Captive portal and voucher integration with SSID on WLC 9800
-
@johnpoz I'm not talking about setting up any captive portal on the WLC, but the WLC is the controller for all access points, so the WLC is the place where the SSID is configured and there is a policy you configure for your clients to use the pfSense captive portal.
So, I don't understand if I need to have L3 configured on the router; there are some details missing but I don't know what. :)
What is the right configuration, step by step? -
@Jozy who cares what sets up the wifi; it doesn't matter if it's a WLC that manages multiple APs, or a stand-alone AP, or some wifi router being used as an AP.
When it comes down to it, the AP is a bridge from your wifi to your wired network..
You have a network 192.168.100.0/24 -- your wifi clients are on this 192.168.100.0 network.. When they try and go to the internet via pfSense as, say, 192.168.100.1, the pfSense captive portal says hey, you need to auth.
That is all there is to it.. Whatever gets your wifi client onto this network is not part of this process..
Yes, you need to have an L3 on pfSense - how else would it route traffic for your wifi clients that are on this network??
If you want devices to use pfSense as the captive portal, they should use pfSense as their gateway, and most likely DNS too. If pfSense is not the gateway off this whatever network, it has zero to do with controlling anything else on the network.. It can only control who can talk to it to go to some other network.. So yes, it needs an L3, and these clients need to be on this same L2/L3 network if you expect to use pfSense as a captive portal.
-
@johnpoz I have configured DHCP on pfSense and clients get an IP address from the range "10.223.160.0/24".
When trying to ping outside from that interface I can't; pictures below.
From other interfaces it works fine:
Whatever NAT or rule I configure, it doesn't have access to the outside. Second thing is:
When the PC gets an IP address over DHCP it can go to the captive portal in case I manually type the URL of the captive portal, but when trying to connect to the CP over WiFi it is not working.
Anyway, when I remove the redirections from the WLC and try to connect to WiFi it doesn't redirect me to the CP anymore.
WiFi on pfSense - 10.223.160.229
DHCP for clients and gateway is as well 10.223.160.229?
-
@Jozy are your clients using pfSense as DNS? Did you create rules on your interface to allow internet? What NAT rules - did you edit your outbound NAT to not be auto?
First thing I would do is make sure your connection is working before attempting to enable the captive portal.
That redirection sure doesn't look correct - where did that 192.0.2.1 come from? You're still trying to redirect in the WLC - that sure doesn't look like a pfSense captive portal setup.
-
@johnpoz Yes, after changing the NAT rule to the below it started pinging outside.
Hybrid Outbound NAT rule generation.
(Automatic Outbound NAT + rules below)
Anyway, when I get an IP address over WiFi on my cell phone or PC over DHCP from pfSense I cannot ping 10.223.160.229, which is the interface for WiFi configured on pfSense, but when I get an IP address over DHCP on the wired network I can ping 10.223.160.229.
Btw, I can't ping the default gateway as well, even if I can ping 8.8.8.8 from the LAN interface.
Regarding 192.0.2.1, it is mandatory since if I don't configure it, it redirects me to the WLC captive portal.
It is very weird that I have to use redirection on the WLC to the pfSense captive portal. Shouldn't pfSense be the one who will do it if DHCP is configured there? -
@Jozy said in Captive portal and voucher integration with SSID on WLC 9800:
It is very weird that I have to use redirection on the WLC to the pfSense captive portal.
YOU DON'T! You should not set any web auth anything on this SSID you set up in the WLC.
If your client that gets an IP on this network you have cannot ping the pfSense IP on that interface - what are the rules you set up on that interface in pfSense?
-
@johnpoz
Rules below
I disabled web auth and can see that there is no redirection.
"You said - You should not set any web auth anything on this SSID you set up in the WLC." Yes, I know, but in case I don't set any web auth it redirects to nowhere.
I don't know if it is possible to set up to work, since Cisco maybe has its own rules or an incompatibility with it?
If you know anyone who already did this??
-
What / why is this?
Btw: don't use things (devices) or rules like this that no one else has ever tried.
Use proven methods. -
@Jozy said in Captive portal and voucher integration with SSID on WLC 9800:
I don't know if it is possible to set up to work, since Cisco maybe has its own rules or an incompatibility with it?
Nonsense - it can clearly set up an SSID that just connects to the network with no auth - just an open network.
Normally when you run a captive portal the connection to the wifi is open, and the user auths with the captive portal.
Maybe this would be a good video for you to watch.
And with @Gertjan: why would you set up a port forward???
-
@johnpoz this is just a basic video of how to configure basic/initial things.
I agree with you that it should be just set up the SSID and connect to the network.
I get a DHCP address on both PC and wireless; the PC works somehow and wifi does not.
Not sure why I can't ping my pfSense LAN address over wifi but over the wired network it works. There must be some other rule or permission on the WLC or somewhere which doesn't send the echo reply or something.
I'm tired, seems I will look for some other solution -
@Jozy again, what rules do you have on this pfSense interface? What makes more sense: the WLC doing some odd firewalling thing when it's just an AP when it comes down to it, or you having no rule to allow ICMP on pfSense, which, when you create a new interface, has zero rules on it?
Create your simple wifi setup and do not enable the captive portal on pfSense yet for this network. Make sure you have rules on this interface that allow what you want. I would start with an any any rule.
Make sure that works: you can ping the pfSense IP, you can surf the internet, etc..
Then enable the captive portal.
To pfSense there is zero difference between a wireless client and a wired client - because to pfSense they come in on a wire.
-
@johnpoz this is what I sent earlier; it is interface OPT1 with any any.
It is the same, with or without the captive portal enabled.
The thing is, as you said, I deal with you that the WLC has some restrictions and should bypass it, but what -
@Jozy so you're saying you can browse the internet through pfSense, but it doesn't answer ping?
And those are the only rules you have for this interface - do you have any rules in floating?
On your client, when you try and ping the pfSense IP, do you see the MAC in the ARP table?
Do you have some ACLs set on your WLC - why would you block ICMP??
If your MAC shows up and you say you can get internet through pfSense.. I would do a simple packet capture on that OPT1 interface while you're pinging.. If you do not see the ping - then yeah, you have something blocking it between the client and pfSense. If you see the pings but just no answer, that points to a floating rule in pfSense blocking it.. Or some weirdness with the mask or something, but it seems unlikely that internet through pfSense would work then.
-
@johnpoz I have the following situation.
Ping from OPT1 to 8.8.8.8 is working
Ping from the PC to 8.8.8.8 and resolving you can see below
I cannot ping the gateway from the PC but can ping the LAN IP address
ARP table below
Why is the default gateway offline?? hm
Floating rules
WAN rules
OPT1 rules, where the network for wifi is, and I'm testing wired as well
NAT rules
It is weird: I get the captive portal page but don't get internet even if I can ping and resolve it.
On the port group on VMware for the WLC I found the missing VLAN id 1160 which I'm using in the network and DHCP, and I have added it.
First I have to figure out why I don't get internet over the OPT1 network even if the captive portal is showing up. -
@Jozy if this is the pfSense IP
Why would .13 be saying it cannot get there and be answering? That is your client device?
What is the pfSense IP address on OPT1, this network your wireless device is on??? Is it that 160.1 address? If so, then pfSense doesn't even know its own MAC address?
From that I would say the pfSense IP on OPT1 is the .229 address - why are you trying to ping 160.1???
Why are you using manual NAT - which doesn't even have this 10.223.160 network?? Why would you have outbound NAT set for your LAN interface? Why would you use a source of any?
No wonder you are having issues - this is a complete and utter train wreck!
Set your outbound NAT to auto..
Show the configuration of this OPT1 network; let's see the output of ipconfig /all on your client.
You understand that if the pfSense IP is this .229, that would be the gateway of anything on the 10.223.160.0/24 network you set up on the OPT1 interface.. What do you think this 160.1 address is? That is not pfSense; that is some other device on your network that you want to use to get off the network, i.e. a gateway.. Well, pfSense can't even get a MAC for this - so clearly it's not actually on the network even..
Here as an example, this is a LAN side interface of pfSense - its IP is .253; see how my client on this network points to that .253 address as its gateway.
This is the typical sort of outbound NAT you would have.
Those are all my LAN side pfSense networks; pfSense has an IP in all of those networks.. The pfSense IP on those networks is the gateway for the devices on those networks.. All my IPs on pfSense end in .253; .253 is the gateway for all the devices on the different networks..
Devices on my 192.168.3 would use the pfSense IP on that network, 192.168.3.253; devices on my 192.168.0/24 network would use the pfSense IP on that network, 192.168.6.253, etc..
Where and why would a device be using this 10.223.160.1 as a gateway? If some device is using that 160.1 as a gateway, it sure is not going to send any traffic to pfSense, nor would it ever be able to use pfSense as a captive portal.
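The two misconfigurations johnpoz points at above (the client routing through a 10.223.160.1 that is not pfSense, and a manual outbound NAT table that never lists the 10.223.160.0/24 network) can be checked mechanically. This is an added example, not code from the thread or from pfSense; the addresses are constructed from the posts above and the function names are mine.

```python
"""Sanity checks for a pfSense captive-portal network (added example, not
the forum's or pfSense's own code). Constructed values from the thread:
pfSense holds 10.223.160.229 on OPT1, client .13 was handed 10.223.160.1
as its gateway, and manual outbound NAT lacked the 10.223.160.0/24 net.
"""
import ipaddress


def check_client_gateway(client_ip, prefixlen, gateway, pfsense_if_ip):
    """Return a list of problems with a client's L3 configuration.

    A captive portal on pfSense only works if the client routes through
    pfSense, i.e. its gateway is the pfSense address on the same subnet.
    """
    problems = []
    client = ipaddress.ip_interface(f"{client_ip}/{prefixlen}")
    gw = ipaddress.ip_address(gateway)
    pf = ipaddress.ip_address(pfsense_if_ip)
    if pf not in client.network:
        problems.append(f"pfSense {pf} is not on client subnet {client.network}")
    if gw not in client.network:
        problems.append(f"gateway {gw} is not on client subnet {client.network}")
    if gw != pf:
        problems.append(f"gateway {gw} is not pfSense ({pf}); traffic bypasses pfSense")
    return problems


def networks_missing_outbound_nat(lan_networks, nat_source_networks):
    """Return LAN networks that no outbound NAT source rule covers.

    Hosts on such a network can reach pfSense, but their packets leave the
    WAN with a private source address and replies never come back.
    """
    nat_nets = [ipaddress.ip_network(n) for n in nat_source_networks]
    missing = []
    for lan in lan_networks:
        lan_net = ipaddress.ip_network(lan)
        if not any(lan_net.subnet_of(n) for n in nat_nets):
            missing.append(str(lan_net))
    return missing


# Constructed inputs mirroring the symptoms described in the thread.
CLIENT_PROBLEMS = check_client_gateway("10.223.160.13", 24,
                                       "10.223.160.1", "10.223.160.229")
MISSING_NAT = networks_missing_outbound_nat(
    ["10.223.160.0/24", "192.168.3.0/24"], ["192.168.3.0/24"])

if __name__ == "__main__":
    for p in CLIENT_PROBLEMS:
        print("client:", p)
    for n in MISSING_NAT:
        print("no outbound NAT rule for:", n)
```

With automatic outbound NAT (pfSense's default) every local network is covered, so the second check only matters once someone has switched to manual or hybrid mode.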
-
@johnpoz I don't get it anymore. You said above "What NAT rules - did you edit your outbound NAT to not be auto?"; now why "Set your outbound NAT to auto.."? hm
I would like to thank you for your time, but now I definitely give up :)
-
@Jozy good luck with that mess.. I asked if you had messed with your outbound NAT; I didn't say set it to manual..
Auto is the default - all of this would work with clicky, clicky with pfSense out of the box - the only reason it wouldn't is that you messed with the defaults, etc..
Or you're not even using pfSense as the gateway.. Which it seems you're not.. ugggh..