Summary:

  1. Get Cloudi-Fi required information

  2. Networking

  3. IPsec configuration

  4. Firewalling

Testing environment:

Integration tested on pfSense 2.5.0-RELEASE using a virtual machine.

1) Get Cloudi-Fi required information

Go to your Cloudi-Fi administration interface and get the VPN Id and VPN Key that will be used to create the VPN tunnel.

Go to Location Menu

  • Select a location

  • Click on Edit Location

2) Networking

A) Create a Vlan Interface

Go to Interfaces > Vlans and add new

  • Parent interface: LAN interface (or a dedicated interface for the guests)

  • Vlan: 10 for example

  • Priority: 0 by default

  • Description: Vlan Interface for the guests

B) Interface Assignment

Go to Interface > Assignments > Interface assignments

  • General Configuration

    • Check enable interface

    • Description: give it a name (VPN Guest for example)

    • IPv4 configuration type: Static IPv4

  • Static IPv4 Configuration

    We use the 192.168.5.1/24 subnet in this example

    • IPv4 Address: 192.168.5.1

    • IPv4 Upstream gateway: add new one

C) Create a DHCP server (Optional if you use an external DHCP server)

We configured the pfSense firewall to act as the DHCP server.

  • Go to Services > DHCP Server > VPN Guest interface

    • Check "Enable DHCP on VPN Guest Interface"

    • Deny unknown clients: Allow all clients

    • Range: From 192.168.5.2 to 192.168.5.253

3) IPsec Configuration

Go to VPN > IPsec > Tunnels

  • Phase 1

    • General Information

      • Key Exchange version: IKEv2

      • Internet Protocol: IPv4

      • Interface: WAN

      • Remote Gateway: Zscaler VPN remote gateway (165.255.76.35 for Paris)

    • Phase 1 Proposal (Authentication)

      • Authentication Method: Mutual PSK

      • My identifier: User distinguished name

        • VPN Id given by Cloudi-Fi

      • Peer Identifier: IP Address

        • Zscaler VPN remote gateway (165.255.76.35 for Paris)

      • Pre-Shared Key: VPN Key given by Cloudi-Fi

    • Phase 1 Proposal (Encryption Algorithm)

      • Encryption Algorithm:

        • Algorithm: AES

        • Key length: 256 bits

        • Hash: SHA256

        • DH Group: 2 (1024 bits)

    • Expiration and Replacement

      • Life Time: 43200

  • Phase 2

    • General Information

      • Mode: Tunnel IPv4

      • Local Network: VPN Guest subnet

      • NAT/BINAT translation: None

      • Remote Network: Network

        • 0.0.0.0/0

    • Phase 2 Proposal (SA/Key Exchange)

      • Protocol: ESP

      • Encryption Algorithms: AES (Auto)

      • Hash Algorithms: MD5

      • PFS key group: 2 (1024 bits)

    • Expiration and Replacement

      • Life Time: 43200

Go to Status > IPsec to check the tunnel status.
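The same check can be scripted from the pfSense shell, since pfSense 2.5.0 runs strongSwan and reports SA state through `swanctl --list-sas`. This is an added example, not part of the Cloudi-Fi guide: it parses a constructed sample of that output (the identities, SPIs and the 203.0.113.10 WAN address are made up), confirms the IKE SA to the Paris gateway and the 192.168.5.0/24 -> 0.0.0.0/0 child SA are up, and flags the MD5 hash and DH group 2 (MODP_1024) from the settings above, which are both deprecated.

```shell
#!/bin/sh
# Constructed sample of `swanctl --list-sas` for a healthy tunnel built with
# the settings in this guide; run with --live on pfSense to use real output.
sample_sas() {
cat <<'EOF'
con1: #1, ESTABLISHED, IKEv2, 1111111111111111_i* 2222222222222222_r
  local  'VPN-ID-PLACEHOLDER' @ 203.0.113.10[500]
  remote '165.255.76.35' @ 165.255.76.35[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 120s ago, rekeying in 42000s
  con1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_MD5_96
    installed 120s ago, rekeying in 41000s, expires in 43200s
    in  c1000001,   1024 bytes,    12 packets
    out c1000002,   2048 bytes,    20 packets
    local  192.168.5.0/24
    remote 0.0.0.0/0
EOF
}

# tunnel_up SAS_TEXT GATEWAY LOCAL_NET REMOTE_NET
# Returns 0 when an ESTABLISHED IKE SA exists to GATEWAY and an INSTALLED
# child SA carries LOCAL_NET -> REMOTE_NET; otherwise prints why and returns 1.
tunnel_up() {
  sas=$1; gw=$2; lnet=$3; rnet=$4
  printf '%s\n' "$sas" | grep -q 'ESTABLISHED' || { echo "no ESTABLISHED IKE SA"; return 1; }
  printf '%s\n' "$sas" | grep -q "remote '$gw' @ $gw" || { echo "IKE peer is not $gw"; return 1; }
  printf '%s\n' "$sas" | grep -q 'INSTALLED, TUNNEL' || { echo "no INSTALLED child SA"; return 1; }
  printf '%s\n' "$sas" | grep -q "^ *local *$lnet\$" || { echo "child SA does not cover $lnet"; return 1; }
  printf '%s\n' "$sas" | grep -q "^ *remote *$rnet\$" || { echo "child SA does not cover $rnet"; return 1; }
  echo "tunnel to $gw is up for $lnet -> $rnet"
}

# weak_algos SAS_TEXT
# Prints the deprecated algorithms negotiated in the IKE/ESP proposals
# (MD5 integrity, 1024-bit DH group 2) and returns 1 if any were found.
weak_algos() {
  found=$(printf '%s\n' "$1" | grep -oE 'HMAC_MD5_96|MODP_1024' | sort -u | tr '\n' ' ' | sed 's/ $//')
  [ -z "$found" ] && return 0
  echo "weak algorithms negotiated: $found"
  return 1
}

# Usage: sample by default; `--live` reads the running strongSwan on pfSense.
if [ "${1:-}" = "--live" ]; then sas=$(swanctl --list-sas); else sas=$(sample_sas); fi
tunnel_up "$sas" 165.255.76.35 192.168.5.0/24 0.0.0.0/0
weak_algos "$sas" || true
```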

4) Firewalling

Go to Firewall > Rules > VPN Guest and add new

  • Edit Firewall Rule

    • Action: Pass

    • Interface: VPN Guest

    • Address Family: IPv4

    • Protocol: Any

  • Source: VPN Guest Net

  • Destination: Any

Go to Firewall > Rules > IPsec and add new

  • Edit Firewall Rule

    • Action: Pass

    • Interface: IPsec

    • Address Family: IPv4

    • Protocol: Any

  • Source: Any

  • Destination: Any
