Using CP on OPT interface with wireless AP?

  • Ok there has got to be a stupid answer to this one, but I can't seem to find it.
    I will try to give as much detail as I can.

    I am trying to use the CP on an OPT interface and am hanging a Wireless router used only as an AP off this interface. It is connected using a crossover cable.  This same config worked fine in monowall.

    The router has an internal IP of my OPT interface has one of
(what is the difference between static and DHCP under interfaces > opt1 > General configuration anyway?)

    pfsense LAN is
    DHCP is on on CP interface and range is (above .2 of course)

    I have seen hoba ask several people if they have the IP of the wireless as the gateway DNS for clients…Have tried both the actual IP of the router and the OPT dice.  I am maybe misunderstanding this here?

    I have a firewall rule to permit any proto anywhere just like LAN and WAN

    OPT interface is enabled, as is captive portal and it is on that interface.

    I can connect wireless through the AP and get an IP from pfsense (DHCP is turned off on the AP), but not get anywhere else.
    The portal page will just not come up.
    I can click on the "view current page" under Services:Captive portal to see the portal pages...they will work there, but only there.

    I have had this setup working before in monowall, but for the life of me can't do it again with pfsense.
    I was able to use the MAC passthrough with pfsense before, but even that won't work now.
    I never had any issues with monowall's CP it always worked out great...there has to be some little setting I'm missing.
    I understand there to be very little difference between the mono version and pfsense version.

    Anyway if there is anything anyone can clarify or any details anyone needs to ask go ahead.


  • Is the HTTPS server name set correctly?  The HTTPS server name should be the DNS name (in which case DNS servers should be reachable w/o logging into the portal) or IP address of the Opt interface.  Can you plug into the pfsense box and test for similar behavior just to rule out any complications with the wireless?  The captive portal is pretty much the same code from m0n0wall unless something has drastically changed recently.  CP uses ipfw and not pf.

  • the IP of the https server is the pfsense local IP right?
    I have set it as so in the Services:Captive portal section and the Services: DHCP server > CaptivePortal > DNS servers section to no avail.

    Ethernet adapter Wireless Network Connection 3:

            Connection-specific DNS Suffix  . : local
            Description . . . . . . . . . . . : Linksys Wireless-B USB Network Adapter
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . :
            Subnet Mask . . . . . . . . . . . :
            Default Gateway . . . . . . . . . :
            DHCP Server . . . . . . . . . . . :
            DNS Servers . . . . . . . . . . . :
            Lease Obtained. . . . . . . . . . : Thursday, December 14, 2006 3:56:59 PM
            Lease Expires . . . . . . . . . . : Thursday, December 14, 2006 5:56:59 PM

    I think there is a machine that I can hook directly up to the pfsense box, but it may take me a few mins to get it over there.
    I will try and post back.


  • ok, I was able to hook into the router being used as an AP via the built in 4 port switch, get an IP and same results as earlier.
    Also used the same crossover cable that was hooking into the AP (completely bypassing the router/AP) for the computer I hooked up with same results.  Got an IP and nothing else.

    What next?

  • make the DNS server or add as an always-passthrough address on the captive portal

  • the DNS server was 192.168.11.1 prior.
    I changed it back and still nothing.
    I tried adding the as Allowed IP addresses both from and to (2 entries) to no avail again.

    Any other ideas?


  • If the captive portal is running on the opt interface, the HTTPS server name needs to be the address (or resolvable DNS name) of that interface or else it will get captured and redirected to an address outside the captive network ( and go nowhere.


  • ok, the https server name is the same as the address for the opt interface I am running the CP on now and still nothing.

    I happen to have an OPT1 and OPT2 on this box and just for troubleshooting I tried to switch everything CP wise to the other (OPT2) interface with the same results.

    I am to the point of starting over. 
    I guess I will do the reset to factory defaults when the workday is over and start from scratch.

    Is there a tutorial on how to set up the CP from scratch?

    Or does anyone feel like throwing one together??
    I have seen the ones on doing it for radius and integrated user manager, but they both use the LAN and don't show you how to do the OPT interface. 
    I don't remember it being this difficult the last time I did it in monowall, but I am obviously missing something.

    thanks for the help so far

  • did you make sure there are no pf rules prohibiting the connection to the opt address/interface?  From the CLI can you see the lighttpd instances running? Check and make sure they are actually running; this should show you at least:

    netstat -an |grep 800
    tcp4       0      0  *.8001                 *.*                    LISTEN

    That's the SSL captive portal instance.

    tcp4       0      0  *.8000                 *.*                    LISTEN

    is the standard non-ssl page.

    You can also do

    ps -auxww |grep light
    root    320  0.0  1.2  3480  3032  ??  S    Tue03PM   0:13.68 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
    root    409  0.0  1.0  3000  2420  ??  S    Tue03PM   0:12.12 /usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal-SSL.conf

    to see what is running.

  • Please upgrade to the latest testing snapshot.  I fixed a rules issue for CP + OPT interfaces.

  • Do you happen to have a cvs link for the change?  I can dig for it if you don't have it on hand.  I'm curious to see what changed.


  • I hope to have time to update this weekend.
    I will report back as soon as I do the update.


  • Ok, I documented everything I did as I did it so that someone can hopefully tell me what I did wrong.
    I did the full update to latest snapshot and then after it rebooted I did a reset to factory defaults and went through that reboot.

    From there I went through the wizard and changed my time zone and password. That is all.

    Then I have to log in in IE since Firefox won't let you get to the system menu with the default skin... some javascript error or whatever is doing the rollover and dropdown. Changed the skin to pfsense... back to Firefox 2.0.

    Ok then I changed the name of the OPT1 interface to CP, changed its IP to, enabled it and clicked on save.

    I then went to DHCP server, clicked on the CP tab and checked enable... then put in the range from to .60.
    Not sure what to put for DNS servers or gateway, but as I have been told earlier I put in for DNS.
    Clicked save.

    Go to Captive Portal, check enable choose the CP interface, click on save. No other changes.

    Go to firewall > Rules  click on CP tab, click on add new rule.  Click on save.  Hit Apply
    Results in this:
    Proto  Source  Port  Destination  Port  Gateway 
    TCP * * * * *

    Result is the same as before.
    Went back to Services:Captive portal > Allowed IP addresses and because of advice given above added both from and to (2 entries) and hit apply both times.

    Result is same as before.

    The one thing I was able to try this time since there are no users other than me on was to try the captive portal on the LAN.
    It works perfectly and since I had no authentication I simply clicked on continue and off I it was intended.

    So what am I doing wrong here?

    Oh, all this testing was done with a computer hooked directly to the pfsense box via a crossover cable and it can get an IP in the range I put in.

    Thanks for any help anyone can give me here.

  • @danbutter:

    Then I have to log in in IE since Firefox won't let you get to the system menu with the default skin... some javascript error or whatever is doing the rollover and dropdown. Changed the skin to pfsense... back to Firefox 2.0.

    That's strange. Actually all devs use Firefox for testing and development. Something must be borked with your Firefox. Maybe some extension or setting or whatever. I'm using the webgui nearly exclusively with Firefox and don't have issues. I rarely use something else, just to test if it works in other browsers too.

  • I just tested captive portal at opt1 interface with a wrap using local user manager. Works like expected. Just a stupid idea, does your browser use a proxy?

  • Not a stupid idea, but no.
    I have to believe that it is a stupid issue though.

    I have multiple workstations that I can use and none of them have issues with the internet or connecting to outside vpn…I just can't get the CP to work.

    Does it look like I am doing anything wrong with the setup?

    thanks for checking for me.

  • It looks ok. In general you need to use the interface IP of the captive portal enabled interface as DNS server for the redirect to work and to bring up the CP page. After authenticating at the CP page the firewall rules present for the interface will be applied. From what you did I don't see any obvious error. Maybe a reinstall would help. Is this a system that has been upgraded a lot of times already, starting with a pretty old version?
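
    The listener check from the netstat/ps post above and the DNS rule in this reply, folded into a few shell functions as an added example of how I'd script the sanity checks (this is not pfSense's own code; the netstat and ps samples and the 192.168.11.1 address are constructed from values posted in the thread):

```shell
# Added example (not pfSense code): consolidates the checks suggested in this thread
# into shell functions. Sample outputs below are constructed from the lines posted
# above; 192.168.11.1 is the sample OPT/CP interface address mentioned earlier.

# Constructed netstat -an output: both lighttpd captive portal listeners present.
SAMPLE_NETSTAT='tcp4       0      0  *.8001                 *.*                    LISTEN
tcp4       0      0  *.8000                 *.*                    LISTEN
tcp4       0      0  *.443                  *.*                    LISTEN'

# Constructed ps -auxww output: webConfigurator plus the SSL captive portal instance.
SAMPLE_PS='root   320  0.0  1.2  3480  3032  ??  S  Tue03PM  0:13.68 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root   409  0.0  1.0  3000  2420  ??  S  Tue03PM  0:12.12 /usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal-SSL.conf'

# Returns 0 when both captive portal listeners (8000 plain, 8001 SSL) are in LISTEN state.
# Live use: cp_listeners_ok "$(netstat -an)"
cp_listeners_ok() {
    printf '%s\n' "$1" | grep -q '\.8000 .*LISTEN' || return 1
    printf '%s\n' "$1" | grep -q '\.8001 .*LISTEN' || return 1
}

# Returns 0 when a lighttpd process is running with a captive portal config file.
# Live use: cp_process_ok "$(ps -auxww)"
cp_process_ok() {
    printf '%s\n' "$1" | grep -q 'lighttpd -f /var/etc/lighty-CaptivePortal'
}

# Returns 0 when the addressing follows the rule above: the DHCP scope on the CP
# interface hands out that interface's own IP as DNS, and the HTTPS server name is
# that IP or a name resolving to it (pass the resolved address as optional 4th arg).
# Usage: cp_addressing_ok OPT_IP DHCP_DNS HTTPS_SERVER_NAME [RESOLVED_HTTPS_ADDR]
cp_addressing_ok() {
    opt_ip=$1
    dhcp_dns=$2
    https_addr=${4:-$3}
    [ "$dhcp_dns" = "$opt_ip" ] || return 1
    [ "$https_addr" = "$opt_ip" ] || return 1
}

# Runs the three checks against the constructed samples and reports the first failure.
cp_sanity_check() {
    cp_listeners_ok "$SAMPLE_NETSTAT" || { echo "captive portal listeners missing"; return 1; }
    cp_process_ok "$SAMPLE_PS" || { echo "lighttpd captive portal instance not running"; return 1; }
    cp_addressing_ok 192.168.11.1 192.168.11.1 192.168.11.1 \
        || { echo "DHCP DNS and HTTPS server name must be the CP interface IP"; return 1; }
    echo "captive portal checks passed"
}
```

    On a live box, replace the constructed samples with the real netstat, ps and DHCP/portal settings; a failing check points at the same step the thread walks through.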

  • I actually tried two different systems, one of which was from back at .9xx something. But I never went past 1.0.1 with that one.
    The current one I am using is using the latest snapshot that sullrich posted. This box was a fresh install of 1.0.1.

    I could burn a disc and try a new install.

    Maybe tomorrow.

  • Please send me your config.xml to holger <dot>bauer <at>citec-ag <dot>de. Maybe some other feature like nat reflection or whatever is not playing well in the mix.

  • will do, but in the meantime I have even more weirdness to report.

    Ok this box has 4 nics and therefore 2 OPT interfaces.
    Just messing around I left the OPT1 that I had named CP alone. No changes at all.

    I then enabled the OPT2 interface.
    Gave it an IP of
    went to the DHCP server put that IP as the dns and set a range from to .55
    Went to firewall > rules and this time set ANY rather than leaving it at TCP.
    Plugged in the wireless and it worked!
    Tried with computer and the crossover cable and it worked!

    I thought great! it works, but…
    I used a usb wireless adapter  on my main computer.  I would switch between them in network connections by disabling one and using the other one to test the wireless.

    Well... when I went to switch back to the wired nic which should be LAN I got an IP from the OPT2 interface!
    I tried to release and renew...same IP.  I tried to use flushdns in between there...same IP.
    I rebooted the machine...same IP.
    I went to another PC on the network that still had a valid lease and got into the web interface and turned off the OPT2 interface...same IP.
    I then turned it back on, went to the DHCP server for OPT2 and disabled it.

    Now I can get an IP for the LAN as I am supposed to.

    I'm starting to think my pfsense box is haunted.

    sending the config in a couple mins here.

  • @danbutter:

    Ok, I documented everything I did as I did it so that someone can hopefully tell me what I did wrong.

    Ok then I then changed the name of the OPT1 interface to CP, changed it's IP to 192.168.11/24, enabled it and clicked on save.

    Thanks for any help anyone can give me here.

    I hope you mean

  • yes, I did mean

    Good catch though.

  • Just to update this, I was able to do the same thing on the OPT1 interface.
    I changed the IP to a /16 rather than /24 and changed the firewall rule to ANY rather than just TCP and it works.

    However the DHCP server for the OPT interface still takes over my LAN clients.
    I have to turn off the DHCP server for the OPT interface to get the one on the LAN interface to work again.

    hoba…Did you get the config.xml that I sent to you?

  • Didn't get anything yet.

  • well, I sent it out on the 16th so I either typed something wrong or maybe your email doesn't like hotmail?

    Either way I am attaching it now.
    I don't think there is anything private in there.


  • Ok, I'll test it with one of my systems soon.

  • Ok thanks.
    No hurry. 
    I won't be messing with the box till next year at this point anyway.

    I do believe that I will do a fresh install of 1.0.1 though as there are things like the shaper wizard that are broken for me in the snapshot.
    I also keep getting a very strange thing where some computers on my network will only get between 5 and 6MB to the internet while others get 20Mb….it isn't all the time....just strange.
    So I think a fresh install is in order after the holidays.

  • Ok. Just installed 1.0.1 on a 4801-60. All is working fine for me until I enable captive portal (CP). I basically have my network configured the same way. Here is what I have

    sis0: LAN:
    sis1: WAN: DHCP (Public IP Supplied by SBC DSL Modem)
    sis2: OPT: (Airport wireless Network with WDS)

    sis0 is running a DHCP server for the LAN clients
    sis2 is running a DHCP server for the users that are wireless

    all this works before enabling CP. Once I enable CP the browser never gets redirected to the CP to allow me to authenticate.

    any ideas?

  • @hoba:

    …you need to use the interface IP of the captive portal enabled interface as DNS server for the redirect to work and to bring up the CP page....

  • After reading through the thread before posting my post I had noticed that and have set it up accordingly. The DHCP server that assigns IP addresses on that interface assigns the interface as the primary DNS server.

    Still NO go.  ;-(
