Captive portal logon decides what you get, possible?



  • I want to do this:

    I have my firewall computer, with two interfaces. On the outside, I got the internet, on the inside, I got my private network. If need be, network cards can be added.

    Now, what I want is to add WLAN and a captive portal for that (only). Now it gets tricky. What I want to do is that if I give my "family credentials", I get logged in and connected to the inside of the firewall, so I can access my private servers, yet also reach the internet. However, if I use the passwordless guest credentials, I get "logged in to the outside", i.e., I can only reach the internet, the inside network is unreachable.

    Is this doable, and if so, how?



  • pfSense, sometimes, it's like a box of chocolates, you never know what you are going to get... but I am sure the chocolate box has a list of the ingredients printed out somewhere!  :D
    The problem is that pfSense has not updated the lists for its sweet newer functions (as I just found out).
    So, Troberg, if I understand it rightly, to summarize, what you need is:

    1. An account (for the family) which has access to both the internal and external networks

    2. A guest account, without password, which can only access the external network (internet) but not the LAN

    3. Everything needs to work over a wireless network

    Here are my answers (which surely can be improved by some more knowledgeable member, but as nobody has dared yet, here I am  :D )

    1. Go to System>>User Manager and create as many accounts as you like, assigning the usernames, passwords, privileges and make them part of the Administrator's Group (I am not sure if this will allow them to have access to the web as well or not, as I am struggling to find an answer myself...)
    2. As I mentioned above, I can't manage to find which privileges will give a user access to the internet, as all the options I can see look as if they only give access to the many pfSense menu items.
    3. You will need an Access Point connected to one of the 2 interfaces you have on your computer


  • Since your family will not be changing hardware often, use the DHCP server to statically assign them IP addresses in a range you allow to access the LAN.  Place them in Allowed IPs if you wish and they will not need to log in.  Other users will use standard DHCP and leave that scope with no access to your LAN.  They would need to log in…
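
A check for the address plan suggested in the last reply, as an added example that is not part of the original thread or of pfSense: it verifies that the dynamic guest pool cannot hand out an address inside the statically mapped family range, and models which WLAN sources may reach the LAN. The subnets, MAC addresses and function names are assumptions made up for illustration.

```python
import ipaddress

def audit_wlan_plan(family_net, guest_pool, static_leases, lan_net):
    """Return a list of findings; an empty list means the address plan is consistent."""
    family = ipaddress.ip_network(family_net)
    lan = ipaddress.ip_network(lan_net)
    start, end = (ipaddress.ip_address(a) for a in guest_pool)
    findings = []
    # The dynamic pool must never hand out an address the firewall treats as family.
    pool_nets = ipaddress.summarize_address_range(start, end)
    if any(net.overlaps(family) for net in pool_nets):
        findings.append(f"guest pool {start}-{end} overlaps family range {family}")
    # WLAN clients must sit outside the LAN subnet so their traffic crosses the firewall.
    if family.overlaps(lan) or any(a in lan for a in (start, end)):
        findings.append(f"WLAN addressing overlaps LAN {lan}")
    # Every static mapping has to land inside the range the pass rule names.
    for mac, ip in static_leases.items():
        if ipaddress.ip_address(ip) not in family:
            findings.append(f"static lease {mac} -> {ip} is outside {family}")
    return findings

def wlan_rule_allows(src_ip, dst_ip, family_net, lan_net):
    """Model of the intended WLAN rules: only the family range may reach the LAN."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in ipaddress.ip_network(lan_net):
        return True   # internet-bound traffic is allowed for every WLAN client
    return src in ipaddress.ip_network(family_net)

# Constructed sample plan (all addresses and MACs are made up for illustration).
LAN = "192.168.1.0/24"
FAMILY = "192.168.50.16/28"            # .16-.31, reserved for static mappings
GUEST_POOL = ("192.168.50.100", "192.168.50.200")
LEASES = {"02:00:00:00:00:01": "192.168.50.17", "02:00:00:00:00:02": "192.168.50.18"}

if __name__ == "__main__":
    print(audit_wlan_plan(FAMILY, GUEST_POOL, LEASES, LAN))
    # A pool that starts inside the family range would give guests LAN access.
    print(audit_wlan_plan(FAMILY, ("192.168.50.20", "192.168.50.200"), LEASES, LAN))
```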

