DNS forwarder, resolver or both
-
I don't know anything about CP, but if they say you need the Forwarder then you should disable Resolver, enable Forwarder and then add your upstream DNS servers to System - General Setup - DNS Server Settings, and lastly uncheck the Disable DNS Forwarder checkbox if it is checked.
-
Where does it say that? Are you using some really old version of pfsense?
Clearly states that forwarder or resolver be enabled is all
"Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work."
-
I have seens that, just wanted to make sure I did the right thing. I am still trying everything.
John you maybe also know where to look so laptops get the login page when they connect or try to surf?. I have seen so many topics the last days about this issue just havent seen a solution for it.
Mobiles and tablets I got to work.. Laptops not unless they type a http pafe first
-
well yeah did you enable https login? Mobiles and tables normally have a built in login into captive portal type thing when you join the wifi network. Laptops running full blown OS normally do not. So yeah http site is always first thing to do.
Https and captive portals can be problematic.. If user tries to go to https://www.google.com and gets redirect to https://yourpfensednsorIP your browser should throw a bitch fit about that.. Saying hey you wanted to go to https://www.google.com but this site does not have that name and cert is not for www.google.com, etc. Even your going to use https for login to the captive portal your client will need to trust that cert or your going to get an error so it needs to be a trusted CA that signs it, or your client has to trust the CA that signed the cert. Then your going to need to make sure fqdn matches the common name on the cert or you have SAN setup for how your accessing, etc.
How is that that users do not know this? Have they never been to a hotel? Or used any sort of captive before ever?
Keep in mind the https login does not fix users getting errors.. It just means your captive portal login will be via https.
By the very nature of https wanting to make sure its talking to who it wanted to talk to, any sort of redirection to something else when user asked for https://something is going to give you issues. Unless the captive portal can do a MITM on the fly for whatever fqdn the user tried to go to, etc.
-
I did try to enable the https option and got a certificate error, reading through forum and google i have seen some sites explaining.
https://forum.pfsense.org/index.php?topic=63791.0
http://www.rocainet.com/2014/03/securing-captive-portal-login-page-on.html
I did found another one but can't find it at the moment. I read that a proper ssl like StartSSl would help to get the error away.
and guest can login properly if the DNS is set to go the webpage of that SSlam I correct?
-
your correct that you need a cert your machines trusts if you don't want errors yes.
-
Thanks, i will get the cert and such and play around with it reading the topics to install it and set everything.
If i get an error I will report again :) -
I do not get it to work, I tried to follow the guide from the link in a earlier post, just what he is writing doesn't make sence to me and the website Startssl does not do the things he is writing.. is there another guide that shows how to install it, been searching for even with no luck.
chose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.
not possibl after selecting "Webserver SSL/TLS Certificate" you go directly to the screen to enter your domains
Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.
I do not see any option to do this :/
I added the 2 cert into the CAs part of the certificate manager.
then i added the cert into the certificite leaf. on the name saide it gives me
ca: NO server: NO ..not sure if this is good.i use autentication local user manager
added IP in DNS forwarder
https:// hangs when i try to enter a website..
EDIT: when i use a http connection I get the green lock with the right sertificate and inlog page
but any other site still has a cert error :/"this certificate is only valid for the following names"
any idea's maybe?
-
Why do you need something from startssl.. Pfsense has a CA built right in, create a cert there and have your machine trust this CA. Are you needing this for machines that are not under your control? So a public CA that everyone trusts?
-
I thought the build in CA gave errors and wanted soemthing that did not gave any errors.. users or guest do not always click yes to something they don't know..
thats the reason i wanted guest to directly go to the login page in https without any error.. even in the build in one i cant get that to work with no error.
I am building this for a hotel and wanted to have it working properly and not half wayDo you know a guide or can you guide me through this?
-
Guide on trusting pfsense cert signed by pfsense.. Hmm I just went over this not so long ago in a thread..
https://forum.pfsense.org/index.php?topic=114712.0
Again this is for machines that you set to trust your CA that creates your cert. If these are like guests machines and you want them to trust your cert without them trusting your CA then yeah you need to get a cert from a public CA that everyone's machine will trust automatic.
How is it your using something your new to for building out a system for a hotel? So you have no SSL experience, no captive portal experience with working https and your building a captive portal system using something your new to pfsense.. And they are paying you for this?? Or is this some hotel that your uncle owns with like 3 rooms? And your computer guy in the family??
-
We have a pfsense system in the hotel that was made by the son of a technician that is working there.. He seperated the office and wifi, the only problem is that non guest around the hotel are using the wifi and like to have it guests only, from the 75Mbps I never reach higher then 10Mbps in the night.
Its needed to block this.. And his son doesn't work on the old machine anymore, so if this machine dies nobody knows anything..I also haven't found another solution for this and again an upgrade could be help full and also if I could make a proxy later on.
I know my knowledge is minimum, but asking and searching I mostly get things working..
I don't give up that easy, and I always like to learn new stuff.Your help is much appreciated :)
EDIT: from my LAN i can ping to domainname.com still when using http it redirects to https site.. https gives me an error that i cant go on..
DNS forward is set (it should) as decribed in the link earlier.. I am just not sure what i am missing.your link i followed it, it gave me an error that i need to execpt the cert first..
-
Is there a password that's only given to guests? If the WiFi is open, you can't stop others from using it. You might also want to change the password frequently.
-
the situation now is that everyone can use the wifi, guests and non guests.. the idea is to give the guests a username and pass when they check in that rotates every week/month so it block others out.. this way the internet speed is faster and more "protected" from non guests.
I know there are other ways like having guest accept the error, just i like to have things work properly then half work, till now I am almost there from working good, just when guests use https:// i get the error "ssl_error_bad_cert_domain" this because i visit a site other then what the domain is.. when this is solved everything work with the right ssl cert.. -
I could be wrong, but I don't see this as being a pfSense issue.
-
I believe I have it working, I was working the wrong way on to this, and tried most things though a wired connection while they only can connect through WIFI.
When connecting with a laptop and opening a page it sometimes takes a few moments before the inlog page shows up.The only thing I have now is that when i connect it gives me the wrong DNS any idea how to solve that?
system give me (example) 192.168.3.100 while it should be 192.168.3.254 -
"your link i followed it, it gave me an error that i need to execpt the cert first.."
You mean the link to a pfsense forum thread? Then you got something messed up with your CA's on your machine that is for sure.. As to your clients getting the wrong dns, well then you have something else handing out dhcp or your dhcp is not correct plain and simple. Or you set the dns on the client directly?
-
I fixed it.. it was the router that was giving the wrong DNS.. I did not have anything else to work with then this router. adding the right DNS IP solved the issue.
Thank you for your help john :)
Now I have everything working, even on win10 it will automatic gives you the inlog page when you connect to the WIFI like on mobile devices with the proper SSL cert and without asking people to import ANY cert.
I think I will make a topic on how I did this so others can use it as well..
next on the list squid proxy :)
-
"I did not have anything else to work with then this router. adding the right DNS IP solved the issue."
What router??
-
I do not have a wireless accesspoint to test the wireless devices like laptops and phones, for this I uses a router with WIFI (WNRT-627) I know pfsense has DHCP I just had nothing else lying around. with this Captive Portal is working as it should.. I still need to ask a friend to share a mac to see if this works as well. had a topic mac devices could not connect
