June 3, 2026 · 6 min · pfSense, Captive Portal, Setup

Setting Up a Captive Portal with pfSense: Step-by-Step Guest WiFi

pfSense is a powerful, free firewall for guest networks. In this guide we walk through, step by step, how to set up a captive portal on pfSense that welcomes your guests, authenticates them, and keeps compliant logs.

Prerequisites

  • A working pfSense installation (CE or Plus)
  • A dedicated interface/VLAN for guest traffic (e.g. GUEST)
  • An access point (AP) serving the guest network
  • A RADIUS server for authentication (Captivo provides this)

Why RADIUS? For the captive portal to verify and record "who connected," it needs central authentication. RADIUS lets you manage methods like SMS/voucher/room-number from one place.

1. Prepare the guest interface

Define a dedicated interface or VLAN for guest traffic on pfSense (Interfaces). Give it a separate DHCP range. Isolate the guest network from your internal (LAN) network with firewall rules — guests should only reach the internet, not internal resources.

2. Define the RADIUS server

Under System → User Manager → Authentication Servers, add a new RADIUS server. Enter the server address, authentication port and shared secret from your Captivo panel. This is the source the portal authenticates guest logins against.

3. Enable the Captive Portal zone

Under Services → Captive Portal, create a new zone and bind it to the guest interface. Key settings:

  • Idle/Hard timeout: per your session policy
  • Authentication: RADIUS — the server you just defined
  • Concurrent connections: per-device connection limit

4. Upload the branded login page

pfSense lets you upload your own HTML login page for the captive portal (Portal page contents). This is where Captivo makes it easy:

  1. Design the portal in the Captivo panel with your logo and colors.
  2. Choose the login method (SMS verification, voucher or hotel room-number).
  3. Download the ready HTML template.
  4. Upload it into "Portal page contents" on pfSense.

You get a mobile-friendly, branded welcome screen without writing any code.

5. Test and go live

Connect a device to the guest network. The portal should open automatically, let you log in with your chosen method (e.g. phone + SMS code), and get you online after verification. You can see active sessions under Status → Captive Portal on pfSense.

Common issue: If login appears successful but you can't reach the internet, it's usually a RADIUS shared-secret mismatch or firewall rules. Check the RADIUS details and the guest interface's outbound rules.
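
To reason about the guest rules from step 1 and the "no internet" symptom above, here is an added example (not pfSense or Captivo code) that models how pfSense evaluates rules on an interface: top-down, first match wins, and an implicit block when nothing matches. The addresses, rule sets and helper names are constructed for illustration, and the DNS rule assumes guests use the firewall as their resolver.

```python
import ipaddress

# Private ranges guests must never reach (internal resources).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, dst, port=None):
    """One GUEST-interface rule. dst: CIDR string, 'any', or 'rfc1918'."""
    return {"action": action, "dst": dst, "port": port}

def _dst_matches(spec, addr):
    if spec == "any":
        return True
    nets = RFC1918 if spec == "rfc1918" else [ipaddress.ip_network(spec)]
    return any(addr in n for n in nets)

def evaluate(rules, dst_ip, dst_port):
    """Return 'pass' or 'block' for a packet entering the guest interface.
    The first matching rule decides; no match means default deny."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if _dst_matches(r["dst"], addr) and r["port"] in (None, dst_port):
            return r["action"]
    return "block"

def audit(rules, gateway="10.10.50.1"):
    """Probe a rule set with three representative destinations."""
    probes = {
        "dns_to_gateway": (gateway, 53),          # guest resolver (assumed)
        "lan_host": ("192.168.1.10", 445),        # constructed internal host
        "internet_https": ("203.0.113.10", 443),  # documentation address
    }
    return {name: evaluate(rules, ip, port)
            for name, (ip, port) in probes.items()}

# Intended order: DNS to the gateway, block private ranges, then allow the rest.
GOOD = [rule("pass", "10.10.50.1/32", 53), rule("block", "rfc1918"),
        rule("pass", "any")]
# Failure mode 1: the broad pass rule sits above the block, so the LAN is exposed.
MISORDERED = [rule("pass", "any"), rule("block", "rfc1918")]
# Failure mode 2: no pass rule at all, so login succeeds but nothing gets out.
NO_PASS = [rule("block", "rfc1918")]

if __name__ == "__main__":
    for name, rs in (("good", GOOD), ("misordered", MISORDERED),
                     ("no_pass", NO_PASS)):
        print(name, audit(rs))
```

Compare the output with the order of the rules on your guest interface tab: the block for internal ranges has to sit above the general pass rule.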

The legal part you shouldn't skip

Setting up the captive portal solves the technical side, but for Law No. 5651 compliance you must keep time-stamped connection records and retain them for two years. Captivo keeps these records automatically, encrypted and audit-ready, with no manual work.

Summary

With pfSense + Captivo your guest WiFi becomes both secure and compliant: an isolated guest network, RADIUS authentication, a branded portal and automatic logging. For details, see our pfSense integration page or get started free. Using OPNsense? Our OPNsense guide is ready too.
