PfSense connecting to captive portal
-
I am running PFSense firewall and I live in Brazil. We are using a state run internet and everything was working great. However, they started using a hotspot captive portal. In order to use their network, you must agree to their conditions, and then it will allow you to use it for 1 hour.
My problem is that the form to agree with their conditions is not displaying on my browser because PFSense is blocking it. I know that PFSense is blocking it because if I hook directly to their connection it comes over fine. I have also hooked it up to a D-link router and it works fine with that as well. So, it must be the PFSense.
I have tried opening up all the ports but that did not work.
I am at a loss as to what to open up to get this "acceptance form" to pass through the PFSense firewall.
Any thoughts?
I really appreciate the considerations.
Blessings, Steve
-
Hi,
Could you please detail your network layout ?
I did understand that you have a Portal behind Portal construction. Yours (pfSEnse) and the one offered by "state run internet".
This construction is not good. The Captive portal offered by pfSEnse can not work well if itself also behind a captive portal.
pfSense itself NEEDS a direct connection to the net - this connection must be on the WAN interface.My problem is that the form to agree with their conditions is not displaying on my browser because PFSense is blocking it
Why do you think that pfSEnse blocks some content ?? By default, pfSEnse isn't filtering anything based on content.
When you disable the captive portal in pfSEnse, pfSense behave exactly like a "D-link router". This is because a router behaves like a router.
From LAN, when NOT using the captive portal (on pfSEnse) all is open, no need to open more.
-
Sounds like this might be a DNS issue. Until you sign in throught the provider's CP, you won't get any return traffic - possibly not even DNS. Either find out if you can set the DNS on your PFS to point to host your provider will allow prior to authentication, or else find out the DNS information for your provider's captive portal host and create a locally held A record so your clients will be able to get to the page.
PFS needs DNS to be able to get out onto the internet in the first place. Another thought - can you access the captive portal page if you put in the IP address of the site instead of the page name? If so, then DNS is the problem.
-
Thank you so much for the reply.
I hope this is what you are asking. I am attaching a diagram of our network.
Again, thanks for all your help. Blessings, Steve
![Captive portal dol5714.jpg](/public/imported_attachments/1/Captive portal dol5714.jpg)
![Captive portal dol5714.jpg_thumb](/public/imported_attachments/1/Captive portal dol5714.jpg_thumb) -
I think that you are right. I can only get to the page by the IP address.
When I try to access google.com. It goes to this address for me to accept the terms. http://172.16.0.18:8002/index.php?zone=hotzone&redirurl.
However, the form to accept the terms does not show up to accept.
Would the address 172.16.0.18 be the DNS server? Before they instituted the captive portal the DNS was, and I believe continues to be 10.1.1.2
I appreciate any other thoughts you may have. Thanks and blessings, Steve
-
Ok, a portal-behind-portal ….
Very special.
Very non-documented.
Can tell you some thing about pfSense portal - nothing about the other one. -
Well, I think pretty much the executive resume is that this will not work properly. Absurd setup. This is exact same broken like if you put another router behind your CP and try to authenticate clients behind that router against your CP. Does not work. The clients are invisible for the CP. It can only see the router's MAC and IP. Nothing else. Broken.
-
Yes. This setup makes no sense because the government does not account that I will have a firewall as well. I appreciate all of your help. Blessings, Steve
-
Sounds to me like just the sort of system you can expect from the government (whoever's in charge).
"Would the address 172.16.0.18 be the DNS server?" - No idea. It's not my network, or my government.
In truth, I'd be inclined to try to find another provider - preferably not one run by the state.