Bind Captive-Portal to something other than an interface?



  • Hello,

    is it possible to bind the CP feature to anything other than an real interface?
    I've tried Virtual IP and Aliases with no success.

    I'm looking for a way to save certificates, because i have many local WIFIs and therefore multiple CPs. If i had to provide one cert per CP, it would be very expensive. But the CP should last on the pfSense itself. So how can i configure a single CP for all wifi networks?
    I already tried using the WAN interface with no luck. It seems that CP-feature is only triggered for traffice originated to the CP-interface but not transit.

    Any help?



  • Aliases and Virtual IP's are NOT interfaces.
    You can bind to any interface listed in the menu "Interfaces", except one (which ought to be logic) …

    I already tried using the WAN interface with no luck

    I know, I could fill my car's gas-tank with water to see if my cars runs - nothing is indicated that I shouldn't .. but some how, I knew it already.
    Thanks for telling, your were good for a 5 minutes rofl …  ;D

    In a worst-case scenario, you activate the portal on the LAN interface. (the poor-mans setup).
    You'll find out that something isn't 'right' and ... you will be right ! The captive portal is run best on its own dedicated interface (OPT1, 2, etc).

    Btw : certs are expensive ? I'm suing 2 on my pfsense (from startssl.com - other sources exist) and I paid NOTHING.

    Note: you said that you have many WIFI's.
    What does that mean ? Many AP's ? Many AP's with many (SSID) ? All on different networks ?
    Why running more then one CP ?
    What about 'standardized' drawing (tools are indicated on this forum) and show us your setup ?



  • I was looking for some kind of multiplex CP, which is not in design of pfSense.
    My fault. I mixed up the concepts. It should be: One CP, one Interface.
    But now that i know how it works and that it is that easy, i have no problem in using it like it is.



  • You can only have a single CP instance on a given broadcast domain. There are a lot more complications to it than CP itself, for instance your clients would have to be on a different DHCP scope, which isn't possible unless you have DHCP reservations defined for every device on the non-default subnet.

    In that type of network environment, if you're not isolating broadcast domains between different customers (I presume the use case there, not sure why else you'd want diff domains), your network design is fundamentally wrong.


Log in to reply