Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal for IPsec Clients

    Scheduled Pinned Locked Moved Captive Portal
    6 Posts 5 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jnorthe
      last edited by

      Hi,
      we have the following scenario with pfsense version 2.2.4:

      Internet –- pfSense(Voucher-CaPo) =====IPSec-Tunnel===== RemoteFirewall(nonPfSense) --- Guests 10.0.220.0/24
                                        |
                                        |------------------ Guests 10.0.200.0/24

      The guests comming from 10.0.200.0/24 are running into captive portal but guests comming from 10.0.220.0/24 can access internet without  :o.
      Due to the fact that strongswan is not creating an ipsec interface I tried to bind captive portal to LAN only, LAN+WAN but this does not helped me.

      When clients from 10.0.220.0 access http://pfsense:8000 by hand they get a rewritten URL with the public IP address of the pfsense box of the captive portal page.

      Any hints for me?

      Thanks in advance
      Juergen

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        Yeah, the hint is that this will never work.

        1 Reply Last reply Reply Quote 0
        • J
          jnorthe
          last edited by

          cool.
          thanx

          Juergen

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Put a router doing captive portal in front of the router doing IPsec and it won't know the difference.

            WAY too much emphasis in the pfSense world at getting one "box" (node) doing everything.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • H
              hpmueller
              last edited by

              @jnorthe:

              Any hints for me?

              Yeah, the captive portal needs a real interface (that you can select in the captive portal list). I havn't tested this, but if your remote firewall can do GRE, do an additional GRE tunnel over ipsec, that way you get an interface what should work. If you can do OpenVPN, this also work…

              /hp

              1 Reply Last reply Reply Quote 0
              • ?
                Guest
                last edited by

                WAY too much emphasis in the pfSense world at getting one "box" (node) doing everything.

                • 1 from for that.

                additional GRE tunnel over ipsec, that way you get an interface what should work.

                L2TP/IPSec would be the way to realize this.

                Internet –- pfSense(Voucher-CaPo) =====IPSec-Tunnel===== RemoteFirewall(nonPfSense) --- Guests 10.0.220.0/24

                One Question from me onto this, why not both sides are using then a pfSense firewall with Captive Portal?
                A small PC Engines APU is really able to hold this pfSense based Captive Portal for many users.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.