Logging in
Open a web browser and log in to your pfSense Firewall interface.
Guest Interface
Click Interfaces > Assignments on the top menu.
If you do not already have an interface for guest usage, create a new interface named GUEST with the available network port.
Take note of the MAC address of this interface; you'll need it later in this configuration. Click the GUEST interface to bring up the configuration screen. If this is an existing interface, you may skip this step; otherwise, configure it with:
| Enable | Yes |
| IPv4 Configuration Type | Static IPv4 |
| IPv6 Configuration Type | None |
| IPv4 Address | 10.1.0.1 / 18 |
Click Save to save.
Firewall Rules
Click Firewall > Rules on the top menu. Select the GUEST interface tab.
In order to allow pre-authentication traffic, two rules must be created. Click the first Add button and configure with:
| Action | Pass |
| Interface | GUEST |
| Address Family | IPv4 |
| Protocol | TCP/UDP |
| Source | GUEST net |
| Destination | GUEST address |
| Destination Port Range | From DNS (53) to DNS (53) |
| Description | Allow Guest DNS |
Click Save. Add another rule and configure with:
| Action | Pass |
| Interface | GUEST |
| Address Family | IPv4 |
| Protocol | Any |
| Source | GUEST net |
| Destination | Invert match - GUEST net |
| Destination Port Range | From DNS (53) to DNS (53) |
| Description | Allow Guest Traffic |
Click Save.
DNS Resolver
Click Services > DNS Resolver on the top menu. Ensure that the DNS Resolver is enabled and that both the Network Interfaces and Outgoing Network Interfaces settings cover the GUEST interface (select either the GUEST interface or All), as the guest service requires this. Save and Apply if required.
DHCP Server
Click Services > DHCP Server on the top menu. Under the GUEST tab, configure with:
| Enable | Yes |
| Range | 10.1.0.2 to 10.1.63.250 |
Click Save.
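The following is an added example, not part of the original guide: a Python check that the DHCP range entered above fits the GUEST interface subnet and does not hand out the gateway, network or broadcast address. The function name `check_guest_plan` is hypothetical; the addresses in the usage lines are the ones from this guide.

```python
import ipaddress

def check_guest_plan(interface_cidr, dhcp_start, dhcp_end):
    """Validate a DHCP pool against the interface that serves it.

    Returns (problems, pool_size). An empty problems list means the
    pool is consistent with the interface address and prefix length.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    problems = []

    if start > end:
        return ["range start is above range end"], 0

    # Both ends of the pool must sit inside the interface's subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")

    # The pool must not lease the firewall's own address to a guest.
    if start <= iface.ip <= end:
        problems.append(f"interface address {iface.ip} is inside the pool")

    # Network and broadcast addresses are not usable by clients.
    for reserved in (net.network_address, net.broadcast_address):
        if start <= reserved <= end:
            problems.append(f"reserved address {reserved} is inside the pool")

    return problems, int(end) - int(start) + 1

if __name__ == "__main__":
    # Values from this guide: GUEST interface and DHCP range.
    problems, size = check_guest_plan("10.1.0.1/18", "10.1.0.2", "10.1.63.250")
    print(f"{size} leases available, problems: {problems or 'none'}")

    # Constructed misconfiguration: same range, but a /24 typed by mistake.
    problems, _ = check_guest_plan("10.1.0.1/24", "10.1.0.2", "10.1.63.250")
    for p in problems:
        print("misconfigured:", p)
```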
RADIUS Servers
Click System > User Manager on the top menu. Under the Authentication Servers tab, click Add and configure with:
| Name | guestrad1 |
| Type | RADIUS |
| Protocol | PAP |
| Hostname | *insert radius_server here* |
| Shared Secret | *insert radius_secret here* |
| Services offered | Authentication and Accounting |
| Authentication Port | 1812 |
| Accounting Port | 1813 |
| Authentication Timeout | 5 |
| RADIUS NAS IP Attribute | GUEST - 10.1.0.1 |
Click Save, then click Add. Configure the secondary server with:
| Name | guestrad2 |
| Type | RADIUS |
| Protocol | PAP |
| Hostname | *insert radius_server2 here* |
| Shared Secret | *insert radius_secret here* |
| Services offered | Authentication and Accounting |
| Authentication Port | 1812 |
| Accounting Port | 1813 |
| Authentication Timeout | 5 |
| RADIUS NAS IP Attribute | GUEST - 10.1.0.1 |
Click Save.
Captive Portal
Click Services > Captive Portal on the top menu. Click Add and configure with:
| Zone name | guestwifi |
Click Save and Continue and configure with:
| Enable Captive Portal | Yes |
| Interface | GUEST |
| Pre-authentication URL | *insert access_url here* |
| After authentication URL | *insert redirect_url here* |
| Use custom captive portal page | Yes |
| Portal page contents | Upload this file - click here |
| Authentication Method | Use an Authentication backend |
| Authentication Server | guestrad1 |
| Secondary Authentication Server | guestrad2 |
| NAS Identifier | Enter the MAC address from the GUEST interface you noted earlier. |
| Session Timeout | Yes - Use RADIUS |
| Traffic quota | Yes - Use RADIUS |
| Per-user bandwidth restrictions | Yes - Use RADIUS |
| MAC address format | IETF |
| RADIUS | Yes - Send RADIUS accounting packets |
| Accounting Server | guestrad1 |
| Send interim updates | Interim |
Click Save. Next, click the Edit icon beside the newly created Captive Portal profile. Click the Allowed Hostnames tab and then Add. Add the required domains. Please refer to this list.
Configuration Complete
The configuration is now complete.