How to Set Up a Captive Portal Using pfSense

PfSense provides an easy way to set up a captive portal for your network. Using the portal allows you to direct the users on your network to a specific web page before they are allowed to access the internet. The web page can be a simple page with instructions and terms of use, or a page that requires a username and password for authentication.

Captive portals are most commonly used for wireless hotspots. If you've ever used the wireless network at a hotel or airport then you have most likely clicked through a portal before you were able to go online. They can also be used on wired connections for business centers, internet Cafés, or your home!

Once the portal has been enabled any computer that points to the pfSense router as the gateway will be automatically redirected to the portal landing page.

Basic Portal Without Authentication

First I'm going to show you how to set up a basic portal without any authentication. Clients connecting to the network will be redirected to an HTML page of your choice. This page can display any message or image that you wish. They must click through the portal by clicking the continue button before they will be granted access to the network.

1. Enable the captive portal - To enable the portal click on captive portal which is found in the services menu of pfSense. Select the check box "Enable captive portal"

2. Select the interface - Most users will select the LAN interface. The captive portal can only run on one interface at a time and pfSense is not able to act as a reverse portal.

Enable the captive portal and select the interface it will run on.
Enable the captive portal and select the interface it will run on.

3. Upload a portal page - You must upload an HTML/PHP file to use as a landing page for clients connecting to the portal.

In the section called "Portal page contents" click the "Choose File" button and select the HTML page you want to use. When you are finished click the save button at the bottom of the page to apply the changes.

To verify that your HTML file was successfully uploaded click on the "view current page" button directly below the HTML file upload box.

Upload an HTML file to serve as the portal page.
Upload an HTML file to serve as the portal page.
If the captive portal is working users should be directed to the landing page when they first connect to the internet.
If the captive portal is working users should be directed to the landing page when they first connect to the internet.

4. Testing the Basic Portal - To make sure everything is working simply try to access a webpage from a computer on the network.

If everything is functioning correctly the browser will be redirected to the landing page. Once you click continue the browser should continue to the originally requested URL.

Troubleshooting Tips

  • If the portal page does not load verify the HTML file was uploaded correctly.
  • If the captive portal is running on a VLAN interface make sure the parent VLAN is not assigned to another interface.

When authentication is enabled users must enter a username and password to access the network.
When authentication is enabled users must enter a username and password to access the network.

Using Authentication

Another popular reason for using captive portals is to provide a system for authenticating users before they are granted access to the internet.

Users that do not have a valid username and password will not be granted access to the network.

Local Database vs Radius

The simplest way to set up authentication is to use the local user database on pfSense. If you have a lot of users to manage I would recommend using radius authentication since it is much more flexible.

You can configure the captive portal to point to a remote radius server or you could install the FreeRadius package directly on pfSense. Radius integrates well with existing authentication systems such as active directory, etc.

Initial Setup

To get started follow the steps in the previous section above to enable the captive portal and select an interface.

Modifying the HTML

In order for this to work you will need to use a slightly different HTML landing page that has username and password fields. You can check out my sample HTML page and modify it to suit your needs. Follow the instructions in step 4 of the previous section to upload the page.

For these examples I'm demonstrating pretty basic landing pages but I'll show you how to customize them later.

Enabling Authentication

To enable authentication select either local or radius authentication on the main captive portal settings page. Click on the save button to activate the changes.

Select either local or RADIUS as an authentication type.
Select either local or RADIUS as an authentication type.

Creating Local Users

If you selected local user manager as your method of authentication then you'll need to create some users. If you plan on setting up a large amount of users I would recommend using radius, LDAP, or active directory instead of the local database.

If you don't expect to set up many accounts then this option works well because it's so simple. In some cases you might want to let users share a common username and password, and that's a perfectly valid option too.

To create users in pfSense open the user manager which is found under the system menu. Then simply click on the plus symbol to create a new user.

The pfSense user manager can be used to create local accounts for the captive portal.
The pfSense user manager can be used to create local accounts for the captive portal.

Configuring the User Account

To create a simple user you only need to enter a username and password. There are a few other useful options worth checking out though.

Expiration Date - This option allows you to define a date that the account will automatically expire. So if you know the account is temporary this will save you the trouble of having to manually disable the account. If you leave this field blank the account will always be active.

Group Membership - Groups are handy for organizing your users. Groups can be assigned access to administrate certain parts of the pfSense web GUI. For the purposes of the portal groups really aren't that useful.

Setting up users is pretty straight forward.  You need a username and a password, that's it!
Setting up users is pretty straight forward. You need a username and a password, that's it!
The portal landing page can be customized with images and PHP.
The portal landing page can be customized with images and PHP.

Customizing the Portal Page

If you want to make the portal landing page look a bit nicer you can add your own images and custom PHP code.

To upload an image click on the file manager tab in the captive portal settings. In order for files to be used by the portal they must have a prefix of "captiveportal-" in the filename.

You can then reference the files using standard HTML image tags. To see an example download the HTML page with an image link I created.

Other settings and Performance Hints

On the main captive portal page there are a number of other settings you can adjust to customize how the portal functions. Below are the descriptions for some of the settings I think are useful.

Idle timeout - If a user is idle for a certain number of minutes they will be automatically disconnected. I recommend setting an idle timeout to keep resources from getting tied up on your pfSense system. You don't want to set the timeout to be too low or your users will be frustrated, even setting it to something like 8 hours will help.

Redirection URL - By default users will continue to the web page they originally requested after passing through the portal. This setting allows you to force clients to be directed to a page of your choice after connecting. Users can then enter a new URL and browse the web normally.

Concurrent user logins - Enabling this setting will allow only one connection to the portal per user. This will prevent users from making multiple connections using the same username and password.

Improving Performance

If you are running a captive portal system then you are most likely sharing a single internet connection with multiple users. If so then I recommend configuring pfSense to act as a transparent proxy server to conserve internet bandwidth.

You might also want to consider setting up traffic shaping to further improve the performance of your shared connection. Traffic shaping can prevent users downloading files from abusing the bandwidth.

© 2011 Sam Kear

More by this Author

Comments 18 comments

Gean Paul Tura profile image

Gean Paul Tura 5 years ago from Philippines

Another useful hub coming from a Pfsense expert! This is very useful especially when setting up a wireless service for Internet cafe's! I'm so happy your a part of the hub pages community! Good job Sam keep it up!

skear profile image

skear 5 years ago from Kansas City Author

Paul, Thank you for the positive comments and encouragement! There are more pfSense articles coming in the near future.

Kevin Wong 5 years ago

Thanks for the info. One question: is it possible to have the landing page to redirect to a sign up/login page served by a separate web server (accessible before login of course)? After the sign up process, it just somehow logged in automatically by redirecting to some local page?

skear profile image

skear 5 years ago from Kansas City Author

Hey Kevin,

Yes, you can have users be directed to a separate page for authentication if you wish. Basically you will need to configure the Pre-Auth URL setting and setup a portal exception for the website.

There is a post on the pfSense forums that goes into a bit more detail of the steps to do this.

Kevin Wong 5 years ago

Thanks for your pointers. However, it seems to be that whenever I put something as Pre-Auth URL, pfsense replaces the original request URL with Pre-Auth URL in $PORTAL_REDIRECT$. Does it mean that I can't send the client to its original request URL after my custom authentication?

oki 2 years ago

I have the captive portal working with radius authentication.Can I protect an ftp server on the intranet network that use that captive portal? thank you dude

soulou 2 years ago

Hi Skear, I remerci you for the tutorial you did. I use pfsense to manage my network and I would like that I can access pfsense outside my network since the weekend, I would like to monitor my network from my house for example.

Thank you in advance for your answer.

Best regards.

kouloud 2 years ago

Hi Skear, i followed all the steps of this tutorial to configure a captive portal with authentification . From LAN, when i try to accede to internet, my HTML page appears, but when i set my login and my password , it take s me to an error page and refuses to authentificate. i can't understand the raison of my problem comes.

Angeltech2014 2 years ago

Hello Sir any idea how to add user management that can add remove or update accounts for Hotspot without entering to main pfsense interface?

I'm thinking of separate software that utilize database of users in pfsense.

Djmax Mv profile image

Djmax Mv 2 years ago from Hermosillo, Sonora

Hi can i have a remot hotspot whit captive portal. like the servre in my office whit AP and take a second AP to my house and have the same captive portal connected remotly but use my house internet.

and use the same user and password.

sorryfor my english not my first lenguage

Sekrit Skworl 18 months ago

PLEAAAASE create a YouTube video on the topic!!!

There are NO YouTube video with English spoken instructions on the matter.

Thank You for your consideration.

nana 15 months ago

very useful. thanks

Tom VDV 5 months ago

Have been searching the web for hours, glad to have come across this tutorial. Great. Will need to set up a captive portal for guest WIFI network in my B&B. However, I'd prefer to do this on Apple equipment, but can't seem to find anything that'll work. Any advice?

Vivek 2 months ago

Hello good guys ,

Firstly, thanks to all here for contributing the knowledge. Its been great to see you all sharing valuable knowledge here.

Secondly, I am running a captiveportal on my network LAN, I am connecting android devices to the network via a wifi router ( it has DHCP redirect set to my pfsense machine)

As soon as I connect device to the network, the login page does not appear,

I have to manually open the browser and try to open a website in order to get logged-in.

Is there a way, that once a android client is connecting to wifi network, the browser is automatically opened to login page.? Please help.


How can ad on sms feature in hot spot

David 6 weeks ago

Greetings Sam,

I believe I am nearly done with my setup. Your detailed tutorials have been instrumental in my success. I have one final hurdle.

I have 2 workstations and 11 to 13 users at any given time using either machine. Each user has been assigned to a group in the User Manager on the pfSense Server.

How might I monitor the users' individual web activity?

skear profile image

skear 6 weeks ago from Kansas City Author


To monitor their usage you'll probably want to implement a proxy server. With pfSense you can enable a Squid Proxy in transparent mode which will give you the added benefits of a caching proxy server and logs of the URLs being accessed.

Since most sites now use HTTPS you may also want to consider configuring decryption otherwise you will not be able to monitor the HTTPS traffic.

David 5 weeks ago

Thank you for the speedy response! That was just the solution I needed! A thank you is simply not enough. May I buy you a beer, or a coffee? Please point me to your donation page.

I volunteered to build the network (my very first of which will not affect my GPA) for a non-profit using donated computers and on a shoestring budget. In less than 24 from now, we will go live!

Your tutorials are excellent! Great work!

    Sign in or sign up and post using a HubPages Network account.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.

    Click to Rate This Article