Captive Portal over wireless bridge
-
I did search the forum and found one post from 2012 identifying this problem, but without resolution.
Using pfSense 2.3.4. I use captive portal to block all internet traffic except on devices I have whitelisted using MAC addresses. This has worked great for years. Recently I decided to add another building to the network using a wireless bridge. DHCP works fine over the bridge, but when I try to whitelist a device using its MAC address, it doesn't work. If I use the "copy my mac" button from the device in question, the MAC address that gets copied is actually the MAC address of the bridge. This then grants unlimited internet access to all devices on that side of the bridge. If I copy and paste the correct MAC address instead, it still takes the user to the captive portal login page. Ironically, when I look at the DHCP status page, it identifies the correct MAC addresses, so it isn't that the pfSense box can't see the MAC addresses.
Has anyone else seen this problem?
-
@jose2292 Replying to my own post with a little further information.
I suspected I could circumvent this issue by using vouchers with extremely long expirations. However, when I used a voucher from the bridged location, the voucher was assigned to the MAC address of the bridge rather than the end device, which would once again give unlimited internet access to all devices on that side of the bridge. Likewise, if I logged into the captive portal as a regular user, it lists the MAC address of the bridge rather than the end user device.
-
Which means your bridge should bridge one level lower.
Now, it looks more like what routers do. "Real" bridges behave like switches, they do not modify IP, MAC and other details in the IP packets.
Like, for example, CPL devices.
-
@gertjan You are confirming my suspicions that it was related to the hardware employed. I have ordered hardware from a different vendor to test. Thank you for your thoughts on the matter.
-
@gertjan Further update. I tried with different hardware on the bridge side... no luck. It still does the same thing. If I connect directly to the AP, rather than using the bridge, the pfSense captive portal identifies my MAC address correctly, but if I use the bridged network, it identifies my MAC address as the one of the bridge device, not the end machine I am on. I fail to understand why the DHCP server running on the same pfSense box can identify the MAC address correctly, but the captive portal cannot. I may do some testing with a more up-to-date version of pfSense to see if the issue persists across versions.
-
2 guesses on what your wireless bridge is doing: acting like a router and a DHCP relay.
These 2 things would explain the behavior you are seeing.
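
A diagnostic sketch for the symptom in this thread, added here as an example and not posted by any participant: it compares the Ethernet source MAC of a DHCP request with the `chaddr` client MAC carried inside the DHCP payload, and checks `giaddr` for a relay agent. A DHCP lease is recorded against `chaddr`, which would explain why the DHCP status page shows the end device while anything keyed on the layer-2 source sees the bridge. The function names, MAC addresses and relay address are constructed for illustration, and that the captive portal keys on the layer-2/ARP MAC is an assumption.

```python
import socket
import struct

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def inspect_dhcp_frame(frame: bytes) -> dict:
    """Compare the Ethernet source MAC with the client MAC inside the DHCP payload."""
    if len(frame) < 14 + 20 + 8 + 236:
        raise ValueError("frame too short for Ethernet/IPv4/UDP/BOOTP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 17:
        raise ValueError("not IPv4/UDP")
    udp = 14 + (frame[14] & 0x0F) * 4          # honour the IPv4 header length
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} - {67, 68}:
        raise ValueError("not DHCP")
    bootp = frame[udp + 8:]
    if len(bootp) < 236:
        raise ValueError("truncated BOOTP header")
    l2_src = fmt_mac(frame[6:12])              # what a switch or ARP table sees
    chaddr = fmt_mac(bootp[28:28 + min(bootp[2], 16)])  # what the client wrote itself
    giaddr = socket.inet_ntoa(bootp[24:28])    # non-zero once a relay agent forwarded it
    if giaddr != "0.0.0.0":
        verdict = "relayed"                    # a DHCP relay sits between client and server
    elif l2_src != chaddr:
        verdict = "mac-translated"             # bridge rewrote the Ethernet source
    else:
        verdict = "transparent"                # frame arrived with the client's own MAC
    return {"l2_src": l2_src, "chaddr": chaddr, "giaddr": giaddr, "verdict": verdict}

def build_discover(l2_src: str, chaddr: str, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample: minimal DHCPDISCOVER frame (checksums left at zero)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                        raw(chaddr), b"", b"") + bytes([99, 130, 83, 99, 53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + raw(l2_src) + b"\x08\x00" + ip + udp

if __name__ == "__main__":
    client, bridge = "02:00:00:aa:bb:01", "02:00:00:cc:dd:02"  # constructed MACs
    for src, gi in ((client, "0.0.0.0"), (bridge, "0.0.0.0"), (bridge, "192.168.50.1")):
        print(inspect_dhcp_frame(build_discover(src, client, gi)))
```

To use it on real traffic, feed it raw Ethernet frames from a capture taken on the firewall's LAN-side interface while a device behind the bridge renews its lease.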
-
@andyrh Do you have any ideas on how to get them to behave correctly as true "bridges?"
I updated the firmware on the bridge, ensured the AP was on latest firmware, and updated to latest pfSense/Netgate version on the router and different router hardware, all to no avail.
Can anyone comment if they have a similar setup working correctly?
The two different bridges I have used ran TyconOS and Pharos respectively.
-
Unfortunately no, I have little experience with wireless bridges.