Netgate Discussion Forum

    Login is working but no Internet Access on some devices

      lugaru

      Hey all,

      I upgraded from 2.2.3 to 2.2.5 some weeks ago. Everything worked fine for 1-2 weeks. Now there is some really strange behaviour:

      You can enter your CP credentials and log in to the system. I see the session inside the CP status. On some clients (especially mobile devices, but not only) you can't connect to the Internet. So the login page is still displayed.

      Any thoughts on this?

      Thanks & Cheers
      Elias

        NickM

        Works fine for me.
        I have the same version. Are you running any other packages? Squid?

          lugaru

          Okay now it gets strange.

          Reinstalled 2.2.5 fresh -> loaded config -> same Error
          Reinstalled 2.2.3 again -> loaded config -> same Error

          I don't have any additional packages installed.
          Authentication is done over a RADIUS server. As it seems, the problem only occurs over WLAN. We're using Ubiquiti UniFi APs there with an external controller. But there were no changes on this system.

          I really don't have any more Ideas how to fix this or find out where the Problem is… Also my own devices are all working fine.

            doktornotor Banned

            Some mobile devices being Bitten Fruit (TM)? Yeah, they've broken RADIUS with the latest iOS update. Has nothing to do with the pfSense upgrade.

              Derelict LAYER 8 Netgate

              Unless you are using EAP on the wifi there is no difference between a RADIUS backend and local user manager, etc, Apple device or not.

              What is the nature of the failure? No DNS? No layer 2? no layer 3? Is it all wi-fi or just some?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                lugaru

                @doktornotor - this doesn't matter here. The RADIUS is only communicating with the pfSense box.

                @Derelict
                - Nature: I don't know :(
                - DNS is working on the client. Pinging any site gives me the correct IP, but a timeout.
                - Just some wifi devices. My laptop and phone are working; for 70-80% of the users it is working, but for some it is not.
                - Layer 2 and 3 seem to be okay.

                  Derelict LAYER 8 Netgate

                  Then it's your firewall rules on the captive portal interface.

                  What is the IP scheme of your interface and what are the rules?

                  Most captive portal failures (given a properly-configured captive portal/network) are:

                  Failure to bring up the CP login page - usually caused by initial navigation to an HTTPS site. http://10.10.10.10/ in a browser will always get the CP login page.
                  Client not configured for DHCP.
                  Client configured for DHCP but with static DNS servers.
                  A proxy set in the client device.

                    lugaru

                    Okay, we've got new hardware with a lot more power and a fresh configuration. But now it is even worse and some clients can't even connect to the login page (the ones which had problems before). But now this happens even with deactivated CP.

                    Most times it is a DNS error now (wasn't before)… and you can't even ping 8.8.8.8.

                      Gertjan

                      @lugaru:

                      Okay, we've got new hardware with a lot more power and a fresh configuration. But now it is even worse and some clients can't even connect to the login page (the ones which had problems before). But now this happens even with deactivated CP.
                      Most times it is a DNS error now (wasn't before)… and you can't even ping 8.8.8.8.

                      The question remains:
                      @Derelict:

                      Then it's your firewall rules on the captive portal interface [interface].
                      What is the IP scheme of your interface and what are the rules?
                      …..

                      How is your firewall set up?
                      Is the NIC LAN or an OPT1 interface?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        Derelict LAYER 8 Netgate

                        I'm guessing a subnet mismatch somewhere - like /24 on the interface and /22 on the DHCP server.

                        Or a /22 on the interface and /24 in the firewall pass rules.

                        Or ???.

                        Post your interface config and your rules.

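The kind of mismatch guessed at in the post above can be checked mechanically. This is an added example, not part of the original thread or anyone's actual configuration; `audit_subnets` is a hypothetical helper and every address is constructed. It counts how many DHCP pool addresses fall outside the interface network and outside the pass rule's source network, which shows why such a mismatch breaks only some clients.

```python
import ipaddress


def _outside(start, end, net):
    """Count addresses in the pool [start, end] that fall outside `net`."""
    lo = max(int(start), int(net.network_address))
    hi = min(int(end), int(net.broadcast_address))
    return (int(end) - int(start) + 1) - max(0, hi - lo + 1)


def audit_subnets(iface_cidr, pool_start, pool_end, dhcp_prefix, rule_source):
    """Compare interface, DHCP scope and pass-rule source (hypothetical helper).

    iface_cidr   interface address with its prefix, e.g. "192.168.28.1/22"
    pool_start   first address of the DHCP pool
    pool_end     last address of the DHCP pool
    dhcp_prefix  prefix length the DHCP server hands to clients
    rule_source  source network of the pass rule on that interface
    """
    iface = ipaddress.ip_interface(iface_cidr)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("DHCP pool end is below pool start")
    rule = ipaddress.ip_network(rule_source, strict=False)
    return {
        "prefix_mismatch": dhcp_prefix != iface.network.prefixlen,
        "pool_size": int(end) - int(start) + 1,
        # Leases the firewall itself would not treat as on-link.
        "outside_interface": _outside(start, end, iface.network),
        # Leases that would never match the pass rule's source network.
        "outside_rule": _outside(start, end, rule),
    }


# Constructed sample configurations, not taken from the thread.
CASES = {
    "/22 interface, /24 pass rule":
        ("192.168.28.1/22", "192.168.28.10", "192.168.31.250", 22, "192.168.28.0/24"),
    "/24 interface, /22 DHCP scope":
        ("192.168.28.1/24", "192.168.28.10", "192.168.31.250", 22, "192.168.28.0/24"),
    "consistent /24 everywhere":
        ("192.168.31.1/24", "192.168.31.10", "192.168.31.250", 24, "192.168.31.0/24"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {audit_subnets(*args)}")
```
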
                          lugaru

                          Strange…

                          Some hours later everything just worked fine on the new machine... Until now there are no more problems.

                          I have multiple Nets...

                          Opt1, Opt2, Opt3, WAN -> Wan Connections
                          LAN -> Management Interface 192.168.30.0/24
                          Opt4 -> VLAN Interface for:
                          VLAN 31 -> WLAN 192.168.31.0/24
                          VLAN 32-36 -> Different LAN Vlans 192.168.32-36.0/24

                          I think that there was a Problem with the Multi WAN and the configured DHCP Servers...

                          Thanks @ all for the support ;) Hope that everything works now as expected.

                          Cheers
