Yes, it's feasible to let users select from various DHCP ranges via the captive portal in pfSense.
Right now the setup directs certain clients through a VPN while others stay on the regular network. The DHCP range 192.168.2.11–192.168.2.254 always goes over the VPN, and 192.168.2.2–192.168.2.10 stays local. Everything works because devices can connect directly and pfSense sees them as one client. Now I want to switch to bridge mode for a mesh of nodes that offers better Wi-Fi but sometimes drops internet, causing it to restart. I’d like pfSense to manage routing automatically—perhaps using a captive portal to decide at connection time whether a device should join via VPN or not, and adjust the DHCP ranges accordingly (for example, 192.168.2.11–200 with VPN, 192.168.2.101–200 with VPN). That way, I don’t have to manually set IPs for each device. Any suggestions on how this could be implemented?
This would require custom scripting, though it seems feasible. I think you’d likely need the captive portal to set up DHCP reservations for those ranges from .2 to .10. DHCP servers usually only handle options, not assigning specific ranges within the same subnet. It might be better to redirect users to a different VLAN depending on their choice, especially if you’re not using enterprise networking gear. A handy tip: if you want meaningful IP addresses in a subnet, segment them using bits rather than decimal numbers. For example, instead of .2-.10, use .2-.15 so hosts with 0000xxxx in the last octet fit that range. You could also try .16-.31, isolating 0001xxxx addresses, and keep .128–.254 for standard clients. If you need more IPs, expand to 64-254, then use 01xxxxxx or 1xxxxxxx as your client zone. It may seem complicated at first, but it’s a simpler alternative compared to full VLANs. I’ve used this approach on smaller professional networks—it helped distinguish between wired, wireless, and printer devices without complex VLANs.
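The bit-aligned split suggested in the reply above, as an added example that is not part of the original posts: it shows why a range such as .2-.10 needs several CIDR entries in a firewall or policy-routing rule while a bit-aligned block needs exactly one. The zone names and the gateway at 192.168.2.1 are assumptions made for illustration.

```python
import ipaddress

SUBNET = ipaddress.ip_network("192.168.2.0/24")
GATEWAY = ipaddress.ip_address("192.168.2.1")  # assumption: pfSense LAN address

# Zone names are hypothetical; the blocks are the bit patterns named in the reply.
ZONES = {
    "local":    ipaddress.ip_network("192.168.2.0/28"),    # 0000xxxx
    "vpn":      ipaddress.ip_network("192.168.2.16/28"),   # 0001xxxx
    "standard": ipaddress.ip_network("192.168.2.128/25"),  # 1xxxxxxx
}

def cidrs_for_range(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def zone_of(addr):
    """Zone whose block contains addr, or None if it falls outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, block in ZONES.items():
        if ip in block:
            return name
    return None

def dhcp_pool(block):
    """First and last leasable address in a block, skipping the subnet's
    network address, its broadcast address and the gateway."""
    reserved = {SUBNET.network_address, SUBNET.broadcast_address, GATEWAY}
    usable = [a for a in block if a not in reserved]
    return str(usable[0]), str(usable[-1])

if __name__ == "__main__":
    # The decimal ranges from the question need several rule entries each.
    for first, last in [("192.168.2.2", "192.168.2.10"),
                        ("192.168.2.11", "192.168.2.254")]:
        nets = cidrs_for_range(first, last)
        print(f"{first}-{last}: {len(nets)} CIDR entries")
    # Each bit-aligned zone is a single network/mask match.
    for name, block in ZONES.items():
        print(name, block, "DHCP pool", dhcp_pool(block))
    # Constructed sample clients; .40 is in no zone and should hit a default rule.
    for client in ["192.168.2.5", "192.168.2.20", "192.168.2.40", "192.168.2.200"]:
        print(client, "->", zone_of(client))
```

An address that matches no zone (here .40) is the case to cover with an explicit default rule, so that an unassigned client does not silently take a route nobody intended.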