Netgate Discussion Forum
    Captive Portal not working, think NAT rule is missing.

    yoogie

      Hi there,

      I have again a problem with Captive Portal.
      I now want to have Captive Portal presenting a static site, explaining how to setup the proxy. Squid is running on port 3128. I am using the current RELEASE (1.01).

      Captive Portal is running on port 8000 and I have the rule allowing access to LAN address on this port.

      Well, initially it worked, but now it doesn't. I won't get redirected to port 8000 any more when opening a page.

      All I did in the meantime is install a proxy server (squid) and set it to listen on the LAN address on port 3128.

      How must the NAT rule look in order to install it by hand?

      Hope you can help me.

      Thanks,
      Manuel

      fxp0 = external,
      xl0 = internal

      
      pfctl -sn
      ----------------------------------
      nat-anchor "pftpx/*" all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on fxp0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on ng0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on fxp0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
      nat on ng0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
      rdr-anchor "pftpx/*" all
      rdr-anchor "slb" all
      rdr-anchor "miniupnpd" all

      pfctl -sr
      ----------------------
      scrub all no-df random-id max-mss 1452 fragment reassemble
      anchor "ftpsesame/*" all
      anchor "firewallrules" all
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      anchor "loopback" all
      pass in quick on lo0 all label "pass loopback"
      pass out quick on lo0 all label "pass loopback"
      anchor "packageearly" all
      anchor "carp" all
      anchor "dhcpserverlan" all
      pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
      pass in quick on xl0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps label "allow access to DHCP server on LAN"
      pass out quick on xl0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
      block drop in log quick on fxp0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
      block drop in log quick on ng0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
      pass in quick on fxp0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
      pass in quick on ng0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
      block drop in on ! xl0 inet from 192.168.0.0/24 to any
      block drop in inet from 192.168.0.1 to any
      block drop in on xl0 inet6 from fe80::206:5bff:fea7:fcf1 to any
      anchor "spoofing" all
      block drop in log quick on fxp0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block drop in log quick on ng0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block drop in log quick on fxp0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block drop in log quick on ng0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block drop in log quick on fxp0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block drop in log quick on ng0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block drop in log quick on fxp0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      block drop in log quick on ng0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      anchor "limitingesr" all
      block drop in quick from <virusprot> to any label "virusprot overload table"
      pass out quick on ng0 all keep state label "let out anything from firewall host itself"
      anchor "firewallout" all
      pass out quick on fxp0 all keep state label "let out anything from firewall host itself"
      pass out quick on ng0 all keep state label "let out anything from firewall host itself"
      pass out quick on xl0 all keep state label "let out anything from firewall host itself"
      anchor "anti-lockout" all
      pass in quick inet from 192.168.0.0/24 to 192.168.0.1 keep state label "anti-lockout web rule"
      block drop in log proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      anchor "ftpproxy" all
      anchor "pftpx/*" all
      pass in quick on fxp0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
      pass in quick on ng0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: SSH Admin"
      pass in quick on fxp0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
      pass in quick on ng0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: Web Admin"
      pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
      pass in quick on xl0 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow DNS"
      pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow HTTP (Squid)"
      pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 3128 flags S/SA keep state label "USER_RULE: Allow Squid"
      pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 8000 flags S/SA keep state label "USER_RULE: Allow Captive Portal"
      block drop in log quick on xl0 inet from any to 192.168.0.1 label "USER_RULE: Block everything to Firewall"
      block drop in log quick on xl0 inet from any to 84.176.175.174 label "USER_RULE: Block everything to Firewall"
      pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on ng0 inet proto tcp from any port = ftp-data to (ng0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
      anchor "miniupnpd" all
      block drop in log quick all label "Default block all just to be sure."
      block drop out log quick all label "Default block all just to be sure."
      
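An added diagnostic (example code written for this thread, not pfSense's own code) that scans pasted `pfctl -sn` / `pfctl -sr` output for the two things the post is asking about: whether an inbound pass rule admits LAN traffic to the portal port, and whether any pf rdr rule on the LAN interface redirects to that port. It assumes the LAN interface is xl0 and the portal listens on 8000, as in the post, and runs over a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of the pfctl -sn / pfctl -sr output pasted in the post;
# only the lines relevant to the checks are kept so the example runs stand-alone.
PFCTL_SN = """\
nat-anchor "natrules/*" all
nat on fxp0 inet from 192.168.0.0/24 to any -> (ng0) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
rdr-anchor "miniupnpd" all
"""

PFCTL_SR = """\
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 3128 flags S/SA keep state label "USER_RULE: Allow Squid"
pass in quick on xl0 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 8000 flags S/SA keep state label "USER_RULE: Allow Captive Portal"
block drop in log quick on xl0 inet from any to 192.168.0.1 label "USER_RULE: Block everything to Firewall"
"""

# "rdr on <if> ... -> <dst> port <n>"; rdr-anchor lines do not match (no interface).
RDR_RE = re.compile(r'^rdr\s.*\bon\s+(?P<if>\S+)\b.*->\s*(?P<dst>\S+)\s+port\s+(?P<port>\d+)')
# "pass in ... on <if> ... port = <n>"; the last "port =" on the line is the destination port.
PASS_RE = re.compile(r'^pass in\b.*\bon\s+(?P<if>\S+)\b.*\bport = (?P<port>\S+)\b')


def find_redirects(sn_output, lan_if, portal_port):
    """Return the rdr rules on lan_if that send traffic to portal_port (empty if none)."""
    hits = []
    for line in sn_output.splitlines():
        m = RDR_RE.match(line)
        if m and m.group('if') == lan_if and int(m.group('port')) == portal_port:
            hits.append(line)
    return hits


def has_pass_rule(sr_output, lan_if, port):
    """True if an inbound pass rule on lan_if admits traffic to the given numeric port."""
    for line in sr_output.splitlines():
        m = PASS_RE.match(line)
        if m and m.group('if') == lan_if and m.group('port') == str(port):
            return True
    return False


def diagnose(sn_output, sr_output, lan_if='xl0', portal_port=8000):
    """Summarise what the ruleset says about the captive portal port."""
    return {
        'pass_rule_present': has_pass_rule(sr_output, lan_if, portal_port),
        'rdr_rules': find_redirects(sn_output, lan_if, portal_port),
    }
```

On the pasted ruleset this reports the pass rule for port 8000 as present and no pf rdr rule at all, which matches the symptom; note that pfSense's captive portal has historically done its redirect through ipfw rather than pf, so an empty rdr result on its own is not proof of a missing pf rule.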
      yoogie

        It looks like the creation process of the ruleset has a problem.

        I have edited some rules and rebooted, without success. Then I had a look at /tmp/rules.debug but my changes are not in there.

        I don't know, maybe I should use the latest beta.

        It's really frustrating me.

        sullrich

          Yes, we fixed a number of bugs that will not turn on captive portal correctly without a reboot.

          Justinw

            I'm sure we could figure out how to add the rule by hand, but is there a reason you want/need to? Every time you reboot or save changes in certain areas of the GUI, the conf file you changed will get written right over. All you should have to do is install squid, configure it, and check Status > Services to see it's running. Then start the CP; try it with the local user manager first. The most important thing, though, is that you have the pfSense box set to be your DNS server. Make sure you don't have it set to something else statically and that pfSense isn't giving out different DNS servers in the DHCP settings. I have also found that if you have bad code in your portal page it can cause some headache; I would try it with the default page first.

            jeroen234

              Squid will not work on an old pfSense 1.0.1 version,
              so then he will need to install a snapshot anyway.

              Justinw

                Honestly, the squid package now actually worked for me on 1.0… but I agree that he should be as up to date as possible.

                yoogie

                  Well, setting up squid or captive portal in general is not a problem at all.

                  Captive portal worked for me, but after some fiddling around (only in the web-conf) absolutely no firewall rule was committed to the current configuration. Even after a reboot I was no longer able to change a single rule. I assumed that the problem with the NAT rule of captive portal was related to that problem.

                  So I installed the latest snapshot (03-08-2007) but there is another problem now. I cannot connect to the internet.

                  I use PPPoE with a German telco provider but it won't connect. I can see in the syslog:

                  mpd.conf:8: Unknown command: 'set bundle authname'. Try "help".
                  mpd.conf:9: Unknown command: 'set bundle password'. Try "help".

                  So this is probably a bug report…

                  Cheers,
                  Manuel

                  hoba

                    Please upgrade again. We tried using a newer mpd which didn't work so we reverted back. Current snapshots use the "old" mpd again which works just fine.

                    yoogie

                      Ok, but when I look here ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ ), the newest snapshot is from 03-08-2007, so where can I find the most current one?

                      Thanks in advance,
                      Manuel

                      sullrich

                        Look at the date. That file is rebuilt hourly, but we only bump the version weekly or so.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.