Help Needed!. Captive portal not working ( No login page )
-
@viragomann I don't see these options, as I haven't enabled the below option 'Use custom captive portal page'.
Do I need to enable this?
If I enable this option, I can see the section called 'HTML Page Contents', but I still do not see 'Live View'. See below.
What am I missing? Thanks for your help.
-
@yogi_en
No, this option is only for custom login page. If you don't upload any, pfSense provides its default login page.
Didn't know that the view button is hidden if no custom login page is used.
When you connect a device to the respective network segment it should recognize that there is CP active and open the login page. Even if you've set the Authentication method to none, it is required for a client to hit the login button at the page to get access.
But presumably your laptop doesn't realize the CP.
Typically CP is provided on wifi networks. I never tried with a wired. Possibly that behaves differently.
Maybe you can try it on a wifi AP or with another client device.
-
@viragomann Thanks. Initially I tried with wireless and had the same issue. To simplify things further ( wireless was on VLAN and want to avoid complications with this), I just directly connected my laptop to the switch ( ethernet and no VLAN ) on LAN2 and had the same issue. I will try wireless again on a different network.
One question. Will ping work when CP is enabled? I cannot ping to router 192.168.1.1 from my laptop when CP is enabled.
-
@yogi_en
No, it doesn't work without login.
The device must show up in Status > Captive Portal.
However you can try to call the login page manually in a browser and check the login button for testing with
http://192.168.2.1:8002?zone=<zone name>
-
@viragomann said in Help Needed!. Captive portal not working ( No login page ):
http://192.168.2.1:8002?zone=<zone name>
Yeah. This works well with LAN2! Thanks for that. Not sure why this login page is not appearing automatically. I will try with another wifi.
-
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
One question. Will ping work when CP is enabled?
'nothing will work'.
But, there are two exceptions, you already found the first one :
DHCP will work.
And DNS requests directed to the LAN IP (for you : LAN2) of the portal interface will also work.
For a captive portal to work :
Your device : remove the network cable if it has one.
If you are a wifi user : use the option to 'forget' (details) about that wifi connection.
Now, enable the connection (put the cable back) or activate the wifi, and select the portal wifi SSID.
Now comes the trick that very few know about : the OS you use** is "captive portal aware" !!
It will, by default, as soon as the interface comes up, fire up a DHCP negotiation.
Then the magic kicks in : it will throw out a 'hidden' http:// request.
If the connection has a direct connection to the Internet, a web page comes back with 6 letters : "Success".
An Apple device uses this http (not https:// !!!) request : http://captive.apple.com/hotspot-detect.html - click on the link and you see what happens.
You will find log lines like this in the GUI log :
If the device is behind a captive portal, the word (page) "Success" isn't shown.
Something else will get shown : the captive portal's login page.
The OS, being smart, knows now it is behind a captive portal, and restarts with the same URL, but this time within a web browser so the user can see what comes back.
The user now sees the captive portal.
He can login.
Upon login, the captive portal's login page could be a simple Ok button, or a voucher code or a user name + password (this is what the default 'Netgate' login page uses), the IP and MAC address of his device gets added to the firewall, and from now on, all traffic flows through.
The captive portal's GUI firewall rules (your LAN2) are still applied, though.
** every modern OS.
I've tested all Windows versions since XP, and all Apple OS versions.
Other brands : they should work also, as I see many of them in my captive portal's user history (captive portal logs)
-
@gertjan Thanks for the informative reply! Will try this some time today.
-
@gertjan I tried this again today using wifi.
I enabled the captive portal on 192.168.10.1 network, after that used the option "forget" for that wifi from my laptop.
I tried to connect the same wifi again. Entered the password and tried to connect to some website. The connection times out.
However clicking the link http://captive.apple.com/hotspot-detect.html provides the text 'Success' as you mentioned.
I can also connect to captive portal manually by entering the url like below.
http://192.168.10.1:8002/?zone=Portal10 (Portal10 is the zone name ). This works fine.
-
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
I tried to connect the same wifi again.
As soon as you select the SSID, several things happen.
The first terminates with a DHCP sequence.
Did you get an IP : 192.168.10.x, a gateway : 192.168.10.1 and DNS 192.168.10.1 network /24 ?
Then the hidden "http" request kicks in.
Did you have to do anything to have a browser popped up, and showing you the captive portal page ?
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
Entered the password
At that moment, what did you see in the Status > System Logs > Authentication > Captive Portal Auth log page ?
You should see this :
where 202 is your user name. Your IP and MAC will be the one of your device of course.
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
http://192.168.10.1:8002/?zone=Portal10 (Portal10 is the zone name ). This works fine.
True.
I never have to use that URL directly.
Me, as an admin of pfSense, I know that URL exists.
But lambda portal users will never be able to type in that URL exactly.
And they don't have to.
On the pfSense side of the captive portal, there are two things that need to work :
First : DNS must work. This will be the case if you use vanilla default settings.
Second : on the 192.168.10.1 interface, start with an IPv4 pass any rule. The one you found on LAN when you booted pfSense the first time will do just fine :
pfSense, on the captive portal interface, will initially redirect (hidden firewall rules !) all TCP port 80 traffic internally to 127.0.0.1.
Over there, a web server instance (nginx, the same as the GUI) will redirect traffic 'from' http://a.b.c.d/whateveryoururlwas, like "http://captive.apple.com/hotspot-detect.html" to http://192.168.10.1/whateveryoururlwas
Keep in mind : only http can be redirected like that, https will not work.
The hidden firewall rule :
# Captive Portal .....
rdr on igc1 inet proto tcp from any to ! <cpzoneid_2_cpips> port 80 tagged cpzoneid_2_rdr -> 192.168.10.1 port 8002
This says : for my "igc1 " interface, my captive portal, all TCP with any destination port 80 traffic gets redirected to 192.168.10.1 port 8002.
Then, on 192.168.10.1, port 8002 :
The portal nginx web server config file : /var/etc/nginx-xxxxxxxxCaptivePortal.conf :
if ($cp_redirect = '') {
    rewrite ^ /index.php?zone=cpzone1&redirurl=$request_uri break;
}
this is where the "request_uri " gets replaced with "?zone=cpzone1" where cpzone1 is your zone name identifier. The original URI is passed as a "redirurl" parameter.
On the device side :
If, for example, a device uses a hard coded (static) DNS IP, like 8.8.8.8, then it will be game over. On the client side, DHCP must be active.
-
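Added example, not part of any post in this thread and not pfSense code: a small Python probe that repeats the hidden http request described above without following redirects, and reports whether the answer is the "Success" page, a portal (reading the zone and redirurl parameters from the redirect), or nothing at all. The function names and the sample Location value are constructed for illustration.

```python
"""Captive portal probe (added example; names here are illustrative)."""
import http.client
from urllib.parse import urlsplit, parse_qs

PROBE_HOST, PROBE_PATH = "captive.apple.com", "/hotspot-detect.html"
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample: a redirect a portal on 192.168.10.1:8002 could send.
SAMPLE_LOCATION = ("http://192.168.10.1:8002/index.php?zone=Portal10"
                   "&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html")


def classify(status, headers, body):
    """Interpret one probe response the way a portal-aware OS has to."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in REDIRECTS and location:
        query = parse_qs(urlsplit(location).query)
        return {"state": "portal", "login_url": location,
                "zone": query.get("zone", [None])[0],
                "redirurl": query.get("redirurl", [None])[0]}
    if status == 200 and "Success" in body:
        return {"state": "open"}          # probe reached the real server
    if status == 200:
        # Some other page was served in place of the probe target.
        return {"state": "portal", "login_url": None,
                "zone": None, "redirurl": None}
    return {"state": "unknown", "status": status}


def probe(host=PROBE_HOST, path=PROBE_PATH, timeout=5):
    """Send the plain-http probe on TCP port 80; never follows redirects."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "cp-probe-example"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        result = classify(resp.status, dict(resp.getheaders()), body)
        conn.close()
        return result
    except (OSError, http.client.HTTPException) as exc:
        # DNS lookup failed, timeout or reset: the request was never
        # redirected, so no login page can appear.
        return {"state": "blocked", "error": str(exc)}


if __name__ == "__main__":
    print(probe())
```

Run on a client right after it gets its DHCP lease and before logging in: "blocked" points at DNS or the port 80 redirect, while "portal" means the redirect works and the client's own detection is what is not firing.
-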
@gertjan Appreciate the help!
DHCP is working fine and I am getting an IP 192.168.10.102 for my device. I didn't get any pop browser or captive portal login.
DNS server is my router 192.168.1.1 ( which I cannot ping when CP is enabled ).
I even tried a local url http://192.168.5.25:5000 which is a local server in home without https. No redirection happens automatically.
My firewall rules are correct as you mentioned. Not sure what is wrong. Will do some more debugging.
-
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
I didn't get any pop browser or captive portal login.
Ah, I'm curious.
What OS / what device ?
When you buy a device from here it works, and as far as I know you, as a user, can't do a thing to stop this process. As Apple checks accepting an app on their platform.
Other brands : they care less ?
Windows : I've tested 10 'home', 'pro', 11 home (burk) and 'pro'.
I even debloated them (see Youtube about that) and portals are recognized. That is, you still have to spot the tray notification message and act upon it.
I've seen people using some high end (consumer high end that is) firewalls/antivirus and they had set up : "only trust my home wifi network" so now their security was great ..... and moments later they want to use their device on my wifi network ....
Yeah, that was a fail .... as the device was following the original instruction : do not trust / use 'other' networks. So they went for the Hall 200 problem : do not give automates conflicting instructions, as they will bite (the example : kill) you.
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
I even tried a local url http://192.168.5.25:5000
Portal firewall rules will redirect port '80' and port 443 if you use https.
So port "5000" : you hit the wall.
Use these :
to test the portal web server.
Or, when connected to the captive portal network, as soon as you received an IP (DNS, gateway, network) : use http://192.168.10.1:8002/index.php?zone=ZONE
where ZONE is your zone ID.
Btw : http://captive.apple.com/hotspot-detect.html should also work as this is a http thus port '80' TCP request.
@yogi_en said in Help Needed!. Captive portal not working ( No login page ):
DNS server is my router 192.168.1.1 ( which I cannot ping when CP is enabled ).
I have to shave-up your definition of a captive portal.
A captive portal allows minimal interaction with itself.
If 192.168.10.1 is your captive portal pfSense interface, you can :
Do DHCP
Do DNS requests on port 53, UDP and TCP.
Port 80 (http) listens to you.
Port 443 (443) listens to you - if you've activated that
Ping the captive portal pfSense IP
You can NOT go to some other network, and that includes your local networks like 192.168.5.x
So, right, the portal works : no ping or whatever to 192.168.5.x
I just tested :
I've connected my phone to the captive portal (as the stupid thing does not accept the wifi connection without a login first).
With a phone app I launched a 100 times ping to the portal interface, that was 192.168.2.1 for me.
It replies constantly.
Then, in the pfSense dashboard GUI, I removed my phone's connection.
The ping app in my phone continued to send pings to 192.168.2.1, and 192.168.2.1 continues to reply. Or, at that moment, from a captive portal firewall point of view, my phone was disconnected.
-