Captive Portal not working, think NAT rule is missing.

yoogie

Hi there,

I have again a problem with Captive Portal.
I now want to have Captive Portal presenting a static site, explaining how to setup the proxy. Squid is running on port 3128. I am using the current RELEASE (1.01).

Captive Portal is running on port 8000 and I have the rule allowing access to LAN address on this port.

Well, initially it worked, but now it doesn't. I wont get redirected to port 8000 any more when opening a page.

All I did in the meantime is install a proxy server (squid) and set in to listen on the LAN address on port 3128.

How must the NAT rule look in order to install it by hand?

Hope you can help me.

Thanks,
Manuel

fxp0 = external,
xl0 = internal

pfctl -sn
----------------------------------
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
nat on ng0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
nat on fxp0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
nat on ng0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
rdr-anchor "miniupnpd" all

pfctl -sr
----------------------
scrub all no-df random-id max-mss 1452 fragment reassemble
anchor "ftpsesame/*" all
anchor "firewallrules" all
block drop quick from <snort2c>to any label "Block snort2c hosts"
block drop quick from any to <snort2c>label "Block snort2c hosts"
anchor "loopback" all
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
anchor "packageearly" all
anchor "carp" all
anchor "dhcpserverlan" all
pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
pass in quick on xl0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps label "allow access to DHCP server on LAN"
pass out quick on xl0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
block drop in log quick on fxp0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
block drop in log quick on ng0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
pass in quick on fxp0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
pass in quick on ng0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
block drop in on ! xl0 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.1 to any
block drop in on xl0 inet6 from fe80::206:5bff:fea7:fcf1 to any
anchor "spoofing" all
block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
block drop in log quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "limitingesr" all
block drop in quick from <virusprot>to any label "virusprot overload table"
pass out quick on ng0 all keep state label "let out anything from firewall host itself"
anchor "firewallout" all
pass out quick on fxp0 all keep state label "let out anything from firewall host itself"
pass out quick on ng0 all keep state label "let out anything from firewall host itself"
pass out quick on xl0 all keep state label "let out anything from firewall host itself"
anchor "anti-lockout" all
pass in quick inet from 192.168.0.0/24 to 192.168.0.1 keep state label "anti-lockout web rule"
block drop in log proto tcp from <sshlockout>to any port = ssh label "sshlockout"
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on fxp0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
pass in quick on ng0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
pass in quick on fxp0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
pass in quick on ng0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on xl0 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow HTTP (Squid)"
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 3128 flags S/SA keep state label "USER_RULE: Allow Squid"
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 8000 flags S/SA keep state label "USER_RULE: Allow Captive Portal"
block drop in log quick on xl0 inet from any to 192.168.0.1 label "USER_RULE: Block everything to Firewall"
block drop in log quick on xl0 inet from any to 84.176.175.174 label "USER_RULE: Block everything to Firewall"
pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "miniupnpd" all
block drop in log quick all label "Default block all just to be sure."
block drop out log quick all label "Default block all just to be sure."</sshlockout></virusprot></snort2c></snort2c> 

yoogie

It looks like the creation process of the ruleset has a problem.

I have edited some rules and rebooted, without success. Then I had a look at /tmp/rules.debug but my changes are not in there.

I don't know, maybe I should use the latest beta.

It's really frustrating me.

sullrich

Yes, we fixed a number of bugs that will not turn on captive portal correctly without a reboot.

Justinw

I'm sure we could figure out how to add the rule by hand, but is there a reason you want/need to?  Everytime you reboot or save changes in certain areas of the gui, the conf file you changed will be written right over the top of.  All you should have to do is install squid, configure, status > services check to see its running.  Then start the CP, try it with the local user manager first.  The most important thing though, is that your have the PFsense box set to be your DNS server.  Make sure you don't have it set to something else statically and that pfsense isn't giving out different DNS servers in the dhcp settings.  I have also found that if you have bad code in your portal page it can cause some headache, I would try it with the default page first.

jeroen234

squid will not work on a old pfsense 1.0.1 version
so then he will need to install a snapshot anyway

Justinw

Honestly the squid package now actuallyworked for me on 1.0…but I agree that he should be as up to date as possible.

yoogie

Well, setting up squid or captive portal in general is not a problem at all.

Captive portal worked for me, but after some fiddling around (only in the web-conf) absolutely no firewall rule was commited to the current configuration. Even after a reboot I wasn't able any more to change a single rule. I assumed that the problem with the NAT rule of captive portal relied on that problem.

So I installed the latest snapshot (03-08-2007) but there is another problem now. I cannot connect to the internet.

I use PPPoE with a german telco provider but it won't connect. I can see in the syslog:

mpd.conf:8: Unknown command: 'set bundle authname'. Try "help".
mpd.conf:9: Unknown command: 'set bundle password'. Try "help".

So this is probably a bug report…

Cheers,
Manuel

hoba

Please upgrade again. We tried using a newer mpd which didn't work so we reverted back. Current snapshots use the "old" mpd again which works just fine.

yoogie

Ok, but when I look here ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ ), the newest snapshot is from 03-08-2007, so where can I find the most current one?

Thanks in advance,
Manuel

sullrich

Look at the date.  That files is rebuilt hourly but we only bump the version weekly or so.