Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal and AP with multiple SSID

    Scheduled Pinned Locked Moved Captive Portal
    4 Posts 3 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      ThePirat
      last edited by

      Hello everyone,
      I need to create a captive portal on my pfsense with a RADIUS server on it and this is my situation:

      AP –> PFSENSE --> ISP

      I have not wired clients or other switchs (my ap does this function directly with is 4 ports)

      My goal is to have two ssid on my ap, one named "guests" with internet connection (via captive portal and radius server on pfsense) and the second named "users" with direct internet connection (without captive portal)
      My pfsense box has 3 nic --> 1 WAN, 2 LAN, 3 not used

      I have in mind to configure the two ssid with two different vlan, PVID 1 for users and PVID 2 for guests
      On my pfsense, I connected the ap on LAN nic and configurated the same two vlan of ap on LAN interface

      My captive portal and radius listen on pfsense LAN interface

      My question is: how can I configure pfsense box to activate the captive portal only on "guest" ssid/vlan and do direct internet access, without it, to my "users" ssid/vlan?

      thanks in advance

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        In your Services->Captive Portal config,all of your interfaces, including the tagged VLAN interfaces will be available for selection.  Select the proper interface and save and only that VLAN will be behind the captive portal.

        Rereading, I can't tell if you created the VLAN interfaces in pfSense or not.

        First, forget VLAN 1 exists.  You are going to tag your traffic.  Avoid VLAN 1.

        Example (Assuming your LAN interface is em0):

        Users: VLAN 10

        Guests: VLAN 20

        Interfaces->Assign->VLANs

        Create VLANs 10 and 20 on your LAN physical interface

        Interfaces->Assign

        If OPT1 doesn't exist, click the '+' to add it.

        Assign LAN to interface VLAN 10 on em0
        Assign OPT1 to interface VLAN 20 on em0

        Edit LAN and OPT1 setting IP addresses, enable DHCP, etc.

        Tell your AP that the Users SSID is VLAN 10 and Guest SSID is VLAN 20

        You probably also want to tell the AP to put the wired ports on VLAN 10.

        Enable the Captive Portal on OPT1.

        There are several ways to lock yourself out of the web interface while you're doing work like this.  You might want to enable that third interface, enable DHCP, etc on a third network, and plug your laptop into it while you're doing all this.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • T
          ThePirat
          last edited by

          Thank you very much Derelict, I'll try and let you know if it works

          Best,
          Cristian

          ps…yes, I have configured my pfsense two vlan yet

          1 Reply Last reply Reply Quote 0
          • J
            julio_cdn
            last edited by

            @ThePirat:

            Thank you very much Derelict, I'll try and let you know if it works

            Best,
            Cristian

            ps…yes, I have configured my pfsense two vlan yet

            such could you solve your problem.? If you've been able to solve what was the solution if you would be so kind. Regards.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.