WiFi Users should connect via PPPoE Server



  • Hi,

    It might be weird, but let me state it this way. Here is our setup:

    <wifi users> -------- <wifi router> ------- <pfsense w/ CP> ----- <internet>

    Our problem is that when a WiFi user logs in to the CP, all others connected to a certain WiFi router can surf without being asked by pfSense for authentication. We did set Disable MAC Filtering; all that pfSense gets is the same IP and MAC (the WiFi router's).

    One way we thought of, but we don't know how, is to enable the PPPoE server in pfSense and make all users connect via the PPPoE server. This way, we thought, each user will have a direct connection to pfSense, making the Captive Portal work for each of them. This means connected users will not be able to surf unless they make a VPN connection to the pfSense PPPoE server.

    Will this be possible, and how could it be done? Any ideas and guides are very much welcome.

    Thanks,
    ocavid



  • Stop doing NAT on the wifi router, and route
    or
    Usually a wifi router has an integrated switch (LAN ports) and a WAN port.
    Connect the pfSense to one of the LAN ports instead of the WAN. -> wired to wireless bridge.



  • @GruensFroeschli:

    Stop doing NAT on the wifi router, and route
    or
    Usually a wifi router has an integrated switch (LAN ports) and a WAN port.
    Connect the pfSense to one of the LAN ports instead of the WAN. -> wired to wireless bridge.

    Yeah, we tried this option, but our client doesn't want the WiFi users to be able to connect to the wired network. What they want is something like a VPN, so that all WiFi routers are directly routed to pfSense. They would like to use the existing network infrastructure without adding additional wiring specifically for the wireless network.



  • I don't see in your diagram where the rest of the network is and how it relates to the WLAN.
    If your WLAN users are on their own interface on pfSense, then how can wireless users access the wired LAN?

    If they are not on their own port: why should the captive portal prevent them from accessing the internal wired LAN?



  • Actually, it is something like this:

    <wifi users>--- <wifi routers>---(wired lan) --- <firewall>--- <internet>
                    1            2        |                            |
                                          +----------<pfsense>---------+
                                                     3       4

    1 = WiFi (e.g. 192.168.0.1)
    2 = WAN port of WiFi routers connected to wired LAN (e.g. 192.168.3.200/24)
    3 = LAN port of pfSense (e.g. 192.168.3.240/24)
    4 = WAN port of pfSense (public IP)

    IPs in the wired LAN are in 192.168.100.0/24

    They want all WiFi access to be for internet only.



  • There is no way pfSense can protect the wired LAN if the wifi routers are connected directly to it.

    Do your wifi routers support VLANs?
    Do they have built in firewalls?
    Do they support any form of VPN themselves?
    To what kind of switches are the wifi routers connected? Are these switches VLAN capable?



  • @GruensFroeschli:

    There is no way pfSense can protect the wired LAN if the wifi routers are connected directly to it.

    Do your wifi routers support VLANs?
    Do they have built in firewalls?
    Do they support any form of VPN themselves?
    To what kind of switches are the wifi routers connected? Are these switches VLAN capable?

    :) this settles it.

    WiFi routers do not support VLANs.
    They have built-in firewalls.
    Most of the WiFi routers support PPPoE.
    Switches are diverse; some are capable of VLANs, some are not.

    thanks!



  • Well, if the WiFi routers have a firewall, I would simply set up a routed network (use the WAN port, have a different subnet for the WLAN), and simply only allow the pfSense as destination.
    Block everything else.



  • Why not set the routers to AP mode and use pfSense as the gateway, and have it do the DHCP for all the wireless? And though I'm not sure what you're doing for DHCP, if you've already got that part working, then just set the wired connections to the pass-through IPs and leave the wireless stuck facing the captive portal.

    I mean, of course multiple users are going to get through after one person has auth'd, as pfSense is just seeing one device that has auth'd. That's why you'd use APs, not routers.

    Our solution to something like this involved routing the wireless through a separate, communications-isolated VLAN routed by the core switch and using WAPs pointed at the gateway (pfSense).
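
The behaviour discussed in this thread, as an added example that is not part of any post: a toy model (not pfSense code) of a captive portal whose session table is keyed on the source IP and MAC it observes, comparing a NAT router with a bridged AP in front of it. All names and addresses are constructed, loosely following the subnets mentioned above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str

# Constructed sample data. In real AP mode the gateway's DHCP would hand out
# the client addresses; only the "identity is preserved" property matters here.
ROUTER_WAN = Frame("192.168.3.200", "02:00:00:00:00:01")
CLIENTS = {
    "alice": Frame("192.168.0.10", "02:00:00:00:00:0a"),
    "bob": Frame("192.168.0.11", "02:00:00:00:00:0b"),
    "carol": Frame("192.168.0.12", "02:00:00:00:00:0c"),
}

def nat_router(frame):
    """Router mode: source NAT, every client leaves as the router's WAN IP/MAC."""
    return ROUTER_WAN

def bridged_ap(frame):
    """AP (bridge) mode: the client's own IP and MAC reach the gateway unchanged."""
    return frame

class CaptivePortal:
    """Toy session table keyed on what the gateway can observe: (IP, MAC)."""
    def __init__(self):
        self.sessions = set()

    def login(self, frame):
        self.sessions.add((frame.src_ip, frame.src_mac))

    def allows(self, frame):
        return (frame.src_ip, frame.src_mac) in self.sessions

def who_gets_through(uplink, logged_in=("alice",)):
    """Return {client: allowed} after only `logged_in` authenticate via `uplink`."""
    portal = CaptivePortal()
    for name in logged_in:
        portal.login(uplink(CLIENTS[name]))
    return {name: portal.allows(uplink(f)) for name, f in CLIENTS.items()}

def distinct_identities(uplink):
    """How many separate clients the gateway can tell apart behind `uplink`."""
    return len({uplink(f) for f in CLIENTS.values()})

if __name__ == "__main__":
    for uplink in (nat_router, bridged_ap):
        print(uplink.__name__, distinct_identities(uplink), who_gets_through(uplink))
```

Behind the NAT router the gateway can distinguish only one identity, so a single login admits every client; behind the bridged AP each client has its own session.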

