External wifi router and Captive Portal. (possible?)

  • I'd like to use a regular external wifi router, but I still need CP ability. Is it possible (or has already been done) to use an external router, forward that traffic through the pfSense router and force users to authenticate via CP on the pfSense?

  • @rdugaue obviously it's possible.

  • I'd like to add that this wifi router shouldn't route.
    It should behave as a 'simple' Access point.

    Otherwise pfSense only sees the router's MAC and IP. A first client visiting the wifi network has to log in, and all other clients afterwards will be logged in.

  • @snailkhan Quite unhelpful, is there a how-to for it?

  • @gertjan Yeah, I'm figuring the wifi router should be lan-to-lan instead of using the wifi's wan-lan. I have an AC1200, there's a guest mode that I can assign a separate IP pool. It's that side that I want to captive portal, the users on the regular ssid should not have to auth.

  • LAYER 8 Netgate

    You want access point mode, or you want to connect LAN to pfSense LAN.

    You want a bridge between wifi and ethernet, not a wifi router. It is necessary for Captive Portal because it needs to see the individual wireless client MAC addresses.

  • @derelict I don't quite understand your reply.

    My hardware is a Netgate SG1000. LAN is on an 8-port switch, I have PCs hardwired to that. I also have an AC1200 wifi router. The AC1200's lan is on the switch. DHCP is off on the AC1200. It's not being used as a router, but as a wifi access point. I want to know if I can use pfSense's Captive Portal to force AC1200 wifi users to accept a T&C and redirect them to a landing page. If so, is there a walk-thru available or can you give me some directions? Thank you.

  • LAYER 8 Netgate

    Yes. Not sure what your issue is but you have something misconfigured.

    Hangout Videos:

    Captive Portal

    Advanced Captive Portal

  • I don't have anything misconfigured, because I haven't configured anything. Both these videos appear to assume the wifi is running on the pfSense router itself, not an external wifi device. It doesn't address the subject line of this post. The wifi is an external ap (only being used for wifi and hooked lan-to-lan to the pfSense router). The videos are helpful, I've set up lots of Captive Portal when the pfSense router has a wifi card, just not when the wifi is an external ap that needs CP.

  • LAYER 8 Netgate

    Captive portal simply does not care if the users are connected to an access point or the ethernet LAN as long as they are all on the SAME layer 2 network. Does not care one bit.

    If you put a wireless ROUTER on the network controlled by Captive Portal and all of the users appear to come from the WAN address of that router, then after one user behind the router logs in everyone who is on the wifi behind that router will be logged in because that is a DIFFERENT layer 2 network.
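The layer 2 point made in the post above, as an added example that is not part of the thread and is not pfSense's code: a simplified model in which the portal authorizes the source IP/MAC pair it sees on its own interface. The `Portal` class, the function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str

@dataclass
class Portal:
    # Assumption of this model: one session per (IP, MAC) pair seen by the portal.
    sessions: set = field(default_factory=set)

    def login(self, frame):
        self.sessions.add((frame.src_ip, frame.src_mac))

    def allows(self, frame):
        return (frame.src_ip, frame.src_mac) in self.sessions

def bridge_ap(frame):
    """Access point mode (LAN-to-LAN): the frame reaches the portal unchanged."""
    return frame

def make_nat_router(wan_ip, wan_mac):
    """Wifi router cabled by its WAN port: every client is rewritten to the WAN IP/MAC."""
    def forward(frame):
        return Frame(wan_ip, wan_mac)
    return forward

def identities_seen(path, clients):
    """Distinct (IP, MAC) pairs the portal interface observes for these clients."""
    return {path(c) for c in clients}

def unauthenticated_client_passes(path, client_a, client_b):
    """Client A signs in; report whether client B, who never signed in, is let through."""
    portal = Portal()
    portal.login(path(client_a))
    return portal.allows(path(client_b))

# Constructed sample clients and router addresses.
CLIENT_A = Frame("192.168.1.101", "02:00:00:00:00:0a")
CLIENT_B = Frame("192.168.1.102", "02:00:00:00:00:0b")
NAT_ROUTER = make_nat_router("192.168.1.50", "02:00:00:00:00:ff")

if __name__ == "__main__":
    for name, path in (("bridged AP", bridge_ap), ("NAT router", NAT_ROUTER)):
        seen = len(identities_seen(path, [CLIENT_A, CLIENT_B]))
        leak = unauthenticated_client_passes(path, CLIENT_A, CLIENT_B)
        print(f"{name}: portal sees {seen} identities, client B passes without login: {leak}")
```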

  • @derelict I've said several times the AP is lan-to-lan and not via the WAN. I've done quite a lot of searching, most posts I've found point to threads that no longer work. IE: I thought I found what I needed here: https://forum.netgate.com/topic/44106/adding-an-external-access-point-to-pfsense/2, but most of the threads don't work. I have the external AP working, the AP can do 2 SSIDs, I want to put one of those up as a guest SSID that requires a T&C and CP login. The guest network needs to be on a different subnet (vlan?) so that they cannot see traffic on the other network. I guess I'll just start tinkering and figure it out. Obviously, I'm asking the wrong questions and not getting pointed in the right directions except for "it's possible or it's misconfigured" which isn't helpful. Thanks for trying.

  • LAYER 8 Netgate

    It works if it is the same layer 2. Not sure what more of an answer you want.

    Tagging VLANs from different SSIDs is a completely different question than External wifi router and Captive Portal. (possible?).

    My hardware is a Netgate SG1000. LAN is on an 8-port switch,

    Is that a managed switch? It will need to be to do what you want to do.

  • so, i am running into this exact scenario.

    pfSense 2.4.3 (amd64) running on a server with 4 ports.
    eth0 = WAN
    eth1 = LAN
    eth2 = (unused currently)
    eth3 = DMZ

    everything is setup correctly... have dmz firewalled off from lan and vice versa. everything functions as it should. i have a wireless access point connected to eth3. it is passing through dhcp and can see all connections through that access point. i have tried setting up a basic captive portal without authentication (simply want a url to load when first accessed)... the moment i turn that captive portal on, i cannot connect through that ap. turn off the captive portal, and everything works great.

    so, i am obviously missing something. i thought it was due to the access point not being whitelisted, but i allowed it via mac address. i've tried giving it a static ip, and allowing that ip through... none of that helped. same issue still.

    any ideas on what to look for? what am i doing wrong with this?

  • LAYER 8 Netgate

    The access point should never be initiating connections.

    It should simply be bridging the wifi clients to the ethernet network.

    Captive Portal is designed to "break the internet."

    You have to sign in through it to get out.

    How are you testing?

    Instead of saying "everything is setup correctly..." (which it obviously isn't or it would be working) you might consider posting your configs.

  • @dlpc Sigh.. Please start your own thread. Now @Derelict is responding to what is NOT my situation. I need an external AP setup on a different wifi (guest) that is on a different subnet separate from the main subnet and uses captive portal for the guest wifi.

  • LAYER 8 Netgate

    Generally you would put the other subnet on a different interface and put captive portal on that (You can select multiple interfaces served by the same captive portal instance).

    If there is a router between your users and the captive portal interface you will lose the ability to see a MAC/IP address pair and captive portal won't work as you would like.

  • @derelict Yes, if I had a spare lan port to do this I would have long ago. The sg-1000 has 1 wan/1 lan. The one lan used now is on a switch for local traffic and an AP (lan-to-lan) for internal wifi. That AP has a guest mode, but I don't see a way to give it a different subnet. Maybe the answer is to use the usb port with an Ethernet adapter (I've about given up trying to find a working usb wifi adapter) and a 2nd access point for guest wifi on the usb lan side.

  • @rdugaue

    I set up a wireless router behind a pf router like you are describing. My config was:


    ASUS RT N-16

    The cable was connected LAN-LAN. DHCP was off on the ASUS RT N-16.
    This configuration allowed DHCP to be issued by pfSense through the ASUS RT N-16 to wireless clients.
    I did not run CP on this setup.

    You can try not enabling guest mode and manually config your AC1200 to have an ip on the same subnet as the pfSense router and disable DHCP on the AC1200.

  • LAYER 8 Netgate

    @rdugaue said in External wifi router and Captive Portal. (possible?):

    @derelict Yes, if I had a spare lan port to do this I would have long ago. The sg-1000 has 1 wan/1 lan.

    So get a managed switch and use VLANs to separate your inside network segments or get a router with enough ports for your use case.
