How to Set Up a Captive Portal Using pfSense

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's degree in Information Technology from UMKC.

pfSense provides an easy way to set up a captive portal for your network. Using the portal allows you to direct the users on your network to a specific web page before they are allowed to access the internet. The web page can be a simple page with instructions and terms of use, or a page that requires a username and password for authentication.

Captive portals are most commonly used for wireless hotspots. If you've ever used the wireless network at a hotel or airport, then you have most likely clicked through a portal before you were able to go online. They can also be used on wired connections for business centers, internet cafés, or your home!

Once the portal has been enabled, any computer that points to the pfSense router as the gateway will be automatically redirected to the portal landing page.

Basic Portal Without Authentication

First I'm going to show you how to set up a basic portal without any authentication. Clients connecting to the network will be redirected to an HTML page of your choice. This page can display any message or image that you wish. They must click through the portal by clicking the continue button before they will be granted access to the network.

1. Enable the captive portal - To enable the portal, click on "Captive Portal", which is found in the Services menu of pfSense. Select the check box "Enable captive portal".

2. Select the interface - Most users will select the LAN interface. The captive portal can only run on one interface at a time and pfSense is not able to act as a reverse portal.

Enable the captive portal and select the interface it will run on.

3. Upload a portal page - You must upload an HTML/PHP file to use as a landing page for clients connecting to the portal.

In the section called "Portal page contents" click the "Choose File" button and select the HTML page you want to use. When you are finished click the save button at the bottom of the page to apply the changes.

To verify that your HTML file was successfully uploaded click on the "view current page" button directly below the HTML file upload box.

Upload an HTML file to serve as the portal page.

4. Testing the Basic Portal - To make sure everything is working simply try to access a webpage from a computer on the network.

If everything is functioning correctly the browser will be redirected to the landing page. Once you click continue the browser should continue to the originally requested URL.

Troubleshooting Tips

  • If the portal page does not load verify the HTML file was uploaded correctly.
  • If the captive portal is running on a VLAN interface make sure the parent VLAN is not assigned to another interface.

If the captive portal is working users should be directed to the landing page when they first connect to the internet.

Using Authentication

Another popular reason for using captive portals is to provide a system for authenticating users before they are granted access to the internet.

Users that do not have a valid username and password will not be granted access to the network.

Local Database vs RADIUS

The simplest way to set up authentication is to use the local user database on pfSense. If you have a lot of users to manage, I would recommend using RADIUS authentication since it is much more flexible.

You can configure the captive portal to point to a remote RADIUS server, or you could install the FreeRadius package directly on pfSense. RADIUS integrates well with existing authentication systems such as Active Directory.

Initial Setup

To get started follow the steps in the previous section above to enable the captive portal and select an interface.

Modifying the HTML

In order for this to work you will need to use a slightly different HTML landing page that has username and password fields. You can check out my sample HTML page and modify it to suit your needs. Follow the instructions in step 4 of the previous section to upload the page.

For these examples I'm demonstrating pretty basic landing pages but I'll show you how to customize them later.

Enabling Authentication

To enable authentication, select either local or RADIUS authentication on the main captive portal settings page. Click on the save button to activate the changes.

When authentication is enabled users must enter a username and password to access the network.

Creating Local Users

If you selected the local user manager as your method of authentication, then you'll need to create some users. If you plan on setting up a large number of users, I would recommend using RADIUS, LDAP, or Active Directory instead of the local database.

If you don't expect to set up many accounts then this option works well because it's so simple. In some cases you might want to let users share a common username and password, and that's a perfectly valid option too.

To create users in pfSense open the user manager which is found under the system menu. Then simply click on the plus symbol to create a new user.

Select either local or RADIUS as an authentication type.
The pfSense user manager can be used to create local accounts for the captive portal.

Configuring the User Account

To create a simple user you only need to enter a username and password. There are a few other useful options worth checking out though.

Expiration Date - This option allows you to define a date that the account will automatically expire. So if you know the account is temporary this will save you the trouble of having to manually disable the account. If you leave this field blank the account will always be active.

Group Membership - Groups are handy for organizing your users. Groups can be assigned access to administrate certain parts of the pfSense web GUI. For the purposes of the portal groups really aren't that useful.

Setting up users is pretty straightforward. You need a username and a password, that's it!

Customizing the Portal Page

If you want to make the portal landing page look a bit nicer you can add your own images and custom PHP code.

To upload an image click on the file manager tab in the captive portal settings. In order for files to be used by the portal they must have a prefix of "captiveportal-" in the filename.

You can then reference the files using standard HTML image tags. To see an example download the HTML page with an image link I created below.

The portal landing page can be customized with images and PHP.
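
The requirements from the sections above (a form the portal can process, username and password fields when authentication is enabled, and the "captiveportal-" prefix on uploaded files) can be checked before a page is uploaded. The following is an added example, not the author's sample page or pfSense code; the sample page is constructed, and the placeholder and field names ($PORTAL_ACTION$, $PORTAL_ZONE$, redirurl, accept, auth_user, auth_pass) are assumed from pfSense's documented portal form.

```python
from html.parser import HTMLParser

# Constructed sample login page (not the author's file). Placeholder and field
# names are assumed from pfSense's documented portal form; confirm them against
# the help text on your version's captive portal settings page.
SAMPLE_PAGE = """<html><body>
<img src="captiveportal-logo.png" alt="logo">
<img src="banner.png" alt="banner">
<form method="post" action="$PORTAL_ACTION$">
  <input name="auth_user" type="text">
  <input name="auth_pass" type="password">
  <input name="redirurl" type="hidden" value="$PORTAL_REDIRECT$">
  <input name="zone" type="hidden" value="$PORTAL_ZONE$">
  <input name="accept" type="submit" value="Continue">
</form>
</body></html>"""


class _PortalPage(HTMLParser):
    """Collects form actions, named inputs and locally referenced files."""

    def __init__(self):
        super().__init__()
        self.actions, self.inputs, self.files = [], {}, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = a
        # <img src=...> and <body background=...>; absolute URLs are skipped.
        for attr in ("src", "background"):
            ref = a.get(attr, "")
            if ref and "//" not in ref:
                self.files.append(ref)


def check_portal_page(html, require_auth=False):
    """Return a list of problems found in a portal page before upload."""
    page = _PortalPage()
    page.feed(html)
    problems = []
    # A hard-coded action URL bypasses the address pfSense substitutes in.
    if "$PORTAL_ACTION$" not in page.actions:
        problems.append("no form posts to $PORTAL_ACTION$")
    if page.inputs.get("redirurl", {}).get("value") != "$PORTAL_REDIRECT$":
        problems.append("missing hidden redirurl field set to $PORTAL_REDIRECT$")
    if page.inputs.get("accept", {}).get("type", "").lower() != "submit":
        problems.append("missing submit button named accept")
    if require_auth:
        if "auth_user" not in page.inputs:
            problems.append("missing auth_user field")
        # type=password keeps the browser from echoing the password on screen.
        if page.inputs.get("auth_pass", {}).get("type", "").lower() != "password":
            problems.append("auth_pass must be an input of type password")
    for ref in page.files:
        name = ref.rsplit("/", 1)[-1]
        if not name.startswith("captiveportal-"):
            problems.append(f"file '{name}' needs the 'captiveportal-' prefix")
    return problems


if __name__ == "__main__":
    for problem in check_portal_page(SAMPLE_PAGE, require_auth=True):
        print("PROBLEM:", problem)
```

The sample page deliberately references one image without the prefix so the check has something to report.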

Other settings and Performance Hints

On the main captive portal page there are a number of other settings you can adjust to customize how the portal functions. Below are the descriptions for some of the settings I think are useful.

Idle timeout - If a user is idle for a certain number of minutes they will be automatically disconnected. I recommend setting an idle timeout to keep resources from getting tied up on your pfSense system. You don't want to set the timeout too low or your users will be frustrated; even setting it to something like 8 hours will help.

Redirection URL - By default users will continue to the web page they originally requested after passing through the portal. This setting allows you to force clients to be directed to a page of your choice after connecting. Users can then enter a new URL and browse the web normally.

Concurrent user logins - Enabling this setting will allow only one connection to the portal per user. This will prevent users from making multiple connections using the same username and password.

Improving Performance

If you are running a captive portal system then you are most likely sharing a single internet connection with multiple users. If so then I recommend configuring pfSense to act as a transparent proxy server to conserve internet bandwidth.

You might also want to consider setting up traffic shaping to further improve the performance of your shared connection. Traffic shaping can prevent users downloading files from abusing the bandwidth.


© 2011 Sam Kear


    • profile image

      Waruna Kuruppu 

      5 months ago


      We have configured a captive portal for coworking users.

      I need to allow users to check their quota usage using their Pfsense user portal.

      Is it possible to do this with Pfsense?

      Please advise?



    • profile image

      Kenny Hendrick 

      18 months ago

      Can pfsense's captive portal work without the internet? I would like to create a new free connection to the immediate neighbors but not have any connections to the internet. Can this be done? (*basically I'd like to form a private network that is free to anyone passing by or living in the area).

    • profile image

      2 years ago

      HOW TO AUTO DELETE USED WIFI CODES ?? is there any possible way?

    • profile image


      2 years ago

      Hi, I have a problem with my configuration in pfSense, because every time I configure my router, at first it needs a voucher, but once you put in a voucher all gadgets can now connect freely. Please help me, thanks.

    • profile image

      Miner 36 

      2 years ago

      how can you disable it?

    • profile image

      Pipat Eamsherangkoon 

      2 years ago

      Has anyone integrated the pfSense captive portal with Fidelio (Opera) for hotel WiFi service? I am using mainly vouchers for hotel guests but would like to use automatic generation of Room/Lastname login/password from Opera for customers' convenience.

    • profile image

      Anita Yadav 

      2 years ago

      I am new to pfSense and just want to know what features are available in pfSense...

    • profile image

      Koffi NASSAR 

      2 years ago

      How can I set up HTTPS access to the pfSense captive portal for customers?

    • profile image


      3 years ago

      Hi, I am trying to configure a captive portal on VMware, but it does not work, and I think the problem is that DHCP is not enabled. How can I enable it on pfSense 2.3.4?

    • profile image


      3 years ago

      I'm trying to configure authentication with LDAP, but when I authenticate via the diagnostic option I don't get a group name for it. I'm unable to figure it out. A little help would be appreciated.

    • profile image

      Leonardo R Silva 

      3 years ago

      Hello, guys !!

      I'm currently using pfSense to authenticate the user in the network but I still have a problem:

      I have been spending a lot of time trying to use the pre-authentication method but without success.

      I checked this post here from the pfSense forum and I'm not able to make it work yet.

      Is there someone who was able to use pre-auth?

      Thanks a lot !!

    • profile image


      3 years ago

      Hello, thank you! Nice post! I have a question. Is it possible to authenticate using the OAuth protocol? Do you know any other product to do it, or to append to pfSense?

    • profile image

      ahmet mecid 

      3 years ago

      Hello there; Can I run a radius server on different interfaces in PFSense? Should I add a code to index.php in the captive portal file?

    • profile image


      3 years ago


      I uploaded a user name/password page for captive portal, and used the file manager to upload the background image but the background image doesn't show when I click "view current page".

      This is the code I used for the background "body background="captiveportal-recovery_homes_background.jpg"

      Thank you

    • profile image

      Prabhav Kudalkar 

      3 years ago

      This information was very useful for me. But I just wanted to know something more on this. What if the users are connected through the pfSense login page and get disconnected in a few minutes? (For example: I am logged in, and somehow I just get disconnected from the portal due to a network problem, and when I try again after I receive the network again, I am not able to reconnect fast. Any solution for this? Why does this happen and how can I overcome this problem?) Is there any mistake/problem with the pfSense portal?

      please help....

      Sam Kear

    • profile image


      3 years ago

      Thank you for the speedy response! That was just the solution I needed! A thank you is simply not enough. May I buy you a beer, or a coffee? Please point me to your donation page.

      I volunteered to build the network (my very first of which will not affect my GPA) for a non-profit using donated computers and on a shoestring budget. In less than 24 from now, we will go live!

      Your tutorials are excellent! Great work!

    • skear profile imageAUTHOR

      Sam Kear 

      3 years ago from Kansas City


      To monitor their usage you'll probably want to implement a proxy server. With pfSense you can enable a Squid Proxy in transparent mode which will give you the added benefits of a caching proxy server and logs of the URLs being accessed.

      Since most sites now use HTTPS you may also want to consider configuring decryption otherwise you will not be able to monitor the HTTPS traffic.

    • profile image


      3 years ago

      Greetings Sam,

      I believe I am nearly done with my setup. Your detailed tutorials have been instrumental in my success. I have one final hurdle.

      I have 2 workstations and 11 to 13 users at any given time using either machine. Each user has been assigned to a group in the User Manager on the pfSense Server.

      How might I monitor the users' individual web activity?

    • profile image


      3 years ago

      How can I add an SMS feature to the hotspot?

    • profile image


      3 years ago

      Hello good guys,

      Firstly, thanks to all here for contributing the knowledge. It's been great to see you all sharing valuable knowledge here.

      Secondly, I am running a captive portal on my network LAN. I am connecting Android devices to the network via a WiFi router (it has DHCP redirect set to my pfSense machine).

      As soon as I connect a device to the network, the login page does not appear.

      I have to manually open the browser and try to open a website in order to get logged in.

      Is there a way that, once an Android client connects to the WiFi network, the browser is automatically opened to the login page? Please help.

    • profile image

      Tom VDV 

      4 years ago

      Have been searching the web for hours, glad to have come across this tutorial. Great. Will need to set up a captive portal for guest WIFI network in my B&B. However, I'd prefer to do this on Apple equipment, but can't seem to find anything that'll work. Any advice?

    • profile image


      4 years ago

      very useful. thanks

    • profile image

      Sekrit Skworl 

      5 years ago

      PLEAAAASE create a YouTube video on the topic!!!

      There are NO YouTube videos with English spoken instructions on the matter.

      Thank You for your consideration.

    • Djmax Mv profile image

      Djmax Mv 

      5 years ago from Hermosillo, Sonora

      Hi, can I have a remote hotspot with a captive portal? Like the server in my office with an AP, and take a second AP to my house and have the same captive portal connected remotely but use my house internet,

      and use the same user and password.

      Sorry for my English, it's not my first language.

    • profile image


      5 years ago

      Hello Sir, any idea how to add user management that can add, remove or update accounts for the hotspot without entering the main pfSense interface?

      I'm thinking of separate software that utilize database of users in pfsense.

    • profile image


      5 years ago

      Hi Skear, I followed all the steps of this tutorial to configure a captive portal with authentication. From the LAN, when I try to access the internet, my HTML page appears, but when I enter my login and my password, it takes me to an error page and refuses to authenticate. I can't understand where my problem comes from.

    • profile image


      5 years ago

      Hi Skear, I thank you for the tutorial you did. I use pfSense to manage my network and I would like to be able to access pfSense from outside my network on the weekend; I would like to monitor my network from my house, for example.

      Thank you in advance for your answer.

      Best regards.

    • profile image


      6 years ago

      I have the captive portal working with RADIUS authentication. Can I protect an FTP server on the intranet network that uses that captive portal? Thank you, dude.

    • profile image

      Kevin Wong 

      8 years ago

      Thanks for your pointers. However, it seems to be that whenever I put something as Pre-Auth URL, pfsense replaces the original request URL with Pre-Auth URL in $PORTAL_REDIRECT$. Does it mean that I can't send the client to its original request URL after my custom authentication?

    • skear profile imageAUTHOR

      Sam Kear 

      8 years ago from Kansas City

      Hey Kevin,

      Yes, you can have users be directed to a separate page for authentication if you wish. Basically you will need to configure the Pre-Auth URL setting and setup a portal exception for the website.

      There is a post on the pfSense forums that goes into a bit more detail of the steps to do this.

    • profile image

      Kevin Wong 

      8 years ago

      Thanks for the info. One question: is it possible to have the landing page to redirect to a sign up/login page served by a separate web server (accessible before login of course)? After the sign up process, it just somehow logged in automatically by redirecting to some local page?

    • skear profile imageAUTHOR

      Sam Kear 

      8 years ago from Kansas City

      Paul, Thank you for the positive comments and encouragement! There are more pfSense articles coming in the near future.

    • Gean Paul Tura profile image

      Gean Paul Tura 

      8 years ago from Philippines

      Another useful hub coming from a pfSense expert! This is very useful especially when setting up a wireless service for Internet cafes! I'm so happy you're a part of the hub pages community! Good job Sam, keep it up!

