Netgate Discussion Forum
    WiFi Users should connect via PPPoE Server

      ocavid

      Hi,

      It might be weird, but let me state it this way. Here is our setup:

      <wifi users> -------- <wifi router> ------- <pfSense w/ CP> ----- <internet>

      Our problem is that when a WiFi user logs in to the CP, all others connected to a certain WiFi router can surf without being asked by pfSense for authentication. We did set Disable MAC Filtering; all that pfSense gets is the same IP and MAC (the WiFi router's).

      One way we thought of, but we don't know how, is to enable the PPPoE server in pfSense and make all users connect via the PPPoE server. In this way we thought that each user would have a direct connection to pfSense, making the Captive Portal work for each of them. This means all connected users will not be able to surf unless they make a VPN connection to the pfSense PPPoE server.

      Will this be possible, and how could it be done? Any idea or guide is very much welcome.

      Thanks,
      ocavid

        GruensFroeschli

        Stop doing NAT on the wifi router, and route
        or
        Usually a wifi router has an integrated switch (LAN ports) and a WAN port.
        Connect the pfSense to one of the LAN ports instead of the WAN. -> wired to wireless bridge.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          ocavid

          @GruensFroeschli:

          Stop doing NAT on the wifi router, and route
          or
          Usually a wifi router has an integrated switch (LAN ports) and a WAN port.
          Connect the pfSense to one of the LAN ports instead of the WAN. -> wired to wireless bridge.

          Yeah, we tried this option, but our client doesn't want the wifi users to be able to connect to the wired network. What they want is something like a VPN, where all wifi routers must be directly routed to pfSense. What they would like is to use the existing network infrastructure without adding additional wiring specifically for the wireless network.

            GruensFroeschli

            I don't see in your diagram where the rest of the network is and how it relates to the WLAN.
            If your WLAN users are on their own interface on pfSense, then how can wireless users access the wired LAN?

            If they are not on their own port: why should the captive portal prevent them from accessing the internal wired LAN?

              ocavid

              Actually it is something like this:

              <wifi users> --- <wifi routers> --- (wired lan) --- <firewall> --- <internet>
                              1              2         |                             |
                                                       +--------- <pfsense> ---------+
                                                                 3         4

              1 = Wifi (e.g. 192.168.0.1)
              2 = WAN port of wifi routers connected to wired LAN (e.g. 192.168.3.200/24)
              3 = LAN port of pfSense (e.g. 192.168.3.240/24)
              4 = WAN port of pfSense (public IP)

              IPs in the wired LAN are in 192.168.100.0/24

              They want all WiFi access to be for internet only.

                GruensFroeschli

                There is no way pfSense can protect the wired LAN if the wifi routers are connected directly to it.

                Do your wifi routers support VLANs?
                Do they have built in firewalls?
                Do they support any form of VPN themselves?
                To what kind of switches are the wifi routers connected? Are these switches VLAN capable?

                  ocavid

                  @GruensFroeschli:

                  There is no way pfSense can protect the wired LAN if the wifi routers are connected directly to it.

                  Do your wifi routers support VLANs?
                  Do they have built in firewalls?
                  Do they support any form of VPN themselves?
                  To what kind of switches are the wifi routers connected? Are these switches VLAN capable?

                  :) this settles it.

                  wifi routers do not support vlans.
                  they have builtin firewalls.
                  most of the wifi routers support PPPoE
                  switches are diverse, some are capable of vlan some are not.

                  thanks!

                    GruensFroeschli

                    Well, if the wifi routers have a firewall, I would simply set up a routed network (use the WAN port, have a different subnet for the WLAN), and simply only allow the pfSense as destination.
                    Block everything else.

                      capnsteve

                      Why not set the routers to AP mode and use pfSense as the gateway and have it do the DHCP for all the wireless?  And though I'm not sure what you're doing for DHCP, if you've already got that part working then just set the wired connections to the pass-through IPs and leave the wireless stuck facing the captive portal?

                      I mean, of course multiple users are going to get through after one person has auth'd, as pfSense is just seeing one device that has auth'd.  That's why you'd use APs, not routers.

                      Our solution to something like this involved routing the wireless through a separate, communications-isolated VLAN routed by the core switch and using WAPs pointed at the gateway (pfSense).
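
Added example, not part of any post in this thread and not pfSense code: a simplified model of a captive portal that keys sessions on source IP and MAC, showing why one login behind a NAT-ing wifi router opens access for every client behind it, while AP (bridge) mode keeps clients distinct. The `CaptivePortal` class, the client names, client addresses and all MAC values are constructed; only 192.168.3.200 comes from the thread.

```python
from dataclasses import dataclass

# Router WAN IP is the thread's example; the MAC is a constructed placeholder.
ROUTER_WAN_IP, ROUTER_WAN_MAC = "192.168.3.200", "02:00:00:00:00:c8"

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str
    user: str  # ground truth for the demo; the portal never sees this field

def nat_router_mode(frame):
    """Router mode: NAT rewrites the source IP, and the routed hop replaces the MAC."""
    return Frame(ROUTER_WAN_IP, ROUTER_WAN_MAC, frame.user)

def access_point_mode(frame):
    """AP/bridge mode: layer-2 forwarding leaves source IP and MAC untouched."""
    return frame

class CaptivePortal:
    """Hypothetical, simplified portal: one session per (IP, MAC) pair."""
    def __init__(self, mac_filtering=True):
        self.mac_filtering = mac_filtering
        self.sessions = set()

    def _key(self, frame):
        # With MAC filtering disabled, only the source IP identifies a session.
        return (frame.src_ip, frame.src_mac) if self.mac_filtering else (frame.src_ip,)

    def login(self, frame):
        self.sessions.add(self._key(frame))

    def allows(self, frame):
        return self._key(frame) in self.sessions

def users_passing_without_login(forward, mac_filtering=True):
    """The first client logs in; return the other users the portal lets through."""
    clients = [Frame(f"192.168.0.{10 + i}", f"02:00:00:00:00:{10 + i:02x}", name)
               for i, name in enumerate(["alice", "bob", "carol"])]  # constructed
    portal = CaptivePortal(mac_filtering)
    seen = [forward(c) for c in clients]  # what pfSense actually receives
    portal.login(seen[0])
    return [f.user for f in seen[1:] if portal.allows(f)]

if __name__ == "__main__":
    print("router/NAT mode:", users_passing_without_login(nat_router_mode))
    print("AP/bridge mode: ", users_passing_without_login(access_point_mode))
```

Toggling `mac_filtering` changes nothing in router mode, because both the IP and the MAC that reach the portal belong to the router.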
