External wifi router and Captive Portal. (possible?)
-
Captive portal simply does not care if the users are connected to an access point or the ethernet LAN as long as they are all on the SAME layer 2 network. Does not care one bit.
If you put a wireless ROUTER on the network controlled by Captive Portal and all of the users appear to come from the WAN address of that router, then after one user behind the router logs in everyone who is on the wifi behind that router will be logged in because that is a DIFFERENT layer 2 network.
-
@derelict I've said several times the AP is lan-to-lan and not via the WAN. I've done quite a lot of searching, most posts I've found point to threads that no longer work. IE: I thought I found what I needed here: https://forum.netgate.com/topic/44106/adding-an-external-access-point-to-pfsense/2, but most of the threads don't work. I have the external AP working, the AP can do 2 SSIDs, I want to put one of those up as a guest SSID that requires a T&C and CP login. The guest network needs to be on a different subnet (VLAN?) so that they cannot see traffic on the other network. I guess I'll just start tinkering and figure it out. Obviously, I'm asking the wrong questions and not getting pointed in the right directions except for "it's possible or it's misconfigured" which isn't helpful. Thanks for trying.
-
It works if it is the same layer 2. Not sure what more of an answer you want.
Tagging VLANs from different SSIDs is a completely different question than External wifi router and Captive Portal. (possible?).
My hardware is a Netgate SG1000. LAN is on 8 port switch,
Is that a managed switch? It will need to be to do what you want to do.
-
So, I am running into this exact scenario.
pfSense 2.4.3 (amd64) running on a server with 4 ports.
eth0 = WAN
eth1 = LAN
eth2 = (unused currently)
eth3 = DMZ
Everything is setup correctly... I have the DMZ firewalled off from LAN and vice versa. Everything functions as it should. I have a wireless access point connected to eth3. It is passing through DHCP and can see all connections through that access point. I have tried setting up a basic captive portal without authentication (simply want a URL to load when first accessed)... The moment I turn that captive portal on, I cannot connect through that AP. Turn off the captive portal, and everything works great.
So, I am obviously missing something. I thought it was due to the access point not being whitelisted, but I allowed it via MAC address. I've tried giving it a static IP, and allowing that IP through... None of that helped. Same issue still.
Any ideas on what to look for? What am I doing wrong with this?
-
The access point should never be initiating connections.
It should simply be bridging the wifi clients to the ethernet network.
Captive Portal is designed to "break the internet."
You have to sign in through it to get out.
How are you testing?
Instead of saying "everything is setup correctly..." (which it obviously isn't or it would be working) you might consider posting your configs.
-
Generally you would put the other subnet on a different interface and put captive portal on that (You can select multiple interfaces served by the same captive portal instance).
If there is a router between your users and the captive portal interface you will lose the ability to see a MAC/IP address pair and captive portal won't work as you would like.
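A simplified model of the point made in the first reply and in the post above, added here as an illustration; it is not part of any poster's message and is not pfSense code. It assumes the portal keys sessions on the source IP/MAC pair it sees on its own interface, and all addresses and class names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str

class BridgedAP:
    """LAN-to-LAN access point: client frames reach the portal unchanged."""
    def forward(self, frame):
        return frame

class NatRouter:
    """Wireless router cabled by its WAN port: every client behind it
    leaves with the router's WAN IP and MAC."""
    def __init__(self, wan_ip, wan_mac):
        self.wan = Frame(wan_ip, wan_mac)
    def forward(self, frame):
        return self.wan

class Portal:
    """Assumed model: one session per (source IP, source MAC) pair."""
    def __init__(self):
        self.sessions = set()
    def login(self, frame):
        self.sessions.add((frame.src_ip, frame.src_mac))
    def allows(self, frame):
        return (frame.src_ip, frame.src_mac) in self.sessions

# Constructed wifi clients.
CLIENTS = [Frame(f"10.0.0.{n}", f"02:00:00:00:00:{n:02x}") for n in (10, 11, 12)]

def second_client_allowed(device):
    """Client 0 logs in; does client 1 get out without logging in?"""
    portal = Portal()
    portal.login(device.forward(CLIENTS[0]))
    return portal.allows(device.forward(CLIENTS[1]))

def identities_seen(device):
    """How many distinct IP/MAC pairs the portal can tell apart."""
    return len({device.forward(c) for c in CLIENTS})

if __name__ == "__main__":
    router = NatRouter("192.168.4.10", "02:00:00:00:00:01")
    for name, dev in (("bridged AP", BridgedAP()), ("NAT router", router)):
        print(name, second_client_allowed(dev), identities_seen(dev))
```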
-
@derelict Yes, if I had spare lan port to do this I would have long ago. The sg-1000 has 1 wan/1 lan. The one lan used now is on a switch for local traffic and an AP (lan-to-lan) for internal wifi. That AP has a guest mode, but I don't see a way to give it a different subnet. Maybe the answer is to use the usb port with an Ethernet adapter (I've about given up trying to find a working usb wifi adapter) and a 2nd access point for guest wifi on the usb lan side.
-
I set up a wireless router behind a pf router like you are describing. My config was:
pfSense: 192.168.4.1
ASUS RT N-16: 192.168.4.10
The cable was connected LAN-LAN. DHCP was off on the ASUS RT N-16.
This configuration allowed DHCP to be issued by pfSense through the ASUS RT N-16 to wireless clients.
I did not run CP on this setup.
You can try not enabling guest mode and manually configure your AC1200 to have an IP on the same subnet as the pfSense router and disable DHCP on the AC1200.
-
@rdugaue said in External wifi router and Captive Portal. (possible?):
@derelict Yes, if I had spare lan port to do this I would have long ago. The sg-1000 has 1 wan/1 lan.
So get a managed switch and use VLANs to separate your inside network segments or get a router with enough ports for your use case.