Netgate Discussion Forum

Can't get Active Portal to Work on LAN Interface

Category: Captive Portal
13 Posts 4 Posters 5.2k Views
    dcnconsult (last edited Dec 13, 2011, 5:51 PM)

    DHCP enabled, DNS Forwarder enabled, WAN and gateway set up.  Set test rules to allow all traffic everywhere to eliminate the firewall.  Authentication set to local user to test access.

    Captive Portal up on LAN interface only, all clients on LAN pass right through without any redirection.  Client's MAC's show in dhcp table and are handed Lan IP for DNS.

    Test portal page from WebConfigurator is successful and adds my WAN host ip to the captive portal list.  Cannot get clients to prompt for captive portal authentication and no errors in any logs.

    Anyone have any ideas?

      dcnconsult (last edited Dec 22, 2011, 4:25 PM)

      Can I assume that captive portal does not work in 2.X?  I have all updates applied, read every post, applied all troubleshooting techniques, and yet all clients pass through LAN and VLAN directly to the Internet without being prompted for logon.  DHCP is verified, DNS Forwarding is working and configured correctly, firewall rules opened up wide to make sure they do not trip things up.  I am considering ditching it and finding a commercial product.

        dhatz (last edited Dec 22, 2011, 5:04 PM)

        The captive portal does work in 2.0

        It's hard to troubleshoot your particular problem without more info, but have you by any chance installed transparent squid on that same machine?

          dcnconsult (last edited Dec 22, 2011, 5:31 PM)

          Yes, I recently installed it but the results were the same with or without.  All VLAN clients are using the machine to access Internet, and nothing is being blocked.  All clients get DHCP from PFSense, with VLAN IP as the DNS and gateway.  Active portal is on VLAN interface only with local user authentication and portal page tests correctly from webconfig but clients never get request to authenticate nor redirect to page defined in Post Authentication or Error page, they just pass straight through firewall.

            dhatz (last edited Dec 22, 2011, 6:36 PM)

            Ideally the output of the following commands (at shell prompt) would be necessary to troubleshoot:

            ipfw show
            ipfw table all list
            sysctl net.inet.pfil
            ifconfig
            cat /tmp/rules.debug
            cat /conf/config.xml

            You can start by checking if lighttpd is listening on port 8000 and if ipfw is forwarding connections to it:

            ipfw show | fgrep fwd

              dcnconsult (last edited Dec 22, 2011, 10:42 PM)

              OK, I will list the output of the basics; it does appear that ipfw is set to forward to a loopback address on port 8000.  No sessions going to port 8000 according to netstat.

              $ ipfw show
              00002  204  52673 allow ip from any to any MAC 00:22:5f:60:f1:3e any
              00003  127  12018 allow ip from any to any MAC any 00:22:5f:60:f1:3e
              00004  164  38282 allow ip from any to any MAC 00:22:5f:60:f1:f5 any
              00005  279  35360 allow ip from any to any MAC any 00:22:5f:60:f1:f5
              65291    0      0 allow pfsync from any to any
              65292    0      0 allow carp from any to any
              65301  410  15486 allow ip from any to any layer2 mac-type 0x0806
              65302    0      0 allow ip from any to any layer2 mac-type 0x888e
              65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
              65304    0      0 allow ip from any to any layer2 mac-type 0x8863
              65305    0      0 allow ip from any to any layer2 mac-type 0x8864
              65306    0      0 allow ip from any to any layer2 mac-type 0x888e
              65307  581  24492 deny ip from any to any layer2 not mac-type 0x0800
              65310 3102 550970 allow ip from any to { 255.255.255.255 or 192.168.199.2 } in
              65311 1405 412994 allow ip from { 255.255.255.255 or 192.168.199.2 } to any out
              65312    0      0 allow icmp from { 255.255.255.255 or 192.168.199.2 } to any out icmptypes 0
              65313    0      0 allow icmp from any to { 255.255.255.255 or 192.168.199.2 } in icmptypes 8
              65314    0      0 allow ip from table(3) to any in
              65315    0      0 allow ip from any to table(4) out
              65316    0      0 pipe tablearg ip from table(5) to any in
              65317    0      0 pipe tablearg ip from any to table(6) out
              65318    0      0 allow ip from any to table(7) in
              65319    0      0 allow ip from table(8) to any out
              65320    0      0 pipe tablearg ip from any to table(9) in
              65321    0      0 pipe tablearg ip from table(10) to any out
              65322    0      0 allow ip from table(1) to any in
              65323    0      0 allow ip from any to table(2) out
              65531  16  1724 fwd 127.0.0.1,8000 tcp from any to any in
              65532  41  3599 allow tcp from any to any out
              65533  94  8139 deny ip from any to any
              65534    0      0 allow ip from any to any layer2
              65535    0      0 allow ip from any to any

              $ ifconfig
              em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
                      ether 00:1b:21:b8:d5:3b
                      inet6 fe80::21b:21ff:feb8:d53b%em0 prefixlen 64 scopeid 0x1
                      inet 192.168.99.228 netmask 0xffffff00 broadcast 192.168.99.255
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (1000baseT <full-duplex>)
                      status: active
              em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=1209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
                      ether 00:1b:21:b8:d5:ab
                      inet6 fe80::21b:21ff:feb8:d5ab%em1 prefixlen 64 scopeid 0x2
                      inet 192.168.250.124 netmask 0xffffff80 broadcast 192.168.250.127
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (100baseTX <full-duplex>)
                      status: active
              plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                      options=3<RXCSUM,TXCSUM>
                      inet 127.0.0.1 netmask 0xff000000
                      inet6 ::1 prefixlen 128
                      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
              pfsync0: flags=0<> metric 0 mtu 1460
                      syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
              pflog0: flags=100<PROMISC> metric 0 mtu 33200
              enc0: flags=0<> metric 0 mtu 1536
              em1_vlan99: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,IPFW_FILTER> metric 0 mtu 1500
                      options=3<RXCSUM,TXCSUM>
                      ether 00:1b:21:b8:d5:ab
                      inet6 fe80::21b:21ff:feb8:d53b%em1_vlan99 prefixlen 64 scopeid 0x8
                      inet 192.168.199.2 netmask 0xffffff00 broadcast 192.168.199.255
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (100baseTX <full-duplex>)
                      status: active
                      vlan: 99 parent interface: em1
              ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536

              $ ipfw table all list
              ---table(3)---
              216.165.129.158/32 0
              216.170.153.146/32 0
              ---table(4)---
              216.165.129.158/32 0
              216.170.153.146/32 0
              ---table(7)---
              216.165.129.158/32 0
              216.170.153.146/32 0
              ---table(8)---
              216.165.129.158/32 0
              216.170.153.146/32 0

              $ netstat -an
              Active Internet connections (including servers)
              Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
              tcp4       0      0  192.168.99.228.80      192.168.100.1.9370     ESTABLISHED
              tcp4       0      0  192.168.99.228.2301    91.227.27.66.80        TIME_WAIT
              tcp4       0      0  192.168.99.228.80      192.168.100.1.9356     ESTABLISHED
              tcp4       0      0  192.168.99.228.80      192.168.100.1.9340     TIME_WAIT
              tcp4       0      0  *.8000                 *.*                    LISTEN
              tcp4       0      0  *.80                   *.*                    LISTEN
              tcp6       0      0  *.53                   *.*                    LISTEN
              tcp4       0      0  *.53                   *.*                    LISTEN
              tcp4       0      0  127.0.0.1.3128         *.*                    LISTEN
              tcp4       0      0  192.168.199.2.3128     *.*                    LISTEN
              udp4       0      0  *.67                   *.*
              udp6       0      0  *.3576                 *.*
              udp4       0      0  *.31661                *.*
              udp6       0      0  *.53                   *.*
              udp4       0      0  *.53                   *.*
              udp4       0      0  *.514                  *.*
              udp6       0      0  *.514                  *.*
              udp4       0      0  *.*                    *.*
              udp4       0      0  *.*                    *.*
              udp4       0      0  *.3401                 *.*
              udp4       0      0  *.4827                 *.*
              udp4       0      0  *.57679                *.*
              udp4       0      0  *.*                    *.*
              udp4       0      0  *.*                    *.*
              udp4       0      0  127.0.0.1.6969         *.*
              icm4       0      0  *.*                    *.*

                dcnconsult (last edited Dec 22, 2011, 10:46 PM)

                $ cat /tmp/rules.debug
                #System aliases

                loopback = "{ lo0 }"
                WAN = "{ em0 }"
                LAN = "{ em1 }"
                OPT1 = "{ em1_vlan99 }"

                #SSH Lockout Table
                table <sshlockout> persist
                table <webconfiguratorlockout> persist
                #Snort tables
                table <snort2c>
                table <virusprot>
                # User Aliases

                # Gateways
                GWWAN = " route-to ( em0 192.168.99.254 ) "

                set loginterface em1
                set optimization normal
                set limit states 341000
                set limit src-nodes 341000

                set skip on pfsync0

                scrub in on $WAN all    fragment reassemble
                scrub in on $LAN all    fragment reassemble
                scrub in on $OPT1 all    fragment reassemble

                no nat proto carp
                no rdr proto carp
                nat-anchor "natearly/*"
                nat-anchor "natrules/*"

                # Outbound NAT rules
                # Subnets to NAT
                tonatsubnets = "{ 192.168.250.0/25 192.168.199.0/24 127.0.0.0/8  }"
                nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.99.228/32 port 500
                nat on $WAN  from $tonatsubnets to any -> 192.168.99.228/32 port 1024:65535

                # Load balancing anchor
                rdr-anchor "relayd/*"

                # TFTP proxy
                rdr-anchor "tftp-proxy/*"
                table <negate_networks> { 192.168.99.0/24 192.168.250.0/25 192.168.199.0/24 }

                # Setup Squid proxy redirect
                rdr on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 -> 127.0.0.1 port 3128

                # UPnPd rdr anchor
                rdr-anchor "miniupnpd"

                anchor "relayd/*"
                #---------------------------------------------------------------------------
                # default deny rules
                #---------------------------------------------------------------------------
                block in log all label "Default deny rule"
                block out log all label "Default deny rule"

                # We use the mighty pf, we cannot be fooled.
                block quick proto { tcp, udp } from any port = 0 to any
                block quick proto { tcp, udp } from any to any port = 0

                # Block all IPv6
                block in quick inet6 all
                block out quick inet6 all

                # Snort package
                block quick from <snort2c> to any label "Block snort2c hosts"
                block quick from any to <snort2c> label "Block snort2c hosts"

                # SSH lockout
                block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

                # webConfigurator lockout
                block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
                block in quick from <virusprot> to any label "virusprot overload table"
                pass in log quick on { em1_vlan99 } proto tcp from any to { 192.168.199.2 } port { 8000 8001 } keep state(sloppy)
                pass out log quick on { em1_vlan99 } proto tcp from any to any flags any keep state(sloppy)
                antispoof for em0

                # allow our DHCP client out to the WAN
                pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
                pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

                # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
                antispoof for em1
                antispoof for em1_vlan99

                # allow access to DHCP server on OPT1
                pass in quick on $OPT1 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                pass in quick on $OPT1 proto udp from any port = 68 to 192.168.199.2 port = 67 label "allow access to DHCP server"
                pass out quick on $OPT1 proto udp from 192.168.199.2 port = 67 to any port = 68 label "allow access to DHCP server"

                # loopback
                pass in on $loopback all label "pass loopback"
                pass out on $loopback all label "pass loopback"

                # let out anything from the firewall host itself and decrypted IPsec traffic
                pass out all keep state allow-opts label "let out anything from firewall host itself"
                pass out route-to ( em0 192.168.99.254 ) from 192.168.99.228 to !192.168.99.0/24 keep state allow-opts label "let out anything from firewall host itself"

                # User-defined rules follow
                anchor "userrules/*"
                pass  in log  quick  on $WAN reply-to ( em0 192.168.99.254 )  proto tcp  from any to any port 8000  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $WAN reply-to ( em0 192.168.99.254 )  proto tcp  from  192.168.100.0/24 to 192.168.99.228 flags S/SA keep state  label "USER_RULE: support access"
                pass  in log  quick  on $LAN  proto tcp  from 192.168.250.124 to 192.168.199.2/24 flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $LAN  from 192.168.250.0/25 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                pass  in  quick  on $OPT1  proto udp  from 192.168.199.2/24 to 192.168.199.2 port 53  keep state  label "USER_RULE"
                pass  in log  quick  on $OPT1  proto tcp  from 192.168.199.2/24 to 192.168.199.2 port 8000  flags S/SA keep state  label "USER_RULE"
                pass  in log  quick  on $OPT1  proto tcp  from 192.168.199.2/24 to 192.168.250.124 port 8000  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $OPT1  from any to !192.168.99.0/24 keep state  label "USER_RULE: No Access to WAN "

                # VPN Rules
                anchor "tftp-proxy/*"

                # Setup squid pass rules for proxy
                pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 flags S/SA keep state
                pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 3128 flags S/SA keep state

                  dhatz (last edited Dec 22, 2011, 11:29 PM)

                  It is recommended that you don't use VLAN tagged traffic (VLAN 99) and untagged traffic (LAN) on the same physical interface (em1).

                    dcnconsult (last edited Dec 23, 2011, 12:46 AM)

                    Trust me, I have done my homework and may be a newbie to this forum but have 25 years of networking experience.  I tried it with just putting the LAN interface in the switch with the same subnet as the clients and it did not work either.
                    Several posts said use VLANs, so that is where I am now.  Some say use Squid, some say not.  I am frustrated as there is nothing special about the configuration and I have reloaded from factory many times without any success.  The only time I ever got an authentication request is testing the page from Webconfig.
                    I think this version is bunk, as I see much other information that mirrors my frustration.  I have literally tried every configuration possible and don't see how all LAN traffic can pass through the firewall and access the Internet without ever once being captive.

                      dhatz (posted Dec 23, 2011, 12:59 AM; last edited Dec 23, 2011, 1:02 AM)

                      Well, I have done extensive testing of pfsense's CP in various configurations and it works.

                      Anyway, try disabling the following rule:

                      pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 flags S/SA keep state

                      and test again …

                        cmb (last edited Dec 31, 2011, 2:47 AM)

                        It's very widely used in 2.0.x (10,000+ hotel rooms, at least several dozen WISPs, and lots more - and that's just those I know of, a lot more that I don't), it works perfectly.

                        Really isn't much to it, for a start you can just enable it without filling anything in configuration-wise. This of course assuming you don't have some other device as your default gateway where you're getting out to the Internet. Don't use Squid, I believe with transparent proxying you can bypass the portal. Doesn't matter whether or not you use VLANs.

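The checks dhatz asked for earlier in the thread (is there an ipfw `fwd` rule to the portal port, is anything listening on that port, are the rule counters moving) and the transparent-Squid conflict that dhatz and cmb point to above can be turned into a small offline diagnostic. The script below is an added example written for this page; it is not code from the thread or from pfSense. It parses text captured from `ipfw show`, `netstat -an` and `/tmp/rules.debug` on a pfSense 2.0 box and reports the three conditions. The sample inputs are excerpts of the outputs dcnconsult posted above; the function names and the wording of the findings are my own.

```python
import re

# Sample inputs: excerpts of the ipfw show / netstat -an / rules.debug output
# posted in this thread (trimmed, not complete captures).
IPFW_SHOW = """\
00002  204  52673 allow ip from any to any MAC 00:22:5f:60:f1:3e any
65322    0      0 allow ip from table(1) to any in
65323    0      0 allow ip from any to table(2) out
65531   16   1724 fwd 127.0.0.1,8000 tcp from any to any in
65532   41   3599 allow tcp from any to any out
65533   94   8139 deny ip from any to any
"""

NETSTAT_AN = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.8000                 *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3128         *.*                    LISTEN
tcp4       0      0  192.168.199.2.3128     *.*                    LISTEN
"""

RULES_DEBUG = """\
# Setup Squid proxy redirect
rdr on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 -> 127.0.0.1 port 3128
pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 flags S/SA keep state
pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 3128 flags S/SA keep state
"""

# "<rule#> <packets> <bytes> <body>" as printed by `ipfw show`
IPFW_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
# the captive-portal redirect: "fwd <ip>,<port> tcp from any to any in"
FWD_BODY = re.compile(r"^fwd\s+(\S+?),(\d+)\s+tcp\b")
# a pf rdr that intercepts port 80 on an interface and hands it to a proxy
RDR_HTTP = re.compile(
    r"^rdr\s+on\s+(\S+)\s+proto\s+tcp\s+.*?\bport\s+80\s+->\s+(\S+)\s+port\s+(\d+)"
)

MSG_NO_FWD = "no ipfw fwd rule found: the captive portal is not active on any ipfw-filtered interface"


def find_portal_forward(ipfw_show):
    """Return (dest_ip, dest_port, packets_matched) for the fwd rule, or None."""
    for line in ipfw_show.splitlines():
        m = IPFW_LINE.match(line.strip())
        if not m:
            continue
        _num, pkts, _bytes, body = m.groups()
        f = FWD_BODY.match(body)
        if f:
            return f.group(1), int(f.group(2)), int(pkts)
    return None


def find_listeners(netstat_an, port):
    """Return the local addresses of TCP sockets in LISTEN state on `port`."""
    hits = []
    for line in netstat_an.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[-1] == "LISTEN":
            local = cols[3]                      # e.g. "*.8000" or "127.0.0.1.3128"
            if local.rsplit(".", 1)[-1] == str(port):
                hits.append(local)
    return hits


def find_http_intercepts(rules_debug, iface):
    """Return (target_ip, target_port) of every port-80 rdr on `iface`."""
    hits = []
    for line in rules_debug.splitlines():
        m = RDR_HTTP.match(line.strip())
        if m and m.group(1) == iface:
            hits.append((m.group(2), int(m.group(3))))
    return hits


def diagnose(ipfw_show, netstat_an, rules_debug, iface):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    fwd = find_portal_forward(ipfw_show)
    if fwd is None:
        return [MSG_NO_FWD]
    ip, port, pkts = fwd
    if pkts == 0:
        findings.append(f"fwd to {ip}:{port} exists but has matched 0 packets: "
                        f"client HTTP is not reaching ipfw on {iface}")
    if not find_listeners(netstat_an, port):
        findings.append(f"nothing is listening on port {port}: the portal web server is not running")
    for target, tport in find_http_intercepts(rules_debug, iface):
        findings.append(f"pf rdr on {iface} sends port 80 to {target}:{tport} (transparent proxy); "
                        f"pf redirects it before ipfw can forward it to the portal")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IPFW_SHOW, NETSTAT_AN, RULES_DEBUG, "em1_vlan99") or ["all checks pass"]:
        print(finding)
```

Run against the outputs from this thread, the fwd rule and the port-8000 listener are both present, so the only finding is the Squid `rdr` on em1_vlan99, which matches the rule dhatz suggested disabling and cmb's remark that transparent proxying bypasses the portal.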
                          mibovrd (last edited Mar 16, 2012, 2:31 AM)

                          @cmb:

                          It's very widely used in 2.0.x (10,000+ hotel rooms, at least several dozen WISPs, and lots more - and that's just those I know of, a lot more that I don't), it works perfectly.

                          Really isn't much to it, for a start you can just enable it without filling anything in configuration-wise. This of course assuming you don't have some other device as your default gateway where you're getting out to the Internet. Don't use Squid, I believe with transparent proxying you can bypass the portal. Doesn't matter whether or not you use VLANs.

                          So don't use squid, which means squidguard too, so what do you use for proxy and proxy filter? Assuming you actually need these. No workarounds? No Squid on that particular LAN, maybe that would work? But what about liability, if some one is able to access something unsavoury on your network, then you MAY be liable?

                          Sorry pfSense newbie.

                          Tweet: MIBovrd@cqrite http://www.cqrite.com

                            dhatz (last edited Mar 17, 2012, 1:23 AM)

                            If you'll be using CP then you shouldn't run transparent Squid on that same pfsense system.

                            I guess it's a matter of personal preference, but I'd prefer to run disk-intensive software like Squid on a separate system anyway, with its defaults tuned to be a "server". Others prefer to have an all-in-one system, running a dozen services (e.g. antivirus, caching proxy, URL filtering, reverse proxies etc).

                            IMHO a reasonable compromise would be to run a couple of VMs on the same physical server.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.