Authentication page doesn't appear. Only passthrough MAC
-
Hello to everybody.
I have an issue with Captive Portal Authentication (pfSense 2.3.3).
Target: I simply want local users to log in with their credentials.
Problem:
I set up the Captive Portal Service with only the following settings:
Interface: "LAN network"
Idle timeout: "120 minutes"
Authentication method: "Local User Manager/Vouchers"
I didn't modify the welcome page settings in the "HTML page Content" section.
Then I set up some MAC addresses in the "MACs" tab that will bypass the authentication.
The problem is that if a user connects to the network, the captive portal login page will not show up…
On the other side, authorized MACs can access without problems.
How can I make the Login Page show up automatically?
Thanks
-
Some good test info can be found here : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
-
I'm having the exact same problem after changing which interface the captive portal is on.
It used to work on igd2 but no longer does after changing to igd3 on vlan 10.
I'm currently investigating. I'm not sure if an allow rule needs to be put in the rules for the interface.
-
I'm currently investigating. I'm not sure if an allow rule needs to be put in the rules for the interface.
You NEED one or more allow rules; if not, nothing passes.
And let me guess: when you drop the vlan stuff everything starts to work? ;)
btw: If the captive portal does work on one interface but not the other, the only issue could be: copy settings from one interface to the other.
-
If I disable the captive portal, then yea, all traffic moves as the captive portal is no longer capturing the traffic.
I'll be able to confirm later today if putting in an allow rule to 127.0.0.1 gets captive portal working again.
Strange thing was I didn't have an allow rule on the original interface.
-
OK, I tried it today. Set up a port forward for ports 8000 to 8002 to 127.0.0.1 on that interface. No change. Any device that tries to do any web surfing gets the scrolling wheel of death. Everything just stops.
Maybe I should make my own thread but I figured since this thread is exactly what was happening to me I'd post on it.
Anyone have any ideas? I've checked the logs and I don't see any traffic going to the FW being blocked. Just DNS responses being blocked. I've done traffic sniffing and I don't see anything being redirected to the firewall. It seems to me that captive portal is broke.
-
…. just DNS responses being blocked.
Ah …. as stated here : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
It seems to me that captive portal is broke.
Don't worry.
I can make it work in a couple of minutes starting from scratch.
The Captive Portal works for thousands or multiples of that.
It's your setup.
-
I don't disagree that it's my setup and obviously starting from scratch it'll work. It worked before just fine. The question remains why it worked on one interface and doesn't work on another when changed.
DNS works just fine, everything resolves when CP is turned off but nothing moves when CP is turned on. Everything goes into the hole and CP doesn't respond and give the page so the user can accept the EULA agreement and start surfing.
So basically, the page is not coming up.
-
OK, I figured it out. PfBlocker put a custom entry in the "Custom options" under the DNS forwarder. You have to delete this option, save and apply. Once done DNS responds properly, the redirect happens and captive portal will answer.
Bottom line is it is a DNS resolution issue. If you are having problems with your captive portal coming up check your DNS resolver or forwarder. Disable one and test with the other. See if it comes up then.
-
Well tested it on the bench and the test worked.
Went to the site and CP still will not work. I thought that maybe it was the guest interface trying to resolve to the LAN interface so I disabled all the blocks. Still no go. I do a ping to pfsense via DNS and it tries to resolve to the LAN.
I moved the Guest interface to a physical NIC, still no go. I moved it back to the VLAN on that same physical NIC, no go.
CP is buggy. I'm thinking I'm going to have to wipe and reload. I don't think CP likes moving to new interfaces.
-
OK, just wiped the firewall today, onsite and restored the config. I can make it work on the bench but it seems I can't make it work at the site. If I click the "view" in the captive portal it will come up but the firewall is not responding on the interface. I even put captive portal directly on igd1 and it just will not answer. I tried connecting with my phone and after it times out it shows in the address bar that it was trying to connect to 172.16.0.1 but there was no answer, it timed out.
So I'm going to try it again on the bench when I have a chance and if I get it working on the bench I'm going to swap their hard drive for mine since it will carry the configuration.
I have no idea why CP is being such a PITA and I've gotten no help from anyone in troubleshooting it on this forum. I'm half tempted to call the tech support number and pay to have them work on it. It sure would be nice to see if it was a configuration issue that I'm not seeing.
-
Just use common troubleshooting techniques.
Prior to logging in to the portal:
Does the client get DHCP? Does it get the proper address, gateway, and DNS servers that will allow DNS before portal authentication?
Can the client resolve DNS names?
Can the client curl http://10.10.10.10/ ?? Does the client get the portal page?
Can the client curl http://www.google.com/ ?? Does the client get the portal page?
CP really does not care what interface it is on.
-
I completely agree.
To answer your questions
DHCP, Yes
DNS, with captive portal off yes, with carp on, no
Client can ping the gateway but does not get an answer from captive portal
DNS won't respond, traffic stops with captive portal on. With captive portal off everything works.
Edit: Changed Carp to Captive Portal as I'm talking about captive portal
-
So you have a CARP/HA problem, not a Captive Portal problem. That is a completely different thing. You'll need to take a look at exactly what IP addresses are involved and sort that out.
Nowhere near enough information to make a recommendation. I don't even know what "with carp on, with carp off" even means.
(Or does carp there really mean CP?) Hard to say.
What are the DNS servers being assigned to the clients? Are they the pfSense interface CP is running on or something else? Your DNS servers need to be passed using Allowed IP addresses if they are being given anything other than the pfSense interface as a DNS server.
-
Crap, sorry, meant captive portal.
DNS is handled by the firewall. Clients pull DNS IP from the firewall
Only DNS is the gateway address 172.16.0.1. PfSense has 6 DNS addresses to resolve against using the PfSense DNS resolver.
When I tried to connect to the captive portal, after it timed out it showed it was trying to connect to 172.16.0.1, the address ending in index.php
I've also checked the firewall logs to see if anything on that interface was being blocked by rules. Nothing showed up.
-
Hard to say without more details what you are doing wrong. Start testing all those things, copying, and pasting I guess.
I just turned up a captive portal and it worked fine. Had to pass 8.8.8.8 if the clients were configured to use that for DNS. Did not have to pass the local interface address in the CP.
Note that the traffic has to pass both CP and the interface rules to work.
Concentrate on DNS. Figure out why users cannot resolve names unless CP is off.
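
The pre-login checks suggested in the thread (which DNS servers the client was assigned, whether names resolve, and what an HTTP fetch returns), as a client-side script. This is an added example, not part of any post above; it assumes a Linux client with `curl` and `getent`, and the function names are made up for illustration.

```shell
#!/bin/sh
# Pre-login captive portal checks, run from a client on the portal interface.
# Assumed, not from the thread: a Linux client with curl and getent, and a
# resolv.conf that lists the DHCP-assigned resolvers.

# List the resolvers the client was handed (one per line).
assigned_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# A resolver other than the portal interface address must be passed under
# Allowed IP addresses, or DNS fails until the user has logged in.
resolver_verdict() {  # resolver_verdict RESOLVER PORTAL_IP
    if [ "$1" = "$2" ]; then echo "portal-interface"
    else echo "needs-allowed-ip"; fi
}

# Interpret one pre-login HTTP fetch from curl's status code and redirect URL.
classify_http() {  # classify_http STATUS REDIRECT_URL PORTAL_IP
    case "$1" in
        000) echo "no-answer" ;;   # timeout or refused: nothing replied
        30[1-8])
            case "$2" in
                *"//$3"|*"//$3"[:/]*) echo "portal-redirect" ;;
                *) echo "other-redirect" ;;
            esac ;;
        *) echo "http-$1" ;;       # e.g. 200: read the body to see whose page it is
    esac
}

run_checks() {  # run_checks PORTAL_IP URL...
    portal=$1; shift
    for r in $(assigned_resolvers); do
        echo "resolver $r: $(resolver_verdict "$r" "$portal")"
    done
    for url in "$@"; do
        host=${url#*://}; host=${host%%/*}
        getent ahosts "$host" >/dev/null 2>&1 && dns=ok || dns=FAILED
        out=$(curl -s -o /dev/null -m 5 -w '%{http_code} %{redirect_url}' "$url") || true
        echo "$url: dns=$dns http=$(classify_http "${out%% *}" "${out#* }" "$portal")"
    done
}

# Example: sh portal-check.sh --run 172.16.0.1 http://10.10.10.10/ http://www.google.com/
if [ "${1:-}" = "--run" ]; then shift; run_checks "$@"; fi
```

A `dns=FAILED` next to `no-answer` for the hostname URL, while the bare-IP URL gives `portal-redirect`, points at name resolution rather than at the portal itself.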