    Captive portal will not redirect to portal page

    Category: Captive Portal. 49 Posts, 4 Posters, 11.8k Views.
    jbrown

      Correct, I get the login page again and i cant ping anything.

      Any suggestions?

      Derelict LAYER 8 Netgate

        Sorry.  No idea.  What's the output of those commands on your system when a client is connected?  SSH or Diagnostics > Command Prompt.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Derelict LAYER 8 Netgate

          Wait a second…

          Why do you have so many 172.16.0.0 subnets in your NAT entries?  Are all those /24 networks other interfaces?  If so, they all conflict with 172.16.1.2/16 you have defined on LAN.


          jbrown

            Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.

            So, are you saying I should change 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?

            And if I do that, am I going to have to add some rules for my other subnets to work properly?

            doktornotor Banned

              @jbrown:

              Yes, they are VLAN interfaces I set up so I can use captive portal on a certain VLAN interface. That was the whole point. But now it won't even run correctly on the LAN interface.
              So, are you saying I should change 172.16.1.2/16 -> 172.16.1.2/24 for my LAN in order to resolve this issue?

              Are you trying to "bridge" VLANs via supernetting or, like… WTH.  :o ::)

              Derelict LAYER 8 Netgate

                172.16.1.2/16 contains 172.16.0.1 through 172.16.255.254: 65534 hosts. None of your other subnets should overlap with that range at all.

                Yes, I would change that netmask to /24 or size it properly for the number of clients/dhcp leases you'll think you need.  Be sure to adjust your DHCP scope.

                I don't know if it'll fix your problem but I do know what you have is unsound/broken.

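                The overlap Derelict describes above can be checked mechanically rather than by eye. The following is an added example (not code from the forum, from Netgate or from pfSense) that uses Python's standard ipaddress module to compute the host range a prefix claims and to report every pair of interfaces whose subnets overlap. The LAN (172.16.1.2/16) and VLAN240 (172.16.240.1/24) addresses are taken from the thread; the VLAN10 and VLAN20 entries are assumptions added for illustration.

```python
from ipaddress import ip_interface
from itertools import combinations

# Interface addresses as typed into pfSense. LAN and VLAN240 are taken from
# the thread; VLAN10 and VLAN20 are assumed, for illustration only.
BROKEN = {
    "LAN":     "172.16.1.2/16",
    "VLAN240": "172.16.240.1/24",
    "VLAN10":  "172.16.10.1/24",   # assumed
    "VLAN20":  "172.16.20.1/24",   # assumed
}

# The same interfaces after the suggested fix: LAN resized to a /24.
FIXED = dict(BROKEN, LAN="172.16.1.2/24")


def subnets(config):
    """Map interface name -> the IPv4Network that interface address claims."""
    return {name: ip_interface(cidr).network for name, cidr in config.items()}


def host_range(cidr):
    """(first_host, last_host, usable_host_count) for an interface address.

    For 172.16.1.2/16 this is 172.16.0.1 .. 172.16.255.254, 65534 hosts.
    """
    net = ip_interface(cidr).network
    return str(net[1]), str(net[-2]), net.num_addresses - 2


def find_overlaps(config):
    """Return sorted (a, b) pairs of interfaces whose subnets overlap.

    Any overlap is a misconfiguration: two interfaces both claim to own the
    same destination addresses, so routing, NAT and per-interface firewall
    rules no longer have a single unambiguous answer.
    """
    nets = subnets(config)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def interface_for(config, addr):
    """All interfaces whose subnet contains addr.

    More than one result is exactly the ambiguity behind 'traffic from a
    VLAN240 host shows up as LAN': the host is inside the LAN /16 as well.
    """
    ip = ip_interface(addr).ip
    return [name for name, net in sorted(subnets(config).items()) if ip in net]


if __name__ == "__main__":
    print("LAN /16 covers:", host_range("172.16.1.2/16"))
    print("overlaps (broken):", find_overlaps(BROKEN))
    print("overlaps (fixed): ", find_overlaps(FIXED))
    print("172.16.240.50 belongs to:", interface_for(BROKEN, "172.16.240.50"),
          "->", interface_for(FIXED, "172.16.240.50"))
```

                Resizing LAN to /24 is only half of the fix: the DHCP scope on that interface must shrink to match, as Derelict notes, or the server will keep handing out leases outside the new subnet.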

                  jbrown

                  OK, I figured I would fix the subnet / VLANs first.

                  I switched 172.16.1.2/16 -> 172.16.1.2/24

                  I can talk between subnets, but I am not able to access the Internet. I have an interface 172.16.240.1/24 which is a VLAN on my Cisco switch. The Cisco switch VLAN 240 has an IP address of 172.16.240.1/24. I am currently on the .240.0 network and I am trying to access the Internet. I cannot ping an outside address either. HOWEVER, I can traceroute an outside address. So how can I traceroute an address but not be able to access or ping it?

                  Thanks!

                    Derelict LAYER 8 Netgate

                    Traceroute does not necessarily use ICMP like ping. Are you passing ICMP in your rules or just TCP/UDP? Anything in the firewall logs? Those will tell you far more than we can by guessing.


                      jbrown

                      Sorry, I should have tried that. This is all new to me. Attached is my firewall log where my computer was blocked, and I also attached my rules for VLAN 240.

                      Attachments: firewallrule.JPG, fiewallLog.JPG

                        Derelict LAYER 8 Netgate

                        Looks like your VLAN/layer 2 is hosed.  The interface should be VLAN240 not LAN.


                          jbrown

                          Can I post my Cisco switch config, or no? Would you be able to take a look at it?

                          I changed my LAN back to 172.16.1.2/16; check out the attachment. Some are showing the correct interface while others are still showing LAN for the interface. You still think this has to do with my switch config?

                          Thanks

                          Attachment: Capture.JPG

                            Derelict LAYER 8 Netgate

                            The traffic from those hosts is hitting LAN, not VLAN240 so yes.

                            Instead of just making changes willy-nilly you need to document your network.  What IP scheme is on what interface?  In order to help you we'll need to know physical details as well as logical.  For instance, I have no idea whether or not your VLANs are on the same physical interface as LAN.

                            If you don't understand basic subnetting and VLANs this is going to be difficult to get going for you.


                              jbrown

                              VLANs are on a single physical LAN. I have Cisco Aironet APs. Each SSID is a different VLAN. The APs are hard wired into a port on my switches. On my layer 2 switch I have my VLANs enabled.

                              Is this a start?

                                doktornotor Banned

                                @jbrown:

                                The APs are hard wired into a port on my switches.

                                Uhm… did you configure the VLANs on the APs?

                                  jbrown

                                  VLANs are configured on the APs. Just an FYI: everything works as it should, but as soon as I change the LAN interface on the pfSense to /24 (the way it should be) I get the issues stated in my previous posts.

                                    Derelict LAYER 8 Netgate

                                    It's a start but with no detail it'd be guessing.  Post some details.


                                      jbrown

                                      Been messing with this all day.....

                                      My switch: VLAN 240 with IP address 172.16.240.2/24
                                      pfSense: VLAN 240 with IP address 172.16.240.1/24

                                      On the pfSense I changed my LAN to /24 like we discussed. Everything seems to be working great. The firewall log is showing the correct interface now. BUT, I have a problem, of course. I am getting intermittent blocks from my firewall. For instance, I RDP into my print server, and I will get disconnected after a while, but it will reconnect. So it's intermittent. I look at my firewall log and it is telling me I'm getting blocked....

                                      Attached is the message. Please note: it is going to say 172.16.0.0/16 in the attachment. That's because I started changing things back so that it would work like normal. So just pretend it says 172.16.0.0/24 :)

                                      Attachment: Capture2.JPG

                                        jbrown

                                        bump….    :-\

                                          Derelict LAYER 8 Netgate

                                          Why are you messing around with firewall rules for captive portal?

                                          On the interface with the portal on it:

                                          Pass the traffic you want your portal users to be able to get to (DNS servers, etc.  This also requires allowed IPs in the portal so they can get there before logging in)
                                          Block the traffic you don't want them to be able to get to (protected local networks, etc)
                                          Pass any any (the internet)

                                          172.16.0.0/24 does not include 172.16.240.0/24 so I'm not sure what you're trying to do with that rule.

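                                          Derelict's three-rule layout above only works because pfSense evaluates the rules on an interface top-down and stops at the first match. The following is an added example (not from the forum, and not pfSense's own code) of a minimal first-match evaluator over a constructed rule set for the portal interface: a pass for DNS, a block for the protected internal range, then the catch-all pass. It also shows why a rule scoped to 172.16.0.0/24 never matches a client on 172.16.240.0/24. The portal client subnet comes from the thread; the resolver address (the firewall's own VLAN240 address), the protected range and the sample client/destination addresses are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: portal clients live on 172.16.240.0/24.
# The resolver address and protected range are assumptions.
PORTAL_CLIENTS = "172.16.240.0/24"
RESOLVER = "172.16.240.1/32"        # assumed: pfSense's own address on VLAN240
PROTECTED = "172.16.0.0/16"         # assumed: the rest of the internal site

# Rule tuple: (action, proto, src, dst, dport). "any" matches everything.
# Order matters: first match wins, as on a pfSense interface tab.
RULES_GOOD = [
    ("pass",  "udp", PORTAL_CLIENTS, RESOLVER,  53),     # what they need pre-login
    ("block", "any", PORTAL_CLIENTS, PROTECTED, "any"),  # protected local networks
    ("pass",  "any", PORTAL_CLIENTS, "any",     "any"),  # the internet
]

# Same three rules with the catch-all moved to the top: the block is dead.
RULES_BAD = [RULES_GOOD[2], RULES_GOOD[0], RULES_GOOD[1]]

# A rule whose source is the wrong /24, as in the rule Derelict questions.
RULES_MISSCOPED = [("pass", "any", "172.16.0.0/24", "any", "any")]


def in_spec(spec, addr):
    """True if addr falls inside spec ('any' or a CIDR)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules, proto, src, dst, dport):
    """Return (rule_index, action) for the first rule that matches the packet.

    With no match the result is (None, 'block'): pfSense denies by default.
    """
    for i, (action, r_proto, r_src, r_dst, r_dport) in enumerate(rules):
        if r_proto != "any" and r_proto != proto:
            continue
        if not (in_spec(r_src, src) and in_spec(r_dst, dst)):
            continue
        if r_dport != "any" and r_dport != dport:
            continue
        return i, action
    return None, "block"


def decide(rules, proto, src, dst, dport="any"):
    """Just the verdict for a packet from src to dst."""
    return first_match(rules, proto, src, dst, dport)[1]


if __name__ == "__main__":
    client = "172.16.240.50"
    print("DNS to resolver:      ", decide(RULES_GOOD, "udp", client, "172.16.240.1", 53))
    print("RDP to internal host: ", decide(RULES_GOOD, "tcp", client, "172.16.1.10", 3389))
    print("HTTPS to the internet:", decide(RULES_GOOD, "tcp", client, "198.51.100.10", 443))
    print("RDP, catch-all first: ", decide(RULES_BAD, "tcp", client, "172.16.1.10", 3389))
    print("rule scoped to /24:   ", first_match(RULES_MISSCOPED, "tcp", client, "198.51.100.10", 443))
```

                                          The evaluator ignores state tracking and the captive portal's own allowed-IP list, both of which the real system applies in addition to these rules; what it shows is only the ordering point: with the catch-all on top, the block for 172.16.0.0/16 can never fire, and a rule whose source is 172.16.0.0/24 simply never sees a 172.16.240.x client, so that client falls through to the default deny.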

                                            jbrown

                                            I understand what you are telling me.

                                            I have disabled captive portal until I figure out my other issues.

                                            I did not mess with the firewall.

                                            I was simply stating that when I changed my VLAN to /24 it seems that my firewall is blocking traffic. For example, I RDP into one of my servers and I keep getting disconnected and reconnected.

                                            The only rule I have in my firewall for that interface is any to any.

                                            With that said, should I change my rules to what you stated?

                                            Thanks!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.