      have a look at the rules I have for my guest network.
      alt text

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        You need to poke a pinhole in your LAN Management network to let the UniFi controller talk to your Guest network and vice-versa. The needed ports are 8880 or 8843 depending on whether you are using insecure (8880) or secure (8843) redirection.

        What has to happen is the hosts on your Guest Wireless network need to be able to send packets to the UniFi Controller (where the captive portal app resides) on a specific port. You can lock that down pretty tight by using the specific IP of the UniFi Controller and that port I mentioned.

        So on your LAN you would want a rule that let traffic from GUEST_net destined to your UniFi_Controller (192.168.1.112) on ports 8880, 8843 pass. So if you don't already have an alias for your UniFi Controller, I would create one to make the rule easy to see and manage. You could also create a ports alias with the captive portal ports and use that in your rule.

        1 Reply Last reply Reply Quote 0
        • Z
          Z3r0sum
          last edited by

          @bmeeks said in Need to enable Rules to allow UniFi based Captive Portal Page?:

          LAN Management network to let the UniFi controller talk to your Guest network and vice-versa

          Thanks for your replies.
          You actually understood my problem. None of the other folks on unifi network forum did manage to even understand the question.
          So you advice, to punch a hole from unifi controller's ip address for ports 8880 (thats what i see when the url is redirecting when connecting the ssid).. this needs to be enabled on unfi IP and also needs to be enabled on lan ip?
          Please see below, does this look ok to you?
          Or i am i doing it wrong.

          alt text

          Do i need to enable "Invert match" in source and destination as well?

          1 Reply Last reply Reply Quote 0
          • C
            Chrismallia
            last edited by Chrismallia

            @z3r0sum said in Need to enable Rules to allow UniFi based Captive Portal Page?:

            am using UniFi WiFi Network based Captive Portal enabled through the unifi Controller on my Guest Network.
            The Guest Network does not have access to Internal LAN network. Now due to the fact that the internal Management LAN access is blocked for the Guest network when the guest SSID is connected the Portal Page does not show up and throws up page not found error.
            Just for the sake of testing when i disable the Block LAN rule for the guest network the unifi captive portal page works on for the guest network.
            So what rule do i need to add in pfsense to allow unifi captive portal?
            My unifi controller is on the same subnet of the management, the ip address is 192.168.1.112
            Guest is on 192.168.4.0 subnet.
            have a look at the rules I have for my guest network.

            For the portal to show up in the Guest network from pfsense you must allow port 8880 to the Guest network, So try invert dest your server and port 8880, also dest I would lock it down to the controller IP insted of LAN NET

            Z 1 Reply Last reply Reply Quote 0
            • Z
              Z3r0sum @Chrismallia
              last edited by

              @chrismallia
              Thanks for your help bro.
              Does this look ok? or i am doing it wrong? I am sorry i am new to pfsense. I used to be with sophos earlier.

              alt text

              C 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by bmeeks

                You have to get what "IN" and "OUT" mean in relation to the pfSense firewall. It is not instinctively intuitive to many folks. So "IN" means traffic coming into an interface and "OUT" means traffic leaving that interface bound for somewhere else.

                The LAN in pfSense gets a default "allow LAN_net to go anywhere" rule, but all other interfaces get a default "deny everything inbound" rule. So you need two rules: one on GUEST, and one on LAN to make your captive portal work.

                You need a rule on GUEST that lets GUEST_net traffic come into the interface and go anywhere. That's probably the only rule you may want on the GUEST interface. Then you need a second rule on the LAN that specifies GUEST_net as the Source and the UniFi_Controller (192.168.1.112) as the destination with the port being 8880 and probably 8843 as well. I would put the two ports in a Port alias and use that alias in the ports portion of the rule.

                1 Reply Last reply Reply Quote 2
                • C
                  Chrismallia @Z3r0sum
                  last edited by

                  @z3r0sum
                  Are you creating a new pass rule? cos Invert is only used in the block rule you created.

                  Z 1 Reply Last reply Reply Quote 0
                  • Z
                    Z3r0sum @Chrismallia
                    last edited by

                    @chrismallia

                    Perfect its working now.
                    I have created an alias for the unifi controller port.
                    and used these rules.

                    alt text

                    However there is one caveat. After authentication, the page redirects to an error with https an unsecured google page.
                    Here is my unifi controller guest control settings.

                    alt text

                    Pls note, I have added the pfsense certificates for https in my AD, and pfsense shows secured https.

                    C 1 Reply Last reply Reply Quote 0
                    • C
                      Chrismallia @Z3r0sum
                      last edited by Chrismallia

                      @z3r0sum said in Need to enable Rules to allow UniFi based Captive Portal Page?:

                      However there is one caveat. After authentication, the page redirects to an error with https an unsecured google page.
                      Here is my unifi controller guest control settings.

                      That is normal as the SSL cert is self-signed, to remove that you would buy a trusted cert and add to the controller. Here is a video.

                      https://www.youtube.com/watch?v=Dvw0kU_80SY

                      Z GertjanG 2 Replies Last reply Reply Quote 1
                      • Z
                        Z3r0sum @Chrismallia
                        last edited by

                        @chrismallia
                        THanks for the tip. I did not realize this could be from unifi side. I have added certificates for pfsense and have ssl enabled. But not unifi yet. But I do not use cloud key or remote services.
                        Still self hosted. I gotta figure out to add certificates to my Active Directory Certificate Services for unifi.

                        1 Reply Last reply Reply Quote 0
                        • GertjanG
                          Gertjan @Chrismallia
                          last edited by

                          @chrismallia said in Need to enable Rules to allow UniFi based Captive Portal Page?:

                          you would buy a trusted cert

                          If you pass some time with the acme package you could learn it to obtain a free of cost (that is money, not your time) wild card cert.

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          C 1 Reply Last reply Reply Quote 1
                          • C
                            Chrismallia @Gertjan
                            last edited by

                            @gertjan said in Need to enable Rules to allow UniFi based Captive Portal Page?:

                            If you pass some time with the acme package you could learn it to obtain a free of cost (that is money, not your time) wild card cert.

                            Hey thank you for this info will look at the package for sure.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.