Captive Portal - Change Default Gateway
-
Hello,
I have a working captive portal, redirecting to the portal page and everything is working as it should..
BUT.. I need to change the default gateway of the firewall, and when I do this, the users are no longer getting redirected to the login page.
I believe that it has something to do with DNS (It's always DNS...), but I can't seem to find the problem.. Anyone who has done this and knows what to do?
-
@uggiz said in Captive Portal - Change Default Gateway:
Anyone who has done this
Can you tell why you would have to do this ?
On a test device on your portal, check : using ipconfig /all for example, the details of the DHCP lease received :
The IP,
The network,
The DNS, should be pfSense portal interface !
The gateway. What is the IP ?
The DNS IP should be the one of pfSense.
So DNS should work. Test, using for example nslookup.
But I'm still puzzled. If the pfSense portal interface isn't the gateway, this gateway isn't pfSense (wow, this makes sense). So it isn't firewalled - no portal is protecting that gateway, as it isn't pfSense.
So the device could use it to go out ..... without ever noticing the portal ....
-
I think that I left something out from my problem (Sorry),
On my test device all the IP settings are correct, the FW is the gateway. And DNS is the firewall..
But when I change this:
To another WAN gateway (That I know is working), the portal stops redirecting.
-
Aaah, a WAN fail over.
I can't test that myself.
IMHO, a portal is, initially, just like any other LAN interface.
Do you have a dedicated LAN, for your trusted network users, and a captive portal for your non trusted network users ? And if so, LAN still works if the fail-over happens, and the portal users lose internet ?
Can you show your LAN firewall rules and portal firewall rules ?
For my own curiosity : Is Starlink losing the connection that often that you have a second connection ("VSat", probably geo satellite so $$ and metered) to back it up ?
-
@uggiz
Changing the default gateway involves two changes. The first under Interfaces, Wan where you set the IP and IP4 Upstream Gateway.
It is easy to miss the second change: On the WebConfig page, click pfSense in the upper LH corner. If you do not have the Gateways Widget, add it. Then click on the word Gateways in the Upper Left Hand Corner of the Widget. That will bring up a Gateways Screen. Click on the "Related Settings" icon in the upper RH corner. It looks like 3 horizontal lines with arrows on them. That will bring up a similar screen but at the bottom of that screen you set the Default Gateway. If you have two gateways defined in your system, you will have to change both locations to change the Gateway and get WAN working again. Don't forget to hit Save.
This should not normally impact the login screen but you indicated you were changing the gateway so I suggest you get that working first and test it from a LAN connection to verify internet connectivity. You can always ping google.com through Diagnostics, Ping. Your DNS problems could be related to internet connectivity.
-
@EDaleH said in Captive Portal - Change Default Gateway:
It is easy to miss the second change: On the WebConfig page, click pfSense in the upper LH corner. If you do not have the Gateways Widget, add it. Then click on the word Gateways in the Upper Left Hand Corner of the Widget. That will bring up a Gateways Screen. Click on the "Related Settings" icon in the upper RH corner. It looks like 3 horizontal lines with arrows on them. That will bring up a similar screen but at the bottom of that screen you set the Default Gateway. If you have two gateways defined in your system, you will have to change both locations to change the Gateway and get WAN working again. Don't forget to hit Save.
Is this : System > Routing > Gateways ?
and you see this :?
-
@EDaleH
Same screen, alternate route to it in the menu. The Gateways must match the one(s) set in Interfaces, Wan when changing the Gateway. I do this all the time when I restore a Production Server to the Lab setup, the gateway setup always changes. Lately I have gotten lazy and edit the config.xml file before restoring it, as follows:
<interfaces>
    <wan>
        <enable></enable>
        <if>igc0</if>
        <blockpriv></blockpriv>
        <blockbogons></blockbogons>
        <descr><![CDATA[WAN]]></descr>
        <ipaddr>192.168.123.111</ipaddr>
        <subnet>24</subnet>
        <gateway>WANGW</gateway>
        <spoofmac></spoofmac>
    </wan>
and:
    <defaultgw4>WANGW</defaultgw4>
    <defaultgw6>-</defaultgw6>
</gateways>
By editing config first, it enables internet access sooner for the package installs and that is less likely to time out during the restore if you don't edit it fast enough. I do go and get a coffee though so it has the side effect of more coffee consumption.
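One way to check the point made in the post above (the gateway named under Interfaces, WAN and the default gateway must agree) before restoring a hand-edited config.xml. This is an added example, not part of the original thread and not pfSense code; the `<pfsense>` root, the `<gateway_item>`/`<name>` layout and the handling of an empty or `-` default are assumptions, and gateway groups are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup. <wan> and <defaultgw4> follow the
# excerpt in the post; <pfsense> root and <gateway_item>/<name> are assumed.
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>igc0</if><ipaddr>192.168.123.111</ipaddr><subnet>24</subnet>
      <gateway>WANGW</gateway></wan>
    <lan><if>igc1</if><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>192.168.123.1</gateway>
      <name>WANGW</name></gateway_item>
    <defaultgw4>OLDGW</defaultgw4>
    <defaultgw6>-</defaultgw6>
  </gateways>
</pfsense>"""


def check_gateways(xml_text):
    """List mismatches between interface gateways, defined gateways
    and the IPv4 default gateway in a config.xml document."""
    root = ET.fromstring(xml_text)
    # Names of all gateways defined under <gateways> (assumed layout).
    defined = {g.findtext("name") for g in root.iterfind("gateways/gateway_item")}
    problems = []
    iface_gws = {}
    for iface in root.iterfind("interfaces/*"):
        gw = (iface.findtext("gateway") or "").strip()
        if gw:
            iface_gws[iface.tag] = gw
            if gw not in defined:
                problems.append(f"{iface.tag}: gateway '{gw}' is not defined")
    default4 = (root.findtext("gateways/defaultgw4") or "").strip()
    # Empty and "-" are skipped (assumed to mean automatic / none).
    if default4 not in ("", "-"):
        if default4 not in defined:
            problems.append(f"defaultgw4 '{default4}' is not defined")
        if default4 not in iface_gws.values():
            problems.append(f"defaultgw4 '{default4}' is not used by any interface")
    return problems


if __name__ == "__main__":
    for line in check_gateways(SAMPLE) or ["gateways are consistent"]:
        print(line)
```

An empty result means both places name the same defined gateway; any listed line points at the element to fix before the restore.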