    Not redirecting to login page

    Captive Portal
    • E
      engwan
      last edited by

      I know this is a very common problem and I searched the forum but couldn't find a solution. This problem started after I upgraded pfsense from 2.0.1 to 2.1.3

      Logging in manually at router ip port 8000 works and internet access is fine after logging in. It's just the redirecting to the login page that I'm having a problem with.

      It isn't a DNS issue because I'm using the pfSense DNS forwarder and it doesn't work even if I browse an IP address. Here's a sample curl output:

      curl -vvvv 74.125.135.101
      * Rebuilt URL to: 74.125.135.101/
      * About to connect() to 74.125.135.101 port 80 (#0)
      *   Trying 74.125.135.101...
      * Adding handle: conn: 0xe90aa0
      * Adding handle: send: 0
      * Adding handle: recv: 0
      * Curl_addHandleToPipeline: length: 1
      * - Conn 0 (0xe90aa0) send_pipe: 1, recv_pipe: 0
      * Connection timed out
      * Failed connect to 74.125.135.101:80; Connection timed out
      * Closing connection 0
      curl: (7) Failed connect to 74.125.135.101:80; Connection timed out
      

      ipfw output:

      65291     0        0 allow pfsync from any to any
      65292     0        0 allow carp from any to any
      65301   475    18124 allow ip from any to any layer2 mac-type 0x0806,0x8035
      65302     0        0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
      65303     0        0 allow ip from any to any layer2 mac-type 0x8863,0x8864
      65307   192     8928 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
      65310  1398   630759 allow ip from any to { 255.255.255.255 or 192.168.3.1 } in
      65311   295    40040 allow ip from { 255.255.255.255 or 192.168.3.1 } to any out
      65312     0        0 allow icmp from { 255.255.255.255 or 192.168.3.1 } to any out icmptypes 0
      65313     0        0 allow icmp from any to { 255.255.255.255 or 192.168.3.1 } in icmptypes 8
      65314     0        0 pipe tablearg ip from table(3) to any in
      65315 56855 26241914 pipe tablearg ip from any to table(4) in
      65316 32358  3272117 pipe tablearg ip from table(3) to any out
      65317     0        0 pipe tablearg ip from any to table(4) out
      65318     0        0 pipe tablearg ip from table(1) to any in
      65319     0        0 pipe tablearg ip from any to table(2) out
      65532  1708    87296 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
      65533    15    21024 allow tcp from any to any out
      65534   235    16784 deny ip from any to any
      65535   490   276606 allow ip from any to any
      

      config xml:

       <captiveportal>
         <cpzone>cpzone
           <zoneid>8000</zoneid>
           <interface>lan</interface>
           <maxproc/> <timeout/> <idletimeout/>
           <freelogins_count/> <freelogins_resettimeout/>
           <enable/>
           <auth_method>local</auth_method>
           <reauthenticateacct/> <httpsname/> <preauthurl/>
           <bwdefaultdn/> <bwdefaultup/>
           <certref>4f0d143adbf49</certref>
           <noconcurrentlogins/> <radius_protocol/> <redirurl/>
           <radiusip/> <radiusip2/> <radiusip3/> <radiusip4/>
           <radiusport/> <radiusport2/> <radiusport3/> <radiusport4/>
           <radiusacctport/>
           <radiuskey/> <radiuskey2/> <radiuskey3/> <radiuskey4/>
           <radiusvendor>default</radiusvendor>
           <radiussrcip_attribute>wan</radiussrcip_attribute>
           <radmac_format>default</radmac_format>
           <radiusnasid/>
           <page/>
           <allowedip><ip>10.0.0.0</ip><sn>16</sn></allowedip>
           <allowedip><ip>192.168.2.0</ip><sn>24</sn></allowedip>
           <allowedip><ip>192.168.70.0</ip><sn>24</sn></allowedip>
         </cpzone>
       </captiveportal>
      
      • GertjanG
        Gertjan
        last edited by

        Hi there.

        192.168.3.1 is your LAN and portal interface, right?
        Clients are using DHCP, ok? (so they have an IP from 192.168.3.x) - NO fixed IP (outside 192.168.3.x).
        This

                                <allowedip><ip>10.0.0.0</ip></allowedip> 
                                <allowedip><ip>192.168.2.0</ip></allowedip> 
                                <allowedip><ip>192.168.70.0</ip></allowedip> 
        

        is new to me ...

        What about using a dedicated interface "OPT1" for the captive portal?
        Last but not least: how are you connected to your portal interface? Wired or an AP (which should not be in "router" mode).

        I'm using a portal interface myself (on a dedicated NIC: 192.168.2.1) with some switches and APs behind it.
        Activated DHCP server (192.168.2.1 is gateway) - IPs run from 192.168.2.10 to 192.168.2.253.
        DNS Forwarder ON.
        Loaded the user database.
        And done.
        This is real time: http://www.papy-team.org/munin/dyndns.org/brithotelfumel.dyndns.org/index.html#portalusers
        I can see iPhones, Androids, iPads, Google devices, PCs, tablets and whatever .....

        Maybe you should re-setup your pfSense from scratch....

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • E
          engwan
          last edited by

          The allowedip section is just a list of IPs / subnets that I want my clients behind the Captive Portal to be able to access even if not logged in.

          Yes, 192.168.3.1 is my LAN. I'm connected via a wired cable and I have a 192.168.3.x IP address.

          The captive portal works as it should, only the redirecting to the login page doesn't.

          • GertjanG
            Gertjan
            last edited by

            On your PC, type
            ipconfig /all
            Is the DNS (IPv4) the same as the gateway (and DHCP server): 192.168.3.1 (and only that one)?

            • E
              engwan
              last edited by

              Yup, only that one.

              And it isn't a DNS problem either, 'cause if I open something like Google's IP address directly in the browser, I still get no redirect.

              • GertjanG
                Gertjan
                last edited by

                Ok.
                Let's focus on the fact that your LAN (which has its own firewall and normally its own interface) is also your captive portal interface, using a different firewall.
                Mine are separated -> far easier to handle.

                What are your LAN Firewall rules?

                Note that the LAN interface uses pf (Packet Filter). Your troubles must be related to some conflict.

                https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

                • E
                  engwan
                  last edited by

                  One important thing to note is that this problem started after I upgraded pfSense w/ the multi instance captive portal.

                  Before that, everything was working fine.

                  In my LAN interface, I have a rule for WAN failover to a gateway group.

                  • GertjanG
                    Gertjan
                    last edited by

                    Multiple multi instance captive portal is a relatively new thing.
                    A lot of work has been done last year, and there is no guarantee that every configuration type is upgraded correctly. This can explain unique (thus: hard to find) issues.

                    Note down your basic config lines, and do what works great: reset all to default and reconfigure your system step by step.
                    Normally, good setups are easy to set up (I guess I can set up mine from scratch in about 20 minutes if I don't count the user database).

                    Boot from Installer Live CD - re-install from zero.

                    • ?
                      A Former User
                      last edited by

                      same problem here with pfsense 2.1.3-RELEASE (i386)
                      built on Thu May 01 15:52:17 EDT 2014
                      FreeBSD 8.3-RELEASE-p16

                      Authentication works when pointing to pfsense-ip on port 8000 but the login page does not pop up on clients (navigation works on them)

                      here is my $ ipfw -x zlycee show
                      65291    0        0 allow pfsync from any to any
                      65292    0        0 allow carp from any to any
                      65301  1339    50326 allow ip from any to any layer2 mac-type 0x0806,0x8035
                      65302    0        0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
                      65303    0        0 allow ip from any to any layer2 mac-type 0x8863,0x8864
                      65307 53862  2477652 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
                      65310  4344    534258 allow ip from any to { 255.255.255.255 or 192.168.100.1 } in
                      65311  6453  4800905 allow ip from { 255.255.255.255 or 192.168.100.1 } to any out
                      65312    0        0 allow icmp from { 255.255.255.255 or 192.168.100.1 } to any out icmptypes 0
                      65313    0        0 allow icmp from any to { 255.255.255.255 or 192.168.100.1 } in icmptypes 8
                      65314 49183  5707857 pipe tablearg ip from table(3) to any in
                      65315    0        0 pipe tablearg ip from any to table(4) in
                      65316    0        0 pipe tablearg ip from table(3) to any out
                      65317 88454 104014630 pipe tablearg ip from any to table(4) out
                      65318    0        0 pipe tablearg ip from table(1) to any in
                      65319    0        0 pipe tablearg ip from any to table(2) out
                      65532    0        0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
                      65533    0        0 allow tcp from any to any out
                      65534    67      8004 deny ip from any to any
                      65535    0        0 allow ip from any to any

                      any help is welcome

                      • GertjanG
                        Gertjan
                        last edited by

                        @pietropaolo:

                        any help is welcome

                        As said, don't put the portal Interface on the LAN network.
                        Start from default settings, pfSense-out-of-the-box works.

                        Btw:

                        fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
                        

                        This means:
                        All TCP traffic coming IN on the interface,
                        Using port 80 as a destination,
                        Coming from everywhere,
                        Going wherever,
                        Will be forwarded to 127.0.0.1:8000
                        ….. and from there the Portal Interface, listening on port 8000, will pick up.

                        Note: Starting with https (port 443) like https://google.com or https://www.facebook.com will not work - this is by design ;)

                        The issue is - for both - that the ipfw rules don't seem to be used.
                        Like: conflict - wrong interface ...

                        When I have some time this afternoon (GMT+1), I'll activate the Portal Interface on my LAN (didn't even know that was possible).
                        I'll see what happens.


                        1 Reply Last reply Reply Quote 0
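
Added example (not part of any poster's message and not pfSense's own tooling): a small shell check that reads an `ipfw show` listing and reports whether the port-80 `fwd` rule explained above has a non-zero packet counter. The function names are hypothetical; the sample lines are copied from the two listings posted in this thread, and `127.0.0.1,8000` is the forward target shown in those listings.

```shell
#!/bin/sh
# Added example: inspect the captive-portal redirect rule in `ipfw show` output.
# Listing columns: rule number, packet count, byte count, action, rule body.

# fwd_hits (hypothetical helper): print "<rule> <packets> <target>" for every
# fwd rule that matches TCP destination port 80 exactly (not 8080 etc.).
fwd_hits() {
    awk '$4 == "fwd" && /dst-port 80( |$)/ { print $1, $2, $5 }'
}

# redirect_status (hypothetical helper): classify the listing on stdin.
#   missing      - no fwd rule for dst-port 80 in the listing
#   wrong-target - a fwd rule exists but not to the expected listener ($1)
#   idle         - rule present, packet counter is zero
#   hit          - rule present and packets have matched it
redirect_status() {
    fwd_hits | awk -v want="$1" '
        { seen = 1 }
        $3 == want { target = 1; if ($2 + 0 > 0) hit = 1 }
        END {
            if (!seen)        print "missing"
            else if (!target) print "wrong-target"
            else if (!hit)    print "idle"
            else              print "hit"
        }'
}

# Sample input: lines copied from the first post's listing.
sample_first_post() {
cat <<'EOF'
65310  1398   630759 allow ip from any to { 255.255.255.255 or 192.168.3.1 } in
65532  1708    87296 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65533    15    21024 allow tcp from any to any out
65534   235    16784 deny ip from any to any
EOF
}

# Sample input: lines copied from the "ipfw -x zlycee show" listing.
sample_zlycee() {
cat <<'EOF'
65314 49183  5707857 pipe tablearg ip from table(3) to any in
65532    0        0 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65533    0        0 allow tcp from any to any out
65534    67      8004 deny ip from any to any
EOF
}

printf 'first post: %s\n' "$(sample_first_post | redirect_status 127.0.0.1,8000)"
printf 'zlycee:     %s\n' "$(sample_zlycee | redirect_status 127.0.0.1,8000)"
```

A counter of zero only says that no packet has matched the rule since the counters were last reset; a non-zero counter says packets did match it, not what happened to them afterwards.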
                        • E
                          engwan
                          last edited by

                          As said, don't put the portal Interface on the LAN network.

                          Can you explain this further?

                          All the clients connected to the LAN interface are the clients I want to filter internet access using a captive portal. If I move my captive portal to OPT1 then I would have to move all my clients to OPT1. The setup would be exactly the same and the interface being the "LAN" interface shouldn't make a difference right?

                          • GertjanG
                            Gertjan
                            last edited by

                            @engwan:

                            ….If I move my captive portal to OPT1 then I would have to move all my clients to OPT1.

                            My portal clients are hotel clients.
                            They don't know anything about me using pfSense, my DNS, my DHCP, my Gateway (portal) IP, or whatsoever.
                            The only thing they 'see' are these Wifi 'radio' names:
                            HotelWifi-1
                            HotelWifi-2
                            HotelWifi-3
                            etc.
                            Sometimes, the phone rings in the reception, and the client asks: Which one shall I choose?
                            The answer is "What about the one with the strongest power?" ;D

                            What I want to say is: I never ever set up anything on a PC or other Wifi device of a client.

                            So, why should you ?

                            @engwan:

                            The setup would be exactly the same and the interface being the "LAN" interface shouldn't make a difference right?

                            Just one difference.
                            The one you're looking for.
                            It will work because you will have the setup that we all use ….

                            Normally, the LAN interface is for your own private access, other private PCs and network devices like your NAS, printer, whatever.
                            People that you don't "trust", like clients or other invited connections to whom you want to propose a Free Wifi network (Internet) access, you put them on a separate LAN segment (OPT1), with special firewall rules on the OPT1 interface, like no netbios & Windows scatter, no connection to 'LAN', cripple P2P connections, limit bandwidth, etc etc.
                            This is, I think, the normal, standard setup.

                            • ?
                              A Former User
                              last edited by

                              I just tried pfsense live 2.0.3 and it works fine using the LAN interface as the captive portal interface.. except for the problem of https first page

                              Another problem I have to fix now.. with the certificate maybe.. let's see.

                              • GertjanG
                                Gertjan
                                last edited by

                                I activated the Portal Interface on my LAN - I merely activated Local User Manager, not touching any other settings.
                                This means I had two portal interfaces, one on OPT1, and one on the LAN.

                                Just to be sure, I added the MAC of my PC to the MAC pass-through page.

                                I switched on another PC on the LAN and launched a navigator.
                                Guess what popped up? This one: http://www.test-domaine.fr/Capture-portal.PNG
                                I had access to the net after authentication …
                                I didn't really test it for a long time, but a Portal Interface on LAN, it seems to work.
