CP, trying to setup dual LAN, need guidance

  • I'm not really sure if this belongs in the captive portal forum, but heres what I've been trying to do.

    I currently have 3 NICs in my box; LAN, WAN, OPT1.  OPT1 connects to a Netgear wireless AP.  What I want to do is setup captive portal to "gate" access to the OPT1 interface.

    Is this possible?  If so, can you provide some insight on how to do it?  I've been messing around with it and its giving me nothing but headaches.  I had OPT1 bridged to the LAN and it worked, for a few minutes, except I wasn't able to get access out from OPT1 (yeah, set a rule too).

    My AP is setup to pass on DHCP requests, so I'm guessing I have to setup OPT1 with a DHCP server–except it wouldn't let me select a range (said to

  • If I understand you correctly you try to setup something like a reverse captive portal. That's not doable with the captive portal the way it is now.

  • No, I don't think it would be reverse.  Reverse would be on the WAN side, right?  Let me draw it out:


    • LAN->Switches
    • WAN->Modem
    • OPT1->CP->wireless ap

    When a wireless user connects they obtain an IP from DHCP (on pfsense), then get prompted to login with CP.  OPT1 should also be able to talk to the other interfaces for the time being, unless I decide to lock it down.

  • Once a user has authenticated the firewallrules present at the cp enabled interface are obeyed, so you can give them access to lan or a single host or special ports or whatever. All depends on the rules.

  • Ok so everything I described can be done then?  I guess I just need more patients to debug it because it wasn't working correctly.

  • It should work ok for you if I get you right.

  • Ok so what am I missing here, when I try to enable DHCP server on OPT1 it says:
    Subnet mask
    Available range -

    And won't let me choose a range.  Keeps saying "The specified range lies outside of the current subnet."

    Oh and I'm using 1.0.1

  • Your interfaces>opt1 config must be invalid. It calculates the values from what is set there.

  • Ok I set it correctly there except after I go to DHCP server->OPT1 it disappears and reverts back the set IP range.

    Heres more details from the interface status page:
    rl1 LAN
    Status  up
    IP address 
    Subnet mask

    rl0 OPT1
    Status  up
    DHCP up 
    IP address 
    Subnet mask

  • Why did you set opt1 to dhcp? It doesn't get a lease. There doesn'T seem to be a server on that interface.

  • Hm, well that would make sense, now wouldn't it!  Maybe you can append a note to that page, "if you're trying to setup a DHCP server on this interface, select static"

    I should be good to go after a little more tampering, thanks for all your help.

  • That option is for dhcp client, not as dhcp server  ;)

  • ::)

    Ok, ran into another snag.  I've got the access point all configured correctly so its on, I can access from the LAN it and it passes thru CP, now the next item on the agenda would to make CP work on OPT1.  When I try to access the net from my laptop it says it can't find the server, although its connected properly and has an IP address (  I can access the access point config since I setup as an allowed "from" ip in CP.

    Any ideas?  Its probably something simple I'm just overlooking as I did before  :-X

    Edit: I can also access the CP page ( from my LAN.
    Edit 2: I have a rule for OPT1 also set, from OPT1 subnet to any.

  • Make sure clients at opt1 are using the pfsense opt1 IP as dns.

  • Yep, the access point is configured with dns and gateway of, double checked my laptop and it confirms this.

  • Try to delete the allowed IP OPT1 IP. Not sure if this prevents the redirection to the CP page.

  • Hm, ok removed the allowed IP in CP.  Still isn't forwarding to the CP login page.

    Another note, can't access from OPT1 but can from the LAN.

  • What version are you running?

  • 1.0.1 full install

  • Then I'm out of ideas  :-\

  • Ok another idea, disabled CP and I still can't get out to the internet from OPT1…  I'm close, I can taste it.

  • Try to reboot, maybe something broke somewhere in between the misconfigurations.

  • Another question before I do though, what should the gateway be set to on OPT1, the same as the LAN one?

    Edit: getting traffic thru OPT1 after the reboot, no gateway set on OPT1 now also.

    Edit 2:  ;D yay! its working!!

  • Yes, you shouldn't have a gateway unless it's an additional WAN.

  • Sorry for warming up this old thread, but i have the same problem.
    I'm using the latest snapshot - my setup is:

    WAN - DHCP
    LAN - - DHCP Server on
    OPT1 - - DHCP Server and Captive Portal on

    Traffic from LAN to WAN is no problem. But when i'm connecting on OPT1 and enter f.e. "www.google.com" in my browser, there is no redirection to the Captive Portal page. If i enter "" the Captive Portal page ist perfecly shown up an the auth works also. But no connection to the internet.
    DNS Server for the clients on OPT1 is
    I tried reinstalling pfSense but this didnt work either.

    any ideas?


  • Please specify latest snapshot including version and builddate. We have resynced the CP just yesterday against m0n0's code. Are you already running that version?

  • 1.0.1-SNAPSHOT-02-27-2007
    built on Wed Feb 28 10:30:50 EST 2007

    Edit: Installation was performed with the 02 25 2007 snapshot and then updatet via webinterface

    Edit2: I tried a complete reinstall with 1.0.1-SNAPSHOT-02-27-2007 built on Wed Feb 28 16:56:55 EST 2007
    with the same result - i think i forgot something very little…but what...?

    Here my steps

    1. Start PC with pfSense Live CD and assign the interfaces

    • LAN - DHCP on
    • WAN DHCP (in my test setup
      2. Install pfSense to Harddisk
      3. Deactivate "Block local..." on WAN interface 
      5. Activate OPT1
    • OPT1
      6. Activate DHCP Server on OPT1
    • Range:
      6. Activate Captive Portal on OPT1
      7. Result = failed as discribed above

  • i miss you setting up the rules for opt1 interface to access the lan or internet
    for the lan interface these rules are there by default
    you can copy the default lan rule to the opt1 interface and edit it to use the opt1 interface

  • Thank you guys my problem is solved :)

Log in to reply