Netgate Discussion Forum

    Configure pfsense as a captive portal only and without DHCP.

    • E
      Eollas
      last edited by Eollas

      Hello,

      I am currently installing pfSense to try to replace an existing captive portal solution on a rather large network (2 firewalls, DMZs, etc.).
      Currently the captive portal in place is as follows:

      (NET)-----[ firewall-1 ]----(Captive portal)-------[ firewall 2 ]-------(Vlan User wifi).

      Users do not have the same subnetwork as the interface of the captive portal consultation network; it is firewall 2 that acts as DHCP for the Users.
      Firewall 2 then redirects the Users from the Vlan user to the captive portal, and the captive portal only acts as a DNS and "interceptor".

      My user is correctly redirected by firewall 1 to pfSense, and the LAN interface can see it, but the captive portal does not come up.

      I set up a static route to let pfSense know about the existence of the "User wifi" subnetwork, but nothing works.

      pfSense is simply configured: it makes DNS resolutions, it gets out to the internet correctly, and the firewall part is open.

      Can pfSense manage and/or detect users with a subnetwork different from its LAN subnetwork?

      I didn't find an answer on the forum or in the docs (mea culpa if that's the case).
      Thank you in advance for your answers ^^

      • GertjanG
        Gertjan
        last edited by Gertjan

        Hi,

        The captive portal that pfSense proposes should not be used with an intermediate firewall between pfSense and the connection users.
        Out of the box it handles DNS, DHCP, etc.
        For a captive portal to work well, it should 'see' the IP and the MAC of the connected device.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • E
          Eollas
          last edited by

          I understand perfectly, but my company's policy is that you can't put a virtual machine unprotected by the second firewall. Moreover, it's not really necessary to see the MAC/IP because it's given by the firewall and access is very restricted. I would have liked to know if it was possible to force pfSense to respond to an IP that wasn't granted by it?

          • GertjanG
            Gertjan @Eollas
            last edited by

            Where does this one come from :
            @Eollas said in Configure pfsense as a captive portal only and without DHCP.:

            a virtual machine

            If needed, un-VM it.

            The captive portal needs to see distinctive IP addresses (per user) and it would be just great if it also sees the MAC addresses.
            Does your intermediate firewall hide them? If so, you have a solid no-go.

            • E
              Eollas
              last edited by Eollas

              No, my firewall doesn't hide it; when I do a frame capture on pfSense, I see the requests made by my pc-test and its IP address.
              However, I do not have an answer.

              And the VM comes from the DMZ of firewall 2; I can't create any elsewhere.

              In any case, thank you for taking the time to answer me :D

              I potentially found this topic on the forum, which is a similar case to mine, but the modification in the code didn't change anything :/
              https://forum.netgate.com/topic/39188/captive-portal-behind-router-or-different-subnet/2

              Do you know a way to force pfSense to take into account IP addresses that are not part of its own subnetwork?

              • M
                mhmd @Eollas
                last edited by

                @Eollas I also have this problem, but unfortunately, I have not found an answer for it because the IP of the LAN firewall is different from the IP range of my LAN network, and because of this, Captive portal does not work. Have you found a way? If so, please guide me. Thank you

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  The captive portal works at layer 2; it allows/disallows devices by MAC address. It cannot work with a router in between because it only ever sees the MAC address of the router, not the clients.

                  Steve

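The layer-2 behaviour described in the answer above can be checked from a capture taken on the portal interface. This is an added example, not part of the original thread and not pfSense code; the frames, MAC addresses, subnets and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

def build_frame(src_mac, src_ip, dst_ip="192.0.2.1"):
    """Constructed sample: Ethernet II + minimal IPv4 header, no payload."""
    eth = bytes.fromhex("02" * 6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    # Checksum is left at 0; this example never validates it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (src_mac, src_ip) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, ipaddress.IPv4Address(frame[26:30])

def routed_macs(frames, lan):
    """Source MACs that front several IPs or IPs outside the portal LAN.

    Such a MAC belongs to a router or firewall: every client behind it
    reaches the portal with that same layer-2 address.
    """
    lan = ipaddress.ip_network(lan)
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in seen.items()
            if len(ips) > 1 or any(ip not in lan for ip in ips)}

# Constructed capture: two wifi clients arriving through one router, one local host.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:fe", "10.20.0.11"),
    build_frame("02:00:00:00:00:fe", "10.20.0.12"),
    build_frame("02:00:00:00:00:21", "192.168.1.50"),
]

if __name__ == "__main__":
    for mac, ips in routed_macs(SAMPLE_FRAMES, "192.168.1.0/24").items():
        print(f"{mac} fronts {len(ips)} client IPs: {', '.join(ips)}")
```
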
                  • M
                    mhmd @stephenw10
                    last edited by

                    @stephenw10
                    Thank you for your beautiful answer.
                    My exact problem is that this happened after adding a router between the firewall and the main switch, and in my opinion, this could be the problem.
                    Thanks, Steve.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.