Ubiquiti + pfSense + Captive Portal



  • Hi guys,

    Following a recommendation I got on this forum, I just received the Ubiquiti UniFi AP-AC I ordered.

    The AP is plugged into a switch on a network managed by pfSense.

    I did the initial setup, configured an SSID and password, with no guest access (for now).

    I tested, everything works perfectly.

    Next, I would like to do two things:

    1. Set up a captive portal
      Can you provide a decent tutorial on how to do that with pfSense and this AP?
      I want a captive portal for clients who will just need access to the Internet

    2. Set up a radius server
      Same question: do you guys know of a decent tutorial on how to do that with pfSense and this AP?

    Thank you!


  • LAYER 8 Netgate

    Captive portal doesn't care whether your clients are wired, wi-fi, or what AP you use.  Just set up captive portal:

    https://doc.pfsense.org/index.php/Category:Captive_Portal



  • @Derelict:

    Captive portal doesn't care whether your clients are wired, wi-fi, or what AP you use.  Just set up captive portal:

    https://doc.pfsense.org/index.php/Category:Captive_Portal

    Sorry for being such a n00b but how can you set up 2 SSIDs, or a guest SSID and make sure that this specific SSID goes through the captive portal?


  • LAYER 8 Netgate

    Create VLAN interfaces on pfSense and tag the SSID with the right VLAN from the AP.  Captive portal still doesn't care.  It's just another interface.



  • @Derelict:

    Create VLAN interfaces on pfSense and tag the SSID with the right VLAN from the AP.  Captive portal still doesn't care.  It's just another interface.

    Thanks for your replies.

    1. I went into INTERFACES > ASSIGN
      Then the VLAN tab
      I created a new VLAN, and named it CP_VLAN (for captive portal)
      I gave it the tag "10"
      I used the same "Parent interface" as my LAN, which in this case is bge0

    2. Then back into INTERFACES > ASSIGN
      Then the Interface assignments tab.
      I created a new interface, called it CP_Interface.
      Configured a few things, and assigned it to CP_VLAN.

    3. Then I went into SERVICES > DHCP
      I configured the CP_Interface DHCP.

    4. Then I went into SERVICES > CAPTIVE PORTAL
      I created a new one called CP.
      I enabled it and added the CP_Interface.

    5. In the UniFi app, I created a new SSID, I called it CAPTIVE PORTAL (for now)
      I tagged it with the tag "10".
      No password, just "open"

    applied everything…

    It doesn't work :(

    When I try to connect to the SSID "CAPTIVE PORTAL" it will not ever connect.

    I tried to remove the VLAN tagging, then it works !

    Where did I screw up?


  • LAYER 8 Netgate

    How is the AP connected to pfSense?  Do you have a managed switch?  VLANs are layer 2.  The switch needs to know about them too.



  • @Derelict:

    How is the AP connected to pfSense?  Do you have a managed switch?  VLANs are layer 2.  The switch needs to know about them too.

    The AP is just plugged into the switch.

    The switch does not manage VLANs.

    I was under the impression that I could just tag the traffic from the AP and somehow associate this tagged traffic to an interface, then manage this interface with a captive portal.

    Maybe I got it all wrong?


  • LAYER 8 Netgate

    Yes, you've got it wrong.  You cannot expect an unmanaged switch to pass VLAN tags.  It might or it might not.

    Something like this will do what you need:

    http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/



  • @Derelict:

    Yes, you've got it wrong.  You cannot expect an unmanaged switch to pass VLAN tags.  It might or it might not.

    Something like this will do what you need:

    http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/

    Well it appears I have 2 of those : HP Procurve 1810G-24
    And that they are manageable.
    And you can set up VLAN.
    I just never even opened the webconfigurator… I just plugged everything in and it worked.

    My question is : do I need to create a VLAN for everyone except the CP of the AP, and then a VLAN for the CP of the AP ?

    Or can I just create a VLAN for the CP of the AP ?

    Thanks !



  • LAYER 8 Global Moderator

    Why don't you just run the captive portal on your unifi controller?  Pretty sure it has more features than the pfsense one.



  • @johnpoz:

    Why don't you just run the captive portal on your unifi controller?  Pretty sure it has more features than the pfsense one.

    I second this.  I'm running a UniFi AP-LR, and if you are looking for a captive portal to allow wireless guests, just do it through the UniFi configuration app instead.

    If you actually do want to captivate not only WLAN users but also LAN users, then carry on with trying to get it going in pfSense.



  • @johnpoz:

    Why don't you just run the captive portal on your unifi controller?  Pretty sure it has more features than the pfsense one.

    Sounds like a very good idea!

    What I ideally wanted was to work without a password, without vouchers and without payments.
    When I select the HOTSPOT option on the UniFi controller, it requires that I select PAYMENT or VOUCHER.

    I just wanted users to see the WiFi, connect to it and end up on a landing page where they have to put their names or something.

    Then they have 30 minutes of WiFi and they are disconnected.

    Also I would have liked to set some traffic shaping rules so they can't hog the bandwidth.

    And finally, of course, I didn't want these users to have access to other computers / servers on the network… (CIFS shares, etc.)

    Is that something that is possible with the Hotspot feature of UniFi ?


  • LAYER 8 Global Moderator

    You can do whatever you want with the portal of unifi - since you can customize it, etc.  Why do you want them to put in their name?  With just a click you can have some simple password they enter and get 30 minutes for example.

    Pretty sure it could be set up to just take any info you wanted.
    http://community.ubnt.com/t5/UniFi-Configuration-Examples/UniFi-Hotspot-portal-customization/ta-p/474293

    As to bandwidth limits, yeah you can set those as well for guests
    https://community.ubnt.com/t5/UniFi-Configuration-Examples/UniFi-Set-traffic-bandwidth-limits/ta-p/523185




  • BlazeStar, did you ever get the solution that you wanted figured out?
    I have some extra AP AC units and could possibly set one up with a pfSense box and test (if I can find some extra time).



  • I'm trying to do exactly this. If you just use the UniFi captive portal, you need a dedicated computer to run the captive portal on, which is why I want to use pfSense. I can customize the pfSense CP more, and I don't need to sit a second computer on the LAN to run it.

