Netgate Discussion Forum

    pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!

    Tags: captive portal, vlans, unifi
    5 Posts 3 Posters 2.1k Views
    • BogusException

      Experts,

      Desire; tl;dr:
      -Allow one group of users to log in to WiFi with name/passwd, with their traffic on a VLAN configured at APs and pfSense firewall.
      -Other users authenticate normally on a few SSIDs/VLANs, with others just logging on with one password (Guests).

      Setup:

      1. Any number of unifi APs, running multiple SSIDs and a VLAN for each one.
      2. One Network (VLAN, SSID, LAN segment) is a guest one with a single password, no portal.
      3. One network is sensitive/office, but still a secure WiFi passwd for all.
      4. They want volunteers to be on a network (VLAN, SSID, LAN segment) whereby each volunteer logs on with a user/passwd, which is fine on pfSense local database.
      5. Running on commodity HW, with 2 phys NICs.

      Network detail:
      10.10.0.0/24 is the LAN net (no VLAN)
      10.10.10.0/24 is the LAN net for VLAN 10 (Office, servers, secure)
      10.10.20.0/24 is the LAN net for VLAN 20 (Team/Volunteers, need individual login creds) <- DESIRED
      10.10.30.0/24 is the LAN net for VLAN 30 (Guests, one password for the WiFi AP for all, meaning no login after the AP authorizes; anonymous)

      How close am I?

      Since there are no thorough tutorials on this kind of setup, I get as far as the client passing the AP's password challenge, BUT I cannot get the web client to then go to the portal login. If, however, I type in the portal IP (*.1 on all nets), I get the challenge form...

      I have tried so many things, I probably have settings from stock that don't even make a difference by now...

      Anyone else doing this? And can you only do one captive portal per LAN interface?

      Thank you very much in advance if you can commiserate, or perhaps offer insight. :-) 😢

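How the captive portal login "pop-up" actually gets triggered, as an added example that is not part of the original thread and not pfSense code: right after associating, client operating systems fetch a fixed probe URL over plain HTTP and only show the login sheet when the reply differs from the expected one, which is normally because the portal answered with a redirect. The probe URLs and expected replies are the real ones Apple and Android clients use; the listener port 8002, the `redirurl` parameter name, the client address 10.10.20.50 and the simplified handling of HTTPS probes are assumptions for illustration. The portal address 10.10.20.1 follows the VLAN 20 plan in the post above.

```python
"""Added example (not from the thread): a model of the HTTP exchange behind
the captive-portal login 'pop-up'.  Real clients fetch a fixed probe URL and
show the login sheet only when the reply is not the expected one; a redirect
from the portal is the usual trigger.  Port 8002, the `redirurl` parameter
and the handling of HTTPS probes are assumptions for illustration."""
from dataclasses import dataclass, field
from urllib.parse import quote

PORTAL_ADDR = "10.10.20.1"   # pfSense address on VLAN 20, per the thread's plan
PORTAL_PORT = 8002           # assumed portal listener port

# Probe URL each client family fetches, with the reply it expects when online.
PROBES = {
    "apple":   ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
}


@dataclass
class Portal:
    addr: str = PORTAL_ADDR
    port: int = PORTAL_PORT
    authenticated: set = field(default_factory=set)  # client IPs already logged in

    def login_url(self, original: str) -> str:
        # Carry the original URL so the client can be sent back after login.
        return f"http://{self.addr}:{self.port}/?redirurl={quote(original, safe='')}"

    def handle(self, client_ip: str, url: str, tls: bool) -> tuple:
        """(status, headers, body) as the portal answers a client.  None as
        status means the request was passed through to the real server.  The
        portal cannot read a TLS request to a foreign host, so in this model
        it drops it (status 0) instead of redirecting."""
        if client_ip in self.authenticated:
            return (None, {}, "")
        if tls:
            return (0, {}, "")
        return (302, {"Location": self.login_url(url)}, "")


def upstream_answer(url: str) -> tuple:
    """Constructed stand-in for the real probe servers (mirrors PROBES)."""
    for probe_url, status, body in PROBES.values():
        if url == probe_url:
            return (status, {}, body)
    return (404, {}, "")


def classify(kind: str, status, headers: dict, body: str) -> str:
    """Client-side verdict: 'online', 'captive' (show the sheet) or 'blocked'."""
    _, want_status, want_body = PROBES[kind]
    if status == 0:
        return "blocked"            # no reply at all: most clients show nothing
    if status in (301, 302, 303, 307) and "Location" in headers:
        return "captive"
    if status == want_status and body == want_body:
        return "online"
    return "captive"                # any other tampered reply also counts


def run_probe(portal: Portal, client_ip: str, kind: str, tls: bool = False):
    """One probe from a client on VLAN 20; returns (verdict, redirect target)."""
    url = PROBES[kind][0]
    if tls:
        url = "https://" + url[len("http://"):]
    status, headers, body = portal.handle(client_ip, url, tls)
    if status is None:
        status, headers, body = upstream_answer(PROBES[kind][0])
    return classify(kind, status, headers, body), headers.get("Location")


if __name__ == "__main__":
    portal = Portal()
    for kind in PROBES:
        print("before login", kind, run_probe(portal, "10.10.20.50", kind))
    portal.authenticated.add("10.10.20.50")
    for kind in PROBES:
        print("after login ", kind, run_probe(portal, "10.10.20.50", kind))
```

The same exchange is the check to run against the real box: from a client on the Team SSID, `curl -sI http://captive.apple.com/hotspot-detect.html` should come back as a 302 whose Location points at the VLAN 20 address. A plain 200 with "Success" means the request is not passing through the portal at all, typically because the client is not landing on the interface the portal is bound to, and only a manual visit to the *.1 address will ever show the form. An HTTPS probe cannot be intercepted this way, which is why the model reports it as blocked rather than captive.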
      • stephenw10 (Netgate Administrator) @BogusException

        @bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:

        I get as far as the client passing the AP's passwd challenge,

        Do you mean simply entering the wifi pass key (WPA2/3)?

        Or are you using the Unifi captive portal for that?

        If it's the latter then serial captive portals could be a problem.

        Steve

        • BogusException @stephenw10

          @stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:

          1. Employees see the AP's SSID, "Team" for example.
          2. They enter the known password, known by all team peeps.
          3. They are presented with the CP (captive portal) challenge for user & pw from pfsense.
          4. They have their own user & password on pfSense, and use it to get past the challenge.
          5. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.

          Now for each of your questions:

          Do you mean simply entering the wifi pass key (WPA2/3)?
          Yes. Steps 1 & 2 above.

          Or are you using the Unifi captive portal for that?
          I was/am not aware that is an option, that is, only entering their unique creds when connecting to the AP. I'm fine with that!

          If it's the latter then serial captive portals could be a problem.
          I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.

          Really, as long as each user can log onto the network (VLAN 20) via WiFi, it is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.

          P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.

          I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.

          • stephenw10 (Netgate Administrator)

            Hmm, OK this doesn't seem that complex. From pfSense's point of view it's just 4 interfaces, 3 are VLANs, one has a captive portal enabled on it. The rest is just different firewall rules on those interfaces.

            It's recommended to avoid using tagged and untagged traffic on the same interface because you can run into unexpected issues if tags are stripped incorrectly by a switch in the path.
            It certainly can and will work though, as long as everything is configured correctly.

            Are you seeing anything at all on the two VLANs?
            Do clients using those SSIDs get an IP address from pfSense as expected?

            You say pfSense only has two interfaces so I assume there are unmanaged switches in your network?
            Unmanaged switches usually pass VLAN traffic without an issue but you cannot guarantee that.

            Steve

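A way to check the interface layout described in the reply above from the pfSense shell, as an added example that is not code from the thread or from pfSense itself: parse `ifconfig -a` output, flag any parent NIC that carries both an untagged address and 802.1Q children (the tagged-plus-untagged mix warned about), and compare each interface's address against the subnet plan from the first post. The sample output is constructed to mirror FreeBSD's `ifconfig` format and is not a capture from a real box; the interface name igb1 and the deliberately mistyped VLAN 20 address are assumptions made for the demonstration.

```python
"""Added example (not from the thread): parse FreeBSD/pfSense `ifconfig -a`
text and report (a) parents that mix untagged and 802.1Q-tagged traffic and
(b) interface addresses that fall outside the planned subnets.  SAMPLE is a
constructed imitation of FreeBSD output, not a real capture."""
import ipaddress
import re

# Plan from the first post: VLAN id (or untagged parent name) -> subnet.
PLAN = {
    "igb1": ipaddress.ip_network("10.10.0.0/24"),   # untagged LAN (name assumed)
    10: ipaddress.ip_network("10.10.10.0/24"),      # Office
    20: ipaddress.ip_network("10.10.20.0/24"),      # Team/Volunteers
    30: ipaddress.ip_network("10.10.30.0/24"),      # Guests
}

SAMPLE = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255
        inet6 fe80::211:22ff:fe33:4455%igb1 prefixlen 64 scopeid 0x2
        status: active
igb1.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        groups: vlan
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.2.1 netmask 0xffffff00 broadcast 10.10.2.255
        groups: vlan
        vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1.30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.30.1 netmask 0xffffff00 broadcast 10.10.30.255
        groups: vlan
        vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

HEADER = re.compile(r"^(\S+): flags=")
INET = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")
VLAN = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")


def parse_ifconfig(text: str) -> dict:
    """name -> {'inet': [IPv4Interface...], 'vlan': id or None, 'parent': name or None}"""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"inet": [], "vlan": None, "parent": None})
            continue
        if cur is None:
            continue
        m = INET.match(line)
        if m:
            prefix = bin(int(m.group(2), 16)).count("1")   # hex netmask -> prefix length
            cur["inet"].append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
            continue
        m = VLAN.match(line)
        if m:
            cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
    return ifaces


def mixed_parents(ifaces: dict) -> list:
    """Parents that carry an untagged IPv4 address *and* have 802.1Q children."""
    parents = {i["parent"] for i in ifaces.values() if i["parent"]}
    return sorted(p for p in parents if p in ifaces and ifaces[p]["inet"])


def plan_mismatches(ifaces: dict, plan: dict) -> list:
    """(iface, address, expected subnet) for every address outside its plan."""
    out = []
    for name, i in sorted(ifaces.items()):
        expected = plan.get(i["vlan"] if i["vlan"] is not None else name)
        if expected is None:
            continue                       # lo0 and anything not in the plan
        for addr in i["inet"]:
            if addr.network != expected:
                out.append((name, str(addr.ip), str(expected)))
    return out


if __name__ == "__main__":
    parsed = parse_ifconfig(SAMPLE)
    print("parents mixing tagged and untagged:", mixed_parents(parsed))
    for name, addr, expected in plan_mismatches(parsed, PLAN):
        print(f"{name}: {addr} is not in planned {expected}")
```

On the box, run `ifconfig -a` (Diagnostics > Command Prompt, or an SSH shell) and feed its text to parse_ifconfig. The parser cannot see what an unmanaged switch does to tags on the way to the APs; for that, the check in the reply still applies: confirm that clients on each SSID get a lease from the matching pool under Status > DHCP Leases before looking at the portal itself.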
            • NogBadTheBad @BogusException


              Seems overly complex; have you thought about using WPA2-Enterprise & FreeRADIUS?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.