Keep originating ip addresses captive portal clients on WAN side



  • We have a firewall with extensive logging capabilities but we use a PfSense VM for the captive portal on our guest network. The traffic goes from our PfSense captive portal LAN, to the WAN which is connected through a small transit subnet to our main firewall (which is connected to the internet). Setup is like this:

    PfSense LAN
    172.16.0.1/21

    PfSense WAN
    192.168.0.2/30
    Firewall
    192.168.0.1/30

    The only problem now is that the logging on our firewall is useless because the source ip address is always the same (192.168.0.2), so i can't monitor clients if it's ever necessary. How should i set this up if still wanted to use the PfSense captive portal but my firewall's logging capabilities?



  • Your pfSense is a router. After the router (pfSEnse WAN side) all client-IP info is lost - only the WAN IP will be known.
    That's one of the reasons pfSense (a native firewall) also handles the 'Captive portal'.


  • Netgate

    There is no need for NAT.  Add a route in your firewall for 172.16.0.0/21 destination 192.168.0.2 and disable NAT in pfSense. Your edge firewall will then be responsible for NAT but will have the client IP available to it.

    If your firewall is capable, and the address is available, you might want to set it so CP clients are natted to a different public IP than the rest of your network.



  • Thank you Derelict, so simple, yet exactly what I was looking for. Works like a charm.