Captive portal will not redirect to portal page
-
I attached screenshots, hopefully this helps. I am not using DHCP on pfSense.
-
And if you open a browser after authentication and enter www.cnn.com from host 04:7d:7b1c:7f / 172.16.1.184 you get the portal page again?
Let me spin up a quick captive portal on "pfSense B" LAN (diagram in the sig) and see what's what.
-
Works fine here.
$ ipfw -x 2 list
65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 allow ip from any to { 255.255.255.255 or 172.26.2.1 } in
65311 allow ip from { 255.255.255.255 or 172.26.2.1 } to any out
65312 allow icmp from { 255.255.255.255 or 172.26.2.1 } to any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 172.26.2.1 } in icmptypes 8
65314 pipe tablearg ip from table(3) to any in
65315 pipe tablearg ip from any to table(4) in
65316 pipe tablearg ip from table(3) to any out
65317 pipe tablearg ip from any to table(4) out
65318 pipe tablearg ip from table(1) to any in
65319 pipe tablearg ip from any to table(2) out
65532 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 allow tcp from any to any out
65534 deny ip from any to any
65535 allow ip from any to any
$ ipfw -x 2 table 1 list
172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2000
$ ipfw -x 2 table 2 list
172.26.2.100/32 mac 8a:7c:f4:f8:e1:6f 2001
-
Correct, I get the login page again and I can't ping anything.
Any suggestions?
-
Sorry. No idea. What's the output of those commands on your system when a client is connected? SSH or Diagnostics > Command Prompt.
-
Wait a second…
Why do you have so many 172.16.0.0 subnets in your NAT entries? Are all those /24 networks other interfaces? If so, they all conflict with 172.16.1.2/16 you have defined on LAN.
-
Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.
So, are you saying I should make the 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?
And if I do that, am I going to have to add some rules for my other subnets to work properly?
-
Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.
So, are you saying I should make the 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?
Are you trying to "bridge" VLANs via supernetting or, like… WTH. :o ::)
-
172.16.1.2/16 contains 172.16.0.1 through 172.16.255.254. 65534 hosts. None of your other subnets should overlap with that range at all.
Yes, I would change that netmask to /24 or size it properly for the number of clients/DHCP leases you think you'll need. Be sure to adjust your DHCP scope.
I don't know if it'll fix your problem but I do know what you have is unsound/broken.
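The overlap described above can be checked mechanically before touching the firewall. The script below is an added example, not part of the thread or of pfSense; it uses the interface addresses posted in the thread (LAN 172.16.1.2/16 and VLAN240 172.16.240.1/24) and assumes the "fixed" LAN becomes 172.16.1.2/24. It reports every pair of interface networks that overlap, shows how many hosts a prefix really covers, and lists which interfaces a given client address would fall into, which is the ambiguity that makes traffic appear on the wrong interface.

```python
import ipaddress

# Constructed interface table modelled on the thread's "before" configuration:
# LAN as a /16 that swallows every other 172.16.x.0/24 VLAN.
INTERFACES_BEFORE = {
    "LAN": "172.16.1.2/16",
    "VLAN240": "172.16.240.1/24",
}

# Assumed "after" configuration: LAN narrowed to a /24 as suggested in the thread.
INTERFACES_AFTER = {
    "LAN": "172.16.1.2/24",
    "VLAN240": "172.16.240.1/24",
}


def networks(interfaces):
    """Map interface name -> the network its address/prefix belongs to."""
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}


def find_overlaps(interfaces):
    """Return sorted (ifaceA, ifaceB) pairs whose networks overlap.

    Any non-empty result means two interfaces claim the same addresses,
    so routing and interface classification of traffic become ambiguous.
    """
    nets = networks(interfaces)
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def host_range(cidr):
    """Return (first_host, last_host, host_count) for an interface prefix.

    For /31 and /32 every address is usable; otherwise the network and
    broadcast addresses are excluded, matching the 65534-host figure for a /16.
    """
    net = ipaddress.ip_interface(cidr).network
    if net.prefixlen >= net.max_prefixlen - 1:
        return str(net.network_address), str(net.broadcast_address), net.num_addresses
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def matching_interfaces(address, interfaces):
    """List every interface whose network contains `address`.

    More than one match is the symptom the thread hit: a VLAN240 client
    address also lives inside the oversized LAN /16.
    """
    addr = ipaddress.ip_address(address)
    return sorted(name for name, net in networks(interfaces).items() if addr in net)


if __name__ == "__main__":
    for label, table in (("before", INTERFACES_BEFORE), ("after", INTERFACES_AFTER)):
        print(f"{label}: overlaps={find_overlaps(table)}",
              f"client 172.16.240.50 matches {matching_interfaces('172.16.240.50', table)}")
    print("LAN /16 covers", host_range("172.16.1.2/16"))
```

Run it as-is to see the /16 flagged against VLAN240 and the same client address matching both interfaces, then the clean result once LAN is a /24. Dropping your own interface list into the dictionaries turns it into a quick sanity check after any addressing change.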
-
Ok, I figured I would fix the subnet / VLANs first.
I switched 172.16.1.2/16 -> 172.16.1.2/24.
I can talk between subnets, but I am not able to access the Internet. I have an interface 172.16.240.1/24 which is a VLAN on my Cisco switch. The Cisco switch VLAN 240 has an IP address of 172.16.240.1/24. I am currently on the .240.0 network and I am trying to access the Internet. I cannot ping an outside address either. HOWEVER, I can traceroute an outside address. So how can I traceroute an address but not be able to access or ping it?
Thanks!
-
Traceroute does not necessarily use ICMP like ping. Are you passing ICMP in your rules or just TCP/UDP? Anything in the firewall logs? Those will tell you far more than we can by guessing.
-
Sorry, I should have tried that. This is all new to me. Attached is my firewall log where my computer was blocked, and I also attached my rules for VLAN 240.
-
Looks like your VLAN/layer 2 is hosed. The interface should be VLAN240 not LAN.
-
Can I post my Cisco switch config or no? Would you be able to take a look at it?
I changed my LAN back to 172.16.1.2/16; check out the attachment. Some are showing the correct interface while others are still showing LAN for the interface. You still think this has to do with my switch config?
Thanks
-
The traffic from those hosts is hitting LAN, not VLAN240 so yes.
Instead of just making changes willy-nilly you need to document your network. What IP scheme is on what interface? In order to help you we'll need to know physical details as well as logical. For instance, I have no idea whether or not your VLANs are on the same physical interface as LAN.
If you don't understand basic subnetting and VLANs this is going to be difficult to get going for you.
-
VLANs are on a single physical LAN. I have Cisco Aironet APs. Each SSID is a different VLAN. The APs are hard wired into a port on my switches. On my layer 2 switch I have my VLANs enabled.
Is this a start?
-
The APs are hard wired into a port on my switches.
Uhm… did you configure the VLANs on the APs?
-
VLANs are configured on the APs. Just an FYI: everything works as it should, but as soon as I change the LAN interface on the pfSense to /24 (the way it should be) I get the issues stated in my previous posts.
-
It's a start but with no detail it'd be guessing. Post some details.
-
Been messing with this all day…
My switch: has a VLAN 240 with IP address 172.16.240.2/24.
pfSense: has a VLAN 240 with IP address 172.16.240.1/24.
On the pfSense I changed my LAN to /24 like we discussed. Everything seems to be working great. The firewall log is saying the correct interface now. BUT, I have a problem, of course. I am getting intermittent blocks from my firewall. For instance, I RDP into my print server and I will get disconnected after a while, but it will reconnect. So it's intermittent. I look at my firewall log and it is telling me I'm getting blocked…
Attached is the message. Please note: it is going to say 172.16.0.0/16 in the attachment. That's because I started changing things back so that it would work like normal. So just pretend it says 172.16.0.0/24 :)