Step-by-step instructions on how to set up a captive portal based on Cloudi-Fi routing tunnels (an IPsec tunnel from pfSense to Cloudi-Fi) for guest user authentication.
1. Get the required Cloudi-Fi information
Go to your Cloudi-Fi administration interface and get the VPN ID and VPN key that will be used to create the IPsec tunnel. Treat the VPN key as a secret: it is the IKE pre-shared key for this tunnel.
- Go to the Location menu
- Select a location
- Click on Edit Location
2. Networking
Create a VLAN interface
Go to Interfaces > VLANs and add a new one.
- Parent interface: LAN interface (or a dedicated interface for the guests)
- VLAN tag: 10, for example
- Priority: 0 by default
- Description: VLAN interface for the guests
Interface assignment
Go to Interfaces > Assignments, add the new VLAN interface and open it.
General Configuration
- Check "Enable interface"
- Description: give it a name (VPN Guest, for example)
- IPv4 Configuration Type: Static IPv4
Static IPv4 Configuration
- We choose the 192.168.5.0/24 subnet for the guests
- IPv4 Address: 192.168.5.1/24
- IPv4 Upstream gateway: None (this is an internal interface; selecting a gateway here would make pfSense treat it as a WAN-type interface. Guest traffic reaches the Internet through the IPsec tunnel configured below.)
Create a DHCP server (optional if you use an external DHCP server)
We configured the pfSense firewall to act as the DHCP server for the guest VLAN.
- Go to Services > DHCP Server > VPN Guest
- Check "Enable DHCP server on VPN Guest interface"
- Deny unknown clients: Allow all clients
- Range: from 192.168.5.2 to 192.168.5.253
3. IPsec configuration
Go to VPN > IPsec > Tunnels and add a new Phase 1.
Phase 1
General Information
- Key Exchange version: IKEv2
- Internet Protocol: IPv4
- Interface: WAN
- Remote Gateway: the Zscaler VPN remote gateway address given by Cloudi-Fi
Phase 1 Proposal (Authentication)
- Authentication Method: Mutual PSK
- My identifier: User distinguished name, set to the VPN ID given by Cloudi-Fi
- Peer identifier: IP address, set to the Zscaler VPN remote gateway address
- Pre-Shared Key: the VPN key given by Cloudi-Fi
Phase 1 Proposal (Encryption Algorithm)
- Encryption Algorithm: AES
- Key length: 256 bits
- Hash: SHA256
- DH Group: 2 (1024 bits)
Expiration and Replacement
- Life Time: 43200 seconds
Note: DH group 2 (1024-bit MODP) is considered weak today. If the Cloudi-Fi gateway accepts a stronger group (14 or higher, 2048 bits or more), prefer it. The proposal must match what the remote side offers, otherwise Phase 1 will not come up.
Phase 2
General Information
- Mode: Tunnel IPv4
- Local Network: VPN Guest subnet
- NAT/BINAT translation: None
- Remote Network: Network, 0.0.0.0/0 (all guest traffic is sent into the tunnel)
Phase 2 Proposal (SA/Key Exchange)
- Protocol: ESP
- Encryption Algorithms: AES (Auto)
- Hash Algorithms: MD5
- PFS key group: 2 (1024 bits)
Expiration and Replacement
- Life Time: 43200 seconds
The same caveat applies here: MD5 as the ESP integrity algorithm and PFS group 2 are deprecated. Use SHA256 and group 14 or higher if the remote gateway supports them; a proposal mismatch leaves Phase 2 without an installed child SA even when Phase 1 is established.
Go to Status > IPsec to check the tunnel status. Phase 1 should show as established, and Phase 2 should show an installed child SA with 192.168.5.0/24 as the local network and 0.0.0.0/0 as the remote network.
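The same check can be scripted against the strongSwan backend that pfSense uses (`swanctl --list-sas` in the shell). The script below is an added example for this guide, not pfSense or Cloudi-Fi code: it parses that output, reports whether the IKE SA is established and a child SA is installed with the expected traffic selectors, and flags the weak algorithms this page's settings produce (MODP_1024 and HMAC_MD5). The embedded sample output is constructed, the connection name con1000 and the identifier vpnid-example are hypothetical, and the addresses are documentation ranges; on a real firewall, pass the real command output to check_tunnel().

```python
"""Check a pfSense (strongSwan) IPsec tunnel from `swanctl --list-sas` output.

Added example for this guide, not pfSense or Cloudi-Fi code. SAMPLE and
SAMPLE_NO_CHILD are constructed; the connection name con1000 and the
identifier vpnid-example are hypothetical.
"""
import re

# Constructed sample shaped like strongSwan `swanctl --list-sas` output:
# an established IKEv2 SA with one installed child SA for the guest subnet.
SAMPLE = """\
con1000: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  'vpnid-example' @ 203.0.113.10[4500]
  remote '198.51.100.5' @ 198.51.100.5[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 120s ago, rekeying in 42900s
  con1000: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_MD5_96
    installed 120s ago, rekeying in 42800s, expires in 43200s
    in  c1a2b3c4,   51200 bytes,     400 packets,     2s ago
    out d4e5f6a7,   30720 bytes,     300 packets,     2s ago
    local  192.168.5.0/24
    remote 0.0.0.0/0
"""

# Constructed sample of a Phase 2 mismatch: Phase 1 is up, no child SA installed.
SAMPLE_NO_CHILD = """\
con1000: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  'vpnid-example' @ 203.0.113.10[4500]
  remote '198.51.100.5' @ 198.51.100.5[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 120s ago, rekeying in 42900s
"""

# Algorithm names (as strongSwan prints them) that should not appear in a new tunnel.
WEAK = ("MODP_768", "MODP_1024", "MODP_1536", "HMAC_MD5", "HMAC_SHA1", "3DES", "DES_CBC")

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv(\d)")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+), ESP:(\S+)")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\d+\.\d+\.\d+\.\d+/\d+)$")
PROP_RE = re.compile(r"^\s+([A-Z0-9_]+(?:-\d+)?(?:/[A-Z0-9_-]+)+)$")


def parse_sas(text):
    """Return a list of IKE SAs (dicts), each carrying its child SAs."""
    sas = []
    child = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append({"name": m.group(1), "state": m.group(3), "version": int(m.group(4)),
                        "proposal": None, "children": []})
            child = None
            continue
        m = CHILD_RE.match(line)
        if m and sas:
            child = {"name": m.group(1), "state": m.group(4), "mode": m.group(5),
                     "esp": m.group(6), "local_ts": [], "remote_ts": []}
            sas[-1]["children"].append(child)
            continue
        m = PROP_RE.match(line)
        if m and sas and child is None:       # IKE proposal line sits before the children
            sas[-1]["proposal"] = m.group(1)
            continue
        m = TS_RE.match(line)
        if m and child is not None:           # traffic selectors belong to the current child
            child[m.group(1) + "_ts"].append(m.group(2))
    return sas


def check_tunnel(text, local_net="192.168.5.0/24", remote_net="0.0.0.0/0"):
    """Summarise tunnel health: 'ok' means an ESTABLISHED IKE SA has an INSTALLED
    child SA whose selectors are local_net -> remote_net; 'weak' lists weak
    algorithm names seen in the IKE or ESP proposals."""
    result = {"ok": False, "ike_state": None, "child_state": None, "weak": []}
    for sa in parse_sas(text):
        result["ike_state"] = sa["state"]
        if sa["proposal"]:
            result["weak"] += [w for w in WEAK if w in sa["proposal"]]
        for ch in sa["children"]:
            result["child_state"] = ch["state"]
            result["weak"] += [w for w in WEAK if w in ch["esp"]]
            if (sa["state"] == "ESTABLISHED" and ch["state"] == "INSTALLED"
                    and local_net in ch["local_ts"] and remote_net in ch["remote_ts"]):
                result["ok"] = True
    result["weak"] = sorted(set(result["weak"]))
    return result


if __name__ == "__main__":
    for label, sample in (("guest tunnel", SAMPLE), ("phase 2 mismatch", SAMPLE_NO_CHILD)):
        print(label, check_tunnel(sample))
```

With the settings from this page, the script reports the tunnel as usable but lists MODP_1024 and HMAC_MD5 as weak; the second sample shows how a Phase 2 proposal mismatch looks (IKE established, no child SA), which Status > IPsec shows as a Phase 1 that is up with no installed Phase 2.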
4. Firewalling
Go to Firewall > Rules > VPN Guest and add a new rule.
Edit Firewall Rule
- Action: Pass
- Interface: VPN Guest
- Address Family: IPv4
- Protocol: Any
- Source: VPN Guest net
- Destination: Any
This rule lets guest traffic into pfSense; the IPsec policy then carries it through the tunnel to Cloudi-Fi, which presents the captive portal and authenticates the user. If guests must not reach your internal networks (LAN, management), add a Block rule above this Pass rule with Destination set to those networks (or an alias of the RFC 1918 ranges), so that guest isolation does not depend on the IPsec policy alone.