Setup a Captive portal for PON Network
-
Hi all,
Currently, I setup a topology which is using the PON architecture, as the picture below:
I've had some trouble:
- When enable Captive portal:
- The WAN interface in ONT can't get the IP from DHCP server
- Captive portal doesn't work, not redirect to other page (Login or Accept) for accessing Internet
- The WAN connection of pfSense is unstable: The WAN interface still gets the IP but I can't access WEB GUI and ping to internet from WAN interface. So, I need to do some CLI to config the IP for WAN interface to get the IP, and then it's normal
Do you have the performance review for pfSense? I want to deploy this model in the real site for serving around 200-500 users. If you have, please share something with me.
I'd be thankful for any of your recommendations!
-
@huyhieu9900 said in Setup a Captive portal for PON Network:
When enable Captive portal: The WAN interface in ONT can't get the IP from DHCP server Captive portal doesn't work, not redirect to other page (Login or Accept) for accessing Internet
The first issue says 'nothing after LAN works'.
That includes 'captive portal'. Even a PC (world's most simple connection) with a LAN cable won't work.
As already discussed earlier this week, don't put 'routers' in a "captive portal" network.
It's possible, but there is a price to pay.
And you have to face the portal gods .... experts might consider doing this, but no one came back with the 'how it went' story.
So : captive portal ? => Ok, use dedicated pfSense interface, a cable, a big switch, more switches, and access points. Life will be easy.
Btw : in the past we always started 'simple' : a WAN, a switch, one or two devices and we build up from there.
The keyword was step-by-step.
That's not done anymore ?
@huyhieu9900 said in Setup a Captive portal for PON Network:
Do you have the performance review for pfSense?
Noop.
Here in France, I've seen a mid size airport hooked (2 million passengers a year) up to a dual HA pfSense. A double 6100. These are running in circles doing close 'nothing'. Hundreds of portal users.
Thousands have been mentioned here for other sides.
Entire schools.
And if things go heavy : take the sledge hammer method : TNSR - and use a dedicated Portal 'server'.
-
@Gertjan said in Setup a Captive portal for PON Network:
The first issue says 'nothing after LAN works'.
That includes 'captive portal'. Even a PC (world's most simple connection) with a LAN cable won't work.
Yes, in the LAN site, connected by LAN cable, client can receive IP from DHCP server of pfSense, but still can't access internet and redirect to the portal page
@Gertjan said in Setup a Captive portal for PON Network:
As already discussed earlier this week, don't put 'routers' in a "captive portal" network.
You mean the ONT. We can't replace ONT because customer requires ONT for accessing internet by Wi-Fi
@Gertjan said in Setup a Captive portal for PON Network:
Btw : in the past we always started 'simple' : a WAN, a switch, one or two devices and we build up from there.
I know, the popular topology deploys in the AON infrastructure. But currently, customer has a demand for deploying in the GPON infrastructure. So I need to test based on GPON topology
@Gertjan said in Setup a Captive portal for PON Network:
Noop.
Here in France, I've seen a mid size airport hooked (2 million passengers a year) up to a dual HA pfSense. A double 6100. These are running in circles doing close 'nothing'. Hundreds of portal users.
Thousands have been mentioned here for other sides.
Entire schools.
Thank you for your information!
@Gertjan said in Setup a Captive portal for PON Network:
That's not done anymore ?
I did step-by-step, but the basic issue is pfSense didn't allow internet access when enabling CP.
-
@huyhieu9900 said in Setup a Captive portal for PON Network:
but the basic issue is pfSense didn't allow internet access when enabling CP.
In short: when you use a router in the captive portal network, pfSense (the captive portal) can't "see" the portal user's MAC anymore.
The captive portal can work without the MAC information (of every connected client), but that leaves only the IP of the client as a client-identification.
See also captive portal issues : Troubleshooting Captive Portal which uses a friendly language to tell you you broke 'DNS'
Well, yeah, you shouldn't do that.
-
@Gertjan said in Setup a Captive portal for PON Network:
In short: when you use a router in the captive portal network, pfSense (the captive portal) can't "see" the portal user's MAC anymore.
I see, the pfSense has just seen the MAC of router/ONT WAN. not client from router/ONT. So how can I deploy? Just connected direct the AP/ client to pfSense and then Captive portal is ready?
Thank you!
-
@huyhieu9900 said in Setup a Captive portal for PON Network:
Just connected direct the AP/ client to pfSense and then Captive portal is ready?
Like
@Gertjan said in Setup a Captive portal for PON Network:
use dedicated pfSense interface, a cable, a big switch, more switches, and access points.
I know this isn't what you want to achieve, but a captive portal 'wants' to use/see the actual client IP and MAC addresses.
A captive portal, on the pfSense side, is just a set of firewall rules. And these need these two, as there is not else to handle upon.
-
@Gertjan said in Setup a Captive portal for PON Network:
I know this isn't what you want to achieve, but a captive portal 'wants' to use/see the actual client IP and MAC addresses.
A captive portal, on the pfSense side, is just a set of firewall rules. And these need these two, as there is not else to handle upon.
Hi Gertjan,
I've done to setup the whole system, and it worked.
However, now I consider to use a separate DHCP server, not rely on pfSense. Could I deploy this model? And How to setup network connection between DHCP server <--> pfSense <--> AP?
Thank you!
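
Added illustration, not part of any post in this thread and not pfSense code: a toy model of the point made earlier in the thread that the portal identifies clients by source IP and MAC, and of what it observes when an ONT/router sits between it and the clients. All addresses are constructed, and the `Portal` class and function names are hypothetical.

```python
# Toy model added for illustration; not pfSense code. All addresses are constructed.
from typing import NamedTuple, Optional

class Host(NamedTuple):
    ip: str
    mac: str

# Constructed sample hosts: three Wi-Fi clients and the ONT's WAN side.
CLIENTS = [Host("10.0.0.11", "02:00:00:00:00:01"),
           Host("10.0.0.12", "02:00:00:00:00:02"),
           Host("10.0.0.13", "02:00:00:00:00:03")]
ONT_WAN = Host("192.168.1.50", "02:00:00:00:00:aa")

def observed(client: Host, router: Optional[Host] = None, nat: bool = False) -> Host:
    """Source (IP, MAC) the portal interface sees for a client's packet."""
    if router is None:                  # switch / bridged AP: frame arrives unchanged
        return client
    if nat:                             # ONT in NAT mode: its own WAN IP and MAC
        return router
    return Host(client.ip, router.mac)  # routed, no NAT: IP kept, MAC is the router's

class Portal:
    """Tracks logged-in clients by (ip, mac), or by ip only when use_mac=False."""
    def __init__(self, use_mac: bool = True):
        self.use_mac = use_mac
        self.sessions = set()

    def _key(self, h: Host):
        return (h.ip, h.mac) if self.use_mac else h.ip

    def login(self, h: Host) -> None:
        self.sessions.add(self._key(h))

    def allowed(self, h: Host) -> bool:
        return self._key(h) in self.sessions

def passes_after_first_login(router: Optional[Host] = None, nat: bool = False,
                             use_mac: bool = True) -> int:
    """Log in only the first client; count how many clients then pass the portal."""
    portal = Portal(use_mac)
    seen = [observed(c, router, nat) for c in CLIENTS]
    portal.login(seen[0])
    return sum(portal.allowed(h) for h in seen)

def distinct_macs(router: Optional[Host] = None, nat: bool = False) -> int:
    """How many different client MACs the portal interface can tell apart."""
    return len({observed(c, router, nat).mac for c in CLIENTS})
```

With clients attached through switches and bridged access points, each client is a separate session; behind a NAT ONT the three clients collapse into one IP/MAC pair, so the portal can no longer tell them apart.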