Mikrotik + Pfsense as captive portal

Hi guys, I don’t know much about network configuration at all. This is my first time setting up a captive portal and I ran into some trouble.

On the company network, I have a MikroTik as the default gateway, which is connected to a switch where devices are wired and receive IP addresses via DHCP from the MikroTik in the 192.168.1.0/24 network. For Wi-Fi, I use pfSense with a captive portal.

The pfSense has the IP address 192.168.1.204, its WAN interface is in the 192.168.1.0/24 network, and its LAN interface is in the 192.168.50.0/24 network. PfSense assigns IP addresses via DHCP to clients connected to Wi-Fi.

The networks can communicate with each other, but there is a significant drop in speed when traffic goes from the 192.168.1.0 to the 192.168.50.0 network. Additionally, network discovery does not work correctly. Printers and Wi-Fi cameras cannot be discovered by devices connected directly to the MikroTik, and when configured manually, they work but with extremely low speed.

Firewall rules are configured directly on the MikroTik, with pfSense used solely as a captive portal and for logging user activity.

Any ideas why this happens?

Can you post a network diagram and your MT config?

Regarding network discovery, what protocol is used?

Thanks for your reply

The protocol used is mDNS.

Here is the basic diagram of the network:
(attached image: diagrama.PNG)

First issue is the local routing: from 192.168.1.0/24, you likely go to the default gateway before going to the pfsense in order to reach 192.168.50.0/24.

That works but depending on rules and conn tracking and things, this can result in delays. To try, add a route to 192.168.50.0/24 via the pfsense 192.168.1.204. If that confirms it, the idea is to create a transit between pfsense and the MT on a different subnet.

Edit: the route goes on a wired endpoint, of course.

Ah. mDNS is normally a local subnet protocol and not supposed to go through routers. I think MT doesn’t have an mDNS reflector, pfsense I don’t know off the top of my head but will search.

pfSense has an mDNS reflector, in the Avahi package.

Aren’t the 2 subnets supposed to be served by the pfSense to make mDNS work?

Your system sounds like router behind router.

Well, they are, and not in the way the OP thinks of it. I redrew slightly based on the explanation, the OP’s diagram being wrong and misleading. So technically, once Avahi is installed on the pfsense and enabled on both interfaces, the devices will be visible, but probably not reachable: all the machines on the 192.168.1.0/24 will go through the Mikrotik to access the devices on 192.168.50.0/24, and that’s not going to play well with conn tracking and all the joyful things given that the pfsense will send the responses directly to the end device.

(attached image: thiscase.drawio.png)
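To make the asymmetric path concrete, here is an added example (not code from the thread, RouterOS or pfSense): a small Python model of the routing tables as the thread describes them, assuming the MikroTik at 192.168.1.1 and the pfSense LAN address at 192.168.50.1. It traces both directions of a wired-to-Wi-Fi flow, with and without the static route suggested above, and lists which router sees only one direction of the connection.

```python
import ipaddress

# Constructed model of the thread's topology (not a real RouterOS/pfSense config).
# Routing tables are lists of (prefix, gateway); gateway None = directly connected.
# 192.168.1.1 for the MikroTik and 192.168.50.1 for the pfSense LAN are assumptions.
NODE_OF = {"192.168.1.1": "mikrotik", "192.168.1.204": "pfsense", "192.168.50.1": "pfsense"}
TABLES = {
    "mikrotik": [("192.168.1.0/24", None), ("192.168.50.0/24", "192.168.1.204"), ("0.0.0.0/0", "isp")],
    "pfsense": [("192.168.1.0/24", None), ("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
}
WIRED = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]        # wired host: default via MikroTik
WIRED_WITH_ROUTE = WIRED + [("192.168.50.0/24", "192.168.1.204")]        # plus the suggested static route
WIFI = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]        # Wi-Fi client behind pfSense

def next_hop(table, dst):
    """Longest-prefix match: return the gateway for dst (None = on-link), or raise."""
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

def trace(src_table, dst, max_hops=8):
    """Return the list of routers a packet crosses from a host using src_table to dst."""
    hops, table = [], src_table
    for _ in range(max_hops):
        gw = next_hop(table, ipaddress.ip_address(dst))
        if gw is None:            # destination is on a directly connected link
            return hops
        if gw not in NODE_OF:     # would leave the site (e.g. towards the ISP)
            raise ValueError(f"{dst} is not reachable inside the site via {gw}")
        hops.append(NODE_OF[gw])
        table = TABLES[NODE_OF[gw]]
    raise RuntimeError("routing loop")

def flow_paths(a_table, a_ip, b_table, b_ip):
    """Forward path a->b, reverse path b->a, and the routers that see only one direction."""
    fwd = trace(a_table, b_ip)
    rev = trace(b_table, a_ip)
    one_sided = set(fwd) ^ set(rev)   # a stateful firewall here sees only half the connection
    return fwd, rev, one_sided

if __name__ == "__main__":
    for label, table in (("default gateway only", WIRED), ("with static route", WIRED_WITH_ROUTE)):
        fwd, rev, one_sided = flow_paths(table, "192.168.1.50", WIFI, "192.168.50.20")
        print(f"{label}: forward {fwd}, reverse {rev}, one-sided routers {one_sided or 'none'}")
```

A router in the one-sided set holds connection-tracking state for a flow whose replies it never sees, which is the situation the reply above links to the slowdown.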