[Solved] Captive Portal question

  • Hi @ll

Have a CP running on PFSense 2.1.4 Stable and it is running really fine in a Hotel. However lately it happened that a user
    without user/pass or voucher connected to the network and scanned the network from his android smartphone.
    Of course he scared the managers to death telling them the network was all open.  ???

    Does anyone of you have a similar experience or is there any way to avoid this?

    Thank you in advance


  • firewall has nothing to do with this

you must have smart switches or…

    if your access points have an "isolation" function somewhere then you can close them / him down

  • LAYER 8 Netgate

    Yup.  Cisco Private VLAN Edge, Brocade Uplink ports, Asymmetric VLAN, and wireless AP isolation.  Google them all.

If the situation is as you describe with everything located on the same subnet, this isn't even a pfsense problem, but it is a big security issue that needs to be fixed ASAP.
    I use a separate physical interface for guest wifi traffic, in addition to AP isolation on the APs themselves. Don't really want just anybody in the vicinity with a wireless device browsing my office network shares!

  • Thank you folks

    My guest wireless network is in fact a separate network and connected separately to a dedicated interface of the pfsense box.
    The guy was able to browse this network only, of course he was able to see all the guest computers that were online at this time.

It was irritating to me that he could scan the network as soon as he got an IP address, but it was even more irritating that he
    could open the login page of one of my switches in this guest wifi network.

    It was strange that he could do this with his mobile as the Captive Portal should have caught this attempt with a login request,
    is this correct?

    I know that I could activate MAC rules but this is inadequate for a guest wifi system, so what could I do? Are we dealing with
    a malfunction here?



  • LAYER 8 Netgate

    Completely incorrect.

    The captive portal intercepts attempts to access services on TCP port 80 (and maybe 443) that are coming IN the ethernet interface.

    Anyone can connect, get DHCP, and access anything on that network segment that is available prior to CP login.

    What you need is layer 2 isolation. pfSense is a layer 3 device and is not even aware of the traffic on the network segment until it receives traffic to forward on to somewhere else.  It might also be performing services such as DHCP and DNS, but those have to be allowed for the portal and subsequent access to function properly.

    You might also look at an AP vendor that performs captive portal functions in the AP, such as Ruckus.  They will also do full isolation.

    Your network is functioning as designed.  No bugs or malfunctions.
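The point in the post above (the portal only sees traffic that leaves the segment through pfSense; same-subnet traffic is switched at layer 2, and only AP isolation plus protected switch ports stops it) can be checked with a small model. This is an added example, not code from the thread or from pfSense: the addresses are constructed from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and `Client`, `Topology`, `classify` and `reachable_peers` are names made up here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed guest network (TEST-NET-1); the pfSense guest interface is the gateway.
GUEST_NET = ip_network("192.0.2.0/24")
GATEWAY = ip_address("192.0.2.1")
# The captive portal only intercepts these TCP ports from unauthenticated clients.
PORTAL_PORTS = {80, 443}


@dataclass
class Client:
    ip: str
    ap: Optional[str]          # AP the client is associated to; None = wired host
    authenticated: bool = False


@dataclass
class Topology:
    ap_isolation: bool = False      # wireless client isolation enabled on every AP
    protected_ports: bool = False   # AP uplink ports set "protected" on the switch
    hosts: Dict[str, Client] = field(default_factory=dict)


def classify(src: Client, dst_ip: str, dport: int, topo: Topology) -> str:
    """Return what happens to one flow from a guest client (modelled, simplified)."""
    dst = ip_address(dst_ip)
    if dst == GATEWAY:
        # DHCP, DNS and the portal page itself live here and must work before login.
        return "gateway-local"
    if dst in GUEST_NET:
        # Same subnet: the switch/AP forwards it at layer 2; pfSense never sees it.
        peer = topo.hosts.get(dst_ip)
        if peer is not None and peer.ap is not None and src.ap is not None:
            if peer.ap == src.ap and topo.ap_isolation:
                return "blocked-ap-isolation"
            if peer.ap != src.ap and topo.protected_ports:
                return "blocked-protected-port"
        # Assumption: a wired host on the segment (e.g. a switch management IP)
        # is not covered by either mechanism in this model.
        return "switched-l2"
    # Off-subnet: pfSense forwards it, subject to captive portal state.
    if src.authenticated:
        return "forwarded"
    if dport in PORTAL_PORTS:
        return "redirected-to-portal"
    return "dropped-unauthenticated"


def reachable_peers(src: Client, topo: Topology) -> List[str]:
    """Peers a client can still talk to at layer 2 (what a scan from a phone would find)."""
    return sorted(
        ip for ip, peer in topo.hosts.items()
        if ip != src.ip and classify(src, ip, 445, topo) == "switched-l2"
    )


def build_topology(ap_isolation: bool = False, protected_ports: bool = False) -> Topology:
    """Three wireless guests on two APs plus a wired switch management address (constructed)."""
    hosts = {
        "192.0.2.10": Client("192.0.2.10", "ap1"),
        "192.0.2.11": Client("192.0.2.11", "ap1"),
        "192.0.2.12": Client("192.0.2.12", "ap2"),
        "192.0.2.250": Client("192.0.2.250", None),   # switch management page
    }
    return Topology(ap_isolation, protected_ports, hosts)


if __name__ == "__main__":
    scanner = build_topology().hosts["192.0.2.10"]
    for isolation, protected in [(False, False), (True, False), (True, True)]:
        topo = build_topology(isolation, protected)
        print(f"ap_isolation={isolation} protected_ports={protected}:",
              reachable_peers(scanner, topo))
```

Running it shows the progression from the thread: with nothing enabled every peer answers, AP isolation alone hides only the peer on the same AP, and the inter-AP peer disappears only once the switch ports are protected. The wired management address stays reachable in all three cases, which is the separate problem of the switch login page being exposed on the guest segment.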

  • Thank you derelict

Ok thank you very much, thought so. I am using Unifi APs in combination with PFSense and in this case
    a layer 2 isolation is a little tricky to realize.
    However thank you for all your help

    cheers Till

  • LAYER 8 Netgate

    How many APs are we talking and how many switches/wiring closets?

I have some 24 Unifi APs and one Switch (Linksys by Cisco 48 Port), switch is connected to one of the PFSense Interfaces

  • LAYER 8 Netgate

    Ok.  That's easy.  What model switch is it?  I'd be happy to look at the docs and see if it'll do something to isolate the APs from each other.  I'm sure you can keep the wireless clients on each AP from talking on the unifis.  You just need to stop inter-AP traffic.

  • LAYER 8 Netgate

    If your switch does this, turn on wireless isolation in the APs and make the switchports they're connected to "protected."

    ![Screen Shot 2014-09-05 at 8.03.44 PM.png](/public/imported_attachments/1/Screen Shot 2014-09-05 at 8.03.44 PM.png)

  • … or

simply enable "Guest Policy" on your unifi access points and be done with it.

    Make sure NOT to check guest portal.

  • LAYER 8 Netgate

    I don't think that will accomplish isolation between users on different APs.  That usually has to be done in the switch.

    Note that this is why I tend to favor brocade.  The isolation is per-VLAN not per-port so you can have isolated SSIDs and regular SSIDs from your WAPs.  I haven't found anyone else that can do that without going way up the product sheet to something that does VACLs.

    I know with Ruckus you can enforce full isolation at the APs per SSID but you have to be sure to carve out exceptions for anything on the local LANs that the users need access to, such as the captive portal IP:port.  Not sure about Ubiquiti unifi.

  • why not use pf as purely firewall/router and use unifi guest portal feature?

  • Thank you all  ;)

@jaspras : I have tried this but then I do not get the CP login page of my PFsense Box

    Well I am using PFSense for almost 5 years now, the CP was the reason why I have
    implemented it here.
    Changing to the Unifi portal feature would mean to manually migrate some 550
    wireless accounts to the Unifi System.

    However I will have a look at the Switch too but I am not sure if it is capable of this

    Kind regards


  • Hi @all

Thank you all for your helpful posts. I could not solve the problem on the switch side but in the Unifi Controller tool
    by adding the interface address of the PFSense box to the allowed subnets (sounds illogical I know).

    Since then client isolation works in a way that you can still see the ip addresses of logged in devices but you cannot
    see any open ports and it is impossible to communicate with these devices.

    Kind regards


As said, this isn't a pfsense issue, but an error in the design of the network hooked up to the portal interface.
    When using more than ONE AP - and these APs work like switches, this kind of trouble pops up.

    We are in 2014 now, so some OSes that clients use have this famous question:
    Is this a private or Company network ? Or a public network ?
    (I guess we all know now which OS this is  :) )
    If the clients choose "public", then their PC can communicate ONLY with the gateway, and block ALL other incoming/outgoing connections.
    Problems solved, the pfsense portal network engineer can go to bed again.

    But, of course, there are clients that consider the portal Wifi network as their home network - and they share all their holiday photos on the network ("because then it works at home"). They just hit 'Home network' when their OS says "This is a new network, please choose …".
    The same clients (our Wifi portal network clients) start to yell when they discover that pure strangers are 'surfing' their PC ... and all their holiday photos are indexed by Google Images a couple of days later on.
    (You better get a lawyer when you get home, your wife isn't gonna like this one)

    Anyway: I present https://forum.pfsense.org/index.php?topic=66368.msg365658#msg365658
    It started here https://forum.pfsense.org/index.php?topic=1268.msg7542#msg7542 (even Sullrich was surprised  ;))

    It all boils down to: activate AP isolation - and route all traffic from clients to gateway - and back. NO CLIENT TO CLIENT communication.
    The rule to be enforced is "You, as a pfSense operator, do NOT OFFER A LAN PARTY, but Internet Access only".
