Configure pfsense as a captive portal only and without DHCP.
-
Hello,
I am currently installing Pfsense to try to replace an existing captive portal solution on a rather large network (2 firewalls, DMZs etc etc...).
Currently the captive portal in place is as follows: (NET)-----[ firewall-1 ]----(Captive portal)-------[ firewall 2 ]-------(Vlan User wifi).
Users do not have the same subnetwork as the interface of the captive portal consultation network, it is firewall 2 that acts as DHCP for the Users.
Firewall 2 then redirects the Users from the Vlan user to the captive portal, and the captive portal only acts as a DNS and "interceptor". My user is well redirected by firewall 1 to pfsense, the LAN interface can see it, but I don't have a captive portal that comes up.
I set up a static route to let pfsense know about the existence of the "User wifi" subnetwork but nothing works.
Pfsense is simply configured, it makes DNS resolutions, it outputs to the internet correctly, and the firewall part is open.
Pfsense, can it manage and/or detect users with a subnetwork different from its LAN subnetwork?
I didn't find an answer on the forum or in the doc (mea culpa if that's the case).
Thank you in advance for your answers ^^
-
Hi,
The captive portal that pfSense proposes should not be used with an intermediate firewall between pfSense and the connection users.
Out of the box it handles DNS, DHCP, etc.
For a captive portal to work well, it should 'see' the IP and the MAC of the connected device.
-
I understand perfectly, but my company's policy is that you can't put a virtual machine unprotected by the second firewall. Moreover, it's not really necessary to see the MAC / IP because it's given by the firewall and access is very restricted. I would have liked to know if it was possible to force pfsense to respond to an IP that wasn't granted by it?
-
Where does this one come from:
> @Eollas said in Configure pfsense as a captive portal only and without DHCP.: a virtual machine
If needed, un-VM it.
The captive portal needs to see distinctive IP addresses (per user) and it would be just great if it also sees the MAC addresses.
Does your intermediate firewall hide them? If so, you have a solid no-go.
-
No, my firewall doesn't hide it; when I do a frame capture on pfsense, I see the requests made by my pc-test and its IP address.
However, I do not have an answer. And the VM comes from the DMZ of firewall 2, I can't create any elsewhere.
In any case, thank you for taking the time to answer me :D
I potentially found this topic on the forum, which is a similar case to mine, but the modification in the code didn't change anything :/
https://forum.netgate.com/topic/39188/captive-portal-behind-router-or-different-subnet/2
Do you know a way to force pfsense to take into account IP addresses that are not part of its own subnetwork?
-
@Eollas I also have this problem, but unfortunately, I have not found an answer for it because the IP of the LAN firewall is different from the IP range of my LAN network, and because of this, Captive portal does not work. Have you found a way? If so, please guide me. Thank you
-
The captive portal works at layer 2: it allows/disallows devices by MAC address. It cannot work with a router in between because it only ever sees the MAC address of the router, not the clients.
Steve
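As an added illustration of the point Steve makes (this is example code, not part of the thread and not pfSense's own portal logic), the script below reads constructed frame summaries in the style of `tcpdump -e`, groups the source IPs seen behind each source MAC, and applies a per-MAC allow list the way a layer-2 portal would. The MAC and IP values are made up; in the routed case the single router MAC fronts every client, so authorizing one user's "MAC" authorizes everyone behind the router, which is exactly why the portal cannot distinguish users there.

```python
"""Check whether a captive-portal interface sees one MAC per client.

Constructed sample capture lines in tcpdump -e style (not from the thread).
A MAC that fronts several IPs is the signature of a router in the path.
"""
import re
from collections import defaultdict

# Regex for a tcpdump -e IPv4 line: leading source MAC, then the source IP
# (with an optional ".port" suffix) before the first " > " of the IP header.
_FRAME_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+, ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > ",
    re.IGNORECASE,
)

# Constructed capture: two clients directly on the portal's LAN segment.
DIRECT_CAPTURE = """\
aa:bb:cc:00:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51512 > 198.51.100.1.80: Flags [S]
aa:bb:cc:00:00:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.11.51513 > 198.51.100.1.80: Flags [S]
aa:bb:cc:00:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.1: ICMP echo request
"""

# Constructed capture: the same two clients behind a router (hypothetical
# router MAC de:ad:be:ef:00:01); their IPs survive, their MACs do not.
ROUTED_CAPTURE = """\
de:ad:be:ef:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.20.30.10.40001 > 198.51.100.1.80: Flags [S]
de:ad:be:ef:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.20.30.11.40002 > 198.51.100.1.80: Flags [S]
"""


def parse_capture(text):
    """Return (src_mac, src_ip) pairs for every IPv4 line that matches."""
    frames = []
    for line in text.splitlines():
        m = _FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group("mac").lower(), m.group("ip")))
    return frames


def ips_per_mac(frames):
    """Map each source MAC to the sorted set of source IPs seen behind it."""
    seen = defaultdict(set)
    for mac, ip in frames:
        seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}


def collapsed_macs(frames):
    """MACs fronting more than one IP: evidence of a router between portal and clients."""
    return sorted(mac for mac, ips in ips_per_mac(frames).items() if len(ips) > 1)


def portal_can_distinguish(frames):
    """True only if every client presents its own MAC to the portal interface."""
    return not collapsed_macs(frames)


def authorized_ips(frames, allowed_macs):
    """IPs that pass a MAC-based allow list, i.e. per-MAC authorization at layer 2."""
    allowed = {m.lower() for m in allowed_macs}
    return sorted({ip for mac, ip in frames if mac in allowed})


if __name__ == "__main__":
    for name, cap in (("direct", DIRECT_CAPTURE), ("routed", ROUTED_CAPTURE)):
        frames = parse_capture(cap)
        print(name, "distinguishable:", portal_can_distinguish(frames),
              "collapsed:", collapsed_macs(frames))
    # Authorizing "one user" behind the router admits every client behind it.
    print(authorized_ips(parse_capture(ROUTED_CAPTURE), ["de:ad:be:ef:00:01"]))
```

Run it against a real `tcpdump -e -n -i <portal-interface> ip` capture of the portal interface: if `collapsed_macs` returns the gateway's MAC, the portal is seeing the router rather than the clients, and no static route or code tweak on the pfSense side will change that.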
-
@stephenw10
Thank you for your beautiful answer.
My exact problem is that this happened after adding a router between the firewall and the main switch, and in my opinion, this could be the problem.
Thanks Steve