Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal and OPT1 interface

    Scheduled Pinned Locked Moved Captive Portal
    3 Posts 2 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TonyS
      last edited by

      Hello everyone, a newbie to pfSense, so please be gentle..

      I have installed pfSense 2.3.2 on a Gigabyte Brix to allow me to put in the captive portal between my swicth and a Cisco 1131 Wireless AP.
      It's all installed and seems to work very well with one minor exception, that I cannot resolve after spending a few evenings on it, my setup is this:-

      Cisco 3560 switch with fa0/48 set as a trunk port, carrying 3 vlans, vlan 50 has unrestricted internet access, vlan 51 will be the vlan that the AP sits on, vlan 21 is purely a management vlan.

      FA0/48 connects to the re0 ethernet port on the Brix and re0_vlan50 is the WAN, re0_vlan51 is the LAN (with the AP on it) and re0_vlan20 is the OPT 1interface.

      The captive portal works brilliantly for wifi clients, they accept the terms and conditions and happily browse the web.

      What I now want to do is allow management access to the webconfigurator from the OPT1 interface (vlan 20) only and not from the other two Vlans, this is where i'm stuck.

      After installation, it would not work, so before putting in any firewall rules to BLOCK access from the other two vlans, I have created firewall rules on ALL vlans to allow everything everywhere.
      Now, if I plug my laptop into the switch on Vlan 20, I cannot access the Webconfigurator, nor can I ping it (10.0.20.254), I can ping any other machine on vlan 20
      it is as if the OPT1 interface is not functioning.
      From the cisco 3560, I am able to ping the WAN ip, the LAN ip but not the OPT1 ip.
      I even logged into the setup menu on the terminal window on the Brix and exit to the shell and disable firewall rules with pfctl -d. but still unable to get any response from the OPT1 interface, I cannot ping it, nor access the webconfigurator from it.

      Can anyone give me any pointers on what to check, of confirm that what I want to do is even possible?

      Thanks
      Regards
      Tony.

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        What about using the 'default' setup :
        Administration is done from LAN, where all trusted people and devices are.
        All clients (visitors) are on the Captive Portal.

        Works well for many years now … ;)

        Adding VLANS to OPT1 ... ok - but I don't know if that compatible with the 'Captive Portal' ....

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • T
          TonyS
          last edited by

          Hi Gertrjan

          thank you for replying, what you suggest would work i'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20).
          Unfortunately, I am unable to change that, policy, but as it happens, I resolved the issue earlier today, only just got home to update with the soultion.

          I actually had done everythig correctly in pfSense, the problem was the guy who had set up the Cisco 3560, had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'.

          I got him to remove this line and everything now works, so i've spent this afternoon setting up firewall rules blocking access to the and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too.

          Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else.

          Thank you again for the suggestion
          Regards
          Tony.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.