Configure pfsense as a captive portal only and without DHCP.



  • Hello,

    I am currently installing Pfsense to try to replace an existing captive portal solution on a rather large network (2 firewalls, DMZs etc etc...).
    Currently the captive portal in place is as follows:

    (NET)-----[ firewall-1 ]----(Captive portal)-------[ firewall 2 ]-------(Vlan User wifi).

    Users do not have the same subnetwork as the interface of the captive portal consultation network, it is firewall 2 that acts as DHCP for the Users.
    Firewall 2 then redirects the Users from the Vlan user to the captive portal, and the captive portal only acts as a DNS and "interceptor".

    My user is well redirected by firewall 1 to pfsense, the LAN interface can see it but I don't have a captive portal that goes up.

    I set up a static route to let pfsense know about the existence of the "User wifi" subnetwork but nothing works.

    Pfsense is simply configured, it makes DNS resolutions, it outputs to the internet correctly, and the firewall part is open.

    Pfsense, can it manage and/or detect users with a subnetwork different from its LAN subnetwork?

    I didn't find an answer on the forum or on the doc ( mea culpa if that's the case)
    Thank you in advance for your answers ^^



  • Hi,

    The captive portal that pfSense proposes should not be used with an intermediate firewall between pfSense and the connection users.
    Out of the box it handles DNS, DHCP, etc.
    For a captive portal to work well, it should 'see' the IP and the MAC off the connected device.



  • I understand perfectly, but my company's policy is that you can't put a virtual machine unprotected by the second firewall, moreover, it's not really necessary to see the mac / ip because it's given by the firewall and access is very restricted, I would have liked to know if it was possible to force pfsense to respond to an IP that wasn't granted by it?



  • Where does this one come from :
    @Eollas said in Configure pfsense as a captive portal only and without DHCP.:

    a virtual machine

    If needed, un-VM it.

    The captive portal needs to see distinctive IP addresses (per user) and it would be just great if it also see the MAC addresses.
    Your intermediate firewall hides they ? If so, you have a solid no-go.



  • No, my firewall doesn't hide it, when I do a frame capture on pfsense, I see the requests made by my pc-test and its @IP.
    However, I do not have an answer.

    And the VM comes from the DMZ of firewall 2, I can't create any elsewhere.

    in any case, thank you for taking the time to answer me: D

    I potentially found this topic on the forum, which is a similar case to mine, but the modification in the code didn't change anything:/
    https://forum.netgate.com/topic/39188/captive-portal-behind-router-or-different-subnet/2

    do you know a way to force pfsense to take into account @IPs that are not part of its own subnetwork?


Log in to reply