Netgate Discussion Forum

    VLANs/CP and OpenDNS clarification question

      GS850L

      Hi,
          Did I say how great the members on this forum are ;)

      I am trying to get a good understanding of how the DNS forwarders work in pfSense. So if I have OpenDNS set in the General Settings tab, and have CP running on a VLAN interface with DNS forwarding turned on for the same VLAN interface, does pfSense bypass the VLAN DNS forwarder, thus also bypassing the captive portal?

      Just trying to get this straight in my head ??? LOL

      Edit: I have multiple VLANs coming into one lan card on the pfSense box

      Andy

        Derelict LAYER 8 Netgate

        Your CP clients will presumably be configured with the pfSense interface address as their DNS server using DHCP.  The clients will submit their queries to the interface address.  The forwarder will then ask the DNS servers configured in general settings for answers to queries it doesn't have cached yet.

        Your Captive Portal does not need to be configured to allow direct access to the OpenDNS servers from behind the portal.

        There does need to be a rule on your captive portal interface allowing access to tcp/udp port 53 on the interface address though.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          GS850L

          I guess it's the opening up port 53 that I don't "get".  If there is no General Settings dns server listed then we don't have to have a rule for port 53 for CP to work.  Why doesn't captive portal work without a port 53 rule when there is a general settings dns server listed?

          Just trying to understand this.

          Thanks much,
          Andy

            Derelict LAYER 8 Netgate

            You need firewall rules for everything that comes in the LAN port for routing elsewhere.

            If you have a permit any any it will cover the port 53 to the LAN interface for DNS.

            Are you trying to fix a specific problem?

              GS850L

              Hi,
                  Yes, there is a problem with clients not going to the CP page on VLAN2; it is turned on only for this VLAN. The DNS forwarder is turned on for all interfaces. OpenDNS is set in the General Setup tab. Not sure what to check next.

              Thank you

              |--- WAN
              |
              |--- LAN----->VLAN1
                                >VLAN2-->Captiveportal on this VLAN, clients don't see CP though.
                                >VLAN3
                                >VLAN4
                                >VLAN5

                Derelict LAYER 8 Netgate

                Can the clients on VLAN2 resolve DNS queries before punching through the portal?

                  GS850L

                  Hello,
                    I tested some more today. I was getting a DHCP IP, the VLAN IP was set as my DNS, and the captive portal page came up when trying to get to Google or wherever. The strange part is when I entered an active voucher and hit enter I was transferred to the pfSense admin login screen...?

                  Good day,
                  Andy

                    GS850L

                    My test system webpage had an IP in place of "$PORTAL_ACTION$". It worked on the test system but not the live system. Anyway, replaced the IP and redirect with the proper commands.

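Added example (not part of the original posts, and not pfSense code): a small Python check for the failure described in the post above, a custom portal page whose form posts to a hard-coded address instead of "$PORTAL_ACTION$". The "$PORTAL_REDIRURL$" placeholder and the field names `redirurl`, `accept` and `auth_voucher` are assumptions taken from pfSense's documented portal page requirements, and both sample pages and the address 192.0.2.1 are constructed.

```python
from html.parser import HTMLParser

ACTION = "$PORTAL_ACTION$"      # placeholder named in the thread
REDIR = "$PORTAL_REDIRURL$"     # assumption: pfSense's redirect placeholder

class FormCollector(HTMLParser):
    """Record every <form> with its action and named <input> elements."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "inputs": {}}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"][a.get("name")] = a

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def lint_portal_page(html):
    """Return a list of problems that would break the portal login form."""
    p = FormCollector()
    p.feed(html)
    if not p.forms:
        return ["no <form> found"]
    issues = []
    for n, form in enumerate(p.forms, 1):
        if form["action"] != ACTION:
            issues.append(f"form {n}: action {form['action']!r} is hard-coded, use {ACTION}")
        redir = form["inputs"].get("redirurl")
        if redir is None or redir.get("value") != REDIR:
            issues.append(f"form {n}: hidden 'redirurl' must carry {REDIR}")
        if "accept" not in form["inputs"]:
            issues.append(f"form {n}: no submit input named 'accept'")
    return issues

# Constructed samples: 192.0.2.1 stands in for the test firewall's address.
BROKEN = """<form method="post" action="http://192.0.2.1/">
<input name="auth_voucher" type="text">
<input name="redirurl" type="hidden" value="http://192.0.2.1/">
<input name="accept" type="submit" value="Continue"></form>"""
FIXED = BROKEN.replace('action="http://192.0.2.1/"', f'action="{ACTION}"') \
              .replace('value="http://192.0.2.1/"', f'value="{REDIR}"')

if __name__ == "__main__":
    for name, page in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_portal_page(page) or "OK")
```

Running the check on a portal page before uploading it catches a test system's address that was left in the form.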
                      Derelict LAYER 8 Netgate

                      With acceptable results?

                        GS850L

                        Yes, all fixed.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.