Sam works as a network analyst for an algorithmic trading firm. He obtained his bachelor's degree in information technology from UMKC.
What Does pfSense Do?
Captive portals are most commonly used for wireless hotspots. If you've ever used the wireless network at a hotel or airport then you have most likely clicked through a portal before you were able to go online. They can also be used on wired connections for business centers, internet cafés, or your home!
Once the portal has been enabled any computer that points to the pfSense router as the gateway will be automatically redirected to the portal landing page.
How to Set Up a Basic Portal Without Authentication
First I'm going to show you how to set up a basic portal without any authentication. Clients connecting to the network will be redirected to an HTML page of your choice. This page can display any message or image that you wish. They must click through the portal by clicking the continue button before they will be granted access to the network.
1. Enable the captive portal: To enable the portal click on captive portal which is found in the services menu of pfSense. Select the check box "Enable captive portal"
2. Select the interface: Most users will select the LAN interface. The captive portal can only run on one interface at a time and pfSense is not able to act as a reverse portal.
3. Upload a portal page: You must upload an HTML/PHP file to use as a landing page for clients connecting to the portal.
In the section called "Portal page contents" click the "Choose File" button and select the HTML page you want to use. When you are finished click the save button at the bottom of the page to apply the changes.
To verify that your HTML file was successfully uploaded click on the "view current page" button directly below the HTML file upload box.
4. Test the basic portal: To make sure everything is working simply try to access a webpage from a computer on the network.
If everything is functioning correctly the browser will be redirected to the landing page. Once you click continue the browser should continue to the originally requested URL.
- If the portal page does not load verify the HTML file was uploaded correctly.
- If the captive portal is running on a VLAN interface make sure the parent VLAN is not assigned to another interface.
Another popular reason for using captive portals is to provide a system for authenticating users before they are granted access to the internet.
Users that do not have a valid username and password will not be granted access to the network.
Local Database vs Radius
The simplest way to set up authentication is to use the local user database on pfSense. If you have a lot of users to manage I would recommend using radius authentication since it is much more flexible.
You can configure the captive portal to point to a remote radius server or you could install the FreeRadius package directly on pfSense. Radius integrates well with existing authentication systems such as active directory, etc.
To get started follow the steps in the previous section above to enable the captive portal and select an interface.
Modifying the HTML
In order for this to work you will need to use a slightly different HTML landing page that has username and password fields. You can check out my sample HTML page and modify it to suit your needs. Follow the instructions in step 4 of the previous section to upload the page.
For these examples I'm demonstrating pretty basic landing pages but I'll show you how to customize them later.
To enable authentication select either local or radius authentication on the main captive portal settings page. Click on the save button to activate the changes.
Creating Local Users
If you selected local user manager as your method of authentication then you'll need to create some users. If you plan on setting up a large amount of users I would recommend using radius, LDAP, or active directory instead of the local database.
If you don't expect to set up many accounts then this option works well because it's so simple. In some cases you might want to let users share a common username and password, and that's a perfectly valid option too.
To create users in pfSense open the user manager which is found under the system menu. Then simply click on the plus symbol to create a new user.
Configuring the User Account
To create a simple user you only need to enter a username and password. There are a few other useful options worth checking out though.
- Expiration Date: This option allows you to define a date that the account will automatically expire. So if you know the account is temporary this will save you the trouble of having to manually disable the account. If you leave this field blank the account will always be active.
- Group Membership: Groups are handy for organizing your users. Groups can be assigned access to administrate certain parts of the pfSense web GUI. For the purposes of the portal groups really aren't that useful.
How to Customize the Portal Page
If you want to make the portal landing page look a bit nicer you can add your own images and custom PHP code.
To upload an image click on the file manager tab in the captive portal settings. In order for files to be used by the portal they must have a prefix of "captiveportal-" in the filename.
You can then reference the files using standard HTML image tags. To see an example download the HTML page with an image link I created below.
Other Settings and Performance Hints
On the main captive portal page there are a number of other settings you can adjust to customize how the portal functions. Below are the descriptions for some of the settings I think are useful.
- Idle timeout: If a user is idle for a certain number of minutes they will be automatically disconnected. I recommend setting an idle timeout to keep resources from getting tied up on your pfSense system. You don't want to set the timeout to be too low or your users will be frustrated, even setting it to something like 8 hours will help.
- Redirection URL: By default users will continue to the web page they originally requested after passing through the portal. This setting allows you to force clients to be directed to a page of your choice after connecting. Users can then enter a new URL and browse the web normally.
- Concurrent user logins: Enabling this setting will allow only one connection to the portal per user. This will prevent users from making multiple connections using the same username and password.
If you are running a captive portal system then you are most likely sharing a single internet connection with multiple users. If so then I recommend configuring pfSense to act as a transparent proxy server to conserve internet bandwidth.
You might also want to consider setting up traffic shaping to further improve the performance of your shared connection. Traffic shaping can prevent users downloading files from abusing the bandwidth.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2011 Sam Kear
Waruna Kuruppu on February 05, 2020:
We have configured a captive portal for coworking users.
I need to allow users to check their quota usage using their Pfsense user portal.
Is it possible to do this with Pfsense?
Kenny Hendrick on January 10, 2019:
Can pfsense's captive portal work without the internet? I would like to create a new free connection to the immediate neighbors but not have any connections to the internet. Can this be done? (*basically I'd like to form a private network that is free to anyone passing by or living in the area).
G on June 27, 2018:
HOW TO AUTO DELETE USED WIFI CODES ?? is there any possible way?
cloud on December 18, 2017:
hi i have a problem with my configuration in pfsense because every time i configure my router at first it needs voucher but once you put a voucher all gadgets now can connect freely please help me thanks
Miner 36 on October 21, 2017:
how can you disable it?
Pipat Eamsherangkoon on October 06, 2017:
Has anyone integrate pfsense captive portal with Fidelio (Opera) for hotel Wifi Service? I am using mainly vouchers for hotel guests but would like to use automatic generation of Room/Lastname login/password from Opera for customer's convenience.
Anita Yadav on September 11, 2017:
I am new for Pfsense just want to know that what is the futures available in Pfsense...........
Koffi NASSAR on July 28, 2017:
How can I set up https access to pfsense captive portal for customers
laert on June 15, 2017:
Hi, i am trying to configure a captive portal on a vmware, but it does not work , and i think the problem is because the DHCP is not enabled. how can i enable it on pfsense 2.3.4?
divneet on May 21, 2017:
I'm trying to configure authentication with ldap but when i authenticate with the via the diagnostic option i don't a get a group to name to it , I'm unable to figure it . A little help would be appreciated
Leonardo R Silva on May 09, 2017:
Hello, guys !!
I'm current using PFSense to authenticate the user in the network but I still have a problem:
I have been spending a lot of time trying to use the pre-authentication method but without success.
I checked this post here from the PFSense forum https://forum.pfsense.org/index.php?topic=34148.0 and I'm not able to make it works yet.
There is someone how was able to use pre-auth?
Thanks a lot !!
Nahuel on April 13, 2017:
Hello, Thanks you! Nice post! I have a question. Its posible to authenticate using oauth protocol? You know any other product to do it? o to append to pfsense?
ahmet mecid on April 05, 2017:
Hello there; Can I run a radius server on different interfaces in PFSense? Should I add a code to index.php in the captive portal file?
Gs850L on March 25, 2017:
I uploaded a user name/password page for captive portal, and used the file manager to upload the background image but the background image doesn't show when I click "view current page".
This is the code I used for the background "body background="captiveportal-recovery_homes_background.jpg"
Prabhav Kudalkar on January 11, 2017:
This information was very useful for me.But just wanted to know something more on this. What if the user are connected through pfSense login page,and disconnected in few min..(for example:i am logged in , and some how i just disconnected through portal due to network problem ,and tried again after i receive the network again, am not able to reconnect fast.Any solution for this?? why this happens and how to over come this problem?) is there any mistake/ problem with pfSence portal..???
David on September 15, 2016:
Thank you for the speedy response! That was just the solution I needed! A thank you is simply not enough. May I buy you a beer, or a coffee? Please point me to your donation page.
I volunteered to build the network (my very first of which will not affect my GPA) for a non-profit using donated computers and on a shoestring budget. In less than 24 from now, we will go live!
Your tutorials are excellent! Great work!
Sam Kear (author) from Kansas City on September 15, 2016:
To monitor their usage you'll probably want to implement a proxy server. With pfSense you can enable a Squid Proxy in transparent mode which will give you the added benefits of a caching proxy server and logs of the URLs being accessed.
Since most sites now use HTTPS you may also want to consider configuring decryption otherwise you will not be able to monitor the HTTPS traffic.
David on September 14, 2016:
I believe I am nearly done with my setup. Your detailed tutorials have been instrumental in my success. I have one final hurdle.
I have 2 workstations and 11 to 13 users at any given time using either machine. Each user has been assigned to a group in the User Manager on the pfSense Server.
How might I monitor the users' individual web activity?
INDRASEN SRIVASTAVA on September 01, 2016:
How can ad on sms feature in hot spot
Vivek on August 26, 2016:
Hello good guys ,
Firstly, thanks to all here for contributing the knowledge. Its been great to see you all sharing valuable knowledge here.
Secondly, I am running a captiveportal on my network LAN, I am connecting android devices to the network via a wifi router ( it has DHCP redirect set to my pfsense machine)
As soon as I connect device to the network, the login page does not appear,
I have to manually open the browser and try to open a website in order to get logged-in.
Is there a way, that once a android client is connecting to wifi network, the browser is automatically opened to login page.? Please help.
Tom VDV on May 08, 2016:
Have been searching the web for hours, glad to have come across this tutorial. Great. Will need to set up a captive portal for guest WIFI network in my B&B. However, I'd prefer to do this on Apple equipment, but can't seem to find anything that'll work. Any advice?
nana on July 21, 2015:
very useful. thanks
Sekrit Skworl on April 10, 2015:
PLEAAAASE create a YouTube video on the topic!!!
There are NO YouTube video with English spoken instructions on the matter.
Thank You for your consideration.
Djmax Mv from Hermosillo, Sonora on October 21, 2014:
Hi can i have a remot hotspot whit captive portal. like the servre in my office whit AP and take a second AP to my house and have the same captive portal connected remotly but use my house internet.
and use the same user and password.
sorryfor my english not my first lenguage
Angeltech2014 on September 04, 2014:
Hello Sir any idea how to add user management that can add remove or update accounts for Hotspot without entering to main pfsense interface?
I'm thinking of separate software that utilize database of users in pfsense.
kouloud on August 21, 2014:
Hi Skear, i followed all the steps of this tutorial to configure a captive portal with authentification . From LAN, when i try to accede to internet, my HTML page appears, but when i set my login and my password , it take s me to an error page and refuses to authentificate. i can't understand the raison of my problem comes.
soulou on August 20, 2014:
Hi Skear, I remerci you for the tutorial you did. I use pfsense to manage my network and I would like that I can access pfsense outside my network since the weekend, I would like to monitor my network from my house for example.
Thank you in advance for your answer.
oki on March 04, 2014:
I have the captive portal working with radius authentication.Can I protect an ftp server on the intranet network that use that captive portal? thank you dude
Kevin Wong on October 05, 2011:
Thanks for your pointers. However, it seems to be that whenever I put something as Pre-Auth URL, pfsense replaces the original request URL with Pre-Auth URL in $PORTAL_REDIRECT$. Does it mean that I can't send the client to its original request URL after my custom authentication?
Sam Kear (author) from Kansas City on September 15, 2011:
Yes, you can have users be directed to a separate page for authentication if you wish. Basically you will need to configure the Pre-Auth URL setting and setup a portal exception for the website.
There is a post on the pfSense forums that goes into a bit more detail of the steps to do this.
Kevin Wong on September 13, 2011:
Thanks for the info. One question: is it possible to have the landing page to redirect to a sign up/login page served by a separate web server (accessible before login of course)? After the sign up process, it just somehow logged in automatically by redirecting to some local page?
Sam Kear (author) from Kansas City on September 03, 2011:
Paul, Thank you for the positive comments and encouragement! There are more pfSense articles coming in the near future.
Gean Paul Tura from Philippines on September 03, 2011:
Another useful hub coming from a Pfsense expert! This is very useful especially when setting up a wireless service for Internet cafe's! I'm so happy your a part of the hub pages community! Good job Sam keep it up!