Netgate Discussion Forum

    Device to main network

    Captive Portal
    • johnpozJ Online
      johnpoz LAYER 8 Global Moderator
      last edited by

      https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal.html

      Allowed IP addresses

      Allows managing a list of IP addresses which can either:

      Always connect from behind the portal (clients)
      Always allow clients to an IP address (external servers)
      

      These IP addresses will bypass the portal authentication in the direction specified.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      • GertjanG Offline
        Gertjan
        last edited by

        Any device, once authenticated against the captive portal, can access any device upstream.
        Rules on the captive portal's interface could block these, or not.

        Btw: thanks for the question: I just discovered that my captive portal users (on a 192.168.2.1/24 OPT extra interface) could visit the GUI of my upstream router, the one in front of pfSense.
        It's password protected - but I don't want any risks, so I blocked it with a firewall rule.

        Added to what @johnpoz said : you can also add the MAC of your device to the Allowed MAC address list.
        If your device is using DHCP it could have another IP in the future.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • T Offline
          tecnica
          last edited by tecnica

          Thanks for the answer.
          I already have some computers configured by MAC that pass the authentication.
          Currently I can ping but cannot access network/devices.
          Any option with a firewall rule without putting in an extra OPT interface?

          • GertjanG Offline
            Gertjan @tecnica
            last edited by

            @tecnica said in Device to main network:

            Any option with a firewall rule without putting in an extra OPT interface?

            I'm using a dedicated interface (a so-called OPTx interface) for my captive portal, because, by nature, captive portal users are 'non trusted' users, and they don't belong on a LAN interface.
            But a captive portal works just fine on a LAN interface.
            With a rule like this :

            35fb5937-07ea-4691-afbd-33241d86789f-image.png

            devices connected to your portal can access your upstream router just fine.

            • T Offline
              tecnica
              last edited by tecnica

              image.jpg

              I have this, but it doesn't work.
              It is locked from LAN to a WAN ...
              Do I have to put the last rule above?

              • T Offline
                tecnica
                last edited by

                Thank you, I changed it to the top and it works. Now I just need to select the correct one to pass and block all others.

                Thank you.

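The rule-order effect discussed in the posts above, as an added example (not code from any poster and not pfSense's own): a small Python model of top-down, first-match evaluation of the rules on one interface tab, plus a check for rules that an earlier rule hides. 192.168.2.0/24 is the portal network mentioned above; the upstream router address 192.0.2.1, port 443 and the other sample addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    dport: Optional[int] = None  # None matches any port
    label: str = ""

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Walk the list top-down; the first matching rule decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action, r.label
    return "block", "default deny"   # nothing matched

def shadowed(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                hidden.append(later.label)
                break
    return hidden

PORTAL_NET = "192.168.2.0/24"        # portal network from the thread
ROUTER_GUI = "192.0.2.1/32"          # constructed placeholder for the upstream router
BLOCK_GUI = Rule("block", PORTAL_NET, ROUTER_GUI, 443, "block upstream router GUI")
PASS_ANY = Rule("pass", PORTAL_NET, "0.0.0.0/0", None, "allow portal net to any")

WRONG_ORDER = [PASS_ANY, BLOCK_GUI]  # specific rule placed last: never reached
RIGHT_ORDER = [BLOCK_GUI, PASS_ANY]  # specific rule on top: takes effect

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, evaluate(rules, "192.168.2.50", "192.0.2.1", 443), shadowed(rules))
```
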
                • T Offline
                  tecnica
                  last edited by tecnica

                  Is it possible to configure the device with the 192.168.1.x range and pass the 172.16.0.x network to the 192.168.1.x network?
                  It is a camera that is in the range 172.16.0.x and the recorder in 192.168.1.x.

                  • johnpozJ Online
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    What version of pfSense are you running?

                    • T Offline
                      tecnica
                      last edited by

                      I am running 2.2.

                      • johnpozJ Online
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Yeah that is just FAIL!! 2.2 has not been supported for years.. Update to current!! 2.4.4p2, the whole 2.3.x line is not even supported any more.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.