No CP from fixed LAN IP, DHCP scope only?

  • Hi

    I'll admit, I must have done something wrong but fail to figure it out myself.
    I can't get a stable Captive Portal service running.
    Or this might be just as it should be for all that I know.

    The Captive Portal only captures my browser when my LAN client is in the DHCP scope.
    As soon as a fixed IP client (outside the DHCP scope) tries to go online, all he gets is the timeout of the page he tries to reach.
    Only randomly and once in a while the user hits the captive portal. This is the same for both Firefox and IE on Windows XP.

    Since I do have some clients on fixed IPs (due to services running on the client that need to be reached from outside too), am I supposed to add these to the allowed IP addresses, or MAC pass-through?
    If so, they don't need to authenticate for now against the user manager, but later against freeradius.
    I would like them to authenticate for getting logs etc.
    Any solution to this scenario?

    My settings
    System -> General Setup, webGUI is set to http.
    Services -> DNS forwarder, is enabled.
    Services -> DHCP server, it's enabled and a range is set ( and the IP ( is set as the Gateway.
    Captive Portal -> Enabled, Interface is LAN, idle=30, hard=60, popup enabled, Concurrent users disabled, mac filtering disabled, authentication by local user manager.

    There was no default captive portal webpage, so I copied the login form on the settings page and uploaded it as index.html

    My platform is a Pentium 4 @ 2.6GHz with 512MB RAM
    re0 is the LAN NIC, RealTek 8169SB/8110SB Gb eth.
    bge0 is the WAN NIC, Broadcom BCM5705 A3, ASIC rev. 0x3003
    pfSense is 1.2 stable

    Kind regards

  • Did you make sure that your clients with a static IP have the pfSense DNS-forwarder as primary DNS?

  • Hi

    That was indeed the fault.
    So they can't use the wan provided dns, but must use (the gateway) as primary dns?
    Well, thank you, it fixed my problem. No reason to dwell any longer on this.

    Now I'm off to explore this pfSense world :)

    Kind regards

  • Yes, because otherwise pfSense has no way to redirect the connecting clients to the authentication page.

  • You can use external DNS servers if you add them to the IP passthrough, if you are so inclined.

  • This won't work.
    You have to use the DNS forwarder so pfSense can hijack an outgoing connection and redirect it to the captive portal.

    If you set a different DNS you can resolve the IP, but won't be able to get past pfSense, since you never authenticated your MAC/IP pair.

  • It works fine, I do it on all of my installs.

  • Hmmm.
    This is new and interesting for me.

    I guess I need to reread the CP docu and play a bit with it :)
    Thanks for the info.

  • No problem.  If it can be done with the CP, I've probably done it.  =P
