Netgate Discussion Forum
    Captive portal - client isolation

josephborg07:

In my scenario, pfSense is only used for the captive portal; the captive portal is set up like this: pfSense machine –> switch –> access point

I would like to set up client isolation for this setup, meaning that every user connecting to the captive portal is not allowed to communicate with each other and is limited to internet access only.

      Is this possible to achieve with pfsense ?

      Thanks in advance,
      J

doktornotor (Banned):

        So enable client isolation on the AP.

josephborg07:

Unfortunately the AP doesn't support it. Is there a way to achieve this from pfSense itself?

doktornotor (Banned):

            No. That traffic does NOT go through pfSense at all.

Derelict (Netgate):

Get an AP that does. Note that if you have more than one AP, or wired + wireless clients, you need isolation in the switch. Asymmetric VLANs can do this. Cisco PVLAN edge is even better (easier to configure).

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

Gertjan:
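The "PVLAN edge" that Derelict mentions is Cisco's protected-port feature. As an added illustration (not from the thread, and not Netgate's or Cisco's text), here is a Catalyst IOS configuration fragment for the switch in the asker's topology; the interface names, the VLAN number and which port is the uplink are assumptions. The access ports toward the APs (and any wired portal clients) are marked protected, so the switch forwards no unicast, multicast or broadcast frames between them; the port toward the pfSense captive-portal interface is left unprotected, so every client can still reach the gateway:

```text
! Assumed port layout: Gi1/0/1-23 face the APs and wired portal clients,
! Gi1/0/24 faces the pfSense captive portal interface.
vlan 20
 name captive-portal
!
interface range GigabitEthernet1/0/1 - 23
 description AP or wired captive-portal client (isolated)
 switchport mode access
 switchport access vlan 20
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink to pfSense captive portal interface (unprotected)
 switchport mode access
 switchport access vlan 20
```

Check the result with `show interfaces GigabitEthernet1/0/1 switchport`, which should report `Protected: true`. Two caveats: protected ports are isolated only from other protected ports on the same switch, so with several switches each one needs the same treatment; and clients associated to the same AP never cross the switch, so, as Derelict says, they still need isolation on the AP itself.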

                @Derelict:

Note that if you have more than one AP or wired + wireless clients you need isolation in the switch. Asymmetric VLANs can do this. Cisco PVLAN edge is even better (easier to configure).

Another solution exists, while still using 'no-brain' (non-expensive) switches.
I (still) use inexpensive Linksys (Cisco now) APs - ejected the original firmware and installed DD-WRT.

The secret is: use 'ebtables' (yep, that's not iptables).

#!/bin/ash
# DD-WRT startup script: bridge-level client isolation with ebtables
insmod ebtables
insmod ebtable_filter
# Start from an empty FORWARD chain so re-running the script does not stack duplicate rules
ebtables -t filter -F FORWARD
# Allow broadcast frames from any source (DHCP discover/request, ARP requests).
# "-s 0:0:0:0:0:0/0:0:0:0:0:0" is a match-any source, equivalent to leaving -s out.
ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT
# Allow frames to and from the pfSense portal interface NIC (the gateway)
ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT
ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT
# Everything else (client-to-client unicast and multicast) is dropped
ebtables -t filter -A FORWARD -j DROP

00:0f:b5:fe:4e:e7 = the MAC of my Portal Interface NIC
(DHCP) broadcasts are permitted.
Traffic TO and FROM the portal NIC is permitted.

These rules enforce:
A client who is connected by WiFi on AP "1" cannot communicate with any other clients that are connected on other APs (AP "2", "3", etc.).
All connections are only permitted TO the gateway, the pfSense Portal Interface NIC.

                No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.