Netgate Discussion Forum

    Keep originating ip addresses captive portal clients on WAN side

    Captive Portal
    4 Posts 3 Posters 802 Views
    • youdontsay

      We have a firewall with extensive logging capabilities, but we use a pfSense VM for the captive portal on our guest network. The traffic goes from our pfSense captive portal LAN to the WAN, which is connected through a small transit subnet to our main firewall (which is connected to the internet). The setup is like this:

      pfSense LAN:  172.16.0.1/21
      pfSense WAN:  192.168.0.2/30
      Firewall:     192.168.0.1/30

      The only problem now is that the logging on our firewall is useless because the source IP address is always the same (192.168.0.2), so I can't monitor clients if it's ever necessary. How should I set this up if I still wanted to use the pfSense captive portal but keep my firewall's logging capabilities?

      • Gertjan

        Your pfSense is a router. After the router (pfSense WAN side) all client-IP info is lost - only the WAN IP will be known.
        That's one of the reasons pfSense (a native firewall) also handles the 'Captive Portal'.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • Derelict (LAYER 8 Netgate)

          There is no need for NAT. Add a route in your firewall for 172.16.0.0/21 destination 192.168.0.2 and disable NAT in pfSense. Your edge firewall will then be responsible for NAT but will have the client IP available to it.

          If your firewall is capable, and the address is available, you might want to set it so CP clients are natted to a different public IP than the rest of your network.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
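The following is an added example, not code from the thread or from pfSense: a small Python model of the topology above that shows why disabling outbound NAT on pfSense alone is not enough and why the static route on the edge firewall matters. The three addresses from the thread (172.16.0.0/21, 192.168.0.2, 192.168.0.0/30) are used as given; the client address, the edge firewall's public IP and the internet destination are constructed values from documentation ranges, and the `strict_rpf` flag is an assumption about an edge firewall that drops packets whose source it cannot route back to.

```python
"""Model of pfSense behind an edge firewall: what the edge logs as the source,
and whether replies can get back to the guest client (added example)."""
import ipaddress
from dataclasses import dataclass

# Addresses from the thread.
PFSENSE_LAN = ipaddress.ip_network("172.16.0.0/21")
PFSENSE_WAN_IP = ipaddress.ip_address("192.168.0.2")
TRANSIT_NET = ipaddress.ip_network("192.168.0.0/30")
# Constructed values (documentation ranges), not from the thread.
EDGE_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
CLIENT_IP = ipaddress.ip_address("172.16.1.50")
INTERNET_DST = ipaddress.ip_address("198.51.100.7")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def lookup(routes, addr):
    """Longest-prefix match over a list of (network, next_hop); None if no route."""
    best = None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def pfsense_egress(pkt, outbound_nat):
    """pfSense WAN egress: with outbound NAT every client leaves as 192.168.0.2."""
    assert pkt.src in PFSENSE_LAN, "only guest LAN clients are modelled"
    return Packet(PFSENSE_WAN_IP, pkt.dst) if outbound_nat else pkt


def simulate(outbound_nat, static_route, strict_rpf=False):
    """Send one client request through pfSense and the edge firewall, then its reply back.

    Returns the source the edge firewall logged, whether the reply found a
    route back to the client, and whether the request was dropped on ingress.
    """
    # The transit subnet is directly connected; the /21 is only known via the
    # static route Derelict suggests (172.16.0.0/21 -> 192.168.0.2).
    edge_routes = [(TRANSIT_NET, "connected")]
    if static_route:
        edge_routes.append((PFSENSE_LAN, PFSENSE_WAN_IP))

    outbound = pfsense_egress(Packet(CLIENT_IP, INTERNET_DST), outbound_nat)

    # Assumed behaviour: a strict reverse-path check drops sources with no return route.
    if strict_rpf and lookup(edge_routes, outbound.src) is None:
        return {"logged_src": None, "reply_delivered": False, "dropped_on_ingress": True}

    # The edge does the NAT to its public IP, keeps the original source in its
    # connection table, and logs the source it actually saw.
    conntrack = {(EDGE_PUBLIC_IP, outbound.dst): outbound.src}
    logged_src = outbound.src

    # Reply from the internet: un-NAT, then the reply needs a route to the original source.
    reply = Packet(INTERNET_DST, EDGE_PUBLIC_IP)
    original_src = conntrack[(reply.dst, reply.src)]
    next_hop = lookup(edge_routes, original_src)
    return {"logged_src": logged_src,
            "reply_delivered": next_hop is not None,
            "dropped_on_ingress": False}


if __name__ == "__main__":
    for nat, route in [(True, False), (False, False), (False, True)]:
        print(f"pfSense NAT={nat!s:5} edge route={route!s:5} ->", simulate(nat, route))
```

With NAT on and no route, the edge logs 192.168.0.2 for every client (the original problem); with NAT off and no route, the edge logs the real client address but the reply has no path back into 172.16.0.0/21; only NAT off plus the static route gives both the real source in the logs and a working return path.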

          • youdontsay

            Thank you Derelict, so simple, yet exactly what I was looking for. Works like a charm.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.