• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Captive portal & external DNS Server - not redirecting

Captive Portal
captiveportal captive portal dns resolver dnsbl
2
5
659
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    sazanof
    last edited by Oct 18, 2023, 12:03 PM

    Hello everyone!

    Next rules:
    x.x.144.1 - PF
    x.x.144.10 - Win Srv (DC, DNS, DHCP roles)

    Tell me, I set up captive portal (dhcp, dns resolver) on pf and enabled
    Enable HTTPS login option.

    I checked, everything works, opens the authorization page and it passes successfully.

    I want to use a DNS server on DC (there is also DHCP sevice on it).

    Well, I turn off the PfSense DHCP server, turn on DHCP on the domain controller, in the DCHP options I specify the DNS server PF (144.1) - it works well.

    I changed the address of the DNS server to another one (144.10) in the DHCP parameters (which is raised on the domain controller) + I added this IP 144.10 in the portal's captive settings in allowed ips, then redirection does not work 😠 , sites open without authorization.
    The authorization page opens manually (copy-paste).

    How can I force captive portal to redirect if clients use another DNS server (on my DC)? I want to use one DNS server with 144.10 on DC instead of DNS PfSense.

    Please, help!

    In addition, I use DNSBL to perform a Safe Search

    G 1 Reply Last reply Oct 18, 2023, 7:15 PM Reply Quote 0
    • G
      Gertjan @sazanof
      last edited by Oct 18, 2023, 7:15 PM

      @sazanof

      What about this one : on the DHCP server you use, tell it to send your 144.10 server as the DNS server.

      Now, get a device, activate the wifi - or wire, and connect to the portal ntwork. Do not loggin.
      Check on that device with ipconfig /all ( or equivalent) what IP, gateway and DNS it received.

      The pf portal will, of course, block this 144.10 IP, so you have to add it to the "allowed IPs" list on the portal.

      Now : without using the captive portal login page - no browser nothing, ; can you do a dig or nslookup on the device connected to the portal network ?
      Does it use the 114.10 device ?
      Can you see the DNS request coming in on that DNS 144.10 ? And the answer ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      S 1 Reply Last reply Oct 19, 2023, 5:38 AM Reply Quote 1
      • S
        sazanof @Gertjan
        last edited by Oct 19, 2023, 5:38 AM

        @Gertjan hello! Yes, of course I did all of this:

        On my DHCP server option 006 is 144.10

        ipconfig /all - shows DNS Server 144.10 on client

        nslookup google.com - also shows DNS Server 144.10 on client

        nslookup google.com
        Tõ¨òõ¨:  UnKnown
        Address:  192.168.128.10
        google.com
        Addresses:  2a00:1450:4010:c0e::66
                  2a00:1450:4010:c0e::8a
                  2a00:1450:4010:c0e::65
                  2a00:1450:4010:c0e::8b
                  142.250.150.101
                  142.250.150.102
                  142.250.150.113
                  142.250.150.138
                  142.250.150.139
                  142.250.150.100
        

        OR

        nslookup lipsum.com
        Tõ¨òõ¨:  UnKnown
        Address:  192.168.128.10
        
        Lü :     lipsum.com
        Address:  34.85.243.109
        

        In the diagnostics section "Packet Capture", I noticed that the packets go to port 53 of address 192.168.1.1 (???). But there is no such address in my test network.

        I decided to look into the properties of the DNS server on windows server and the server 192.168.1.1 was listed in the forwarding server. I fixed it to 144.1 (pf).

        So now, when client open for ex. lipsum.com or someone else - the portal page opens, but there is no redirection for a very long time (about 20 seconds). If you open an IP address with some kind of web interface in the browser, then redirection to the portal page occurs instantly. Why?

        @Gertjan said in Captive portal & external DNS Server - not redirecting:

        The pf portal will, of course, block this 144.10 IP, so you have to add it to the "allowed IPs" list on the portal.

        Yes, I read the troubleshooting guide for the portal, and the first thing I did was register IP 144.10 in the portal settings "allowed IPs".
        And if I do this, there is no redirection to the portal page, all sites open without requiring authorization. Why?

        And I understand that most likely this is another topic, but nevertheless, it may be related: DNSBL on pfBlockerNG not work. There is no redirect on "access denied page". =(

        The SafeSearch section and the rules in DNS Resolver for safe search work, but if I open blacklisted site in the browser, it will open without redirect to DNSBL error page. It's also unclear what went wrong.

        G 1 Reply Last reply Oct 19, 2023, 7:19 AM Reply Quote 0
        • G
          Gertjan @sazanof
          last edited by Oct 19, 2023, 7:19 AM

          @sazanof said in Captive portal & external DNS Server - not redirecting:

          So now, when client open for ex. lipsum.com or someone else - the portal page opens, but there is no redirection for a very long time (about 20 seconds). If you open an IP address with some kind of web interface in the browser, then redirection to the portal page occurs instantly. Why ?

          What a device, the OS actually, should have to do: as soon as DHCP negotiation finishes, it will send a http (not https !) request to a build in URL. For Apple device, this "http://captive.apple.com/hotspot-detect.html". If this does not return (click on the link to see the answer) "Success", then the OS knows there is no direct Internet connection. So, maybe a captive portal ? It will spin up a default web browser with the same URL again.
          This "any IP destination, destination port 80 => redirect to IP of the portal interface, port 8002" action, a firewall rule, will produce not "Success" but our login page.

          No why this does not happens on your device : ask your device ? 😊

          For instance, most browsers want to out smart us by totally ignoring system's DNS, and use their own DOH or whatever .... and yeah, that will hit the wall ... portal.

          Keep in mind also that the portal is the server (web server) and you have the client.
          The portal page isn't send or pusched to you.
          You see it when you (the browser or the system) asks for it.

          Why your device doesn't ask for it ? Dono.

          Btw : when the portal login page opens, and you validate that page with a valid login, the IP & MAC of your device are added to the OK-table in the firewall. And then, as a result if the POST (to login) of your browser, it will receive a URL redirect to the original URL it wanted to visit initially.

          What I do : I redirect the user to a well known site, that shows up fast, and proofs that the user is connected :

          login-to-view

          From there on, they will know what to do.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          S 1 Reply Last reply Oct 19, 2023, 7:28 AM Reply Quote 1
          • S
            sazanof @Gertjan
            last edited by Oct 19, 2023, 7:28 AM

            @Gertjan

            Yes, it turns out a whole trip to the theater.😊
            Also, it turns out that the problem is solved, the solution (in my case) is found, published. Maybe it will help someone.

            Thank you very much!

            As for DNSBL - perhaps I will create a new topic.

            1 Reply Last reply Reply Quote 0
            1 out of 5
            • First post
              1/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.