[Solved] Challenges with screen mirroring with active captive portal
-
Hello, how are you?
I am currently using Captive Portal in a school environment, and it works perfectly for everything I need. However, I am facing some difficulty in enabling the protocols used for screen mirroring. Currently, each classroom has a router, a tablet, and an Intelbras TV Box, all of which have their MAC addresses allowed in the captive portal and have internet access, allowing me to browse websites normally. However, the teachers use the tablet to mirror the screen to the TV Box, and this mirroring does not work with Captive Portal active. When trying to mirror via the Google Home app or Google Chrome's screen mirroring, the device doesn't even appear for mirroring. If I disable the Captive Portal, the device reappears.
I am using pfSense version 2.6.0 (I didn't upgrade to the latest version because the Captive Portal didn't work in 2.7.0). Currently, the rooms have a firewall rule to allow all traffic: Protocol: Any, Source: Any, and Destination: Any. I also use VLANs, with each room having IPs like 192.168.100.1, 192.168.102.1, etc... The Captive Portal is enabled for all of them, with the following IPs allowed in the "Allowed IP address" option:
⇄ 200.20.186.76 NTP
⇄ 200.160.7.186 Time service - a.st1.ntp.br
⇄ 200.186.125.195 NTP
⇄ 201.49.148.135 NTP
⇄ 224.0.0.0 /4 Multicast
⇄ 224.0.0.251 mDNS: used for, for example, Chromecast and Bonjour
⇄ 239.0.0.0 /10 Multicast for private networks
⇄ 239.255.255.250 Windows network neighborhood discovery: uses SSDP, NetBIOS-NS, and NetBIOS-SS
⇄ 40.119.6.228 NTP
What can I do to ensure that screen mirroring always works? I don't want to have to disable Captive Portal every time I need to use screen mirroring.
Thank you very much for your attention :)
-
Be aware that your question can't be resolved easily.
Portal experts using 2.6.0 or even 2.7.0 are very hard to find, you might be the only one. That is, there might be others, but unknown here on the forum.
The actual pfSense version has been 2.7.2 for a year now.
The captive portal works, as I've been using it for a while up until the moment I switched to the Plus version.
I've been using 2.6.0 for a hotel, which is a simple straightforward setup.
If your portal is set up correctly, be aware of one thing: Client isolation.
This can be an option on a Microsoft Windows OS: it's the question you were asked if your network is "public" or "private".
The public mode tells Windows to talk to the gateway only, and not accepting (nor "seeing") any other devices in the (portal) network.
Client isolation is also an access point option, not allowing any Wifi connected devices to talk to each other, only to the gateway (pfSense).
You are using VLANs. Great. Be aware it adds a layer of complexity, and you probably use 'smart' switches which can add their pile of issues.
If the "router, a tablet, and an Intelbras TV Box" are all on the same network (the portal network)
and Client Isolation is ruled out
and VLAN issues are ruled out,
then know that pfSense doesn't 'see' or 'firewall' any traffic between these devices: the traffic doesn't even reach pfSense.
I'm not sure what "mirroring" is, but I presume that it's one device, the tablet, sending info (screen info) to another device, the TV, on the same network.
-
Oh, that’s unfortunate. I thought a lot of people were using the captive portal in this version.
About "screen mirroring," sorry, I didn’t specify it well. Here in Brazil, we use this term to refer to sending information from a device to a TV.
I even tried using version 2.7.2; it was on my list of possible solutions, but that doesn’t seem to be the problem. I’m 99% sure the issue is with some protocol that this Intelbras box device uses. Here at the school, I have two models of this same brand, and both were having the same issue. After allowing multicast IPs, one of these models started working normally, but the other only works when I disable the captive portal.
So, I came to the forum to see if anyone knew of an IP to add to the allow list or something that would allow everything a device needs.
I’m out of ideas.
If nothing works, I’ll swap these devices or create a VLAN without a captive portal just for them.
Again, thank you for your help, Gertjan!
-
@EwertonSteve said in Challenges with screen mirroring with active captive portal:
Oh, that’s unfortunate. I thought a lot of people were using the captive portal in this version.
I hope not.
"Security" is still a thing. pfSense got updated from the now ancient FreeBSD 12 to FreeBSD 15, PHP got renewed, OpenSSL has evolved, OpenVPN changed a lot. New stuff got added.
Even the GUI color has changed!
How is your captive portal set up? Do you use an access point? If so, have you checked the access point to see if Client Isolation is activated? If so, you've found your issue.
Can you confirm that the TV, tablet and all other devices are on the same network? Like all on 192.168.2.1/24? If so, then the issue can't be pfSense as the traffic doesn't flow through pfSense.
You use a TV set... a TV set that is VLAN aware? That's rare, I never saw that.
Or do you use an L3 smart switch to handle the VLAN to LAN traffic? Does that switch pass all traffic? Not every device handles stuff like broadcast or anycast well.
-
@Gertjan said in Challenges with screen mirroring with active captive portal:
You use a TV set... a TV set that is VLAN aware?
No, I used the term "TV" just as an example, in each room there are four pieces of equipment: Router, Intelbras Box, Tablet and projector. I even left the projector out because it is only used to show the image from the Intelbras box and is connected by cable.
@Gertjan said in Challenges with screen mirroring with active captive portal:
I hope not.
"Security" is still a thing. pfSense got updated from the now ancient FreeBSD 12 to FreeBSD 15, PHP got renewed, OpenSSL has evolved, OpenVPN changed a lot. New stuff got added.
Even the GUI color has changed!
You're right, I said it more to the effect that it's a shame that no one can give me any advice if they've already been through this.
@Gertjan said in Challenges with screen mirroring with active captive portal:
How is your captive portal set up? Do you use an access point? If so, have you checked the access point to see if Client Isolation is activated? If so, you've found your issue.
The captive portal settings I configured are as simple as possible. In the Settings tab:
-Interfaces: I selected all VLANs
-Idle timeout (Minutes): 1440
-Preserve users database: Yes
-Concurrent user logins: Last Login
-Per-user bandwidth restriction: 15 Mbps Upload and Download
-Authentication Method: GSuite and Local Database
-Local Authentication Privileges: Yes
-MACs Tab: I added the MAC addresses of the tablets, TV boxes, and routers.
-Allowed IP Addresses: The IPs that I sent in the first question.
All rooms have an AP, and client isolation is disabled.
@Gertjan said in Challenges with screen mirroring with active captive portal:
Can you confirm that the TV, tablet and all other devices are on the same network? Like all on 192.168.2.1/24? If so, then the issue can't be pfSense as the traffic doesn't flow through pfSense.
Each room uses a VLAN, for example:
Room 10: Uses: Vlan_Room10
IP: 192.168.110.1/27
Equipment: Tablet, Box, and specific router for Room 10
Room 09: Uses: Vlan_Room09
IP: 192.168.109.1/27
Equipment: Tablet, Box, and specific router for Room 09
I didn’t want to implement a VLAN for each room, but it became necessary. We were having issues where students would take the teacher’s tablet and mirror its screen throughout the school.
@Gertjan said in Challenges with screen mirroring with active captive portal:
Or do you use an L3 smart switch to handle the VLAN to LAN traffic? Does that switch pass all traffic? Not every device handles stuff like broadcast or anycast well.
I am using two Dell PowerConnect 2824 switches. The connection comes from the pfSense server to the switch in rack 1, and from there, it goes to the other switch in rack 2, which then distributes to the classrooms. But if this were the issue, the transmission wouldn’t work even with the captive portal disabled, right? The problem only occurs when the captive portal is enabled and only on devices that use an unknown protocol.
-
@EwertonSteve
Since you are Brazilian, I took the liberty of replying in Portuguese.
My first suspicion or tip, which has already been mentioned, would be about the access points and the "client isolation" setting; if that is turned on, it really can get in the way of this kind of use between devices for screen mirroring.
In your Captive Portal configuration, I saw that you use bandwidth limiting. Once, while helping a friend with another Captive Portal issue, he mentioned that up to a certain pfSense version this was somewhat "buggy" and did not work well, and only after a certain version did it start working OK. It's a pity I don't remember the versions involved. But I would suggest upgrading to 2.7.2, where with good certainty everything should be better supported. This was just an extra point I remembered, but it should not affect the screen mirroring case, because to mirror a screen the communication must happen directly between the devices on the same network/VLAN, without going through pfSense.
At a certain client, when I set up Captive Portal on pfSense 2.6.0, there was a bug regarding UDP packets, and it was necessary to apply a patch via System Patches to fix it. In 2.7.2 this is already fixed.
-
Yes, be sure to have applied the recommended patches from the system patches package in 2.6.0. You could very well be hitting that bug.
-
Good morning, everyone!
Sorry for the delay in getting back to you. I had a health issue last week.
My last attempt worked! However, the sad news is that I didn’t do anything different. The only thing I did was create a new VLAN. My plan was to isolate the devices that weren’t mirroring and run some tests, but they started working as soon as I placed them in the new VLAN. Maybe they were conflicting with some other device in the school?
Anyway, I don’t think this will help anyone reading this post in the future looking for a solution to their problem, if they have one.
That said, I created the VLAN with the IP 192.168.206.1.
For MAC filtering, I allowed the tablets, routers, and TV box. The rest was as I mentioned in my previous posts.
Thank you to everyone who replied to me!
@Gertjan @stephenw10 @wasimtariq23 @marcelobeckmann, since I saw that all the questions were in English, I thought it would be easier to find an answer by asking in English. Thank you very much.
Now, how do you close the post?
-
There's no formal way to close/solve it but I can mark it solved if you consider it so?
-
@stephenw10 yes, thank you