Create Captive Portal for company



  • Hello everyone. I am very new to this forum and I would appreciate any help. I would like to place a captive portal in my existing network. How would I go about doing this with my current setup, physically, and have it set up properly on the software side? I would like to have just guests sign in using just the internet and not be able to access my lan.

    current setup ISP-----ASA-----switches-----computers

    Where do I put the pfsense box and what do I plug the two nics to?

    Thanks,



  • Your question is confusing. Can you be more specific about

    I would like to have just guests sign in using just the internet and not be able to access my lan.



  • I basically want to put in pfsense to my existing network. I already have a firewall so I was just wondering the best way to do this without messing anything up. Just to clarify my current network setup is ISP-----ASA5510-----Cisco2811/Router------3 Cisco switches-----computers. I was wondering if I can plug in (from the pfsense box) the WAN port to the cisco switch and the LAN port to my Access point. If so what else do I need to configure to do this? (IPs, gateway address)



  • What I am trying to accomplish is this, I want to create a separate network that guests connect to. I do not want them to access my network but rather have their own network.



  • @goran81:

    I was wondering if I can plug in (from the pfsense box) the WAN port to the cisco switch and the LAN port to my Access point. If so what else do I need to configure to do this? (IPs, gateway address)

    Yes. Configure pfSense WAN port interface Type as DHCP (assuming you have an accessible DHCP server on your network). Configure the pfSense LAN interface with static IP address in an unused subnet, enable DHCP server on the interface, connect the pfSense LAN port to an unused LAN port on your AP (see http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense), enable Captive Portal on pfSense and add firewall rules to LAN interface on pfSense to block access to "local" networks.



  • Thank you wallabybob. I will try this setup very soon and see if it works. So by this setup there will be no double natting or anything like that? Can I somehow manage the pfsense server from my local lan?



  • By default, pfSense will NAT on LAN to WAN connections but that can be disabled.

    I manage one of my pfSense boxes by accessing it through its WAN interface.



  • I'm not sure I follow. I am very new to this so forgive me. So do I need to disable something then from the setup you recommend? Also, can you please give me a scenario that I want to achieve with ip's and gateway addresses? I think it will register better if I see visually what you prefer me to do.



  • @goran81:

    I'm not sure I follow. I am very new to this so forgive me. So do I need to disable something then from the setup you recommend?

    Since you are new to this I would highly recommend you start with a very basic configuration and get that working. Then tweak it one step at a time so when it stops working you can more easily go back to a working configuration and you have only a small number of steps to analyse to see what broke.

    @goran81:

    Also, can you please give me a scenario that I want to achieve with ip's and gateway addresses? I think it will register better if I see visually what you prefer me to do.

    I am not prepared to guess the details of your existing network configuration. Help me to help you by giving more details about your network. For a start, give me a network diagram and address my assumptions.



  • ISP-----ASA5510-----Cisco2811/Router------3 Cisco switches-----computers. My current lan ip scheme is 10.10.1.1/24 and I want to give my wireless clients an ip of 192.168.5.x/24. Do I need to give a static ip to my WAN connection on my pfsense box? like 10.10.1.2? and my wireless a static of 192.168.5.x?



  • Can anyone please help me with my initial setup? I would appreciate it.

    Thanks



  • @goran81:

    Do I need to give a static ip to my WAN connection on my pfsense box? like 10.10.1.2?

    If you don't have a suitable DHCP server, yes and yes.

    @goran81:

    and my wireless a static of 192.168.5.x?

    Yes, WiFi interface in pfSense should be a static IP in 192.168.5.x/24 (static so you can enable DHCP server).



  • What about the gateway addresses for both WAN and LAN?



  • Anyone?



  • Just wanted to say thanks for your help. I configured pfsense and captive portal. It seems to work pretty well. I am going to get familiar with it and maybe post some more questions later on.

    Thank you so much



  • How do I make it so that I can access the web GUI just through my WAN connection? I have placed a rule on my LAN interface just to have internet access and not be able to access my internal LAN which is my WAN connection on my box.



  • Anyone please?



  • @goran81:

    How do I make it so that I can access the web GUI just through my WAN connection?

    Have you tried it? If so and it "doesn't work" please post what the browser reports when you attempt it.



  • I have not tried it. I need help configuring it.



  • I expect you will need a firewall rule on the WAN interface to allow access and a firewall rule on the LAN interface to block access.

    Step 1. Try access from both WAN interface and LAN interface and report the outcome.



  • When I am on the WAN it will not open up the web gui but when I am on the lan it will open. What rule do I need to place to make this work?

    Thanks for your help.



  • These are the current rules I have. I know I have to uncheck the block private networks but what else do I need to do?

    Thanks






  • I think you will at least need to replicate on the WAN interface the Anti lockout rule on the LAN interface EXCEPT the destination Address in the new rule will be WAN Address rather than LAN address.

    Then you should go to Diagnostics -> States, click on the Reset States tab, read the explanation and click on the Reset button.
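
The rule layout discussed in this thread, modelled as an added Python example (not part of any post and not pfSense's own code): first-match evaluation of the guest-side rules and of the WAN-side GUI rule, including the effect of "block private networks" on a WAN that sits inside 10.10.1.0/24. The GUI port, the client addresses and the rule tuples are assumptions, and the captive portal login itself is not modelled.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; GUI_PORT and the client addresses are assumptions.
CORP_LAN = "10.10.1.0/24"     # existing LAN, also the pfSense WAN side
PF_WAN_IP = "10.10.1.2"       # pfSense WAN address proposed in the thread
GUEST_NET = "192.168.5.0/24"  # guest Wi-Fi behind the pfSense LAN port
GUI_PORT = 443                # assumption: web GUI on HTTPS
ANY = "0.0.0.0/0"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def evaluate(rules, src, dst, port, block_private=False):
    """Return 'pass' or 'block' for a new connection arriving on one interface.

    Rules are (action, source net, destination net, port or None) and the
    first match wins; traffic matching no rule is blocked.
    """
    src, dst = ip_address(src), ip_address(dst)
    # "Block private networks" is checked ahead of the user rules.
    if block_private and any(src in net for net in RFC1918):
        return "block"
    for action, src_net, dst_net, dport in rules:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and dport in (None, port)):
            return action
    return "block"

# Guest-facing interface: block the corporate LAN first, then allow the rest.
GUEST_RULES = [
    ("block", GUEST_NET, CORP_LAN, None),  # also covers the GUI on 10.10.1.2
    ("pass", GUEST_NET, ANY, None),
]
GUEST_RULES_WRONG_ORDER = list(reversed(GUEST_RULES))

# WAN interface: copy of the anti-lockout rule with destination = WAN address.
WAN_RULES = [("pass", ANY, PF_WAN_IP + "/32", GUI_PORT)]

if __name__ == "__main__":
    guest, admin = "192.168.5.20", "10.10.1.50"  # constructed clients
    print("guest -> LAN host   :", evaluate(GUEST_RULES, guest, "10.10.1.15", 445))
    print("guest -> internet   :", evaluate(GUEST_RULES, guest, "203.0.113.10", 443))
    print("wrong order, LAN    :", evaluate(GUEST_RULES_WRONG_ORDER, guest, "10.10.1.15", 445))
    print("admin, block private:", evaluate(WAN_RULES, admin, PF_WAN_IP, GUI_PORT, True))
    print("admin, unchecked    :", evaluate(WAN_RULES, admin, PF_WAN_IP, GUI_PORT))
```

With the pass rule listed above the block rule, guests reach 10.10.1.0/24; with "block private networks" left checked, the WAN pass rule is never reached for a 10.10.1.x admin host.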



  • You know what, I figured it out.

    Thanks,

