Netgate Discussion Forum

Segregate native and guest users via captive portal?

    DominikHoffmann
    last edited by Mar 27, 2021, 3:02 AM

    I have never set up a captive portal before. All I know is that it should conceptually be possible to have it segregate users into native users, i.e., those who have access to all LAN resources, and guest users who will only be granted internet access and will be blocked from the LAN.

    I am using a Velop constellation for WiFi. But, because I basically am using it in bridge mode, I cannot use the Velop’s guest SSID feature, because it requires the Velop system to act as the router. That would not allow me to use my pfSense appliance.

    Segregation would be achieved by having guests use a guest password and family members use the one for LAN access. I imagine that the captive portal functionality would establish two lists of MAC addresses and have distinct firewall rules for each.

    If, however, it requires VLANs and smart switches, I am afraid I don’t have this capability. I would love to know, before I slog through how to set up a captive portal, only to find out that what I am looking to do cannot be done.

      Gertjan @DominikHoffmann
      last edited by Mar 29, 2021, 7:00 AM

      The most simple setup is: a LAN interface, and an access point (not a router!) hooked up to the LAN interface.
      Guests and LAN (trusted) users now all share the same access.

      Better: a LAN interface, with its own APs with an SSID, for the trusted users.
      Another, OPT1 interface, with its own AP and SSID, for the guests.

      Some APs are capable of doing two or more SSIDs at the same time, having each SSID connected to its own VLAN. Use a VLAN-capable switch to connect the right VLAN to the right interface, LAN or OPT = trusted or guests.

      Dono what "velop" is.

      @dominikhoffmann said in Segregate native and guest users via captive portal?:

      I imagine that the captive portal functionality would establish two lists of MAC addresses and have distinct firewall rules for each.

      One of the two firewalls of the captive portal is ipfw, which also uses MAC addresses.
      The IP firewall - the rules you see in the GUI - doesn't work with MACs.

      A simple captive portal is easy to set up.
      You need a pfSense, an AP, and have a look at the pfSense YouTube/Netgate captive portal videos.

      No "help me" PMs please. Use the forum, the community will thank you.
      Edit: and where are the logs??

        DominikHoffmann @Gertjan
        last edited by Mar 29, 2021, 3:48 PM

        @gertjan: Thanks very much for the description!

        My Velop system (Linksys—a Belkin company—consumer-level mesh WiFi system) does allow for two SSIDs but only firewalls guest SSID clients from the LAN inside of the system’s router subsystem, which I am not using, because I want to use my pfSense box.

        I’ll have to see whether the captive portal might be the right route for me. Having two of everything, just to have a guest network, is too expensive and cumbersome for my home network.

          Gertjan @DominikHoffmann
          last edited by Mar 30, 2021, 6:07 AM

          @dominikhoffmann

          Keep in mind that you do not want to have a 'router' device in a captive portal network. Just switches and plain access points.

            DominikHoffmann @Gertjan
            last edited by Mar 30, 2021, 5:37 PM

            @gertjan: That’s why I have turned off the router functionality, except for the router being able to report to the Linksys cloud servers for remote management. I have turned off DHCP on the Linksys AP and instead have turned on DHCP on the SG-1100’s OPT port. All Wi-Fi clients thus bypass the router functionality of the Velop system.
