General Discussion / Captive portal -> private LAN
« on: June 07, 2024, 11:03:40 am »
Dear Forum,
We have an extended setup in our company with many VLANs and some routers (until now NOT OPNsense).
Now my goal is to create 3 new networks, each with a captive portal. I struggled with CoovaChilli and so on (I reached the same result as described below, but the setup is really annoying), found OPNsense and now want to give it a try.
My first - testing setup is:
Internet <-> company main LAN (10.1.111.x/24 Router is 10.1.111.71) <-> OPNSENSE (10.1.111.75) <NAT> First Internal Guest LAN with captive portal (172.25.x.y/16) OPNSENSE 172.25.255.254.
What is working:
Clients get a 172.25.x.y IP and can log in without credentials (as I did not enter any server), and through the NAT I can reach the Internet and start surfing with the public IP of the 10.1.111.71 router. But I cannot reach any 10.1.111.x addresses, even though the firewall is set to allow everything and the NAT is also NATing everything (so it must be masqueraded as 10.1.111.75).
WHY this way?
This captive portal should be a 2nd authenticator after the WPA3 Enterprise certificate-based authentication to our main LAN. Users should be able to log in certificate-based to the Wi-Fi and, in the 2nd step, open a captive portal and enter their AD credentials.
Please no discussion why so and not other.
The OPNsense itself can ping 10.1.111.x addresses and do (and forward) DNS requests. But I think there are hidden security options in the captive portal that block forwarding to private IP addresses.
As I am new to OPNsense, please tell me where I can modify this, if it can be modified.
EDIT:
After disabling the captive portal there is no change. Surfing is possible; pinging into the LAN where the next hop is, is impossible.
EDIT:
Solved, it was a routing metric problem on the client devices; a WireGuard interface was interfering. THX
Thx
D
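The failure mode in the final EDIT, as an added illustration that is not part of the original post: a client that holds two routes for the office prefix, one learned on the captive-portal WLAN and one owned by a WireGuard interface with a better (lower) metric, will silently send 10.1.111.x traffic into the tunnel while the default route still works through the NAT. The routing tables, interface names (wlan0, wg0) and metrics below are constructed assumptions, not the poster's real configuration; the lookup itself follows the usual longest-prefix-then-lowest-metric rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int

def parse_routes(text: str) -> list[Route]:
    """Parse a minimal 'ip route show'-style listing (constructed input, not real output)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes

def ranked_routes(routes: list[Route], dst: str) -> list[Route]:
    """All routes covering dst, best first: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return sorted(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))

def egress_dev(routes: list[Route], dst: str) -> Optional[str]:
    """Interface the host would use for dst, or None if dst is unroutable."""
    ranked = ranked_routes(routes, dst)
    return ranked[0].dev if ranked else None

# Constructed client table: a WireGuard peer also claims the office LAN prefix,
# with a lower (better) metric than the same prefix learned on the captive-portal WLAN.
BROKEN_CLIENT = """
default via 172.25.255.254 dev wlan0 metric 600
172.25.0.0/16 dev wlan0 metric 600
10.1.111.0/24 via 172.25.255.254 dev wlan0 metric 600
10.1.111.0/24 dev wg0 metric 50
"""

# Same table after the metric fix: the WLAN path to 10.1.111.0/24 is now preferred.
FIXED_CLIENT = BROKEN_CLIENT.replace("dev wg0 metric 50", "dev wg0 metric 700")

if __name__ == "__main__":
    for name, table in (("broken", BROKEN_CLIENT), ("fixed", FIXED_CLIENT)):
        routes = parse_routes(table)
        print(name, "10.1.111.71 ->", egress_dev(routes, "10.1.111.71"),
              "| 8.8.8.8 ->", egress_dev(routes, "8.8.8.8"))
```

Running it against a real client's `ip route show` output (Linux) in place of the constructed tables shows which interface actually wins for the gateway address before touching the firewall or portal settings.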