Captive Portal & WAN interface



  • Hello guys,

    I enabled the captive portal. I need it work on the WAN interface and I take nothing. I got the service tested on the LAN interface and it's fine. Shouldn't it work ON WAN the same way it does on the LAN? Am I missing something?

    Joe



  • I suspect that both you and I are missing something. I'm not sure I understand what you want to do. By asking for Captive Portal on WAN it seems to me you are wanting to block access from the internet EXCEPT to systems that pass the captive portal by quoting a registered username and password or a valid voucher code. Is that correct?

    I don't understand and I take nothing

    One thing I suspect you are missing is that the interfaces named LAN and WAN in pfSense and special and not equivalent. For example, in the default configuration access from WAN to other interfaces is blocked EXCEPT for connections that have already been established from one of the other interfaces.



  • What do you want to do?



  • Hi again,

    It looks I was not clear enough and I didn't explained the whole story. I'm sorry about that.

    I configured NAT on WAN and opened port 80. Next, on Port Forward I'm sending the packets to my apache publisher on the subnet. So I want everyone accessing port 80 to go through the Captive Portal. I hope that can be done without too much hassle. The Captive Portal service is working quite well on the LAN interface.

    Thanks in advance for your help.

    Joe



  • That is a reverse Captive Portal which is presently not supported.
    If you need the feature you can contat support.pfsense.com



  • Thank you for this last answer. That ratifies what I perhaps had in mind. I was not sure at all and I wanted to be pretty sure about it.

    Thank you again. You guys are awesome.

    Joe



  • Hello!

    I have a similar (?) problem.
    We are on a public network (subnetted B class IP, part of a university). We have lots of wifi APs all around, NOT in the same subnet (routers between).
    Currently, all AP's have dd-wrt in them, with chillispot captive portal to auth the users.

    Is there a way to 'unite' these wifi-APs, to make them connect through a pfsense box? AND use the captive portal in it?

    My idea was to make a PPTP server on the pfsense, configure the APs to  connect as PPTP clients, and captive the PPTP interface. But it looks like not that easy.
    (The pfsense box only has a WAN interface.)

    any idea?
    thx



  • You could add NICs to your pfSense box: either physical NICs or VLAN interfaces with a VLAN capable switch acting as a "port multiplier" then connect the APs to the additional interface(s) and enable captive portal on the additional interface(s). If you do a search on the forums for VLAN port multiplier you will find a number of posts on the subject of using VLANs to get additional interfaces on a pfSense box..



  • Hmm. I can add a physical NIC to the PFS box, but i cannot "connect the APs to the additional interface", because all the APs are on the WAN side, with public IP's, lots of them miles away. That's why i thinking about a VPN, but how can i assign a PPTP connection to a physical interface?
    In the "Interfaces" menu, i can add the pptpdX interfaces, but CP doesn't work. Should i bridge them to physical nic or something? I'm a bit noob for this…

    thx



  • @Ravine:

    i cannot "connect the APs to the additional interface", because all the APs are on the WAN side, with public IP's, lots of them miles away.

    If I understand your setup correctly, i.e. that your APs are dispersed across several different locations miles apart and presumably connected via their own links to the Internet, it doesn't seem a good idea to tunnel their traffic back to your location via a VPN, to go in and back out of your pfSense box, just in order to use pfSense's CP.

    If all you need is to centrally authenticate your AP users, since you already run the chillispot CP on your ddwrt APs, a better idea would be to use a central RADIUS server.



  • @dhatz:

    @Ravine:

    i cannot "connect the APs to the additional interface", because all the APs are on the WAN side, with public IP's, lots of them miles away.

    If I understand your setup correctly, i.e. that your APs are dispersed across several different locations miles apart and presumably connected via their own links to the Internet, it doesn't seem a good idea to tunnel their traffic back to your location via a VPN, to go in and back out of your pfSense box, just in order to use pfSense's CP.

    If all you need is to centrally authenticate your AP users, since you already run the chillispot CP on your ddwrt APs, a better idea would be to use a central RADIUS server.

    Ok, i see. Actually, i use RADIUS centrally. What i wanted is to make the AP's DDwrt-free (i have more problems with new AP's), and a central firewall/CP would be nice. But i think you're right, tunneling back isn't a good idea. WPA-Enterprise isn't good enough from the point of casual users.

    thx



  • it might work if your wan links between campuses is somewhere 500mbps+
    So amount of the other trafic don't make any exception to authentication trafic



  • @Metu69salemi:

    it might work if your wan links between campuses is somewhere 500mbps+
    So amount of the other trafic don't make any exception to authentication trafic

    The WAN links are good enough, the backbone is gigabit afaik. And, eventually, if the central building goes down, the RADIUS server goes down, so every building loses wifi auth. But that's a rare case. But i still don't know how CP the end-users, who are transparently connect to the pfsense box through a PPTP connection of the wifi routers. Is it possible actually?

    thx



  • I don't know if GRE tunnels are supported on your APs; they are on pfSense. See pfSense man page on gre - http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html
    GRE tunnels apparently don't use encryption so should be a lighter load on AP CPU and pfSense server CPU than a VPN.



  • @wallabybob:

    I don't know if GRE tunnels are supported on your APs; they are on pfSense. See pfSense man page on gre - http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html
    GRE tunnels apparently don't use encryption so should be a lighter load on AP CPU and pfSense server CPU than a VPN.

    Well..dd-wrt doesn't support it on the webgui, however it's linux, so it's probably possible. But looks like the newer firmwares doing it differently (2.4 vs 2.6 kernel). I don't feel the power in me to do it by hand… i'm sure it gets worse eventually :)

    thx


Log in to reply