Netgate Discussion Forum

Problem Captive Portal pfSense 2.7 with allowed ip addresses

  • B
    bendida @TbW
    last edited by Jul 16, 2023, 5:01 PM

    @TheBigWizard
    I am wondering if there is a way to add these rules (allowed IP addresses) in CLI mode,
    like easyrule.
    I can't find any user interface to manage pf, and pfctl is limited to some functionality
    ??
    We must wait for a patch or an update, or we must use another firewall like OPNsense.

    T 1 Reply Last reply Jul 16, 2023, 6:59 PM Reply Quote 0
    • T
      TbW @bendida
      last edited by Jul 16, 2023, 6:59 PM

      @bendida
      Having pfSense in production, replacement is not easy. And anyway I would replace it with pfSense 2.6.
      As mentioned by @Gertjan, with pfSense+ 23.05.1 the Captive Portal with IP ADDRESSES ALLOWED works without problems. I could use the commercial version or go back to 2.6.

      Are there other solutions?

      G 1 Reply Last reply Jul 17, 2023, 5:27 AM Reply Quote 1
      • G
        Gertjan @TbW
        last edited by Jul 17, 2023, 5:27 AM

        @TheBigWizard

        Using 23.05.1, and IMHO, 2.7.0 should / would be the same.

        I added an IP to the list : 192.168.2.6 - my phone.

        Take note of the first 3 devices 192.168.2.2 to 192.168.2.4 : these are my access points for my captive portal.

        To make sure my phone uses this IP, and without modifying my phone, I've set up a MAC lease on the captive portal DHCP server :

        I activated the SSID of my captive portal.
        My phone got the good, 192.168.2.6 IP (and correct DNS, gateway etc) :

        Let's check the firewall :

        [23.05.1-RELEASE][root@pfSense.bhf.net]/root: pfSsh.php playback pfanchordrill
        
        ......
        
        cpzoneid_2_allowedhosts rules/nat contents:
        
        cpzoneid_2_allowedhosts/192.168.2.2_32 rules/nat contents:
        ether pass in quick proto 0x0800 l3 from any to 192.168.2.2 tag cpzoneid_2_auth dnpipe 2000
        ether pass in quick proto 0x0800 l3 from 192.168.2.2 to any tag cpzoneid_2_auth dnpipe 2001
        
        cpzoneid_2_allowedhosts/192.168.2.3_32 rules/nat contents:
        ether pass in quick proto 0x0800 l3 from any to 192.168.2.3 tag cpzoneid_2_auth dnpipe 2002
        ether pass in quick proto 0x0800 l3 from 192.168.2.3 to any tag cpzoneid_2_auth dnpipe 2003
        
        cpzoneid_2_allowedhosts/192.168.2.4_32 rules/nat contents:
        ether pass in quick proto 0x0800 l3 from any to 192.168.2.4 tag cpzoneid_2_auth dnpipe 2004
        ether pass in quick proto 0x0800 l3 from 192.168.2.4 to any tag cpzoneid_2_auth dnpipe 2005
        
        cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
        ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
        ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009
        
        cpzoneid_2_auth rules/nat contents:
        
        cpzoneid_2_auth/192.168.2.85_32 rules/nat contents:
        ether pass in quick proto 0x0800 from 92:63:2b:ed:13:1c l3 from 192.168.2.85 to any tag cpzoneid_2_auth dnpipe 2006
        ether pass out quick proto 0x0800 to 92:63:2b:ed:13:1c l3 from any to 192.168.2.85 tag cpzoneid_2_auth dnpipe 2007
        

        The line mentioning "192.168.2.6_32" indicates that it is part of the cpzoneid_2_allowedhosts anchor : these 4 IPs are passing through.
        The last set mentioning "192.168.2.85_32" is a classic logged in, connected portal user.

        I did not see the captive portal login page.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        T 1 Reply Last reply Jul 17, 2023, 10:32 AM Reply Quote 0
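
The check made by eye in the post above can be scripted. The following is an added example, not part of the original post and not pfSense code: it parses `pfSsh.php playback pfanchordrill` output and reports which configured allowed IPs have no bypass rules loaded. The function names, the /32 mask and the mapping of "from"/"to" onto rule directions are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the listing quoted in the post above.
SAMPLE = """\
cpzoneid_2_allowedhosts rules/nat contents:

cpzoneid_2_allowedhosts/192.168.2.6_32 rules/nat contents:
ether pass in quick proto 0x0800 l3 from any to 192.168.2.6 tag cpzoneid_2_auth dnpipe 2008
ether pass in quick proto 0x0800 l3 from 192.168.2.6 to any tag cpzoneid_2_auth dnpipe 2009

cpzoneid_2_auth rules/nat contents:

cpzoneid_2_auth/192.168.2.85_32 rules/nat contents:
ether pass in quick proto 0x0800 from 92:63:2b:ed:13:1c l3 from 192.168.2.85 to any tag cpzoneid_2_auth dnpipe 2006
ether pass out quick proto 0x0800 to 92:63:2b:ed:13:1c l3 from any to 192.168.2.85 tag cpzoneid_2_auth dnpipe 2007
"""

ANCHOR = re.compile(r"^cpzoneid_(\d+)_(allowedhosts|auth)/([0-9.]+)_(\d+) rules/nat contents:$")
RULE = re.compile(r"^ether pass (?:in|out) quick .*\bl3 from (\S+) to (\S+)")

def parse_anchors(text):
    """Map (zone id, anchor kind, 'ip/mask') to the set of directions that have a rule."""
    anchors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("rules/nat contents:"):
            m = ANCHOR.match(line)
            # Parent anchors (no /ip_mask suffix) carry no per-host rules.
            current = (int(m[1]), m[2], f"{m[3]}/{m[4]}") if m else None
            if current:
                anchors[current] = set()
            continue
        rule = RULE.match(line)
        if rule and current:
            ip = current[2].split("/")[0]
            if rule[1] == ip:
                anchors[current].add("from")
            if rule[2] == ip:
                anchors[current].add("to")
    return anchors

def missing_bypass(text, zoneid, expected):
    """Return configured allowed IPs (assumed /32) whose bypass rules are not loaded in pf."""
    need = {"both": {"from", "to"}, "from": {"from"}, "to": {"to"}}
    loaded = parse_anchors(text)
    return [ip for ip, direction in expected.items()
            if not need[direction] <= loaded.get((zoneid, "allowedhosts", f"{ip}/32"), set())]

if __name__ == "__main__":
    # 192.168.2.9 is a constructed entry that is configured but not loaded.
    print(missing_bypass(SAMPLE, 2, {"192.168.2.6": "both", "192.168.2.9": "both"}))
```

An IP that appears only under the `cpzoneid_2_auth` anchor is a logged-in user, not a bypass entry, so it is reported as missing from the allowed list.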
        • T
          TbW @Gertjan
          last edited by Jul 17, 2023, 10:32 AM

          @Gertjan
          It works for you. For me after upgrading to 2.7 it no longer works. I can not figure out if it was a decision of the developers or a bug of 2.7. Is there a way to report this?

          G 1 Reply Last reply Jul 17, 2023, 11:54 AM Reply Quote 1
          • G
            Gertjan @TbW
            last edited by Gertjan Jul 17, 2023, 11:56 AM Jul 17, 2023, 11:54 AM

            @TheBigWizard said in Problem Captive Portal pfSense 2.7 with allowed ip addresses:

            Is there a way to report this?

            Developers won't show their nose because someone said : "it doesn't work".
            Start giving details.

            For example :

            pfSsh.php playback pfanchordrill
            

            How did you set up your portal ?

            Btw : I'm using the portal right now, on 23.05.1 which has the same code base as 2.7.0.
            When I have some time, I'll fire up a dedicated device with 2.7.0.

            edit : Known issues and bugs, where the last one to date is 'BS' (IMHO) and the one before last is already resolved (see this forum).


            T 2 Replies Last reply Jul 17, 2023, 12:56 PM Reply Quote 1
            • T
              TbW @Gertjan
              last edited by Jul 17, 2023, 12:56 PM

              @Gertjan Thanks, let me know how your test with 2.7 goes.

              1 Reply Last reply Reply Quote 0
              • G Gertjan referenced this topic on Jul 18, 2023, 7:23 AM
              • T
                TbW @Gertjan
                last edited by Jul 19, 2023, 7:08 AM

                @Gertjan
                hello, have you tested pfSense 2.7 ?

                G 1 Reply Last reply Jul 19, 2023, 7:39 AM Reply Quote 0
                • G
                  Gertjan @TbW
                  last edited by Jul 19, 2023, 7:39 AM

                  @TheBigWizard said in Problem Captive Portal pfSense 2.7 with allowed ip addresses:

                  @Gertjan
                  hello, have you tested pfSense 2.7 ?

                  Noop.
                  Haven't been able to go home yet (working for a hotel, it's high season and all that).

                  But : follow also this : Captive Portal NOT working in 2.7.0 thread.
                  It was resolved (the portal works after all) and I asked a favor back : check "allowed IP addresses" please, as the test takes a minute or two.

                  I've compared the 'code' between 2.7.0 and my 23.05.1 as I'm using it right now.
                  It's identical**, so I'll motivate you : Only our "local settings differ".

                  ** not the kernel - I presume the embedded name is different.


                  T 1 Reply Last reply Jul 19, 2023, 8:58 AM Reply Quote 1
                  • T
                    TbW @Gertjan
                    last edited by Jul 19, 2023, 8:58 AM

                    @Gertjan Thanks!

                    G 1 Reply Last reply Jul 21, 2023, 10:19 AM Reply Quote 0
                    • G
                      Gertjan @TbW
                      last edited by Jul 21, 2023, 10:19 AM

                      @TbW

                      It has been tested : see here, the last two posts Captive Portal NOT working in 2.7.0

                      Allowed IP working and does not show up under Captive Portal since it's a bypass.


                      1 Reply Last reply Reply Quote 0
                      • S
                        sanrzn
                        last edited by Sep 13, 2023, 12:44 PM

                        Same problem.
                        Install version 2.7.0: new disk + import config from 2.5.2
                        Enabled services: DNS Resolver, Captive Portal, OpenVPN server, ntpd
                        Installed Packages: pfBlockerNG-devel (3.2.0_6), haproxy (0.63_1)
                        Others: DHCP, DNS (with forward to firewall) on domain controller

                        IPs from the Captive Portal's Allowed IP Address list do not have access without authentication, but if I add the MAC of the IP to "MAC Address Control" it passes without requiring authentication.

                        PS: This configuration worked fine on version 2.5.2.

                        1 Reply Last reply Reply Quote 1
                        • T
                          TbW
                          last edited by Sep 28, 2023, 3:36 PM

                          I reinstalled pfsense 2.6 and configured ldap gsuite. Everything works perfectly. Also "allowed IP addresses" of the captive portal.

                          susobacoS 1 Reply Last reply Nov 22, 2023, 8:15 AM Reply Quote 0
                          • susobacoS
                            susobaco @TbW
                            last edited by susobaco Nov 22, 2023, 8:15 AM Nov 22, 2023, 8:15 AM

                            Same problem:

                            G 1 Reply Last reply Nov 22, 2023, 8:38 AM Reply Quote 0
                            • G
                              Gertjan @susobaco
                              last edited by Nov 22, 2023, 8:38 AM

                              @susobaco

                              As shown in the other thread I linked above, the "2.7.0" portal works just fine.

                              Some thoughts though :
                              if this gets involved :

                              @sanrzn said in Problem Captive Portal pfSense 2.7 with allowed ip addresses:

                              haproxy (0.63_1)
                              Others: DHCP, DNS (with forward to firewall) on domain controller

                              then the setup will need more attention.

                              I'm pretty sure that if the classic setup was used : pfSense is the DNS, and handles the DHCP, the portal works.
                              Now, step by step : remove DHCP, have it being handled by another DHCP server : and test (!) : it can be done. It's a question of the correct 'settings' and all devices/systems involved.
                              Next step : pfSense isn't handling the DNS anymore on the portal : that can be arranged also.
                              Another step "domain controller" : ok, why not. Things are getting way more complicated as even more things have to be checked. I never did this myself, but I presume it is possible.


                              1 Reply Last reply Reply Quote 0
                              • W
                                wtasin
                                last edited by Dec 2, 2023, 6:51 PM

                                Hi,
                                I had the same problem.

                                I found out that switching the WebConfigurator back to the English language helps.

                                pfSense expects to get as direction value either "both", "from" or "to".

                                After switching back to English, you have to edit and save the wrongly saved "Allowed IP address" entries.

                                Even if I export the configuration (with the German translated WebConfigurator) I found the translated string as value in the config.xml.

                                HTH

                                T S 2 Replies Last reply Dec 3, 2023, 7:25 PM Reply Quote 1
                                • T
                                  TbW @wtasin
                                  last edited by Dec 3, 2023, 7:25 PM

                                  @wtasin Hi,

                                  so using the English language, does it work?

                                  W 1 Reply Last reply Dec 3, 2023, 8:20 PM Reply Quote 0
                                  • W
                                    wtasin @TbW
                                    last edited by Dec 3, 2023, 8:20 PM

                                    @TbW yes, the arrows are showing up and the bypass of the allowed IPs also works

                                    T 1 Reply Last reply Dec 5, 2023, 5:26 PM Reply Quote 0
                                    • T
                                      TbW @wtasin
                                      last edited by Dec 5, 2023, 5:26 PM

                                      @wtasin OK thank you. I will try.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        serginho @wtasin
                                        last edited by Dec 7, 2023, 12:34 AM

                                        It really worked doing it the way you explained, but bandwidth control does not work.

                                        1 Reply Last reply Reply Quote 0
                                        • T
                                          TbW
                                          last edited by Dec 7, 2023, 1:58 PM

                                          @wtasin yes, it actually works in the English language.
                                          @serginho bandwidth control does not work. Seems limited to 100 Mbit/s per user.

                                          G 1 Reply Last reply Dec 7, 2023, 2:49 PM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.