Netgate Discussion Forum
    NAT fails when Captive Portal is enabled

j0ris:

I spent hours in bewilderment trying to find out why I just couldn't get a simple port forward to work, before I stumbled upon this ticket: http://cvstrac.pfsense.com/tktview?tn=1565

Turns out that you must add both a MAC and an IP passthrough in the Captive portal for the servers you are forwarding ports to. Otherwise the forwarded traffic simply will not go out of the pfSense box.

I think it would be a good idea if the pfSense GUI gave some kind of warning about this. Just a comment on the Captive portal page would help. Even better would be a warning when pfSense detects that you have enabled both the Captive portal and NAT forwarding.
j0ris:

Actually, the problem is worse: apart from the server, it seems I also need to provide the IPs of the clients in the "allowed IP addresses" table for the port forwarding to work, so that the clients on the LAN side can access the server.

This would be a security risk, however, as IP addresses can obviously be changed very easily on clients: connect once with a valid login through the captive portal, then use the assigned IP in the future without needing to log in.
rhy7s:

Thanks for that, this was driving me nuts. There was one machine which intermittently allowed inbound connections. I could see no difference in the rules applied to it vs other machines. Turned out it was allowed through the captive portal by MAC address whereas the others were being let through via IP. Added an IP rule and everything's fine.
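The mismatch described in this thread (a port forward whose target host has no IP pass-through in the captive portal, or only a MAC pass-through as in rhy7s's case) can be caught by a simple audit of a configuration backup before it bites in production. The script below is an added example, not code from the posters or from the pfSense project. It parses a constructed XML document whose layout imitates pfSense's config.xml (`nat/rule/target`, `captiveportal/<zone>/allowedip` and `passthrumac`, `dhcpd/<if>/staticmap`); those element paths are assumptions about the file format and should be checked against a real backup before relying on the script, since the actual file has many more elements and may differ between versions.

```python
"""Cross-check port-forward targets against Captive Portal pass-through entries.

Added example: not code from the thread or from the pfSense project. The XML
layout is a constructed, simplified imitation of pfSense's config.xml; the
element paths used here are assumptions to verify against your own backup.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: two port forwards. 192.168.1.10 has an IP
# pass-through; 192.168.1.20 is passed through only by MAC address.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <target>192.168.1.10</target><local-port>443</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <target>192.168.1.20</target><local-port>22</local-port></rule>
  </nat>
  <dhcpd><lan>
    <staticmap><mac>00:11:22:33:44:20</mac><ipaddr>192.168.1.20</ipaddr></staticmap>
  </lan></dhcpd>
  <captiveportal><lanzone>
    <allowedip><ip>192.168.1.10</ip><sn>32</sn><dir>both</dir></allowedip>
    <passthrumac><mac>00:11:22:33:44:20</mac><action>pass</action></passthrumac>
  </lanzone></captiveportal>
</pfsense>"""


def port_forward_targets(root):
    """Return (target_ip, local_port) for every NAT port-forward rule."""
    out = []
    for rule in root.findall("./nat/rule"):
        target = rule.findtext("target")
        if target:
            out.append((target, rule.findtext("local-port", "")))
    return out


def captive_portal_passthrough(root):
    """Collect allowed IPs and pass-through MACs from every captive portal zone."""
    ips, macs = set(), set()
    for zone in root.findall("./captiveportal/*"):
        for entry in zone.findall("allowedip"):
            ip = entry.findtext("ip")
            if ip:
                ips.add(ip)
        for entry in zone.findall("passthrumac"):
            mac = entry.findtext("mac")
            if mac:
                macs.add(mac.lower())
    return ips, macs


def static_ip_to_mac(root):
    """Map IP -> MAC from DHCP static mappings (assumed config layout)."""
    mapping = {}
    for sm in root.findall("./dhcpd/*/staticmap"):
        ip, mac = sm.findtext("ipaddr"), sm.findtext("mac")
        if ip and mac:
            mapping[ip] = mac.lower()
    return mapping


def check_port_forwards(config_xml):
    """Return one finding per port-forward target that lacks an IP pass-through.

    A MAC-only pass-through is flagged separately: as observed in the thread,
    it is not sufficient for inbound forwarded traffic to reach the host.
    """
    root = ET.fromstring(config_xml)
    allowed_ips, passthru_macs = captive_portal_passthrough(root)
    ip_to_mac = static_ip_to_mac(root)
    findings = []
    for target, port in port_forward_targets(root):
        if target in allowed_ips:
            continue  # IP pass-through present; nothing to report
        findings.append({
            "target": target,
            "port": port,
            "mac_passthrough_only": ip_to_mac.get(target) in passthru_macs,
        })
    return findings


if __name__ == "__main__":
    for f in check_port_forwards(SAMPLE_CONFIG):
        kind = "MAC pass-through only" if f["mac_passthrough_only"] else "no pass-through"
        print(f"port forward to {f['target']}:{f['port']} -> {kind}")
```

Running it against the constructed sample reports only `192.168.1.20:22` as "MAC pass-through only"; against a real backup, every line of output is a host to add to the zone's allowed IP addresses (a /32 entry) before expecting the forward to work.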
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.