No CP from fixed LAN IP, dhcp scoop only?

d4rg0 · Jul 19, 2008, 2:48 PM

Hi

I'll admit, I must have done something wrong but fail to figure it out myself.
I can't get a stable Captive Portal service running.
Or this might be just as it should be for all that I know.

The Captive Portal only captures my browser when my LAN client is on the DHCP scoop.
As soon as a fixed IP client (outside the dhcp scoop) tries to go online, all he get is the timeout of the page he tries to reach.
Only random and once in a while the users hits the captive portal. This is the same for both Firefox and IE on Windows XP.

Since I do have some clients on fixed IP's (due to services running on the client that needs to be reached from outside too), am I supposed to add these to the allowed IP addresses, or mac pass-through?
If so, they don't need to authenticate for now against the user manager, but later against freeradius.
I would like them to authenticate for getting logs etc.
Any solution to this scenario?

My settings
System -> General Setup, webGUI is set to http.
Services -> DNS forwarder, is enabled.
Services -> DHCP server, it's enabled and a range is set (192.168.1.100-150) and the IP (192.168.1.1) is set as the Gateway.
Captive Portal -> Enabled, Interface is LAN, idle=30, hard=60, popup enabled, Concurrent users disabled, mac filtering disabled, authentication by local user manager.

There was no default captive portal webpage, so I copied the login form on the settings page and uploaded it as index.html

My platform is a pentium 4 @ 2.6GHz with 512MB ram
re0 is the LAN nic, RealTek 8169SB/8110SB Gb eth.
bge0 is the WAN nic, Broadcom BCM5705 A3, ASIC rev. 0x3003
pfSense is 1.2 stable

Kind regards

GruensFroeschli · Jul 19, 2008, 4:50 PM

Did you make sure that your clients with a static IP have the pfSense DNS-forwarder as primary DNS?

d4rg0 · Jul 20, 2008, 1:28 AM

Hi

That was indeed the fault.
So they can't use the wan provided dns, but must use 192.168.1.1 (the gateway) as primary dns?
Well, thank you, it fixed my problem. No reason to dwell any longer on this.

Now I'm off to explore this pfSense world :)

Kind regards

GruensFroeschli · Jul 27, 2008, 10:27 AM

Yes, because otherwise pfSense has no way to redirect the connecting clients to the authenticatio-page.

buraglio · Jul 27, 2008, 1:58 PM

you can usy external DNS servers if you add them to the ip passthrough if you are so inclined.

GruensFroeschli · Jul 27, 2008, 2:27 PM

This wont work.
You have to use the dns forwarder so pfSense can hijack an outgoing connection and redirect it to the captive portal.

If you set a different DNS you can resolve the IP, but wont be able to get past pfSense, since you never authenticated your MAC/IP pair.

buraglio · Jul 27, 2008, 2:48 PM

It works fine, I do it on all of my installs.

GruensFroeschli · Jul 27, 2008, 3:37 PM

Hmmm.
This is new and interesting for me.

I guess i need to reread the CP docu and play a bit with it :)
Thanks for the info.

buraglio · Jul 27, 2008, 7:54 PM

No problem. If it can be done with the CP, I've probably done it. =P