Captive Portal not working if VLAN assigned

If we use Captive Portal with the untagged LAN, it works as expected, but as soon as we add it to an SSID with a VLAN assigned, it doesn’t prompt and the user has no Internet. If we set the Captive Portal to ‘none’, the device gets an IP on the VLAN network with no issue. With Captive Portal, they still get an IP but no Internet because the portal isn’t prompting. This is happening on Android and Win 10. Thanks for any suggestions.

John

Hi John,

Not sure if this is your case but from my experience Captive Portal on Wifi only works fine when enabling DNS Proxy in Network Settings.


If that option is not enabled then there are problems with the Portal such as the ones you describe.

Kind regards,
Sven

Thanks Sven. I was so excited hoping that was it but that’s already enabled. :frowning:

So I’ve tried two different ways and I have the same issue. First is to include the Balance with the AP’s. With this we add the VLAN in InControl, make sure our switches tag that traffic to the LAN port on the Balance. Everything works just fine without a captive portal. The Balance handles DHCP, endpoints get an IP and can surf the web. Add Captive Portal and it connects, gets an IP and can ping and resolve but no HTTP internet traffic and no portal page prompt.

2nd way is to not include the Balance but just add the VLAN to our firewall, switches and the AP’s. Endpoint connects, gets IP from firewall and can surf just fine. But as soon as we add Captive Portal, same issue…no portal page prompt so again connected but no Internet surfing.

Really need some help to get this going. I keep thinking maybe something with the actual firewall between the AP’s and the Balance which is why I thought just taking out the Balance and only having the VLAN on the AP’s to the firewall (so no tagged vlan going through the firewall) would work…but the results are the same.

Thanks,

John

Hi John,

Do you apply the Captive Portal on SSID level or on VLAN level? Or maybe you tried both?

Kind regards,
Sven

Hello @jgranade,
Can you confirm your model number and firmware version?
We have found setting up the Captive Portal (including with VLANs) works best when you use the Peplink InControl2 platform.

Have a look at this guide to get you started:

Or for a more comprehensive approach including VLANs, see this previous post

Happy to Help,
Marcus :slight_smile:

Only SSID level so far as it says that’s preferred.

@mldowling Marcus, thanks for the assist. Yes, I have gone through all those articles many times. The one thing I don’t see in any is a mention of a firewall in the mix (not the Peplink Balance firewall but a separate firewall like Sophos XG). Not sure if that’s related, but tomorrow I’m going to try to really log traffic to see if I can figure anything out. The AP’s are AP One Rugged with firmware 3.6.2 build 1938 when we do “AP only” (letting the firewall handle DHCP). When we use the Balance it’s a Balance 305 HA pair running firmware 8.1.1 build 5006 with an AP One AC Mini with firmware 3.6.2 build 1938.

I feel like I have the VLAN’s configured correctly as with either method (Balance with AP or just AP’s) we get IP’s from DHCP native to that VLAN and internet traffic flows just fine…until we add the Captive Portal to the SSID.

John

Hello John @jgranade,
Where in your network is your firewall sitting? Depending on where the firewall is sitting, it will have different effects on the Captive Portal. Is there anything specifically you need in the third-party firewall that the internal firewall cannot do?
Happy to Help,
Marcus :slight_smile:

@mldowling The firewall is between the LAN and the Balance. It’s doing content filtering, virus protection, etc. and integrates in with AD for both reporting on user activity and to link AD groups to content filtering rules. This is a pretty standard install for us with the Balance bringing in the multiple ISP’s and PepVPN traffic with a firewall “below” it before hitting the core switch.