Captive Portal on a Bridge

  • Dear PFSense Users,

    I'm hoping to receive some help getting my setup working.

    Attached to this post is a simple diagram showing the intended setup of a new pfsense system.

    The existing LAN has a gateway and firewall and uses a public registered Internet address space.

    The introduction of a wireless controller into the premises, which needs to use this LAN for Internet traffic only
    means that we need some security and so RADIUS authentication from a captive portal is required.

    As the LAN already exists and already has a firewall and router attached to it which cannot be replaced, we need to use a transparent filter to protect/shield one segment containing the wireless access controller.  This traffic will be behind the captive portal. VLANs are used in the switch fabric to provide either the open access or captive segments of the network.
    suffice to say that traffic on the captive side of the network must traverse the bridge to get to the gateway & thus the Internet.

    At this bridge, I wish to have the captive portal.   Please note that the traffic cannot be routed inside the pfsense device only filtered/captiveportalled/bridged


    • PFsense is installed fine on the host and the network interfaces are plumbed and attached.  The bridge has an IP address on the LAN and can get to the Internet itself  (in fact an auto-upgrade was performed on it).

    • PFsense can also reach the radius and syslog interfaces on the internal network, which is where the webConfigurator can be reached from also.

    • The DHCP server for the whole LAN is now on the bridge, which is working fine, as hosts on both sides receive a lease fine.

    However no traffic passes through the bridge, and also I've not yet managed to see a captive portal redirect.

    • Once the lease is obtained on a host on the protected segment of the lan, the only traffic it seems to get is ARP traffic.  I.e, the host will receive an ARP entry for the gateway and the bridge's IP, but no other traffic is passed.

    • the permitted IP addresses in the Captive Portal config are also not adhered to, as the DNS server should always be permitted, but DNS lookups fail

    • I can't ping hosts on the Internet or the other side of the bridge.

    • If I add firewall rules to the pfsense, it will pass ALL traffic

    • I've tried all combinations of pfil_member and pfil_bridge settings in the advanced options

    Hopefully somebody can shed some light onto how I may proceed to get this working.

    I can post the config if required.


    Rob Shepherd

  • Captive portal with bridging has never been supported, though with 2.0 the input validation has been relaxed a bit so it can be enabled on the bridge interface itself, as long as it has an IP assigned. That's intended for scenarios where the bridge's IP is the default gateway, not transparent bridges. I don't think what you're looking to do is possible, based on some testing.

  • Many thanks for your response.

    There is a work around for this scenario - and that is to NAT into the existing LAN and 1:1 NAT from one subnet to the other.

    Hopefully the pfSense will provide firewall logs of translations so we can match user's traffic on the Internet to authenticated traffic on
    wireless LAN.

    I don't know of another distribution that supports this feature, maybe ZeroShell?

    - so we may just build one!



Log in to reply