Welcome to Purple Support

pfSense Firewall

Open a web browser and log in to your pfSense Firewall interface.

Step 1 - Guest Interface

Click Interfaces > Assignments on the top menu.

If you do not already have an interface for guest usage, create a new interface named GUEST with the available network port.

Take note of the MAC address of this interface; you'll need it later in this configuration. Click into the GUEST interface to bring up the configuration screen. If this is an existing interface you may skip this part; otherwise configure it with:

Enable: Yes
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: None
IPv4 Address: 10.1.0.1 / 18

Click Save to save.

Step 2 - Rules

Click Firewall > Rules on the top menu. Select the GUEST interface tab.

Two rules must be created to allow pre-authentication traffic. Click the first Add button and configure with:

Action: Pass
Interface: GUEST
Address Family: IPv4
Protocol: TCP/UDP
Source: GUEST net
Destination: GUEST address
Destination Port Range: From DNS (53) to DNS (53)
Description: Allow Guest DNS

Click Save. Add another rule and configure with:

Action: Pass
Interface: GUEST
Address Family: IPv4
Protocol: Any
Source: GUEST net
Destination: Invert match - GUEST net
Destination Port Range: From DNS (53) to DNS (53)
Description: Allow Guest Traffic

Click Save.

Step 3 - DNS Resolver

Click Services > DNS Resolver on the top menu. Ensure that the DNS resolver is enabled for the Network and Outgoing Network interfaces (either the GUEST interface or All interfaces) as the guest service requires this. Save and Apply if required.

Step 4 - DHCP Server

Click Services > DHCP Server on the top menu. Under the GUEST tab, configure with:

Enable: Yes
Range: 10.1.0.2 to 10.1.63.250

Click Save.

Step 5 - RADIUS Servers

Click System > User Manager on the top menu. Under the Authentication Servers tab, click Add and configure with:

Name: guestrad1
Type: RADIUS
Protocol: PAP
Hostname: *insert radius_server here*
Shared Secret: *insert radius_secret here*
Services offered: Authentication and Accounting
Authentication Port: 1812
Accounting Port: 1813
Authentication Timeout: 5
RADIUS NAS IP Attribute: GUEST - 10.1.0.1

Click Save, then click Add. Configure with:

Name: guestrad2
Type: RADIUS
Protocol: PAP
Hostname: *insert radius_server2 here*
Shared Secret: *insert radius_secret here*
Services offered: Authentication and Accounting
Authentication Port: 1812
Accounting Port: 1813
Authentication Timeout: 5
RADIUS NAS IP Attribute: GUEST - 10.1.0.1

Click Save.

Step 6 - Captive Portal

Click Services > Captive Portal on the top menu. Click Add and configure with:

Zone name: guestwifi

Click Save and Continue and configure with:

Enable Captive Portal: Yes
Interface: GUEST
Pre-authentication URL: *insert access_url here*
After authentication URL: *insert redirect_url here*
Use custom captive portal page: Yes
Portal page contents: Upload this file - click here
Authentication Method: Use as Authentication backend
Authentication Server: guestrad1
Secondary Authentication Server: guestrad2
NAS Identifier: Enter the MAC address from the GUEST interface you noted earlier.
Session Timeout: Yes - Use RADIUS
Traffic quota: Yes - Use RADIUS
Per-user bandwidth restrictions: Yes - Use RADIUS
MAC address format: IETF
RADIUS: Yes - Send RADIUS accounting packets
Accounting Server: guest1
Send interim updates: Interim

Click Save. Next, click the Edit icon beside the newly created Captive Portal profile. Click the Allowed Hostnames tab and then Add. Add the required domains. Please refer to this list.

 

The configuration is now complete.
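
The addressing and rules from Steps 1, 2 and 4 can be checked offline before guests connect. The following Python is an added example, not part of the original guide or of pfSense: it verifies the DHCP range against the GUEST subnet and walks constructed sample flows through the two GUEST rules in first-match order. It models only those two rules (not the captive portal's own handling) and assumes the port range shown for the second rule has no effect because its Protocol is Any.

```python
import ipaddress

# Values taken from Steps 1, 2 and 4 of this guide.
GUEST_IF = ipaddress.ip_interface("10.1.0.1/18")
GUEST_NET = GUEST_IF.network
POOL_LO = ipaddress.ip_address("10.1.0.2")
POOL_HI = ipaddress.ip_address("10.1.63.250")

def check_pool():
    """Return a list of problems with the DHCP range; empty means consistent."""
    problems = []
    if POOL_LO > POOL_HI:
        problems.append("range start is above range end")
    if POOL_LO not in GUEST_NET or POOL_HI not in GUEST_NET:
        problems.append("range leaves the GUEST subnet")
    if POOL_LO <= GUEST_IF.ip <= POOL_HI:
        problems.append("range hands out the firewall's own address")
    if POOL_LO <= GUEST_NET.network_address or POOL_HI >= GUEST_NET.broadcast_address:
        problems.append("range includes the network or broadcast address")
    return problems

def pool_size():
    """Number of addresses the DHCP range can lease."""
    return int(POOL_HI) - int(POOL_LO) + 1

def evaluate(src, dst, proto, dport=None):
    """First-match walk of the two GUEST rules, then the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:  # both rules use Source = GUEST net
        return "block (default deny)"
    # Rule 1: TCP/UDP to the GUEST address on port 53.
    if proto in ("tcp", "udp") and dst == GUEST_IF.ip and dport == 53:
        return "pass (Allow Guest DNS)"
    # Rule 2: any protocol to a destination outside GUEST net (invert match).
    # Assumption: no port match applies here because Protocol is Any.
    if dst not in GUEST_NET:
        return "pass (Allow Guest Traffic)"
    return "block (default deny)"

# Constructed sample flows; 192.168.1.10 stands in for a host on another internal network.
SAMPLES = [
    ("10.1.5.20", "10.1.0.1", "udp", 53),
    ("10.1.5.20", "10.1.0.1", "tcp", 443),
    ("10.1.5.20", "198.51.100.10", "tcp", 443),
    ("10.1.5.20", "192.168.1.10", "tcp", 445),
]

if __name__ == "__main__":
    print("DHCP pool problems:", check_pool() or "none", "| leases:", pool_size())
    for flow in SAMPLES:
        print(flow, "->", evaluate(*flow))
```

The constructed 192.168.1.10 flow passes under Allow Guest Traffic, so if other internal networks sit behind this firewall, place a block rule for them above that rule.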

 
