Setting gateway on OPT = No Internet for Captive Portal users



  • I have LAN, OPT and WAN (PPPoE) interfaces. LAN & OPT are private subnets.
    The default gateway is the WAN (PPPoE) auto-generated entry.
    I created two outbound NAT rules on the WAN interface for LAN->Any & OPT->Any for Internet access via WAN.
    I created firewall rules on the LAN & OPT interfaces allowing LAN->Any & OPT->Any respectively so that both subnets can access each other and the Internet.
    Captive Portal is enabled only on OPT. I allowed IP addresses Any->LAN in the captive portal so that OPT can access LAN without logging in.
    Clients from each subnet have their default gateway set to pfSense's LAN address and OPT address respectively.

    The above setup works perfectly. LAN can access everything. OPT can access LAN, but must log into the captive portal to access the Internet.

    Problem:
    I have a 2nd Internet connection through an ADSL router on the OPT subnet. It's configured in NAT mode and has an IP address say, "BACKUP address" on the OPT subnet. I want pfSense to failover to this when the default gateway (WAN) is down.

    I added a gateway called BACKUP and specified BACKUP address as the gateway address. WAN is still the default gateway.
    Before creating the gateway group etc., I selected BACKUP as the gateway on the OPT interface so that BACKUP is recognised as a valid Internet gateway. Now OPT clients cannot access the Internet anymore after logging into the captive portal. The firewall rule for OPT->Any still has "default" as the gateway under advanced so it should still be using WAN for Internet. Even if for some reason it is routing OPT through BACKUP, the Internet should be working since both connections are functional, but it's not. (I'm not sure if I need a double NAT rule on OPT, but that's beside the point since AFAIK it shouldn't even be routing through BACKUP at this point since the gateways in the firewall rules are still "default".)

    If this is resolved I can go ahead and create the gateway group and use it as the gateway for the firewall & NAT rules. I don't want to proceed until I understand what's happening at this point and why it's failing.



  • Ok, I found that "default" gateway in the firewall rules means the gateway assigned to the interface the rule is created on and NOT the default gateway of the system routing table like the description says.



  • @KurianOfBorg:

    Ok, I found that "default" gateway in the firewall rules means the gateway assigned to the interface the rule is created on and NOT the default gateway of the system routing table like the description says.

    that's not true, it means the system's routing table and will use its default gateway.



  • @cmb:

    that's not true, it means the system's routing table and will use its default gateway.

    Then my original question still stands. I have outbound NAT rules for both WAN and OPT.
    The OPT->* firewall rule allows Captive Portal users to access the internet. However Internet access only works if I set the rule to use the WAN gateway (or the failover gateway group). It does not work if the rule is set to use the default gateway. I must remove the BACKUP gateway from the OPT interface settings in order for Internet to work with the default gateway in the rule.
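As an added illustration (not the thread's own configuration and not the ruleset pfSense generates), here is plain FreeBSD pf syntax for the three-interface layout discussed above, showing the mechanical difference between a pass rule that follows the kernel routing table's default route and one that carries route-to. Interface names, subnets and the BACKUP address are assumptions for the example.

```pf
# Added illustration, not pfSense's generated rules. Names, subnets and the
# BACKUP address below are assumed values for the example.
wan_if    = "pppoe0"         # WAN (PPPoE); holds the system default route
lan_if    = "em1"            # LAN
opt_if    = "em2"            # OPT; captive portal lives here
lan_net   = "192.168.1.0/24" # assumed
opt_net   = "192.168.2.0/24" # assumed
backup_gw = "192.168.2.254"  # "BACKUP address": ADSL router (NAT mode) on OPT, assumed

# Outbound NAT for both egress paths: the two WAN rules from the original
# post, plus the one needed when traffic is pushed back out via OPT to the
# ADSL router (the "double NAT" the post wonders about).
nat on $wan_if from { $lan_net, $opt_net } to any -> ($wan_if)
nat on $opt_if from { $lan_net, $opt_net } to ! $opt_net -> ($opt_if)

# LAN -> Any: no route-to, so the kernel routing table decides; with the
# default route on pppoe0 this leaves via WAN.
pass in quick on $lan_if from $lan_net to any keep state

# OPT -> LAN must never be policy-routed, so it is a plain pass rule listed
# before any Internet rule.
pass in quick on $opt_if from $opt_net to $lan_net keep state

# OPT -> Internet, variant A (use A or B, not both): no route-to, so exactly
# like the LAN rule the routing table's default route (WAN) is used.
pass in quick on $opt_if from $opt_net to ! $lan_net keep state

# OPT -> Internet, variant B: policy-routed. route-to overrides the routing
# table and hands the packet to the ADSL router on the OPT segment itself;
# only traffic matching a route-to rule is ever sent that way.
pass in quick on $opt_if route-to ($opt_if $backup_gw) from $opt_net to ! $lan_net keep state
```

After loading such a ruleset, `pfctl -sr` shows which pass rules carry route-to and `netstat -rn` shows the default route those without it will follow, which is the quickest way to see which of the two paths a given OPT client's traffic takes.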

