NEW SETUP - Captive Portal



  • Ok, let me lay some groundwork here…  I'm new to pfSense and I'm trying to set up a captive portal for my employer's public internet access through multiple APs with assigned static IPs.

    "LAN"
    pfsense interface ip 10.10.10.1
    LAN interface 10.10.10.1/24
    DHCP Service enabled and pool from 10.10.10.100-200

    "WAN"
    We have a DSL modem (192.168.0.1) as our gateway (tested and confirmed working).
    This I'm using as my "WAN" interface with my pfsense interface ip assigned at 192.168.0.2
    192.168.0.1 is the upstream gateway assigned in pfsense.
    DHCP service is disabled for this interface.

    I have tried to configure the Captive Portal (enabled), however I think I'm missing something.  I have it set to no authentication (we just want to use a click-through page for acceptable use acknowledgement).

    I have created a rule to allow for all traffic on the LAN interface to access the gateway (192.168.0.1).

    I cannot get out...  I can get an IP address from the dhcp service and access the admin page, 10.10.10.1, but I can't connect to google or anything else...

    When I do a ping test, I can ping google from both the LAN and WAN interfaces through the admin ping tool...

    Most of the documentation refers to the pfsense book, which I don't have.  Any help here would be appreciated.


  • Banned

    Do NOT put your CP on LAN. Create a separate OPT interface for that.



  • Thanks for the reply, however I'm not sure what you mean here.  I have the LAN interface dedicated to my access points and it's also serving the DHCP address to the clients who are connecting through the APs.

    Do I create a separate "opt" interface just for the Captive Portal?  If so, how do I route that through to the WAN?

    Thanks in advance…

    Cheers,
    Alan


  • Netgate

    If this is a dedicated install just for the guest access, there's no harm in putting it on LAN.

    If you change anything put the DSL modem in bridge mode and let pfSense get the public IP on its WAN port.  I would consider this an important step.

    > I have created a rule to allow for all traffic on the LAN interface to access the gateway(192.168.0.1)

    You want a rule allowing access from LAN net to "any", not the gateway IP.

    Do yourself a favor and disable the CP until you get your internet access working how you like.  Make sure your guests can't get at anything you don't want them to get at (like the pfSense interface, etc) then worry about the portal.  Turn off your APs and use a wired client while you test if you want to.  It'll work the same as the wireless clients as long as your APs are really APs, and not routers.



  • Yes, this network segment is dedicated solely to our public internet access…  It is isolated from our internal network.  We have the APs dedicated to this purpose.

    I have been testing with a hard-wired connection up to this point, which is getting a 10.10.10.100 address from the DHCP pool I created for the "LAN" network.  This is the same device I have been hitting the administrative interface with as well...

    Due to some internal reasons, I cannot put the modem in bridge mode...  I believe we have a few other things routed through it, like our Skype connection and whatnot.

    For ease, I have installed pfSense on a dedicated 64-bit all-in-one workstation we had lying around.  This device has two NICs in it.  One is connected to the 10. side which is my "LAN" and the other NIC is connected to the 192. side which is the side for my modem.

    I'm trying to use pfSense solely for the captive portal (with acceptance use splash page).  Is this overkill???  This seems like it should be simple.  I have watched a few of the YouTubers out there who have a few quick videos such as this one: https://www.youtube.com/watch?v=lDoVnt5sMJc.  I'm new to pfSense but I have a solid Linux background.  When looking for a captive portal solution, pfSense was the main one that was mentioned.

    Sorry for the noobness, but I'm trying and the documentation references here are minimal, most to buy the book if you want anything detailed (which I don't like)...


  • Netgate

    It'll do just fine.  Overkill is a matter of opinion.

    You want a rule allowing access from LAN net  to "any" not the gateway IP.

    Of course, you want to block access from LAN to anything you don't want your guests to have access to.

    Having access to free software like pfSense, I can't imagine why anyone would want to run the "firewall" built into a DSL modem, but that too is probably a matter of opinion.

    > Sorry for the noobness, but I'm trying and the documentation references here are minimal, most to buy the book if you want anything detailed(which I don't like)…

    Hmm.  There are plenty of Captive Portal setup walkthroughs available.  From what you've described so far, it's a simple firewall rule problem.

    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    doc.pfsense.org.  Charge: $0.00
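
Added example, not part of the thread and not pfSense code: a small top-down, first-match rule evaluator showing why the pass rule with destination 192.168.0.1 described in the first post never matches internet-bound packets (their destination is the remote host, the gateway is only the next hop), and how a "LAN net to any" rule with guest blocks above it behaves. The GUI ports (80/443), the modem-side block and the 203.0.113.10 test address are assumptions made for this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

net = ipaddress.ip_network
LAN_NET = net("10.10.10.0/24")      # LAN from the thread
ANY = net("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, ...]] = None   # None = any destination port
    note: str = ""

def evaluate(rules, src, dst, port):
    """Top-down, first match wins; nothing matched means default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
            return r.action, r.note
    return "block", "default deny"

# Rule as described in the first post: destination = gateway IP only.
ORIGINAL = [Rule("pass", LAN_NET, net("192.168.0.1/32"), note="LAN net -> gateway")]

# Suggested shape: blocks first, then LAN net -> any.
# GUI ports and the modem-side block are assumptions for this sketch.
CORRECTED = [
    Rule("block", LAN_NET, net("10.10.10.1/32"), (80, 443), "guest -> pfSense GUI"),
    Rule("block", LAN_NET, net("192.168.0.0/24"), note="guest -> modem-side hosts"),
    Rule("pass", LAN_NET, ANY, note="LAN net -> any"),
]

CLIENT = "10.10.10.100"              # DHCP lease mentioned in the thread
INTERNET_HOST = "203.0.113.10"       # constructed address (documentation range)

def compare(dst, port):
    """Return the verdicts (original, corrected) for one client packet."""
    return (evaluate(ORIGINAL, CLIENT, dst, port)[0],
            evaluate(CORRECTED, CLIENT, dst, port)[0])

if __name__ == "__main__":
    for dst, port in [(INTERNET_HOST, 443), ("10.10.10.1", 443),
                      ("10.10.10.1", 53), ("192.168.0.1", 80)]:
        print(f"{dst}:{port}", compare(dst, port))
```

On a real pfSense LAN interface the built-in anti-lockout rule is evaluated ahead of user rules, so a GUI block like the one sketched here only takes effect once that rule is disabled.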