Captive Portal and OPT1 interface

TonyS

Hello everyone, a newbie to pfSense, so please be gentle..

I have installed pfSense 2.3.2 on a Gigabyte Brix to allow me to put in the captive portal between my swicth and a Cisco 1131 Wireless AP.
It's all installed and seems to work very well with one minor exception, that I cannot resolve after spending a few evenings on it, my setup is this:-

Cisco 3560 switch with fa0/48 set as a trunk port, carrying 3 vlans, vlan 50 has unrestricted internet access, vlan 51 will be the vlan that the AP sits on, vlan 21 is purely a management vlan.

FA0/48 connects to the re0 ethernet port on the Brix and re0_vlan50 is the WAN, re0_vlan51 is the LAN (with the AP on it) and re0_vlan20 is the OPT 1interface.

The captive portal works brilliantly for wifi clients, they accept the terms and conditions and happily browse the web.

What I now want to do is allow management access to the webconfigurator from the OPT1 interface (vlan 20) only and not from the other two Vlans, this is where i'm stuck.

After installation, it would not work, so before putting in any firewall rules to BLOCK access from the other two vlans, I have created firewall rules on ALL vlans to allow everything everywhere.
Now, if I plug my laptop into the switch on Vlan 20, I cannot access the Webconfigurator, nor can I ping it (10.0.20.254), I can ping any other machine on vlan 20
it is as if the OPT1 interface is not functioning.
From the cisco 3560, I am able to ping the WAN ip, the LAN ip but not the OPT1 ip.
I even logged into the setup menu on the terminal window on the Brix and exit to the shell and disable firewall rules with pfctl -d. but still unable to get any response from the OPT1 interface, I cannot ping it, nor access the webconfigurator from it.

Can anyone give me any pointers on what to check, of confirm that what I want to do is even possible?

Thanks
Regards
Tony.

Gertjan

What about using the 'default' setup :
Administration is done from LAN, where all trusted people and devices are.
All clients (visitors) are on the Captive Portal.

Works well for many years now … ;)

Adding VLANS to OPT1 ... ok - but I don't know if that compatible with the 'Captive Portal' ....

TonyS

Hi Gertrjan

thank you for replying, what you suggest would work i'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20).
Unfortunately, I am unable to change that, policy, but as it happens, I resolved the issue earlier today, only just got home to update with the soultion.

I actually had done everythig correctly in pfSense, the problem was the guy who had set up the Cisco 3560, had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'.

I got him to remove this line and everything now works, so i've spent this afternoon setting up firewall rules blocking access to the and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too.

Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else.

Thank you again for the suggestion
Regards
Tony.