pfSense Captive Portal - Guest Access and Authentication

Captive Portal in pfSense intercepts HTTP requests from clients on a designated interface and redirects them to an authentication page before granting network access. The mechanism operates at the firewall level: until a client successfully authenticates, all traffic is blocked by pf rules except for explicitly allowed addresses and hostnames. Upon successful authentication, the client’s IP and MAC addresses are added to the allowed table, and traffic flows according to configured bandwidth restrictions.

Common Captive Portal deployment scenarios include guest networks in hotels and airports, public Wi-Fi hotspots in cafes and coworking spaces, corporate networks requiring mandatory user authentication, and educational institutions enforcing student access controls. Each scenario typically requires a dedicated zone with its own authentication parameters, timeout values, and traffic limitations.

pfSense supports multiple concurrent Captive Portal zones, each bound to one or more network interfaces. A single interface can belong to only one zone. Zones are fully isolated from each other: each maintains its own authentication configuration, portal page, set of allowed addresses, and session management parameters. Note that Captive Portal is incompatible with IPv6 and does not support reverse portal operation for authenticating inbound traffic from the internet.

In This Section

  • Captive Portal Setup - creating zones, authentication methods, portal customization, bandwidth limits, MAC passthrough, and troubleshooting