Would it be possible to allow users to choose from multiple dhcp ranges using captive portal pfSense?

[Mnky313]

So currently I have it set up to send certain clients over a VPN and others not.

Basically the dhcp range is 192.168.2.11 - 192.168.2.254 which are all sent over a VPN, 192.168.2.2-192.168.2.10 are not sent over the VPN.

This has worked fine because all of my devices can connect directly and be sent over the VPN while everyone else uses our old router (which has it's own network) and is seen by pfSense as one client. (192.168.2.2).
The problem is I'm planning on setting it to bridge mode (because it's a group of mesh nodes that provide better wifi coverage but keeps randomly not connecting to the internet requiring it to be rebooted (idk why it does this, no other devices on the pfSense router have any issues)) and have pfSense handle all the routing.

Ideally I want to be given an option through something like captive portal for if I want this device to connect over a VPN or not when joining the network & depending on the response chose the dhcp range accordingly (for example I could make 192.168.2.11 - 192.168.2.100 no VPN and 192.168.2.101 - 192.168.2.200 with the VPN)

if anyone has any input on how this could be done that would be awesome.

I'm trying to avoid just having to manually specify and IP from all of my devices that I want to connect over a VPN.

[sphbecker]

This would take custom scripting, but probably possible. I suspect you would probably need the captive portal to create DHCP reservations for addresses .2-.10. DHCP servers do have policies, but those typically only allow for setting DHCP options, not choose between ranges on the same subnet. It is probably better to move the user to a different vlan based on their answer, but that may be impossible if you are not working with enterprise networking hardware.

 

Random tip that makes things like this easier...if you are going to make IP addresses within a subnet meaningful, then I typically suggest segmenting them using bits (like 1111 1100), not decimal numbers (like 10-20). It may not be as pretty to a human, but will work better for IP based rules. What I mean, is instead of using .2-.10 as a special range, make it .2-.15, that way you know any host with 0000xxxx in the last octet is in that range. Honestly, you would probably want to use .16-.31 instead...making 0001xxxx that range, that leaves .1 alone. Then if you want to be pure, you would make your normal DHCP range .128 - .254, so that you know anything with a 1xxxxxxx address is a normal client. If you need more addresses, then make 64-254, then 01xxxxxx or 1xxxxxxx are both your client range.

 

It might sound confusing to setup, but it is basically a poor-man's vlan. I have done this on smaller professional networks, so that it was very easy see the different between a wired client, wireless client, and a printer without having to deploy vlans.

[Mnky313]

1 minute ago, sphbecker said:

vlan based on their answer, but that may be impossible if you are not working with enterprise networking hardware.

yeah, vlans aren't really possible rn. I might ned up getting switches/APs that are capable of this in the future but not rn.

as for the other suggestions, I'll look into it. thanks!