pfSense Firewall

Logging in

Open a web browser and log in to your pfSense Firewall interface.

Guest Interface

Click Interfaces > Assignments on the top menu.

If you do not already have an interface for guest use, click Add, assign an unused network port and name the new interface GUEST.

Click into the GUEST interface to open its configuration screen and take note of its MAC address; it is needed later for the captive portal's NAS Identifier. If this is an existing, already configured interface you can skip the following settings; otherwise configure with:

Enable Yes
IPv4 Configuration Type Static IPv4
IPv6 Configuration Type None
IPv4 Address 10.1.0.1 / 18 (the /18 covers 10.1.0.0 to 10.1.63.255)

Click Save to save.

Firewall Rules

Click Firewall > Rules on the top menu. Select the GUEST interface tab.

Two rules are needed on the GUEST interface: the first lets guest clients resolve DNS against the firewall itself (the captive portal depends on this), the second passes guest traffic to destinations outside the guest network. Click the first Add button and configure with:

Action Pass
Interface GUEST
Address Family IPv4
Protocol TCP/UDP
Source GUEST net
Destination GUEST address
Destination Port Range From DNS (53) to DNS (53)
Description Allow Guest DNS

Click Save. Add another rule and configure with:

Action Pass
Interface GUEST
Address Family IPv4
Protocol Any
Source GUEST net
Destination Invert match - GUEST net
Description Allow Guest Traffic

Click Save, then Apply Changes. Note that "Invert match - GUEST net" passes traffic to every destination outside 10.1.0.0/18, which includes any other internal networks behind this firewall; if guests must not reach those, a block rule for them has to sit above this one.
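To see exactly what the two rules above let through, here is a small constructed model of them in Python. It is an added example, not pfSense code or part of the original article; the guest client 10.1.5.5 and the probe addresses are made up. It mirrors pfSense rule evaluation on an interface (top to bottom, first match wins, unmatched traffic hits the implicit default deny) and shows that the inverted destination match on the second rule passes traffic to every network outside 10.1.0.0/18, other RFC 1918 networks included.

```python
import ipaddress

# Constructed model of the two GUEST-tab rules on this page.
GUEST_NET = ipaddress.ip_network("10.1.0.0/18")   # "GUEST net"
GUEST_ADDR = ipaddress.ip_address("10.1.0.1")     # "GUEST address"
DNS = 53


def in_guest_net(ip):
    return ip in GUEST_NET


def is_guest_addr(ip):
    return ip == GUEST_ADDR


def outside_guest_net(ip):
    # "Invert match - GUEST net": every address that is NOT in 10.1.0.0/18
    return ip not in GUEST_NET


# (protocols, or None for "Any"; source test; destination test;
#  destination port, or None when the protocol has no ports; description)
RULES = [
    ({"tcp", "udp"}, in_guest_net, is_guest_addr, DNS, "Allow Guest DNS"),
    (None, in_guest_net, outside_guest_net, None, "Allow Guest Traffic"),
]


def evaluate(proto, src, dst, dport=None):
    """Return the description of the first pass rule matching the flow,
    or 'default deny' when no rule matches (pfSense drops unmatched traffic)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for protos, src_ok, dst_ok, port, desc in RULES:
        if protos is not None and proto not in protos:
            continue
        if not (src_ok(src_ip) and dst_ok(dst_ip)):
            continue
        if port is not None and dport != port:
            continue
        return desc
    return "default deny"


def private_destinations_reachable(src="10.1.5.5"):
    """Constructed probe: which other RFC 1918 addresses does a guest client reach
    through the second rule? Returns the probes that are passed."""
    probes = ["192.168.1.10", "172.16.0.10", "10.0.0.10"]
    return [d for d in probes if evaluate("tcp", src, d, 445) != "default deny"]


if __name__ == "__main__":
    for flow in [("udp", "10.1.5.5", "10.1.0.1", 53),
                 ("tcp", "10.1.5.5", "10.1.0.1", 443),
                 ("tcp", "10.1.5.5", "93.184.216.34", 443),
                 ("tcp", "10.1.5.5", "192.168.1.10", 445)]:
        print(flow, "->", evaluate(*flow))
    print("other private networks reachable:", private_destinations_reachable())
```

The guest-to-firewall DNS flow passes on the first rule, the guest-to-firewall HTTPS flow falls through to the default deny (the captive portal itself is handled before these rules), and both the Internet flow and the 192.168.1.10 flow pass on the second rule, which is the behaviour the note above warns about.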

DNS Resolver

Click Services > DNS Resolver on the top menu. Ensure the resolver is enabled and that both Network Interfaces and Outgoing Network Interfaces include the GUEST interface (or are set to All), as the guest service relies on the firewall answering DNS for guest clients. Click Save and Apply Changes if anything was changed.

DHCP Server

Click Services > DHCP Server on the top menu. Under the GUEST tab, configure with:

Enable Yes
Range 10.1.0.2 to 10.1.63.250

Click Save.

RADIUS Servers

Click System > User Manager on the top menu. Under the Authentication Servers tab, click Add and configure with:

Name guestrad1
Type RADIUS
Protocol PAP
Hostname *insert radius_server here*
Shared Secret *insert radius_secret here*
Services offered Authentication and Accounting
Authentication Port 1812
Accounting Port 1813
Authentication Timeout 5
RADIUS NAS IP Attribute GUEST - 10.1.0.1

Click Save, then click Add again and configure the secondary server with:

Name guestrad2
Type RADIUS
Protocol PAP
Hostname *insert radius_server2 here*
Shared Secret *insert radius_secret here*
Services offered Authentication and Accounting
Authentication Port 1812
Accounting Port 1813
Authentication Timeout 5
RADIUS NAS IP Attribute GUEST - 10.1.0.1

Click Save.

Captive Portal

Click Services > Captive Portal on the top menu. Click Add and configure with:

Zone name guestwifi

Click Save and Continue and configure with:

Enable Captive Portal Yes
Interface GUEST
Pre-authentication URL *insert access_url here*
After authentication URL *insert redirect_url here*
Use custom captive portal page Yes
Portal page contents Upload the custom portal page file linked from this article
Authentication Method Use an Authentication backend
Authentication Server guestrad1
Secondary Authentication Server guestrad2
NAS Identifier The MAC address of the GUEST interface noted earlier
Session Timeout Yes - Use RADIUS
Traffic quota Yes - Use RADIUS
Per-user bandwidth restrictions Yes - Use RADIUS
MAC address format IETF
RADIUS accounting Yes - send RADIUS accounting packets
Accounting Server guestrad1
Accounting updates Interim

Click Save. Next, click the Edit icon beside the newly created guestwifi zone, open the Allowed Hostnames tab and click Add for each domain that guest clients must be able to reach before they authenticate. Refer to the list of required domains provided with this article.
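The RADIUS Servers and Captive Portal sections above set Protocol PAP, a NAS IP Attribute of 10.1.0.1, the GUEST MAC as NAS Identifier and the IETF MAC address format. The following Python is an added example, written for this page and not taken from pfSense or the original article: it builds the Access-Request those settings produce, shows what the RADIUS server recovers from it, and checks the Response Authenticator on the reply. The shared secret radius_secret, the user guest, the request identifier and the MAC addresses are constructed values. The point it makes about the PAP setting is that the password is only XOR-masked with an MD5 keystream derived from the shared secret and the request authenticator (RFC 2865 section 5.2), so the strength of the shared secret and the trustworthiness of the path between pfSense and the two RADIUS servers carry the whole protection of guest credentials.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 4, 31, 32


def ietf_mac(mac):
    """Render a MAC the way pfSense's 'IETF' MAC address format does:
    lower case, two hex digits per octet, dash separated (aa-bb-cc-dd-ee-ff)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def pap_hide(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous block), first block keyed by the Request Authenticator."""
    p = password.encode()
    p = p.ljust(max(16, (len(p) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_unhide(blob, secret, authenticator):
    """Inverse of pap_hide, as the RADIUS server performs it. Returns bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], keystream))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """One attribute-value pair: type, length including this 2-byte header, value."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_id,
                         client_mac, authenticator=None):
    """Access-Request carrying NAS-IP-Address (RADIUS NAS IP Attribute), NAS-Identifier
    (GUEST MAC), Calling-Station-Id (client MAC, IETF format) and the hidden password."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(NAS_IDENTIFIER, nas_id)
             + avp(CALLING_STATION_ID, ietf_mac(client_mac)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_view(packet, secret):
    """What a RADIUS server recovers from the request with its copy of the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    return {
        "code": code, "user": attrs[USER_NAME].decode(),
        "password": pap_unhide(attrs[USER_PASSWORD], secret, authenticator),
        "nas_ip": str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS])),
        "nas_id": attrs[NAS_IDENTIFIER].decode(),
        "calling_station": attrs[CALLING_STATION_ID].decode(),
    }


def build_response(code, request, secret, attrs=b""):
    """Reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_valid(response, request, secret):
    """The check the NAS must do before honouring an Access-Accept: the reply is bound
    to the request's authenticator and to the shared secret, so a spoofed reply fails."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

Run server_view on the same request with a different secret and the recovered password is garbage, which is the only protection PAP offers over the wire; run response_valid on a reply built with the wrong secret and it is rejected, which is why a wrong shared secret on either side shows up as a silent timeout rather than a clean error.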

Configuration Complete

The configuration is now complete.
