Is NAT a requirement for Captive Portals?



  • I have a setup with dual routers, only the one on the edge NATs, traffic is sent through a transport network.

    It would be placed on the inner firewall, it's just pure routing to there. Can a portal work in this way--it seems like a 1:1 NAT but on a whole subnet. I think it's called the same...anyway! Can it? Or can I set it up on the edge and route it as well? This was actually my first idea but I'm a little lost on the logistics of it--like who'd take care of DHCP; should I just connect the captive VLAN to both routers; would I create routing (asymmetric) loops if I do, or worse broadcast loops--all that.

    Thanks!


  • Rebel Alliance

    @umademelosemyusernamepfsense captive portal does not require NAT to work, you could set up a captive portal zone on your inner firewall, that's perfectly fine

    captive portal has no impact on firewall / routing / NAT rules.

    (it does however has an impact on traffic shaping rules)

    please be aware that your DHCP server and your DNS server are in the same network as your clients using captive portal. if that's not the case, you will have to add them as "bypass" in your captive portal settings (otherwise your users won't be able to get an IP, because the captive portal will block DHCP requests...)



  • Thanks for clearing that out--since I asked I had a major network redo and had two major "aha!" moments and I'm back to only the edge firewall + L3 switch and using every feature Windows Server's DHCP server has. I've been offline for really long periods while I broke some stuff.

    But I accomplished what I wanted and was told repeatedly not to do it: DHCP option 121.
    0_1551518079822_Screen_Shot_2019-02-13_at_08_45_54.png

    I really liked the simplicity of using a transit network because all rules lay on a single interface plus a few floating ones it's awesome--parting from that and from this diagram I found:
    :
    0_1551518599407_chilli.png

    and... your confirmation about no NAT needed (I'm really grateful, BTW) I'm thinking about setting up a captive portal as a transit network and whitelist hosts as needed. My previous experience with portals was with the UniFi system--it never occurred to me to look at things from another perspective.

    I'll keep breaking stuff a little more, it's weekend, see what else can I learn--thanks a million!


Log in to reply