Keep originating ip addresses captive portal clients on WAN side

  • We have a firewall with extensive logging capabilities but we use a PfSense VM for the captive portal on our guest network. The traffic goes from our PfSense captive portal LAN, to the WAN which is connected through a small transit subnet to our main firewall (which is connected to the internet). Setup is like this:

    PfSense LAN

    PfSense WAN

    The only problem now is that the logging on our firewall is useless because the source ip address is always the same (, so i can't monitor clients if it's ever necessary. How should i set this up if still wanted to use the PfSense captive portal but my firewall's logging capabilities?

  • Your pfSense is a router. After the router (pfSEnse WAN side) all client-IP info is lost - only the WAN IP will be known.
    That's one of the reasons pfSense (a native firewall) also handles the 'Captive portal'.

  • LAYER 8 Netgate

    There is no need for NAT.  Add a route in your firewall for destination and disable NAT in pfSense. Your edge firewall will then be responsible for NAT but will have the client IP available to it.

    If your firewall is capable, and the address is available, you might want to set it so CP clients are natted to a different public IP than the rest of your network.

  • Thank you Derelict, so simple, yet exactly what I was looking for. Works like a charm.

Log in to reply