Captive portal will not redirect to portal page

Derelict

"Does not work" gives us nothing to go on.

Post your config.  You probably don't have firewall rules for DNS, or wrong DNS servers, or no firewall rules allowing traffic out, or no NAT rules, or ??.  With what we have it'd just be a guess.  Did you go through the list in the link above?

jbrown

This use to work before so not sure what happened.

when i say does not work, i mean that it will go back to the portal page if i enter an outside url.

how do i post config?  just post the whole xml?

Derelict

Screen shots are probably better.  You have something hosed if you get a captive portal entry for the correct IP/MAC pair and keep getting redirected to the portal page when you enter other URLs.  How about just ping?  Can you ping, say, 8.8.8.8 after logging in?

jbrown

I cant ping 8.8.8.8 after logging into captive portal.  what screen shots would you want?  thanks again.

Derelict

Captive portal, LAN, LAN Rules, outbound NAT, DHCP Server.

Gertjan

… added to that: what services are running ? (Status => Services) - logs extracts from Stats => System logs => Portal Auth and DHCP (all lines that are related to the Portail Interface - you can remove the others)

Derelict

If this is squid again I give up.

jbrown

I attached screenshots, hopefully this helps.  i am not using dhcp on pfsense.

Derelict

And if you open a browser after authentication and enter www.cnn.com from host 04:7d:7b1c:7f / 172.16.1.184 you get the portal page again?

Let me spin up a quick captive portal on "pfSense B" LAN (diagram in the sig) and see what's what.

Derelict

Works fine here.

$ ipfw -x 2 list
65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 allow ip from any to { 255.255.255.255 or 172.26.2.1 } in
65311 allow ip from { 255.255.255.255 or 172.26.2.1 } to any out
65312 allow icmp from { 255.255.255.255 or 172.26.2.1 } to any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 172.26.2.1 } in icmptypes 8
65314 pipe tablearg ip from table(3) to any in
65315 pipe tablearg ip from any to table(4) in
65316 pipe tablearg ip from table(3) to any out
65317 pipe tablearg ip from any to table(4) out
65318 pipe tablearg ip from table(1) to any in
65319 pipe tablearg ip from any to table(2) out
65532 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 allow tcp from any to any out
65534 deny ip from any to any
65535 allow ip from any to any

$ ipfw -x 2 table 1 list
172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2000

$ ipfw -x 2 table 2 list
172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2001

jbrown

Correct, I get the login page again and i cant ping anything.

any suggestions?

Derelict

Sorry.  No idea.  What's the output of those commands on your system when a client is connected?  SSH or Diagnostics > Command Prompt.

Derelict

Wait a second…

Why do you have so many 172.16.0.0 subnets in your NAT entries?  Are all those /24 networks other interfaces?  If so, they all conflict with 172.16.1.2/16 you have defined on LAN.

jbrown

Yes, they are vlan interfaces I set up so i can use captive portal on a certain vlan interface.  that was the whole point.  but now it won't even run correctly on LAN interface.

So, are you saying I should make the 172.16.1.2/16 -> 172.16.1.2/24 for my lan?  in order to resolve this issue?

And If I do that, am I going to have to add some rules for my other subnets to work properly?

doktornotor

@jbrown:

Yes, they are vlan interfaces I set up so i can use captive portal on a certain vlan interface.  that was the whole point.  but now it won't even run correctly on LAN interface.
So, are you saying I should make the 172.16.1.2/16 -> 172.16.1.2/24 for my lan?  in order to resolve this issue?

Are you trying to "bridge" VLANs via supernetting or, like… WTH.  :o ::)

Derelict

172.16.1.2/16 contains 172.16.0.1 through 172.16.255.254. 65534 hosts.  None of your other subnets should be anywhere of overlap at all with that range.

Yes, I would change that netmask to /24 or size it properly for the number of clients/dhcp leases you'll think you need.  Be sure to adjust your DHCP scope.

I don't know if it'll fix your problem but I do know what you have is unsound/broken.

jbrown

Ok,  I figured I would fix the subnet / vlans first.

I switched 172.16.1.2/16 -> 172.16.1.2/24

I can talk between subnets, but I am not able to access Internet.  I have an interface 172.16.240.1/24 which is a vlan on my Cisco switch.  The cisco switch vlan 240 has an ip address of 172.16.240.1/24.  I am currently on the .240.0 network and I am on trying to access the internet.  I cannot ping an outside address either.  HOWEVER, i can traceroute an outside address.  So how can i a traceroute and address but not be able to access or ping it?

thanks!

Derelict

Traceroute does not necessarily use ICMP like ping.  Are you passing ICMP in your rules ot just TCP/UDP?  Anything in the firewall logs?  Those will tell you far more than we can by guessing.

jbrown

Sorry, I should have tried that.  THis is all new to me.  Attached is my firewall log where my computer was blocked and also i attached my rules for vlan 240.

Derelict

Looks like your VLAN/layer 2 is hosed.  The interface should be VLAN240 not LAN.