How to use the pfsense name instead of the IP address in http?

goldsoft

@Gertjan I want to give multiple clients, each with a PfSense firewall. However, filling in my domain name and configuring certificates on each router will only increase the complexity of maintenance and increase the failure rate. http://pfsense:8002***** The reason for adopting this approach is to prevent unauthorized connection of downstream routers to the network. I have tested it and found that pinging PfSense fails on the downstream routers, which effectively blocks them.

Gertjan

@goldsoft said in How to use the pfsense name instead of the IP address in http?:

filling in my domain name and configuring certificates on each router will only increase the complexity of maintenance and increase the failure rate.

I use a domain name, and the only "admin" part is : I have to pay for it every year.

The rest : certificates renewal etc etc is is handled automatically (see the pfSense acme.sh package).
It works well for years now.
My pfSense captive portal doesn't need my time.

For reasons, I prefer not to use (show to the client) things like "http", with an IPv4 address.
Btw : soon to be IPv6 : you'll scare the client now ;)

Use a host name.

Look at the /var/etc/nginx-YOURZONENAME-CaptivePortal.conf file.
You'll see :

....
		if ($http_host ~* 192.168.2.1) {
			set $cp_redirect no;
...

so the IPv4 (yours is 192.168.1.1) is hard coded.
Maybe you can change this into a host name ( I guess its possible) ???

@goldsoft said in How to use the pfsense name instead of the IP address in http?:

The reason for adopting this approach is to prevent unauthorized connection of downstream routers to the network. I have tested it and found that pinging PfSense fails on the downstream routers, which effectively blocks them

Blocking routers ? I guess I understand your reasons, the question has been asked before.
The answer will be : you can't block easily "router" devices.
How would you (pfSense) know that IPv4 (example) 192.168.1.51 using MAC aa:bb:cc:dd:ee:ff is a router and not an iPhone ? (MAC will be spoofed !)

goldsoft

After restarting the service, the hostname will automatically change to IP 192.168.0.1, and the file nginx-pass-CaptivePortal.conf has been automatically rewritten.

Gertjan

Because :

@Gertjan said in How to use the pfsense name instead of the IP address in http?:

is hard coded

so editing the nginx config is useless, as pfSense re creates that config file every time it starts nginx.

It's here : https://github.com/pfsense/pfsense/blob/3b2e7ed25c84eb80cc3588e97e7b0d8414e3c1fc/src/etc/inc/system.inc#L1778

When you look at your own file at /etc/inc/system.inc, you'll find it around line 1331 (the github version is ahead - more recent).

Instead of

$cp_hostcheck .= "\t\tif (\$http_host ~* $cpint_ip) {\n";

you change that to

$cp_hostcheck .= "\t\tif (\$http_host ~* pf.home.arpa) {\n";

goldsoft

@Gertjan
After modifying the /etc/inc/system.inc file, the nginx-pass-CaptivePortal.conf file can correctly display the domain pf.home.arpa, and it still displays after restarting the service, indicating that the modification is successful. However, the login page has not changed and still appears in the form of an IP address, http://192.168.0.1:8002/index.php?zone=pass&redirurl=http%3A%2F%2Fqq.com%2F.

Gertjan

@goldsoft

I just tested the http login .... and yes, I saw also "192.168.2.1".

So more work needs to be done.
The story continues here /etc/inc/captiveportal.inc locate function portal_reply_page() around line 1811.

Four lines lower, you'll see
$ourhostname = portal_hostname_from_client_ip($clientip);

That function return the IP if http was chosen, the domain name if otherwise (https).

A solution might be : locate function portal_hostname_from_client_ip($cliip) :
After $ifip = portal_ip_from_client_ip($cliip);
Add on a new line :
$ifip = false;

Like this :

but take note : this is messy.
Its always easier to do what the entire planet does : use https, as it is the future

FSC830

And keep in mind that after each update you need to make this changes again.
So I do with my changes for printing QR codes for voucher access.

Regards

goldsoft

@Gertjan
The IP address has been successfully transformed into a domain name, but it also caused a deadlock. How can this be resolved

http://pfsense.home.arpa:8002/index.php?zone=pass&redirurl=http%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fqq.com

goldsoft

@Gertjan

Gertjan

@goldsoft said in How to use the pfsense name instead of the IP address in http?:

How can this be resolved

By undoing what you did, so you'll get the stable situation back.
Its (not) clear to me that more has to be changed.
Sorry, can't do more here.

goldsoft

This post is deleted!

goldsoft

@Gertjan Thank you very much for your guidance.

goldsoft

@goldsoft said in How to use the pfsense name instead of the IP address in http?:

@Gertjan
The IP address has been successfully transformed into a domain name, but it also caused a deadlock. How can this be resolved

http://pfsense.home.arpa:8002/index.php?zone=pass&redirurl=http%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fpfsense.home.arpa%3A8002%2Fhttp%3A%2F%2Fqq.com

I hope someone can help me solve this problem because I really need this functionality.

Gertjan

@goldsoft

Try this :
Force redirect to preset URL :

I know, not a real solution, but it would break the recursive redirection.

goldsoft

@Gertjan The user has been authenticated and can access the internet. Further redirection would be meaningless

Gertjan

@goldsoft

I get it.
Consider this : when you visit the captive portal's IP or host name manually, the request will get handled by the nginx (the web server handling the captive pirtal login page) : the used host name will be stored in the redirect parameter.
Or, the url (host name) is the host name of the web server itself.
After a valid login, you will get redirected to this 'redirected url'.
Which was ... the same page.
And from now on, this goes in circles : you saw what happens.

Simple solution : never enter or use the captive portal's host name, as the portal will auto redirect to this url anyway.

To break this redirect loop, I proposed the 'https://www.whatver.tld' solution.

johnwilliams1

@goldsoft To change the URL, you can follow these steps:

Access your router settings.
Look for the configuration related to the URL or redirection.
Replace "http://192.168.1.1" with "http://pfsense" in the configuration.
Save the changes.

This should update the URL as you want. If you need more detailed instructions, please specify your router model for further assistance. Also, consider using the essay writing service at for academic help.

Marsh35

@johnwilliams1 Thanks for info!

VinzzB

I've managed to get CP working with a custom dns name, a valid LE certificate and running on the native http(s) ports 80/443.

First make sure you have registered a domain name for use in CP (eg login-guests.mydomain.com)

Setup:

• Captive portal on GuestNetwork - 192.168.10.1)
• Configure Dns resolver. Resolve login-guests.mydomain.com to 192.168.10.1
• configure domain name in CP config (SSL domain name)
• Configure ACME for trusted SSL cert on CP login page. Bind this certificate in the CP configuration pages.

Run CP on native http/https ports:

1. Create your CP config in the GUI using the default ports (>8000).
2. Change the pfsense config.xml and add the following two lines under the captiveportal element. Save the file and reboot the router.

<captiveportal>
    <guest_network>
        ...
        <listenporthttps>443</listenporthttps>
        <listenporthttp>80</listenporthttp>

3. Edit the captiveportal.inc file, go to the function 'captiveportal_init_webgui_zone' and comment or remove the 2 calls to system_generate_nginx_config(). This will disable the re-creation of the nginx config files for CP!
4. Explicitly add interface IP to nginx file. Under /var/etc edit the file nginx-[name]-CaptivePortal-SSL.conf. Add the interface IP in the 'listen' command. (eg: listen 192.168.10.1:443; ). I've disabled the IPv6 ([::]:443) listener.
5. Start the CP service.

This seems to work well. Users are redirected to the domain on port 443 (https).
There is one thing to keep in mind: This configuration may be lost when updating/upgrading pfsense!

Gertjan

@VinzzB said in How to use the pfsense name instead of the IP address in http?:

Edit the captiveportal.inc file, go to the function 'captiveportal_init_webgui_zone' and comment or remove the 2 calls to system_generate_nginx_config(). This will disable the re-creation of the nginx config files for CP!

Not regenerating the nginx config will have side effects, like not putting the new certificates in place when they are are renewed.

I'm using the captive portal for more then a decade now, and never had to do all this.

My setup :
I'm using the LAN for my own 'private' network, this is my trusted network, and a second LAN (OPT) interface for the non trusted users, the captive portal network, on 192.168.2.1/24.
My pfSense host name is called pfsense. The domain is my-domiain.tld
The portal interface host name is defined as portal.my-domiain.tld
This domain, my-domain.tld, is renewed by the acme pfSense package every 60 days.

My captive portal web server has two (multiple) instances, one for http (port 8002) and one for https (port 8003) : (the port 80/443 is the GUI instance )

[24.11-RELEASE][root@pfSense.domain.tld]/root: sockstat -4 | grep 'nginx'
root     nginx      40295 5   tcp4   *:8003                *:*
root     nginx      40257 5   tcp4   *:8003                *:*
root     nginx      38709 5   tcp4   *:8002                *:*
root     nginx      38563 5   tcp4   *:8002                *:*
root     nginx      36734 5   tcp4   *:443                 *:*
root     nginx      36734 8   tcp4   *:80                  *:*
root     nginx      36532 5   tcp4   *:443                 *:*
root     nginx      36532 8   tcp4   *:80                  *:*

Keep in mind that current ( 2024 ) browsers dislike port 80 (http) usage. It a protocol from the past. They will emit warnings. It's all https these day.

The fact that port 8002 or port 8003 is used isn't an issue. These days, every device is portal aware and will get redirected to the correct port. Portal users will never have to enter the captive portal login URL to get and use the login page. If they have to do this, your portal setup is 'broken'.

So, afaik, the captive portal works out of the box, as advertised.
No need to change anything outside of the portal GUI settings.