Netgate Discussion Forum

    Relay Captive Portal to VLANs in Layer 3 Switch

    General pfSense Questions
    14 Posts 4 Posters 1.8k Views
    • CNCNITC

      In my network, users connect to a Layer 3 switch where multiple VLANs are defined. To be more precise, the gateways of the VLANs are defined in the L3 switch. The default gateway of the L3 switch is the IP address of the firewall, which connects to the WAN. Once I configure the captive portal in pfSense, the users in the default VLAN of the L3 switch are able to get the captive portal on their screens, but the users connecting to the other VLANs in the L3 switch are not able to get the login screen and are also not able to get internet connectivity on their machines. Without enabling the captive portal, everyone gets internet.

      I have been stuck here for days and have tried multiple options in pfSense, but I am not able to get it solved to date. Please help and guide me on how to get it solved.

      • johnpoz LAYER 8 Global Moderator @CNCNITC

        @cncnitc Well, since the captive portal uses MAC and is layer 2, the captive portal would never see the actual MAC of the client; it would be seeing the MAC of the switch that is routing the traffic.

        What switch are you using? Some offer a captive portal or HTTP auth method if the device cannot use the typical 802.1X auth that you normally do on a switch; this is normally for when you might have "guests", etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • JKnott @CNCNITC

          @cncnitc

          Wouldn't it be easier if those users are on a different SSID & VLAN? That way, they're already sorted out at the access point.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • johnpoz LAYER 8 Global Moderator @JKnott

            @jknott Yeah, with wifi it's easier for sure, but I take it the OP is also working with wired devices he wants to leverage a captive portal for.

            • JKnott @johnpoz

              @johnpoz

              Perhaps he can use DHCP option 132, to put the devices on a VLAN.

              • johnpoz LAYER 8 Global Moderator @JKnott

                @jknott Doesn't seem like he wants or is having issues assigning VLANs. His issue is he has downstream networks routed by his L3 switch.

                If his pfSense routed the networks then it wouldn't be an issue, because pfSense would be attached to the different L2 networks and see the MACs of all the clients in all the networks, and you could leverage the captive portal.

                • JKnott @johnpoz

                  @johnpoz

                  It's hard to say exactly what he's doing. My understanding is he's not getting the correct VLAN. A different SSID or DHCP option 132 would put those devices on the correct VLAN.

                  • CNCNITC @johnpoz

                    @johnpoz Thank you for the reply. We are using a D-Link 3630.

                    • CNCNITC @JKnott

                      Thanks to both of you, @johnpoz @JKnott. As you have discussed in the thread, I am not having any issues with DHCP. The only problem is I am not able to configure the captive portal, and unfortunately it is a wired network and needs to be used by guests as well as regular users.

                      • johnpoz LAYER 8 Global Moderator @CNCNITC

                        @cncnitc said in Relay Captive Portal to VLANs in Layer 3 Switch:

                        DLINK 3630

                        I have no experience with that switch, but a quick Google search turns up:

                        https://www.manualslib.com/manual/1344033/D-Link-Dgs-3630-Series.html?page=517

                        Web-based Access Control
                        Web-based Access Control (WAC) is a feature designed to authenticate a user when the user is trying to access the
                        Internet via the Switch. The authentication process uses the HTTP or HTTPS protocol. The Switch enters the
                        authenticating stage when users attempt to browse Web pages (e.g., http://www.dlink.com) through a Web browser.
                        When the Switch detects HTTP or HTTPS packets and this port is unauthenticated, the Switch will launch a pop-up
                        user name and password window to query users. Users are not able to access the Internet until the authentication
                        process is passed.

                        So it does look like you could have your switch do the captive portal auth for you.

                        • CNCNITC @johnpoz

                          @johnpoz In the switch, there is a user limit of 100 users on each port. Also, it has support only for plain text password authentication, which we are not able to use as per our RADIUS configuration. Anyway, I will explore more with the switch.

                          • johnpoz LAYER 8 Global Moderator @CNCNITC

                            @cncnitc said in Relay Captive Portal to VLANs in Layer 3 Switch:

                            t has support only for plain text password authentication

                            I don't have any experience with that line of switch, but it looks like you can use RADIUS for the web-auth, from a quick look at the CLI command listings. Which wouldn't be plain text, or wouldn't have to be, etc.

                            The only way you can get the pfSense captive portal to work is if the L2 is connected to pfSense. I have never heard of any sort of helper or proxy that could forward client MACs for use in a captive portal; even if you could, how would it work after the auth? The only MAC pfSense is ever going to see is the MAC of the switch port connected to pfSense on your uplink, since your switch is doing the L3 routing.

                            The simple solution would be to let pfSense do the routing; now you can run multiple captive portals on all your networks, etc.

                            Might want to take a look at https://www.packetfence.org/ . If it will work with that switch, you might be able to let it do the captive portal auth and just tell the switch to let the client on, etc.

                            It is a pretty well-rounded open source NAC.
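The point made in the two johnpoz posts above (a MAC-keyed portal behind a routing hop only ever sees the switch's MAC, and authorising that MAC would then cover every client behind it) can be shown with a small simulation. This is an added example written for this thread, not pfSense code or anything from the D-Link or PacketFence projects; the MAC and IP addresses, the `Frame` model and the `MacKeyedPortal` class are all constructed for illustration.

```python
"""Simulate a MAC-keyed captive portal with and without an L3 hop in front of it.

Constructed model, not pfSense code: a routing hop leaves the IP header intact
but rewrites the Ethernet header, so the portal sees one MAC for all clients.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


# Constructed addresses for the example (no real hardware).
HOST_A = ("aa:aa:aa:00:00:01", "10.10.1.10")   # client in VLAN 10
HOST_B = ("bb:bb:bb:00:00:02", "10.10.2.20")   # client in VLAN 20
GATEWAY_MAC = "cc:cc:cc:00:00:01"               # switch SVI the clients send to
SWITCH_UPLINK_MAC = "cc:cc:cc:00:00:ff"         # switch port facing the portal
PORTAL_MAC = "dd:dd:dd:00:00:01"                # portal (pfSense-like) LAN NIC
INTERNET_IP = "203.0.113.1"


class L3Switch:
    """Minimal router: forwards by IP and rewrites L2 addresses per hop."""

    def __init__(self, uplink_mac: str, next_hop_mac: str):
        self.uplink_mac = uplink_mac
        self.next_hop_mac = next_hop_mac

    def forward(self, frame: Frame) -> Frame:
        # Routing keeps the IP header but replaces the Ethernet source and
        # destination with the switch uplink and the next hop (the portal).
        return Frame(self.uplink_mac, self.next_hop_mac, frame.src_ip, frame.dst_ip)


class MacKeyedPortal:
    """Tracks clients and authorisations by source MAC, as a captive portal does."""

    def __init__(self):
        self.seen: dict[str, set[str]] = {}   # src MAC -> source IPs seen from it
        self.authorized: set[str] = set()

    def observe(self, frame: Frame) -> None:
        self.seen.setdefault(frame.src_mac, set()).add(frame.src_ip)

    def authorize(self, mac: str) -> None:
        # What happens after a successful portal login: the MAC is allowed through.
        self.authorized.add(mac)

    def allows(self, frame: Frame) -> bool:
        return frame.src_mac in self.authorized


def run_scenario(routed: bool) -> dict:
    """Return what the portal sees when host A logs in and host B does not.

    routed=False: portal sits on the same L2 segment as the clients.
    routed=True:  an L3 switch routes the VLANs and forwards to the portal.
    """
    switch = L3Switch(SWITCH_UPLINK_MAC, PORTAL_MAC) if routed else None
    portal = MacKeyedPortal()
    frames = {}
    for name, (mac, ip) in (("A", HOST_A), ("B", HOST_B)):
        first_hop = GATEWAY_MAC if routed else PORTAL_MAC
        frame = Frame(mac, first_hop, ip, INTERNET_IP)
        frames[name] = switch.forward(frame) if switch else frame
        portal.observe(frames[name])

    # Only host A completes the login; the portal authorises the MAC it saw.
    portal.authorize(frames["A"].src_mac)
    return {
        "distinct_macs": len(portal.seen),
        "A_allowed": portal.allows(frames["A"]),
        "B_allowed": portal.allows(frames["B"]),
    }


if __name__ == "__main__":
    print("L2 attached:", run_scenario(routed=False))
    print("behind L3:  ", run_scenario(routed=True))
```

With the portal on the same L2 segment it sees two MACs and only host A is let through. Behind the routing hop it sees a single MAC (the switch uplink) carrying both source IPs, so authorising host A's login also opens the path for host B, which is why the advice in the thread is either to let pfSense route the VLANs itself or to move the web authentication onto the switch or a NAC that sees the real client ports.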

                            • Dobby_ @CNCNITC

                              @cncnitc

                              The wired PCs and servers could be secured over LDAP. All the wireless units could be secured over the captive portal and the RADIUS server together, but for that the switch should support multiple user authentications per switch port. With that captive portal and voucher system you may also be able to write the VLAN ID directly into the voucher (RADIUS certificate), so all users will then be placed in the right VLAN.

                              But if you are working with RADIUS certificates and encryption together, you may forget about serving ~100 users per port! This is often a theoretical number and will be shortened due to the heavy traffic that is produced by using RADIUS and encryption.

                              If you set up a transfer network (VLAN) from the pfSense to the switch and then other VLANs for the wifi APs and wifi users, all the VLANs must be reachable by the pfSense by setting up ACLs on the switch (VLANs).

                              #~. @Dobby

                              Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                              PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                              PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                              • CNCNITC @johnpoz

                                @johnpoz @dobby_ Thank you, I will explore.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.