Friday, May 09, 2008

pfSense: Configure captive portal

The captive portal in pfSense lets you provide restricted internet access to guests via a web-portal that prompts them to type a username and password. It looks and feels very similar to what you find in Wi-Fi hotspots, hotels, business centers, and coffee shops around the world.

In short, here’s how it works… you configure the captive portal in pfSense, hang some open access points off of it, and have pfSense hand out IP’s to anyone who connects. Guests (contractors, stakeholders, etc.) arrive at your office, see the open AP’s and associate with them. They get an IP, and as soon as they try to browse the internet, DNS resolves their request to a portal for authentication. They authenticate, and now they can access the internet… segmented off of your business LAN.

Now, this isn’t quite the same thing as NAP, but beyond pfSense there’s no infrastructure investment, a limited configuration effort, and it makes life better for everyone.

Configuration in pfSense is pretty straightforward. There’s a video tutorial on the wiki, and my short how-to below.

In pfSense do the following:

  1. Interfaces>Add new interface
  2. Interfaces>OPT1 (new interface)
  3. Optional Interface Configuration>Enable
  4. IP Configuration>Assign an IP address on a new subnet (e.g.
  5. No gateway – allow it to use the next hop, then save.
  6. Services>Captive Portal
  7. Enable Captive Portal, On.
  8. Put in the appropriate interface (e.g. OPT1)
  9. Assign a hard timeout that’s appropriate
  10. Use Local User Manager (or RADIUS if you’d prefer), save. Click Users, add a guest account.
  11. Services>DHCP server, and switch to the correct interface tab. Have it hand out IP’s in a range that makes sense… 192.168.177- Click Save.

You’re good to go… just hook up a test system to the captive portal segment, and verify connectivity.


max chock said...

Hi, i'm trying to explore more about pfsense for my internet cafe.

I'm wondering whether can pfsense allow specific user group to enjoy higher bandwidth after authenticate by captive portal?


Nick said...

I believe you can with a RADIUS server backending authentication. Skimming through the forums I found this...,22741.0.html ... which deals with making changes while users are logged in.