Not been able to get CP working on OPT1 tagged VLAN

  • Have everything up & running properly without captive portal.
    WAN interface up & working
    LAN up & working
    OPT1 (LAN2) is up & working; have a /24 subnet, DHCP server and NAT to WAN for Internet access, all working great & tested.

    I've tested this same arrangement on a physical box with 3 separate interfaces and it works fine there.

    This system is different in that it is a virtual machine running on Windows and VMware Server.
    The physical server has two network interfaces. My virtual machines bridge their interfaces to either of the two physical NICs.

    My Windows server has 2 physical interfaces and one virtual interface (the 3rd interface is VLAN tagged for the VLAN I intend to use for wireless).
    This is using the Intel server NICs and setting up VLANs on the interfaces.

    I have the special VLAN interface tagging VLAN packets and sending them to a managed switch, which is VLAN aware and also has ports set up as
    port VLAN ports for the wireless access points. I ONLY pass specific VLAN traffic to and from the port VLAN ports on the switch.

    My pfSense (virtual machine) has 3 interfaces: WAN, LAN and OPT1.

    The WAN and LAN are set up for what you'd call a normal or usual network, allowing Internet access to the LAN and NATing traffic to a single public IP.

    I have set up OPT1 to do the same on another subnet as well (LAN2).

    All works and has been working great for some time.

    OPT1 is bridged to the wireless VLAN interface (virtual interface) on the physical server, which in turn is VLAN tagging out to the managed switch, which has port VLAN ports to the wireless access points,
    which all works!!
    But if I turn on the captive portal for OPT1, clients on the OPT1 network still get a DHCP address and can ping the address of the OPT1 interface, but cannot get past the OPT1 interface or to the Internet.
    Nor do they get the normal redirect login page.

    I suspect something that is being done on the CP is not compatible with tagged VLANs somehow. :-(

    If you have any thoughts on something I might be missing, that'd be great. I realize this is not the normal or usual setup or use of the captive portal :-)
    But it IS cool. :-) and otherwise is allowing one server to do a lot of really cool things.
    & If you're not really used to working with VLANs, this post might be really confusing without a visual network diagram.

  • That's actually a very common captive portal setup. If you disable CP, can the clients get out fine? With it enabled, do they get DNS? Their DNS server must be the DNS forwarder, or otherwise you must put in the DNS server as an allowed IP.

  • Thank you. I feel like a total idiot.
    I thought all along I had the DNS forwarder on, but I had disabled it earlier as it wasn't needed before bringing up the CP.
    I also forgot that it is needed for the CP, for obvious reasons. URGH!

    Works great..

    This thing (pfSense) is awesome. We are starting to get some paid jobs because of how well done this is, how reliable it is, and how impressive the user interface is.
    It's seriously the ONLY web interface I have ever used that I'd say was done right.
    I plan to be rolling in a year of PAID support with our next big job even if I could get away without it.