[SOLVED] Multi zones not working on opt interfaces

  • Hi, this is a pfSense 2.2.6 box; here is the interface info.

    WAN (wan)      -> bge0
    LAN (lan)      -> bge1
    TEST01 (opt1) -> bge1_vlan108
    TEST02 (opt2) -> bge1_vlan109

    I created 2 portals, one operates on LAN interface, the other operates on TEST01 and TEST02:

    zone1: LAN
    zone2: TEST01,TEST02

    When I enable only one of them, it works well, but if I enable both of them, clients will not be authorized; clients are required to log in again and again and are not able to access the internet.

    I checked the CP status page and found that client sessions exist in both zones, or maybe they were flapping in both zones.

    I also tried to set up 2 zones as below; it also didn't work when both zones were enabled:

    Zone1: TEST01
    Zone2: TEST02

    May I know if we can set up multi zones between these virtual interfaces?
    Or do we have to create zones operating on different physical interfaces?

  • Please provide your records of the failed testing and certification.

    System logs --> System and Portal Auth

  • Not aware of any issues there, but my guess is maybe the use of tagged and untagged VLANs on the same interface. I know there are people doing multiple different zones on tagged VLANs not using the parent interface. I'd try tagging everything and running CP only on the tagged VLANs and see if that works as expected.
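
The layout this reply points at can be checked mechanically. The following is an added example, not part of the original thread or of pfSense itself: it parses the assignment list from the first post and flags any parent NIC that carries a captive portal interface while having both an untagged assignment and tagged VLANs. The `ZONES` dictionary and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assignment list as shown in the first post: "NAME (ifname) -> device".
ASSIGNMENTS = """\
WAN (wan)      -> bge0
LAN (lan)      -> bge1
TEST01 (opt1) -> bge1_vlan108
TEST02 (opt2) -> bge1_vlan109
"""

# Zone layout from the first post (zone name -> member interfaces).
ZONES = {"zone1": ["LAN"], "zone2": ["TEST01", "TEST02"]}

LINE = re.compile(r"^\s*(\S+)\s+\((\w+)\)\s*->\s*(\S+)\s*$")
VLAN = re.compile(r"^(?P<parent>.+)_vlan(?P<tag>\d+)$")


def parse_assignments(text):
    """Return {name: (parent_device, vlan_tag or None)}."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, _ifname, dev = m.groups()
        v = VLAN.match(dev)
        out[name] = (v["parent"], int(v["tag"])) if v else (dev, None)
    return out


def mixed_parents(assignments, zones):
    """Parents that host a portal interface and mix untagged with tagged use."""
    portal_ifs = {i for members in zones.values() for i in members}
    parents = defaultdict(lambda: {"untagged": [], "tagged": [], "portal": False})
    for name, (parent, tag) in assignments.items():
        entry = parents[parent]
        entry["untagged" if tag is None else "tagged"].append(name)
        entry["portal"] = entry["portal"] or name in portal_ifs
    return {p: e for p, e in parents.items()
            if e["portal"] and e["untagged"] and e["tagged"]}


if __name__ == "__main__":
    found = mixed_parents(parse_assignments(ASSIGNMENTS), ZONES)
    for parent, e in found.items():
        print(f"{parent}: untagged {e['untagged']} shares the NIC with "
              f"tagged {e['tagged']} while captive portal is enabled")
```

Both zone layouts tried in the first post are flagged on `bge1`, because LAN stays untagged on the parent even when it is not a portal member.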

  • Test OK. 3 VLANs bound to one CP,

    but my LAN (name: VlanLAN) has no IP. It just transfers VLAN traffic.

    As cmb said, your problem may be the use of tagged and untagged VLANs on the same interface.


  • TEST1:
    LAN + 3 VLANs bound to one CP, can work.

    Zone lan_cp: LAN (igb2)
    Zone CP: 3 VLANs (igb2)

    The client will log in twice; refer to the login record:

    VLAN PC ----> CP portal ----> lan_cp ----> internet  =_=

    first login URL: xxxx.xxx.xxx.xx:8003
    second time login URL: xxxx.xxx.xxx.xx:8005

    Don't use the TEST2 approach and an untag-tag port.


  • Hi, cmb,
    Yes, you are right, I should avoid using both tagged and untagged on the same interface.

    Now this issue has been solved, thanks for your great support!

  • I suggest setting the redirection URL before and after authentication.
    It is also good to isolate these different subnets of captive portal interfaces from each other by using aliases and applying these aliases in the firewall rules of each captive portal interface.
    I read once, but I am not sure if this is correct: always apply captive portal on an OPT interface, not the LAN interface.

    Best Wishes
