Captive Portal

The Captive Portal function in pfSense allows you to secure a network by requiring a username and password (or just a click through), entered on a portal page.

If you are using authentication, this can be performed using pfSense's built-in user management, or an external authentication server such as a RADIUS server.

The best source of captive portal information is the pfSense book.

There are several tabs available for the captive portal setup, each described below:

Captive Portal Tab

General management of captive portal setup and authentication. Each option is described in detail on the page.

Pass-Through MAC Tab

Allows you to manage a list of MAC addresses which are allowed to bypass the portal.

When specified by MAC address in this way, the client's IP address may change and they will still be allowed through. However, the client will still be disconnected after the captive portal timeout period has elapsed.

Allowed IP addresses

Allows you to manage a list of IP addresses which can either:

  • Always connect from behind the portal (clients)
  • Always allow clients to reach an IP address (external servers)

These IP addresses will bypass the portal authentication in the direction specified.


One-time use portal access codes, described in more detail in: Captive Portal Vouchers.

File Manager

Lets you manage the files which can be used to make up the contents of the captive portal authentication/click-through page.


On pfSense 2.1, Captive Portal zones allow for the creation of separate, independent portals that operate on one or more separate interfaces. For example, there could be a zone for Wireless and a zone for Wired. Each zone has a completely isolated set of pages, configuration, users, etc.

One zone may be used by multiple interfaces, but only one zone may be used per interface.