Deploying pfSense captive portal behind existing firewall

  • My customer has the following network topology. There are hundreds of wired devices that connect to a switch and then to a firewall, and multiple wireless devices that connect to access points (4 of them), which connect to the firewall directly. The firewall also runs the DHCP server.

    The existing firewall does not have captive portal functionality, and the customer wants to enable a captive portal for all the devices connecting from his site.
    How can I achieve this using pfSense?

    The requirement from the customer is that we make minimal network configuration changes and enable the captive portal.

    wired devices -----------------------------------------------[ switch ] ------ [firewall] ---- internet
    wireless devices --- [access points] ------------------------------------------

    Following is the option I am considering.

    Place pfSense in front of the firewall: connect the pfSense WAN to the firewall LAN, and connect all devices to the LAN side of pfSense.
    1. Does that mean I need 5 LAN ports on pfSense (1 for the wired devices + 4 for the access points)?
    2. Will it affect performance at the firewall? (Previously the firewall received traffic on 5 different ports and could process it in parallel. Now all traffic arrives on one port of the firewall.)
    3. Do I need to run the DHCP server on pfSense now instead of on the firewall?

    I would really appreciate any pointers on this. Thank you!

  • Hello.

    Like the other "hundreds of wired devices", you could hook up the pfSense box to your existing firewall.
    Set the "WAN" connection to DHCP, so it will receive an IP from your existing firewall.
    Activate the captive portal on the LAN interface, hook up a switch to it, and after the switch your "portal" access points.

    Or, maybe even better: ditch your existing firewall and put in place a pfSense box with 3 network adapters:
    one called "WAN",
    one called "LAN" for all your actual devices,
    and one called OPT1 = Captive Portal for all your captive portal clients.
    Depending on the hardware you plan to use, pfSense can handle this all very well.

    Btw: who or what is your existing firewall right now?

  • Thanks for your reply. We have a mid-range Juniper FW, and it's not really an option to get rid of it in favor of pfSense. We are introducing pfSense just to add the captive portal functionality that the existing firewall does not have.

    The first deployment option you mentioned is what we currently have set up. But I have a few concerns about its scalability.

    1. The pfSense WAN connects to just one of the LAN ports of the firewall, so the total throughput will be limited by what that one port can handle, and the rest of the FW ports are wasted. How do I justify to the customer that with pfSense he will be able to use only 1 port of his existing FW?

    2. I need to introduce this new network that the pfSense DHCP server will serve. And what if the customer had 5 different subnets connected to 5 ports of the firewall? I would need to create the same number of subnets on pfSense and have the same number of ports on pfSense to support them, right?

    This looks very ugly to me, but I can't think of a better solution. Please help.

  • 1. What about using a switch? Use one of the Juniper LAN ports, put a 3-port switch (if such a thing exists) on it, use port 2 of the switch for the existing network segment and the third for the pfSense box.
      Of course, bandwidth goes up to the capacity of that LAN port of the Juniper firewall.

    2. The DHCP server of pfSense isn't really from "pfSense". It's an industrial-strength DHCP server that has been known and used on FreeBSD for years (also a reference). It can handle a lot of DHCP requests ... the only limit might be network bandwidth and the "pure processor power" of your firewall. This is valid for your actual Juniper firewall or the pfSense box. I guess all possible setup possibilities are there.
      I'm using pfSense as the main "firewall" at my work: about 10 PCs and a separate portal Wi-Fi subnet for our customers (a hotel).
      I use a PowerEdge from Dell to handle it all (or an older Dell Dimension 51xx, an old retired desktop PC) with a quad-NIC Intel PCI card; the onboard NIC is my WAN NIC. It has run fine for years now (it only breaks when I mess up the script/code once more).
      Here are the stats:
      As you can see, my 'firewall' is just twisting its fingers all the time .....
      You could also consider buying a dedicated appliance as said here: stuff like this (example) (6 Gigabit NICs) will handle hundreds of PCs easily.
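Added example, not part of the thread or of pfSense's own code: the deployment both replies settle on (pfSense WAN takes a DHCP lease from the Juniper's LAN, a new captive-portal LAN behind it) is a double-NAT setup, and the one thing that silently breaks it is picking a LAN subnet that overlaps an upstream network (pfSense's default LAN of 192.168.1.0/24 is the usual collision). The script below takes the WAN lease and any other upstream subnets, checks for that overlap, chooses the smallest RFC 1918 subnet that fits the client count with room for pfSense's own address, and emits the LAN IP and DHCP range you would then enter in the pfSense DHCP server settings. The Juniper addresses (192.168.1.57/24, 192.168.2.0/24, 10.10.0.0/16) and the 400-client count are constructed for illustration; the search order of the RFC 1918 blocks is my assumption.

```python
"""Address plan for a pfSense box placed behind an existing firewall (double NAT).

Added example, not from the thread: the pfSense WAN takes a DHCP lease from the
existing firewall's LAN, and the captive-portal LAN behind it needs a subnet that
(a) does not overlap any upstream network and (b) has a DHCP pool large enough
for every client. All addresses and counts used here are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# RFC 1918 blocks the new LAN may be carved from (search order is an assumption).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def prefix_for_hosts(host_count: int, reserved: int = 1) -> int:
    """Longest prefix (smallest subnet) with enough usable addresses for
    host_count clients plus `reserved` addresses (pfSense's own LAN IP).
    Usable IPv4 hosts in a /p are 2**(32-p) - 2 (network and broadcast excluded)."""
    needed = host_count + reserved
    for prefix in range(30, 7, -1):            # try /30 first, widen up to /8
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("too many hosts for one IPv4 subnet")


def overlaps_upstream(lan_cidr: str, upstream_cidrs: Iterable[str]) -> bool:
    """True if the proposed LAN collides with any upstream network, e.g. pfSense's
    default 192.168.1.0/24 when the WAN lease also comes from 192.168.1.0/24.
    Addresses with host bits set (a lease like 192.168.1.57/24) are accepted."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(lan.overlaps(ipaddress.ip_network(u, strict=False))
               for u in upstream_cidrs)


def pick_lan_subnet(upstream_cidrs: Iterable[str], host_count: int,
                    preferred_block: str = "192.168.0.0/16") -> ipaddress.IPv4Network:
    """First right-sized subnet, searched in preferred_block and then the other
    RFC 1918 blocks, that does not overlap any upstream network."""
    upstream = [ipaddress.ip_network(u, strict=False) for u in upstream_cidrs]
    prefix = prefix_for_hosts(host_count)
    preferred = ipaddress.ip_network(preferred_block)
    blocks = [preferred] + [b for b in RFC1918 if b != preferred]
    for block in blocks:
        if prefix < block.prefixlen:            # subnet would be larger than the block
            continue
        for cand in block.subnets(new_prefix=prefix):   # lazy, so /8 is fine
            if not any(cand.overlaps(u) for u in upstream):
                return cand
    raise ValueError("no non-overlapping RFC 1918 subnet of that size")


def dhcp_plan(subnet: ipaddress.IPv4Network, static_reserve: int = 10) -> Dict[str, str]:
    """pfSense LAN IP = first usable address; the next `static_reserve` addresses
    are kept out of the pool for static assignments (access points, printers)."""
    hosts: List[ipaddress.IPv4Address] = list(subnet.hosts())
    return {
        "lan_ip": f"{hosts[0]}/{subnet.prefixlen}",
        "dhcp_from": str(hosts[1 + static_reserve]),
        "dhcp_to": str(hosts[-1]),
    }


def plan(wan_lease: str, other_upstream: Iterable[str], clients: int) -> Dict[str, str]:
    """End to end: WAN lease (address/prefix as the upstream DHCP server hands it
    out) plus any other upstream subnets -> LAN CIDR, LAN IP and DHCP range."""
    upstream = [wan_lease, *other_upstream]
    subnet = pick_lan_subnet(upstream, clients)
    out = dhcp_plan(subnet)
    out["lan_cidr"] = str(subnet)
    return out


if __name__ == "__main__":
    # Constructed scenario: the Juniper hands the pfSense WAN 192.168.1.57/24 and
    # also routes 192.168.2.0/24 and 10.10.0.0/16; about 400 wired + wireless clients.
    print("default LAN collides:",
          overlaps_upstream("192.168.1.0/24", ["192.168.1.57/24"]))
    print(plan("192.168.1.57/24", ["192.168.2.0/24", "10.10.0.0/16"], 400))
```

The overlap check is the part worth running before anything else: if the WAN lease and the LAN share a subnet, pfSense cannot tell which side a destination is on and clients behind the portal lose the upstream network entirely. With the constructed inputs the planner skips 192.168.0.0/23 and 192.168.2.0/23 (both overlap upstream) and lands on 192.168.4.0/23, a /23 because 400 clients plus the pfSense address do not fit the 254 hosts of a /24.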
