• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Captive Portal configuration for multiple VLAN

Scheduled Pinned Locked Moved Captive Portal
3 Posts 2 Posters 678 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    salousama
    last edited by Jun 8, 2023, 12:56 PM

    I am trying to activate a captive portal for more than one interfaces (meaning two different VLAN). The attempt is to also use HTTPS login. If I specify the hostname of the pfsense host (e.g. pfsense.example.com), it resolves to the LAN address. So far so good, but when a DHCP client (not in LAN) attempts to be redirected to the captive portal, it times out. For example:

    LAN: 192.168.42.0/24
    VLAN 1: 192.168.10.0/24 (Captive portal enabled)
    VLAN 2: 192.168.20.0/24

    1. DHCP client gets an IP from VLAN 1.
    2. Hitting the browser, it tries to redirect to pfsense.example.com, which resolves (successfully) to the LAN address.
    3. The timeout occurs.

    The firewall rules for VLAN 1 allow everything (for troubleshooting) and the logs don't indicate it's a firewall deny case, at least up to the current investigation progress.

    An option would be to override the DNS host in the resolver, but it does not support a per interface override. Haven't explored the possibility of a forwarder or BIND for now.

    Am I missing something with regards to the captive portal setup maybe?

    G 1 Reply Last reply Jun 8, 2023, 1:18 PM Reply Quote 0
    • G
      Gertjan @salousama
      last edited by Jun 8, 2023, 1:18 PM

      @salousama

      Do it like this :
      For VLAN 1: 192.168.10.0/24 - create a host override (under Services > DNS Resolver > General Settings - at the bottom) : portal1.example.com pointing to 192.168.10.1
      For VLAN 1: 192.168.20.0/24 - create a host override (under Services > DNS Resolver > General Settings - at the bottom) : portal2.example.com pointing to 192.168.20.1

      If possible, use the acme.sh pfSense package to get a *.example.com certicate.

      Then

      75eb7da9-a311-45a8-beae-0aefa99546cb-image.png

      for the first "192.168.10.0/24" portal.
      And portal2.example.com" for the "192.168.20.0/24" portal.

      This is the issue :

      @salousama said in Captive Portal configuration for multiple VLAN:

      Hitting the browser, it tries to redirect to pfsense.example.com,

      when the device (portal user) isn't authenticated, the GUI firewall rules aren't even used yet.
      So you can't redirect to 'LAN'.

      The captive portal uses "Hidden" pf (firewall) rules that :
      Let pass DNS (port 53, TCP and UDP) request to itself (pfSense).
      Redirect incoming 'TCP 80' to the internal 127.0.0.1:800a
      Redirect incoming 'TCP 443' to the internal 127.0.0.1:800(a+1
      )

      Nothing else passes.

      Again : when authenticated, the GUI captive portal interface firewall rules come into action.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      S 1 Reply Last reply Jun 8, 2023, 1:37 PM Reply Quote 0
      • S
        salousama @Gertjan
        last edited by Jun 8, 2023, 1:37 PM

        @Gertjan Thank you for your response and effort, it all makes sense then.. I will try out the different DNS overrides and see how that will go.

        1 Reply Last reply Reply Quote 0
        3 out of 3
        • First post
          3/3
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
          This community forum collects and processes your personal information.
          consent.not_received