Can't get Active Portal to Work on LAN Interface

dhatz

The captive portal does work in 2.0

It's hard to troubleshoot your particular problem without more info, but have you by any chance installed transparent squid on that same machine?

dcnconsult

Yes, I recently installed it but the results were the same with or without.  All VLAN clients are using the machine to access Internet, and nothing is being blocked.  All clients get DHCP from PFSense, with VLAN IP as the DNS and gateway.  Active portal is on VLAN interface only with local user authentication and portal page tests correctly from webconfig but clients never get request to authenticate nor redirect to page defined in Post Authentication or Error page, they just pass straight through firewall.

dhatz

Ideally the output of the following commands (at shell prompt) would be necessary to troubleshoot:

ipfw show
ipfw table all list
sysctl net.inet.pfil
ifconfig
cat /tmp/rules.debug
cat /conf/config.xml

You can start by checking if lighttpd is listening on port 8000 and if ipfw is forwarding connections to it
ipfw show | fgrep fwd

dcnconsult

OK, I will list the output of the basics, it does appear that ipfw is set to forward to a loopback address on port 8000.  No sessions going to port 8000 according to netstat

$ ipfw show
00002  204  52673 allow ip from any to any MAC 00:22:5f:60:f1:3e any
00003  127  12018 allow ip from any to any MAC any 00:22:5f:60:f1:3e
00004  164  38282 allow ip from any to any MAC 00:22:5f:60:f1:f5 any
00005  279  35360 allow ip from any to any MAC any 00:22:5f:60:f1:f5
65291    0      0 allow pfsync from any to any
65292    0      0 allow carp from any to any
65301  410  15486 allow ip from any to any layer2 mac-type 0x0806
65302    0      0 allow ip from any to any layer2 mac-type 0x888e
65303    0      0 allow ip from any to any layer2 mac-type 0x88c7
65304    0      0 allow ip from any to any layer2 mac-type 0x8863
65305    0      0 allow ip from any to any layer2 mac-type 0x8864
65306    0      0 allow ip from any to any layer2 mac-type 0x888e
65307  581  24492 deny ip from any to any layer2 not mac-type 0x0800
65310 3102 550970 allow ip from any to { 255.255.255.255 or 192.168.199.2 } in
65311 1405 412994 allow ip from { 255.255.255.255 or 192.168.199.2 } to any out
65312    0      0 allow icmp from { 255.255.255.255 or 192.168.199.2 } to any out icmptypes 0
65313    0      0 allow icmp from any to { 255.255.255.255 or 192.168.199.2 } in icmptypes 8
65314    0      0 allow ip from table(3) to any in
65315    0      0 allow ip from any to table(4) out
65316    0      0 pipe tablearg ip from table(5) to any in
65317    0      0 pipe tablearg ip from any to table(6) out
65318    0      0 allow ip from any to table(7) in
65319    0      0 allow ip from table(8) to any out
65320    0      0 pipe tablearg ip from any to table(9) in
65321    0      0 pipe tablearg ip from table(10) to any out
65322    0      0 allow ip from table(1) to any in
65323    0      0 allow ip from any to table(2) out
65531  16  1724 fwd 127.0.0.1,8000 tcp from any to any in
65532  41  3599 allow tcp from any to any out
65533  94  8139 deny ip from any to any
65534    0      0 allow ip from any to any layer2
65535    0      0 allow ip from any to any

$ ifconfig
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:1b:21:b8:d5:3b
inet6 fe80::21b:21ff:feb8:d53b%em0 prefixlen 64 scopeid 0x1
inet 192.168.99.228 netmask 0xffffff00 broadcast 192.168.99.255
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=1209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter>ether 00:1b:21:b8:d5:ab
inet6 fe80::21b:21ff:feb8:d5ab%em1 prefixlen 64 scopeid 0x2
inet 192.168.250.124 netmask 0xffffff80 broadcast 192.168.250.127
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
nd6 options=3 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100 <promisc>metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
em1_vlan99: flags=108843 <up,broadcast,running,simplex,multicast,ipfw_filter>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:1b:21:b8:d5:ab
inet6 fe80::21b:21ff:feb8:d53b%em1_vlan99 prefixlen 64 scopeid 0x8
inet 192.168.199.2 netmask 0xffffff00 broadcast 192.168.199.255
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 99 parent interface: em1
ipfw0: flags=8801 <up,simplex,multicast>metric 0 mtu 65536

$ ipfw table all list
–-table(3)---
216.165.129.158/32 0
216.170.153.146/32 0
---table(4)---
216.165.129.158/32 0
216.170.153.146/32 0
---table(7)---
216.165.129.158/32 0
216.170.153.146/32 0
---table(8)---
216.165.129.158/32 0
216.170.153.146/32 0

$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address      (state)
tcp4      0      0 192.168.99.228.80      192.168.100.1.9370    ESTABLISHED
tcp4      0      0 192.168.99.228.2301    91.227.27.66.80        TIME_WAIT
tcp4      0      0 192.168.99.228.80      192.168.100.1.9356    ESTABLISHED
tcp4      0      0 192.168.99.228.80      192.168.100.1.9340    TIME_WAIT
tcp4      0      0 *.8000                .                    LISTEN
tcp4      0      0 *.80                  .                    LISTEN
tcp6      0      0 *.53                  .                    LISTEN
tcp4      0      0 *.53                  .                    LISTEN
tcp4      0      0 127.0.0.1.3128        .                    LISTEN
tcp4      0      0 192.168.199.2.3128    .                    LISTEN
udp4      0      0 *.67                  .                   
udp6      0      0 *.3576                .                   
udp4      0      0 *.31661                .                   
udp6      0      0 *.53                  .                   
udp4      0      0 *.53                  .                   
udp4      0      0 *.514                  .                   
udp6      0      0 *.514                  .                   
udp4      0      0 .                    .                   
udp4      0      0 .                    .                   
udp4      0      0 *.3401                .                   
udp4      0      0 *.4827                .                   
udp4      0      0 *.57679                .                   
udp4      0      0 .                    .                   
udp4      0      0 .                    .                   
udp4      0      0 127.0.0.1.6969        .                   
icm4      0      0 .                    .</up,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast,ipfw_filter></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast>

dcnconsult

$ cat /tmp/rules.debug
#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em1 }"
OPT1 = "{ em1_vlan99 }"

#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot># User Aliases

Gateways

GWWAN = " route-to ( em0 192.168.99.254 ) "

set loginterface em1
set optimization normal
set limit states 341000
set limit src-nodes 341000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $LAN all    fragment reassemble
scrub in on $OPT1 all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/"
nat-anchor "natrules/"

Outbound NAT rules

Subnets to NAT

tonatsubnets = "{ 192.168.250.0/25 192.168.199.0/24 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.99.228/32 port 500 
nat on $WAN  from $tonatsubnets to any -> 192.168.99.228/32 port 1024:65535

Load balancing anchor

rdr-anchor "relayd/*"

TFTP proxy

rdr-anchor "tftp-proxy/*"
table <negate_networks>{ 192.168.99.0/24 192.168.250.0/25 192.168.199.0/24 }

Setup Squid proxy redirect

rdr on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 -> 127.0.0.1 port 3128

UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "relayd/*"
#–-------------------------------------------------------------------------

default deny rules

#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

Block all IPv6

block in quick inet6 all
block out quick inet6 all

Snort package

block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

SSH lockout

block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"

webConfigurator lockout

block in log quick proto tcp from <webconfiguratorlockout>to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot>to any label "virusprot overload table"
pass in log quick on { em1_vlan99 } proto tcp from any to { 192.168.199.2 } port { 8000 8001 } keep state(sloppy)
pass out log quick on { em1_vlan99 } proto tcp from any to any flags any keep state(sloppy)
antispoof for em0

allow our DHCP client out to the WAN

pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

Not installing DHCP server firewall rules for WAN which is configured for DHCP.

antispoof for em1
antispoof for em1_vlan99

allow access to DHCP server on OPT1

pass in quick on $OPT1 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $OPT1 proto udp from any port = 68 to 192.168.199.2 port = 67 label "allow access to DHCP server"
pass out quick on $OPT1 proto udp from 192.168.199.2 port = 67 to any port = 68 label "allow access to DHCP server"

loopback

pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 192.168.99.254 ) from 192.168.99.228 to !192.168.99.0/24 keep state allow-opts label "let out anything from firewall host itself"

User-defined rules follow

anchor "userrules/*"
pass  in log  quick  on $WAN reply-to ( em0 192.168.99.254 )  proto tcp  from any to any port 8000  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( em0 192.168.99.254 )  proto tcp  from  192.168.100.0/24 to 192.168.99.228 flags S/SA keep state  label "USER_RULE: support access"
pass  in log  quick  on $LAN  proto tcp  from 192.168.250.124 to 192.168.199.2/24 flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $LAN  from 192.168.250.0/25 to any keep state  label "USER_RULE: Default allow LAN to any rule"
pass  in  quick  on $OPT1  proto udp  from 192.168.199.2/24 to 192.168.199.2 port 53  keep state  label "USER_RULE"
pass  in log  quick  on $OPT1  proto tcp  from 192.168.199.2/24 to 192.168.199.2 port 8000  flags S/SA keep state  label "USER_RULE"
pass  in log  quick  on $OPT1  proto tcp  from 192.168.199.2/24 to 192.168.250.124 port 8000  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $OPT1  from any to !192.168.99.0/24 keep state  label "USER_RULE: No Access to WAN "

VPN Rules

anchor "tftp-proxy/*"

Setup squid pass rules for proxy

pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 flags S/SA keep state
pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 3128 flags S/SA keep state</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></virusprot></snort2c></webconfiguratorlockout></sshlockout>

dhatz

It is recommended that you don't use VLAN tagged traffic (VLAN 99) and untagged traffic (LAN) on the same physical interface (em1).

dcnconsult

Trust me, I have done my homework and maybe a newbie to thsi forum but have 25 years of networking experience.  I tried it with just putting the LAN interface in the switch with same subnet as clients and it did not work either. 
Several posts said use VLANS, so that is where I am now.  Some say use Squid, some say not.  I am frustrated as ther is nothing special about the configuration and have reloaded from factory many times without any success.  The only time I ever got an authintcation request is testing the page from Webconfig. 
I think this version is bunk, as I see many other information that mirrors my frustration.  I have literally tried every configuration possible and don't see how all LAN traffic can pass through the firewall and access Internet without ever once being captive.

dhatz

Well, I have done extensive testing of pfsense's CP in various configurations and it works.

Anyway, try disabling the following rule:

pass in quick on em1_vlan99 proto tcp from any to !(em1_vlan99) port 80 flags S/SA keep state

and test again …

cmb

It's very widely used in 2.0.x (10,000+ hotel rooms, at least several dozen WISPs, and lots more - and that's just those I know of, a lot more that I don't), it works perfectly.

Really isn't much to it, for a start you can just enable it without filling anything in configuration-wise. This of course assuming you don't have some other device as your default gateway where you're getting out to the Internet. Don't use Squid, I believe with transparent proxying you can bypass the portal. Doesn't matter whether or not you use VLANs.

mibovrd

@cmb:

It's very widely used in 2.0.x (10,000+ hotel rooms, at least several dozen WISPs, and lots more - and that's just those I know of, a lot more that I don't), it works perfectly.

Really isn't much to it, for a start you can just enable it without filling anything in configuration-wise. This of course assuming you don't have some other device as your default gateway where you're getting out to the Internet. Don't use Squid, I believe with transparent proxying you can bypass the portal. Doesn't matter whether or not you use VLANs.

So don't use squid, which means squidguard too, so what do you use for proxy and proxy filter? Assuming you actually need these. No workarounds? No Squid on that particular LAN, maybe that would work? But what about liability, if some one is able to access something unsavoury on your network, then you MAY be liable?

Sorry pfSense newbie.

dhatz

If you'll be using CP then you shouldn't run transparent Squid on that same pfsense system.

I guess it's a matter of personal preference, but I'd prefer to run disk-intensive software like Squid on a separate system anyway, with its defaults tuned to be a "server". Others prefer to have an all-in-one system, running a dozen services (e.g. antivirus, caching proxy, URL filtering, reverse proxies etc).

IMHO a reasonable compromise would be to run a couple of VMs on the same physical server.