A captive portal lets you control who can access your network by requiring users to authenticate before they can browse the internet. In pfSense, you can create captive portals for guest Wi-Fi networks, hotels, cafés, events, schools, and business environments where you need visibility and control over user access.

This guide shows you how to configure a captive portal in pfSense CE using local user accounts and vouchers. You’ll also learn which settings matter most, common pitfalls to avoid, and when a captive portal is the right solution.

What is a captive portal?

A captive portal intercepts web traffic from unauthenticated devices and redirects users to a login page before granting internet access. Authentication can be performed using:

  • Usernames and passwords
  • Access vouchers
  • External authentication systems such as RADIUS and LDAP

Once authenticated, users can browse normally until their session expires or is terminated.

Important: A captive portal controls network access, but it should not be considered a replacement for proper network segmentation, firewall rules, or WPA2/WPA3 wireless security.

Before you begin

This guide assumes:

  • pfSense CE is already installed and working
  • WAN and LAN interfaces are configured
  • You have administrative access to the firewall
  • You have a dedicated guest network or interface available

Tip: For most deployments, the captive portal works best when applied to a dedicated guest VLAN or guest Wi-Fi interface rather than your primary LAN. This prevents guest devices from reaching business-critical systems and reduces security risk.

Step 1: Create a captive portal user

If you’re using local authentication, start by creating a user account.

1. Navigate to:

System > User Manager > Add

how to create a captive portal user in pfsense step 1

2. Create a username (I’m using CPUser) and password, then click Save.

How to create a captive portal user in pfsense step 2

3. You’re taken back to the User Manager main page. We need to edit our user to provide it with the permissions needed to access the Captive Portal. Click the pencil icon next to the user we just created.

how to create a captive portal user in pfsense step 3

4. Under Effective Privileges, select Add.

how to create a captive portal user in pfsense step 4

5. Select User – Services: Captive Portal login from the Assigned privileges list. Without this privilege, the account cannot authenticate through the captive portal.

6. Save the changes.

How to create a captive portal user in pfsense step 6

7. You’re taken back to the User configuration page. Click Save again.

How to create a captive portal user in pfsense step 7

8. You’re taken back to the User Manager main page, where your new user is displayed in the list.

Step 2: Create a captive portal zone

1. Navigate to:

Services > Captive Portal

2. Select Add and create a new zone. A zone determines which network interfaces are protected by the captive portal.

How to create a captive portal zone in pfsense step 2

3. Enter a name and a description for your Zone. Each Zone can have its own settings and rules.

4. Click Save & Continue.

How to create a captive portal zone in pfsense step 4

5. Tick the Enable Captive Portal box. The full Captive Portal Configuration page is displayed.

How to create a captive portal zone in pfsense step 5

6. Select the interface for this Zone. If you only have a WAN and LAN interface, select LAN. If you have more LAN-type interfaces you want to add to this zone, go ahead and select them.

How to create a captive portal zone in pfsense step 6

7. Add a URL to the After authentication Redirection URL. This is where users are sent when they’ve been authenticated. In the example above, I’ve used ‘https://www.comparitech.com’. For an explanation of the other settings, see the Captive Portal documentation.

8. If you want to customize the client-facing page, scroll down to the Captive Portal Login Page and upload any images or custom CSS.

How to create a captive portal zone in pfsense step 8

Step 3: Configure authentication

1. Within the Authentication section, select:

Local Database

This allows pfSense to authenticate users against the accounts stored in User Manager.

HTTPS considerations: The captive portal can also present its login page over HTTPS. Using HTTPS is strongly recommended because it prevents browser security warnings, protects login credentials in transit, and creates a more professional user experience. However, you’ll need a valid certificate before enabling HTTPS for production use — which is beyond the scope of this tutorial.

How to configure authentication in pfsense step 1

2. Click Save.

3. You’re taken back to the Captive Portal main settings page, and we can see our Zone is displayed in the list.

How to configure authentication in pfsense step 1

Step 4: Test authentication

Our Captive Portal’s basic configuration is now complete. We’ll configure our Captive Portal to allow authentication using vouchers. But before we do that, let’s test our Captive Portal to make sure it works with username and password-based authentication, using our CPUser we created earlier.

When trying to access a webpage over a network configured to use the Captive Portal, we should end up on the default pfSense Captive Portal login page, which looks like this:

the default pfSense Captive Portal login page

If you attempt to access an HTTP page (port 80), the Captive Portal login page should display immediately. However, these days, websites that use the HTTP protocol rather than HTTPS are few and far between. Had we configured HTTPS in the above step, this would also happen with HTTPS connections. So what will happen is that your browser will display a notice that you need to authenticate yourself to use the current network. In Firefox, it looks like this:

pfSense - Captive Portal - Firefox CP

Clicking the Open network login page will take you to pfSense’s Captive Portal login page. Now let’s try to log in with our credentials.

pfSense - Captive Portal - CPUser Login

I’m granted access to the internet and redirected to comparitech.com, as specified in the settings.

comparitech.com

Captive portal tabs overview

Now we’re going to configure authentication vouchers for the Captive Portal. But before we do that, let’s just provide an overview of the other tabs within the Captive Portal settings.

MACs

You can add MAC addresses and configure and assign them bandwidth limits and other settings from the Captive Portal’s MACs tab.

pfSense - Captive Portal - MACs Tab - Click Add

Clicking Add brings up the MAC Address Rules page for configuration.

pfSense - Captive Portal - MAC Settings

Allowed IP Addresses

You can add IP addresses that will bypass Captive Portal authentication and assign them bandwidth limits and other settings from the Captive Portal’s Allowed IP Addresses tab.

pfSense - Captive Portal - Allowed IPs Tab - Click Add

Clicking Add displays the Edit Captive Portal IP Rule page for configuration.

pfSense - Captive Portal - Allowed IPs Settings

Allowed Hostnames

You can add hostnames that will bypass Captive Portal authentication and assign them bandwidth limits and other settings from the Captive Portal’s Allowed Hostnames tab.

pfSense - Captive Portal - Allowed Hostnames - Click Add

Clicking Add brings up the Captive Portal Hostname Settings page for configuration.

pfSense - Captive Portal - Allowed Hostnames Settings

High Availability

The High Availability tab allows you to define a backup Captive Portal for redundancy.

pfSense - Captive Portal - High Availability Settings

File Manager

The File Manager tab allows you to upload and manage custom HTML, CSS, images, etc., for your custom Captive Portal login page. Uploaded elements are listed on the main page.

pfSense - Captive Portal - File Manager Tab - Click Add

Clicking Add displays the File Manager Upload page.

pfSense - Captive Portal - File Manage Upload Files

Vouchers

Now we get to the Vouchers tab, where we will configure our Captive Portal to also accept vouchers for authentication. And we will generate our first roll of vouchers.

  1. From the Vouchers tab main settings page, click the Enable creation, generation, and activation of rolls with vouchers box. This displays the full list of settings on the page.
  2. Click the Generate new keys button, to generate a public/private key pair used for the encryption and decryption of vouchers.
  3. Leave the rest of the settings untouched and click Save. pfSense - Captive Portal - Configure Vouchers
  4. This reloads the Vouchers settings page and displays an Add button under the Voucher Rolls section. Click Add. The Voucher Rolls settings page is displayed. pfSense - Captive Portal - Voucher Rolls - Click Add
  5. In the Roll # field, enter a number for this roll. As this is our first roll, we’ll use 1.
  6. In the Minutes per ticket field, enter the number of minutes of internet access you want each voucher to allow. We’ll set this to 30 minutes in our example.
  7. In the Count field, enter the number of vouchers you want to generate in this run. We’ll set this to 10 in our example.
  8. Enter a description in the Comment field if you like.
  9. Click Save. This takes us back to the Vouchers main settings page. pfSense - Captive Portal - Voucher Settings
  10. The roll we just created is now displayed in the Voucher Rolls section. To actually see our vouchers, we need to export them to CSV, using the Export to CSV icon to the right of our voucher roll. pfSense - Captive Portal - Export Vouchers
  11. The resulting CSV looks as follows. We can use the vouchers displayed on lines 8 to 17 to log into our Captive Portal. Let’s test this now. pfSense - Captive Portal - Vouchers CSV

Testing voucher authentication

  1. Like before, when we attempt to access a website, we may need to click the Open network login page button (or the equivalent in your browser) for the Captive Portal login page to display. Now that we’ve enabled voucher support in our Captive Portal, the login page includes a voucher field. Enter one of the generated vouchers and click Login. pfSense - Captive Portal - Voucher Login
  2. We’re granted access and redirected to the Comparitech website. comparitech.com

Adding a widget to the dashboard

One last thing we can do is add a Captive Portal widget to our pfSense dashboard.

  1. From the dashboard, click the + sign at the top right of the UI. This displays the list of available widgets. pfSense - Captive Portal - Dashboard - Click +
  2. Select Captive Portal Status from the list. pfSense - Captive Portal - Add CP Widget
  3. The Captive Portal Status widget is added to the bottom of our dashboard. It provides information on connected users at a glance. Scrolling the widget to the right displays a trash can icon that you can use to forcibly disconnect a user.

Wrap up

pfSense makes it relatively straightforward to deploy a captive portal for guest or public internet access. For most environments, the process involves creating a user or voucher system, assigning the captive portal to a dedicated guest network, and testing authentication before deployment.

When combined with proper network segmentation and firewall policies, a captive portal can provide an effective way to manage guest access while maintaining control over network resources. While it can be useful to secure a home guest network, those who will benefit the most from a Captive Portal are businesses that provide internet access to their customers.

See also: