Netgate Discussion Forum

    Device to main network

    Captive Portal
      tecnica

      Good morning, I have pfSense that receives an IP from a router on the WAN port and has IP 192.168.1.x. The LAN port is giving DHCP in the 172.16.0.x range to work with the captive portal. I need a device that will be connected on the 172.16.0.x network to communicate with the 192.168.1.x network.
      Any ideas?

        johnpoz LAYER 8 Global Moderator

        https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal.html

        Allowed IP addresses

        Allows managing a list of IP addresses which can either:

        Always connect from behind the portal (clients)
        Always allow clients to an IP address (external servers)
        

        These IP addresses will bypass the portal authentication in the direction specified.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

          Gertjan

          Any device, once authenticated against the captive portal, can access any device upstream.
          Rules on the captive portal's interface could block these, or not.

          Btw : thanks for the question : I just discovered that my captive portal users (on a 192.168.2.1/24 OPT extra interface) could visit the GUI of my upstream router, the one in front of pfSense.
          It's password protected - but I don't want any risks, so I blocked it with a firewall rule.

          Added to what @johnpoz said : you can also add the MAC of your device to the Allowed MAC address list.
          If your device is using DHCP it could have another IP in the future.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            tecnica

            Thanks for the answer.
            I already have some computers configured by MAC that pass the authentication.
            Currently I can ping but cannot access network/devices.
            Any option with a firewall rule without putting an extra OPT interface?

              Gertjan

              @tecnica said in Device to main network:

              Any option with a firewall rule without putting an extra OPT interface?

              I'm using a dedicated interface (a so-called OPTx interface) for my captive portal, because, by nature, captive portal users are 'non trusted' users, and they don't belong on a LAN interface.
              But a captive portal works just fine on a LAN interface.
              With a rule like this :

              [image: screenshot of the firewall rule]

              devices connected to your portal can access your upstream router just fine.

                tecnica

                [image: screenshot of the firewall rules]

                I have this, but it doesn't work.
                It is locked from LAN to WAN ...
                Do I have to put the last rule above?

                  tecnica

                  Thank you, I changed it to the top and it works. Now I just need to select the correct one to pass and block all others.

                  Thank you.

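Added example (not part of the original posts, and not pfSense code): a small Python model of top-down, first-match rule evaluation on the portal interface, showing why the camera's pass rule only takes effect once it sits above the block rule for the 192.168.1.x network. The host addresses and rule labels are constructed assumptions; only the two network ranges come from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form
    label: str

def evaluate(rules, src_ip, dst_ip):
    """Walk the list top-down; the first matching rule decides."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action, r.label
    return "block", "default deny"  # nothing matched

# Constructed sample hosts (assumptions, not from the thread)
CAMERA, GUEST = "172.16.0.50", "172.16.0.101"
RECORDER, ROUTER = "192.168.1.20", "192.168.1.1"
INTERNET = "203.0.113.10"

pass_camera = Rule("pass", CAMERA + "/32", RECORDER + "/32", "camera to recorder")
block_upstream = Rule("block", "172.16.0.0/24", "192.168.1.0/24",
                      "portal clients to upstream network")
pass_any = Rule("pass", "172.16.0.0/24", "0.0.0.0/0", "portal clients to any")

# Pass rule below the block: the block matches first and the camera is cut off.
RULES_BEFORE = [block_upstream, pass_camera, pass_any]
# Pass rule moved to the top: only the camera reaches the recorder.
RULES_AFTER = [pass_camera, block_upstream, pass_any]

def verdicts(rules):
    """Return the decision for the three flows discussed in the thread."""
    return {
        "camera->recorder": evaluate(rules, CAMERA, RECORDER)[0],
        "guest->router": evaluate(rules, GUEST, ROUTER)[0],
        "guest->internet": evaluate(rules, GUEST, INTERNET)[0],
    }

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, verdicts(rules))
```

The firewall rules are only half of the path: the camera also has to bypass portal authentication through the Allowed MAC or Allowed IP list mentioned earlier in the thread.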
                    tecnica

                    Is it possible to configure the device with the 192.168.1.x range and pass the 172.16.0.x network to the 192.168.1.x network?
                    It is a camera that is in the range 172.16.0.x and the recorder in 192.168.1.x.

                      johnpoz LAYER 8 Global Moderator

                      What version of pfSense are you running?

                        tecnica

                        I am running 2.2.

                          johnpoz LAYER 8 Global Moderator

                          Yeah that is just FAIL!! 2.2 has not been supported for years.. Update to current!! 2.4.4p2, the whole 2.3.x line is not even supported any more.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.