Segregate native and guest users via captive portal?

DominikHoffmann · Mar 27, 2021, 3:02 AM

I have never set up a captive portal before. All I know is that it should be conceptually be possible to have it segregate users into native users, i.e., those who have access to all LAN resources, and guest users who will only be granted internet access and will be blocked from the LAN.

I am using a Velop constellation for WiFi. But, because I basically am using it in bridge mode, I cannot use the Velop’s guest SSID feature, because it requires for the Velop system to act as the router. That would not allow me to use my pfSense appliance.

Segregation would be achieved by having guests use a guest password and family members use the one for LAN access. I imagine that the captive portal functionality would establish two lists of MAC addresses and have distinct firewall rules for each.

If, however, it requires VLANs and smart switches, I am afraid I don’t have this capability. I would love to know, before I slog through how to set up a captive portal, only to find out that what I am looking to do cannot be done.

Gertjan · Mar 29, 2021, 7:00 AM

The most simple setup is : a LAN interface, and a access point (not a router !) hooked up to the LAN interface.
Guests and LAN (trusted) users now all share the same access.

Better : a LAN interface, with its own AP's with a SSID, for the trusted users.
Another, OPT1 interface, with its own AP and SSID, for the quests.

Some AP's are capable of doing two SSID or more at the same time, having each SSID connected to its own VLAN. Use a VLAN capable switch to connect the right VLAN to the right interface, LAN or OPT = trusted or guests.

Dono what "velop" is.

@dominikhoffmann said in Segregate native and guest users via captive portal?:

I imagine that the captive portal functionality would establish two lists of MAC addresses and have distinct firewall rules for each.

One of the two firewalls of the captive portal is ipfw that uses also MAC address.
The ip firewall - the rules you see in the GUI - doesn't work with MAC's

A simple captive portal is easy to setup.
You need a pfSense. An AP, and have a look at the pfSense Youtube/Netgate captive portal videos.

DominikHoffmann · Mar 29, 2021, 3:48 PM

@gertjan: Thanks very much for the description!

My Velop system (Linksys—a Belkin company—consumer-level mesh WiFi system) does allow for two SSIDs but only firewalls guest SSID clients from the LAN inside of the system’s router subsystem, which I am not using, because I want to use my pfSense box.

I’ll have to see, whether the captive portal might be the right route for me. Having two of everything, just to have a guest network is too expensive and cumbersome for my home network.

Gertjan · Mar 30, 2021, 6:07 AM

@dominikhoffmann

Keep in mind that you do not want to have a 'router' device in a captive portal network. Just switches and plain access points.

DominikHoffmann · Mar 30, 2021, 5:37 PM

@gertjan: That’s why I have turned off the router functionality, except for the router being able to report to the Linksys cloud servers for remote management. I have turned off DHCP on the Linksys AP and instead have turned on DHCP on the SG-1100’s OPT port. All Wi-Fi clients thus bypass the router functionality of the Velop system.