I can't get the Captive Portal login page in any browser other than Firefox
-
I am currently in testing. I have a virtual network with a DC and a PC on the LAN side, and a pfsense VM with a fixed IP on the LAN side and a DHCP-assigned IP on WAN. CP listens on the LAN interface. The DC (Windows 2003 Server) has Firefox, Chrome and IE 8.0 browsers; the PC (Win 7) has Chrome and IE 8.0 browsers. There are no wifi clients.
-
Notice that now, when the CP login is shown successfully, after doing the login the PC fails to ping external sites (www.google.com), as if it were blocked. I checked the CP status and the MAC address of the PC is registered successfully and active. So it should not be blocked.
-
Notice that now, when the CP login is shown successfully, after doing the login the PC fails to ping external sites (www.google.com), as if it were blocked. I checked the CP status and the MAC address of the PC is registered successfully and active. So it should not be blocked.
Your portal interface is on an interface - probably named initially OPTx.
Please list the firewall rules (see GUI this time !) and give us YOUR rules for this interface.
Remember : by default, LAN has ONE rule : let all pass. By default, all other interfaces have ONE hidden rule (the list will be empty) : BLOCK ALL.
Do you let in ICMP ? ("in" because it's from the point of view of the interface). -
I do not have OPT interfaces, only LAN and WAN. I think ICMP is allowed. When I have CP off I can ping from inside to outside successfully. With CP on I can ping the pfsense LAN IP.
-
I notice that I can ping the site which triggered the CP login, but no other.
Example.
I open the browser (Chrome). The home page fails to load and does not trigger the CP login.
I write an http address in the address bar (http://www.jetsystemservices.com). The CP login is triggered.
I log in successfully and the site is shown. (External links in the site fail, youtube links.)
I go to the command prompt on the browser computer and I can ping the www.jetsystemservices.com site. But I cannot ping other addresses. It is like CP only allows one address at a time instead of opening all of the internet.
-
….
I open the browser (Chrome). The home page fails to load and does not trigger the CP login.
Is this the locally built page that doesn't need any 'internet' access -
or
is this a page like http://www.google.com (and NOT https://www.google.com !!! ) that comes from the net ?
….
I write an http address in the address bar (http://www.jetsystemservices.com). The CP login is triggered.
Great !
….
I log in successfully and the site is shown. (External links in the site fail, youtube links.)
at that moment, go here https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
and list us your ipfw rules and tables (what is IN these tables)
also, at that moment:
open command prompt
and
ping www.youtube.com
The URL is resolved ?
The ping replies ? (youtube.com might decide not to reply, that's ok) -
The home page is http://www.google.com
Ping to www.youtube.com does not resolve.
ipfw execution:
ipfw zone list
Currently defined contexts and their members:
2: em1,
ipfw -x 2 table all list
---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2090
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2091
---table(3)---
192.168.56.1/32 2032
---table(4)---
192.168.56.1/32 2033
---table(100)---
192.168.56.1/32 0
ipfw -x 2 show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 99 3978 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 2320 166643 allow ip from any to table(100) in
65311 2242 298979 allow ip from table(100) to any out
65312 4 1312 allow ip from any to 255.255.255.255 in
65313 0 0 allow ip from 255.255.255.255 to any out
65314 0 0 pipe tablearg ip from table(3) to any in
65315 0 0 pipe tablearg ip from any to table(4) in
65316 0 0 pipe tablearg ip from table(3) to any out
65317 0 0 pipe tablearg ip from any to table(4) out
65318 671 180692 pipe tablearg ip from table(1) to any in
65319 86 16287 pipe tablearg ip from any to table(2) out
65531 1696 82569 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
65532 1927 136541 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 2939 379068 allow tcp from any to any out
65534 3112 348052 deny ip from any to any
65535 2 955 allow ip from any to any -
Now I think it got worse.
I reinstalled pfsense 2.3.1 amd64 from zero, even formatted the HD to make sure no files remained. I did not install any package. I set the LAN IP static; WAN takes its IP from the cable modem DHCP. I turned off DHCP on the LAN interface as the LAN side takes its IPs from the Windows Domain DHCP server.
Added a CP zone, with Local Authentication. HTTPS Login unchecked. Added the pfsense IP at Allowed IP Addresses.
The Win7 computer accesses the internet as if CP were turned off; it is not blocked.
Shell Output - ipfw -x 2 show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 20 776 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 131 17105 allow ip from any to table(100) in
65311 155 88607 allow ip from table(100) to any out
65312 0 0 allow ip from any to 255.255.255.255 in
65313 0 0 allow ip from 255.255.255.255 to any out
65314 582 80166 pipe tablearg ip from table(3) to any in
65315 0 0 pipe tablearg ip from any to table(4) in
65316 0 0 pipe tablearg ip from table(3) to any out
65317 672 429906 pipe tablearg ip from any to table(4) out
65318 0 0 pipe tablearg ip from table(1) to any in
65319 0 0 pipe tablearg ip from any to table(2) out
65532 0 0 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 0 0 allow tcp from any to any out
65534 0 0 deny ip from any to any
65535 0 0 allow ip from any to any
Shell Output - ipfw -x 2 table all list
---table(3)---
192.168.56.0/24 2000
---table(4)---
192.168.56.0/24 2001
---table(100)---
192.168.56.1/32 0
Note: the pfsense IP is 192.168.56.1/24, don't know why table(100) has 192.168.56.1/32
-
…...
...... I turn off DHCP on LAN interface as the LAN side takes the IPs from the Windows Domain DHCP server.
......Added CP zone, ...............
STOP.
While you set up your portal settings, read the foot note.
https://forum.pfsense.org/index.php?topic=111737.msg632639#msg632639
( => case solved ;) )
-
…...
...... I turn off DHCP on LAN interface as the LAN side takes the IPs from the Windows Domain DHCP server.
......Added CP zone, ...............
STOP.
While you set up your portal settings, read the foot note.
https://forum.pfsense.org/index.php?topic=111737.msg632639#msg632639
( => case solved ;) )
OK. I thought that there was a possible workaround.
Not being the case, for my needs CP in pfsense is not a viable solution. In my case, as in many others, DHCP and primary DNS must be kept on the Windows Domain Controller.
-
DHCP Relay (and keeping DNS to DC) is not an option?
-
DHCP Relay (and keeping DNS to DC) is not an option?
How will I use DHCP Relay?
My DHCP (DC/DNS) server IP is 192.168.56.10 (static, 255.255.255.0)
My pfsense IP is 192.168.56.1 (static, 255.255.255.0) on the LAN side; WAN is DHCP assigned from the cable modem. I do not have any other interface. -
It happens that I have a client that has a Win Server with AD/DNS but without DHCP, because it has a Wifi router that is doing the DHCP server role.
So I can turn on DHCP on pfsense and configure the router to use pfsense's DHCP.
How should I configure the pfsense DHCP to register addresses in the AD/DNS?
Once I get this DHCP running I can turn on CP in pfsense.
-
No idea why you wouldn't just use Windows DHCP in that case.
-
No idea why you wouldn't just use Windows DHCP in that case.
I tried Captive Portal with DHCP in the AD, but it did not work. Also, in this thread I was directed to the note referred to by Gertjan on June 21, 2016, 04:55:46 am, implying that DHCP must be done by pfsense for CP to work correctly.
It was suggested to use DHCP relay but I do not know how I could use that for this situation.
-
OH! It still does not work.
I turned DHCP off on the AD server and turned DHCP on in pfsense. The PC acquired its IP successfully, as can be seen in the DHCP leases in pfsense.
But Chrome does not call the CP login page.
-
Is the AD DHCP server in the same subnet as your clients? If not you will have to use DHCP relay to get there and put the proper scope in the DHCP Server.
What happens if you go to http://10.10.10.10/ in chrome?
-
My network is really simple.
My LAN is 192.168.56.x, 255.255.255.0
AD has static IP 192.168.56.10
pfsense has static IP 192.168.56.1
DHCP server sets:
from 192.168.56.100 to 192.168.56.254
DNS = 192.168.56.10
Gateway = 192.168.56.1
WAN is DHCP assigned by the Cable modem
Trying http://10.10.10.10 gives me a "took too long to respond" error
ipfw zone list
Currently defined contexts and their members:
2: em1,
Shell Output - ipfw -x 2 show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 66 2424 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 1569 143858 allow ip from any to table(100) in
65311 1456 434214 allow ip from table(100) to any out
65312 13 4327 allow ip from any to 255.255.255.255 in
65313 0 0 allow ip from 255.255.255.255 to any out
65314 0 0 pipe tablearg ip from table(3) to any in
65315 0 0 pipe tablearg ip from any to table(4) in
65316 0 0 pipe tablearg ip from table(3) to any out
65317 0 0 pipe tablearg ip from any to table(4) out
65318 878 108115 pipe tablearg ip from table(1) to any in
65319 858 899391 pipe tablearg ip from any to table(2) out
65532 282 14933 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 223 25436 allow tcp from any to any out
65534 2141 218858 deny ip from any to any
65535 0 0 allow ip from any to any
Shell Output - ipfw -x 2 table all list
---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2002
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2003
---table(100)---
192.168.56.1/32 0
Note: The table(100) has 192.168.56.1/32 instead of /24. I have not added any Allow IP nor Allow Host at the zone.
-
Note: The table(100) has 192.168.56.1/32 instead of /24. I have not added any Allow IP nor Allow Host at the zone.
Table 100 contains the IP of the Captive Portal NIC.
My network is really simple.
My LAN is 192.168.56.x, 255.255.255.0
AD has static IP 192.168.56.10
pfsense has static IP 192.168.56.1
DHCP server sets:
from 192.168.56.100 to 192.168.56.254
DNS = 192.168.56.10
Gateway = 192.168.56.1
Ok.
and what are these settings on the device that you used to :
@jetberrocal:Trying http://10.10.10.10 gives me "took too long to respond" error
Who is this IP :
@jetberrocal:---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2002
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2003
---table(100)---
192.168.56.1/32 0
?
Table 1 and 2 contain the "logged in users" - so "192.168.56.100" has been logged in successfully. -
The device I am using for testing is a Win 7 Pro attached to the AD, which is assigned an IP by DHCP. Since it is the only one, the IP assigned is the first DHCP value, which is 192.168.56.100.
The test device using Chrome sometimes shows the CP login page and I can log in successfully. Thus the table shows on this occasion the device's MACs.
BUT after a successful login, the trigger page is shown, but no other page. The network is broken as if the login were unsuccessful, but worse, because the CP is no longer triggered. (I close the browser, and remove/delete the line from the CP status in Diagnostics.)
I can't ping any Internet address, not even resolve the addresses.
I thought this was because the DHCP server was in the AD and not in pfsense, but I turned off DHCP in the AD and activated DHCP in pfsense and still have the same bad behavior.
-
Consider this : if you address your browser to the right place (the captive portal IP address) you should see the login page.
A DHCP server gives more than an IP address to a client device.
It also hands over the gateway (and a DNS, etc), which should be pfSense, and not some other IP.
First the gateway is inaccessible, but a browser start-up will be 'captured' by the portal interface. Authentication will make the firewall in front of the portal transparent, and off you go …
What is the gateway that your server offers to its clients ?
What is the gateway your clients are using ? -
Consider this : if you address your browser to the right place (the captive portal IP address) you should see the login page.
A DHCP server gives more than an IP address to a client device.
It also hands over the gateway (and a DNS, etc), which should be pfSense, and not some other IP.
First the gateway is inaccessible, but a browser start-up will be 'captured' by the portal interface. Authentication will make the firewall in front of the portal transparent, and off you go …
What is the gateway that your server offers to its clients ?
What is the gateway your clients are using ?
Gateway = 192.168.56.1 (Set by DHCP for clients, set manually for static clients)
DNS = 192.168.56.10 (Set by DHCP, set manually for static clients)
pfsense = 192.168.56.1 (see attached png for pfsense dashboard)
ipconfig output:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : jetdom.local
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
Physical Address. . . . . . . . . : 08-00-27-E8-C0-B4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9990:1817:5cc5:4efb%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, June 27, 2016 11:39:45 AM
Lease Expires . . . . . . . . . . : Tuesday, June 28, 2016 8:00:03 PM
Default Gateway . . . . . . . . . : 192.168.56.1
DHCP Server . . . . . . . . . . . : 192.168.56.1
DHCPv6 IAID . . . . . . . . . . . : 235405351
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-8B-C6-D4-08-00-27-E8-C0-B4
DNS Servers . . . . . . . . . . . : 192.168.56.10
NetBIOS over Tcpip. . . . . . . . : Enabled
-
Humm.
Can't find anything wrong.
When your "192.168.56.100" is logged in - you can check that using the pfSense GUI Captive Portal Status page - or inspecting table '100' using the ipfw show …. test - the barrier "captive-portal-pfsense" will be nonexistent for that device ("192.168.56.100") - it's like the captive portal has been shut down for this device.
So : my question is : if you shut down the portal function, does the 'internet' access work ? -
I turned off the zone, and Internet access started to work.
-
To clarify. The pfsense IP is 192.168.56.1/24, but the CP table(100) is registered with 192.168.56.1/32. I don't know why /32.
-
To clarify. The pfsense IP is 192.168.56.1/24,
pfSense has an IP on its LAN - it is 192.168.56.1 (or written as 192.168.56.1/32 ;) )
but the CP table(100) is registered with 192.168.56.1/32. I don't know why /32.
It means : This IP only - because the mask is '32'
edit : change the IPv4 firewall rule : remove the source (LAN net) and make it "all"
-
Why is the pfsense IP written as 192.168.56.1/32 when the LAN interface is set up as 192.168.56.1/24?
I can't select /32 when setting the interface.
I only have the default firewall rules. You mean to change the IPv4 default rule?
What would be the implication?
-
I still have CP failing to work normally.
I need CP with transparent Squid and squidguard; I need CP so squidguard can get the user name to select the group policy instead of the general policy.
I am desperate, please help.
-
…
I need CP with transparent Squid and squidguard; I need CP so squidguard can get the user name to select the group policy instead of the general policy.
...
This seems a feature request to me.
I advise you to have a look over here: Post a bounty -
According to these threads what I want seems a possible thing:
https://forum.pfsense.org/index.php?topic=74309.0
https://forum.pfsense.org/index.php?topic=74572.0
Squid has CP as an Authentication selection, so this should work.
But if CP is not working obviously it can be done.
I just want to make CP work first. What I see is that it takes a genius to make CP work.
-
..
What I see is that it takes a genius to make CP work.
I'm using pfSense because it has a Captive portal.
I'm using it for my work, a hotel.
It has worked perfectly for many years now. Check it yourself : https://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/portalusers.html
Btw : never used "transparent Squid and squidguard" - I do not know what that is, nor why I should use it.
I'm a fan of keeping things simple.
Btw2 : I'm working at a hotel …. so I can do many things, but being a "genius" isn't among them - neither are my clients ;)
-
I am sure that CP works in thousands of installations, but in mine it is broken. I need help to fix it.
Using CP with Squid and squidguard is a matter for another thread. I removed squid from my installed packages before asking for help, to eliminate the complications for now.
But the problem persists and I don't know what to do. I already applied the latest pfsense update.
-
I think that I found the problem.
The DNS server was blocked by CP. I added the DNS IP to the allowed IP list and now the clients are calling CP successfully in all browsers every time. Only one glitch remains and that is for another thread. Clients work but not the Server.
-
I think that I found the problem.
The DNS server was blocked by CP. I added the DNS IP to the allowed IP list and now the clients are calling CP successfully in all browsers every time. Only one glitch remains and that is for another thread. Clients work but not the Server.
Hello
or did you put your permission for your DNS in pfSense ?
thank you
-
…..
Shell Output - ipfw -x 2 table all list
....
---table(100)---
192.168.56.1/32 0
Note: the pfsense IP is 192.168.56.1/24, don't know why table(100) has 192.168.56.1/32
Because this is THE DNS (and gateway) exposed to the visitors - it had better be open so traffic directed to it (TCP, UDP as DNS) passes to the portal.
Without it, all breaks down.
Your DNS is not pfSense but some domain controller. Ok - seems possible to me, and in that case its IP (the DNS) should be on the "Ok -> pass list", tab 2 or 3 of the Captive portal settings page.
DNS resolution, when connected to the captive portal network, before authenticating, should work.
And : your clients should obtain this IP when doing a DHCP request.
edit :
---table(3)---
192.168.56.0/24 2000
---table(4)---
192.168.56.0/24 2001
Strange to see a network range here …. I always saw IP's a.b.c.d/32
Important : 2.4.2 uses a new ipfw : commands have been changed.
Instead of something like
ipfw -x zone1 table all list
you just use :
ipfw table all list
Like :
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw table all list
--- table(cp_ifaces), set(0) ---
sis0 2100 37325185 24618774112 1512502144
--- table(cpzone1_auth_up), set(0) ---
192.168.2.59/32 10:08:b1:fc:1e:f3 2090 214274 14772741 1512502143
192.168.2.82/32 58:48:22:6d:42:5d 2086 2079 451586 1512501887
192.168.2.89/32 34:e2:fd:8e:fb:ab 2088 51716 2950375 1512502144
192.168.2.125/32 d0:a6:37:9c:a6:18 2094 3657 333132 1512500905
192.168.2.136/32 58:fb:84:7b:ce:97 2084 67268 26306433 1512502120
192.168.2.143/32 8c:f5:a3:82:82:8a 2092 21620 12444173 1512502139
--- table(cpzone1_host_ips), set(0) ---
192.168.2.1/32 0 6659422 231934073 1512502144
--- table(cpzone1_pipe_mac), set(0) ---
64:80:88:99:9f:6c any 2075 8173 5291629 1512044939
any 64:80:88:99:9f:6c 2074 7848 2035912 1512044939
--- table(cpzone1_auth_down), set(0) ---
192.168.2.59/32 10:08:b1:fc:1e:f3 2091 307250 344511258 1512502144
192.168.2.82/32 58:48:22:6d:42:5d 2087 2106 1383269 1512501887
192.168.2.89/32 34:e2:fd:8e:fb:ab 2089 96353 139312244 1512502139
192.168.2.125/32 d0:a6:37:9c:a6:18 2095 4692 5860415 1512501180
192.168.2.136/32 58:fb:84:7b:ce:97 2085 79171 38729751 1512502119
192.168.2.143/32 8c:f5:a3:82:82:8a 2093 22295 14812322 1512502116
--- table(cpzone1_allowed_up), set(0) ---
188.165.53.87/32 2084 5889 3757968 1512493220
192.168.2.2/32 2076 590 61194 1512501902
192.168.2.3/32 2078 462 43154 1512501390
192.168.2.4/32 2080 0 0 0
2001:41d0:2:927b::3/128 2084 0 0 0
--- table(cpzone1_allowed_down), set(0) ---
188.165.53.87/32 2085 8453 744349 1512493220
192.168.2.2/32 2077 146 11096 1512501436
192.168.2.3/32 2079 148 11248 1512501390
192.168.2.4/32 2081 0 0 0
2001:41d0:2:927b::3/128 2085 0 0 0
cpzone1_auth_up and cpzone1_auth_down contain the info from the devices used by clients/visitors actually logged in - 5 in this case.
cpzone1_allowed_up and cpzone1_allowed_down contain the IP's of the addresses I entered myself on the related tabs on the captive portal setup page. These have access / are accessible without portal authentication.
Note : 192.168.2.2 - 192.168.2.3 - 192.168.2.4 are my AP's
Table cpzone1_pipe_mac contains the MAC of a guy I gave direct access without using any authentication.
Table cpzone1_host_ips should contain the DNS server for my clients/visitors.
Btw : names of tables also changed :
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw list
01000 skipto tablearg ip from any to any via table(cp_ifaces)
01100 allow ip from any to any
02100 pipe tablearg ip from any to any MAC table(cpzone1_pipe_mac)
02101 allow pfsync from any to any
02102 allow carp from any to any
02103 allow ip from any to any layer2 mac-type 0x0806,0x8035
02104 allow ip from any to any layer2 mac-type 0x888e,0x88c7
02105 allow ip from any to any layer2 mac-type 0x8863,0x8864
02106 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
02107 allow ip from any to table(cpzone1_host_ips) in
02108 allow ip from table(cpzone1_host_ips) to any out
02109 allow ip from any to 255.255.255.255 in
02110 allow ip from 255.255.255.255 to any out
02111 pipe tablearg ip from table(cpzone1_allowed_up) to any in
02112 pipe tablearg ip from any to table(cpzone1_allowed_down) in
02113 pipe tablearg ip from table(cpzone1_allowed_up) to any out
02114 pipe tablearg ip from any to table(cpzone1_allowed_down) out
02115 pipe tablearg ip from table(cpzone1_auth_up) to any layer2 in
02116 pipe tablearg ip from any to table(cpzone1_auth_down) layer2 out
02117 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
02118 allow tcp from any to any out
02119 skipto 65534 ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any
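As an added diagnostic (example code, not from the thread or from pfSense itself), a small parser for the `ipfw ... table all list` output posted in this thread that checks whether the DNS server handed to clients by DHCP sits in a table ipfw passes before portal login, which was the root cause found here. It reads the 2.3 numbered tables (table(100) = portal interface IPs; table(3)/table(4) assumed to be the Allowed IP Addresses tables, inferred from their rule slot matching cpzone1_allowed_up/_down in the 2.4.2 listing) and the 2.4.2 named tables; the first sample listing is copied from the thread, the others are constructed.

```python
"""Check whether a captive-portal client can reach its DNS server BEFORE
authenticating, from the text of `ipfw -x <zone> table all list` (pfSense 2.3)
or `ipfw table all list` (pfSense 2.4.2)."""
import ipaddress
import re

# Table header: "---table(100)---" (2.3) or "--- table(cpzone1_host_ips), set(0) ---" (2.4.2).
_HEADER = re.compile(r"-+\s*table\((\w+)\)(?:,\s*set\(\d+\))?\s*-+")
# IPv4/IPv6 entries with optional prefix; MAC-only rows (pipe_mac) and counters never match.
_ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?|[0-9a-fA-F:]+:[0-9a-fA-F:]*/\d{1,3})")


def open_table_names(zone="cpzone1"):
    """Tables that ipfw lets through without authentication: the portal host IPs
    (rules 65310/65311 in 2.3, 02107/02108 in 2.4.2) and the Allowed IP tables
    (rules 65314-65317 resp. 02111-02114). Assumption: 2.3 tables 3 and 4 are
    the allowed-IP tables (same rule slot as cpzone1_allowed_up/_down)."""
    return ("100", "3", "4", f"{zone}_host_ips",
            f"{zone}_allowed_up", f"{zone}_allowed_down")


def parse_ipfw_tables(text):
    """Return {table_name: [ip_network, ...]} from an ipfw table listing."""
    text = text.replace("\u2013", "-")   # forum copy/paste turns '--' into an en dash
    parts = _HEADER.split(text)          # [preamble, name1, body1, name2, body2, ...]
    tables = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        nets = []
        for entry in _ENTRY.findall(body):
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue                 # not a valid address/prefix, skip it
        tables[name] = nets
    return tables


def preauth_reachable(tables, ip, zone="cpzone1"):
    """True if `ip` is covered by a table ipfw passes before portal login."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net
               for name in open_table_names(zone)
               for net in tables.get(name, []))


# Listing quoted from the thread (2.3; DHCP hands clients DNS = 192.168.56.10).
BROKEN_23 = """---table(1)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2002
---table(2)---
192.168.56.100/32 mac 08:00:27:e8:c0:b4 2003
---table(100)---
192.168.56.1/32 0
"""
# Constructed: the same zone after 192.168.56.10 was added under Allowed IP Addresses.
FIXED_23 = BROKEN_23 + """---table(3)---
192.168.56.10/32 2000
---table(4)---
192.168.56.10/32 2001
"""
# Constructed from the 2.4.2 layout shown in the thread (one entry per line).
SAMPLE_242 = """--- table(cpzone1_host_ips), set(0) ---
192.168.2.1/32 0 6659422 231934073 1512502144
--- table(cpzone1_allowed_up), set(0) ---
192.168.2.2/32 2076 590 61194 1512501902
2001:41d0:2:927b::3/128 2084 0 0 0
--- table(cpzone1_pipe_mac), set(0) ---
64:80:88:99:9f:6c any 2075 8173 5291629 1512044939
"""

if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_23), ("fixed", FIXED_23)):
        ok = preauth_reachable(parse_ipfw_tables(listing), "192.168.56.10")
        print(f"{label}: DNS 192.168.56.10 reachable before login: {ok}")
```

Run it against a fresh `ipfw table all list` capture and the DNS IP from your DHCP scope; `False` on a listing means pre-login clients cannot resolve the portal trigger page, exactly the symptom in this thread.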