Netgate Discussion Forum

Captive Portal in Iphone

Captive Portal
  • L
    lucash
    last edited by Sep 29, 2016, 10:42 AM

    @Gertjan:

    @lucash:

    …
    If someone can help me I'll get you all the information needed.

    Both zones use the default 'pfSense' login page?
    iOS (Apple) devices will pop up the mini navigator if they do NOT receive the "Success" text after their internal 'http GET' to one of the "apple" URLs.
    This 'call' can be seen by using a tcpdump.

    What about sharing the setup details ? All the details.

    Btw : I can't test drive a second captive portal zone : I don't have any interfaces left.

    Both captive portals use a personalized login page, and both login pages are working. I've tried to restore the default login page, rebooted pfSense, but all remain the same.
    Soon I'll post complete config.
    Thanks

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Sep 29, 2016, 12:13 PM

      How exactly are you setting up a 2nd zone.  Is this a different wifi network via a different SSID?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • L
        lucash
        last edited by Sep 29, 2016, 1:09 PM

        @johnpoz:

        How exactly are you setting up a 2nd zone.  Is this a different wifi network via a different SSID?

        Different networks and different SSID. At the moment I can't post the whole configuration, but I think tomorrow I can do it.
        Thanks

        • L
          lucash
          last edited by Oct 4, 2016, 12:45 PM Oct 4, 2016, 11:05 AM

          So, I'm going to post the whole configuration. Sorry for my not perfect English, I'm Italian.
          pfSense version 2.2.6 and at the moment I can't upgrade.

          First Captive Portal Zone (this one is the "broken" one for iOS devices)

          interface ip: 192.168.10.1
          dhcp server on this interface from 192.168.10.15 to 192.168.10.254, options for the server are gateway set to 192.168.10.1 and first dns server set to 192.168.10.1
          I've also set a dns forwarder on this interface and global dns servers are 8.8.8.8 and 8.8.4.4

          It uses a non standard login page, but also restoring the default page doesn't solve the problem. And it was fully working before adding the second captive portal zone.

          This is the output of ipfw -x 2 list

          00002 pipe 2102 ip from any to any MAC any f0:79:59:21:c1:c4
          00003 pipe 2103 ip from any to any MAC f0:79:59:21:c1:c4 any
          00004 pipe 2108 ip from any to any MAC any f0:79:59:21:c1:e4
          00005 pipe 2109 ip from any to any MAC f0:79:59:21:c1:e4 any
          00006 pipe 2172 ip from any to any MAC any f0:79:59:21:c1:f2
          00007 pipe 2173 ip from any to any MAC f0:79:59:21:c1:f2 any
          00008 pipe 2174 ip from any to any MAC any f0:79:59:21:c2:04
          00009 pipe 2175 ip from any to any MAC f0:79:59:21:c2:04 any
          00010 pipe 2176 ip from any to any MAC any f0:79:59:21:c2:06
          00011 pipe 2177 ip from any to any MAC f0:79:59:21:c2:06 any
          00012 pipe 2178 ip from any to any MAC any f0:79:59:21:c2:42
          00013 pipe 2179 ip from any to any MAC f0:79:59:21:c2:42 any
          00014 pipe 2180 ip from any to any MAC any f0:79:59:21:c2:4a
          00015 pipe 2181 ip from any to any MAC f0:79:59:21:c2:4a any
          65291 allow pfsync from any to any
          65292 allow carp from any to any
          65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
          65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
          65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
          65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
          65310 allow ip from any to table(100) in
          65311 allow ip from table(100) to any out
          65312 allow ip from any to 255.255.255.255 in
          65313 allow ip from 255.255.255.255 to any out
          65314 pipe tablearg ip from table(3) to any in
          65315 pipe tablearg ip from any to table(4) in
          65316 pipe tablearg ip from table(3) to any out
          65317 pipe tablearg ip from any to table(4) out
          65318 pipe tablearg ip from table(1) to any in
          65319 pipe tablearg ip from any to table(2) out
          65532 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
          65533 allow tcp from any to any out
          65534 deny ip from any to any
          65535 allow ip from any to any
          

          As you can see there are many entries regarding allowed MAC addresses passing through the portal, but, I repeat, it was always working perfectly before adding the second zone. And there are also two allowed IP addresses passing through the portal, 192.168.10.2 and 192.168.10.3.

          Second Captive Portal Zone

          interface ip: 172.16.10.1
          dhcp server on this interface from 172.168.10.50 to 172.10.16.250, options for the server are gateway set to 172.16.10.1 and first dns server set to 172.16.10.1
          I've also set a dns forwarder on this interface and global dns servers are 8.8.8.8 and 8.8.4.4

          It uses a non standard login page. This zone works perfectly with any device.

          This is the output of ipfw -x 4 list

          65291 allow pfsync from any to any
          65292 allow carp from any to any
          65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
          65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
          65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
          65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
          65310 allow ip from any to table(100) in
          65311 allow ip from table(100) to any out
          65312 allow ip from any to 255.255.255.255 in
          65313 allow ip from 255.255.255.255 to any out
          65314 pipe tablearg ip from table(3) to any in
          65315 pipe tablearg ip from any to table(4) in
          65316 pipe tablearg ip from table(3) to any out
          65317 pipe tablearg ip from any to table(4) out
          65318 pipe tablearg ip from table(1) to any in
          65319 pipe tablearg ip from any to table(2) out
          65532 fwd 127.0.0.1,8004 tcp from any to any dst-port 80 in
          65533 allow tcp from any to any out
          65534 deny ip from any to any
          65535 allow ip from any to any
          

          If you need other information I'll post it as soon as possible. I've also set in the system tunables the value of net.inet.ip.fastforwarding to 0.

          Thanks to all

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Oct 4, 2016, 1:23 PM

            " first dns server set to 192.168.10.1
            I've also set a dns forwarder on this interface and global dns servers are 8.8.8.8 and 8.8.4.4"

            So if the client asks googledns for something, this could be your problem.

            https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

            DNS resolution not functioning - the clients on the captive portal interface must either be using the DNS forwarder on pfSense, on the IP of the interface where the client resides (which is the default configuration), or if using some other IP for DNS, it must be an allowed IP entry. If DNS fails, the browser never issues the HTTP request, hence it cannot be intercepted and redirected.


            • L
              lucash
              last edited by Oct 5, 2016, 12:56 PM

              I've read the article you linked a hundred times and tried again to add Google's public DNS to the list of allowed IPs. Nothing to do, it doesn't work: the mini popup browser isn't shown and I get the wifi icon at the top of the phone, as on a working wifi.
              I did a further test. I was connected via wifi but not authenticated by the captive portal (as described above), then I've tried to ping some internet hosts, such as google.it and many others that I've never used (to be sure to exclude DNS cache), and hostnames are resolved. So this behavior lets me think that DNS resolution is working.

              I really don't know what to do…

              Ah, and there's news: now also the second captive portal zone is broken for iOS devices!!
              This happened this morning after adding the DNS servers to the allowed IPs and doing a reboot.

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Oct 5, 2016, 12:59 PM

                To be on the safe side your clients that are to use CP should really only use pfSense for DNS.  When I get home tonight I can try and test your setup using outside DNS with client and CP.  iPhones do a query for a specific Apple FQDN and this determines if the wifi pops up the login for CP.

                But if you tell your wifi not to login and then just fire up a browser it should be redirected to your CP..


                • L
                  lucash
                  last edited by Oct 5, 2016, 1:43 PM

                  @johnpoz:

                  To be on the safe side your clients that are to use CP should really only use pfSense for DNS.  When I get home tonight I can try and test your setup using outside DNS with client and CP.  iPhones do a query for a specific Apple FQDN and this determines if the wifi pops up the login for CP.

                  But if you tell your wifi not to login and then just fire up a browser it should be redirected to your CP..

                  It works in this way. Turn on wifi --> connect to open wifi network --> get "connected state" wifi icon at the top of the screen --> fire up browser --> surf to, for example, apple.com --> captive portal login page appears.
                  When it was working, before getting the "connected state" wifi icon, the captive portal login page was shown by the "mini popup browser".
                  So you think I could try to change the DHCP server settings using external DNS and not the IP address of the captive portal's interface?

                  Thank you

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Oct 5, 2016, 9:41 PM

                    No, you should use the pfSense IP for DNS for DHCP clients.  But you need to make sure that you can query for what it looks for.. I am not sure what that is off the top of my head but a simple sniff would give you what it does to get the popup.

                    From my understanding it does a DNS query for something and depending on what it gets back determines if it should bring up that login popup that would show your CP login.  I think it's http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't then it assumes it's behind a CP or something like that.

                    A simple sniff should give you what the iPhone does when it connects to a new wifi network.  I would forget your network in your iPhone.  Then reconnect to it.. While you're sniffing on pfSense to see what sort of DNS query it does and what HTTP request it does, etc.

                    If I get a chance tonight I will do that.  It has a method for determining if it's behind a CP; when it thinks it's behind a CP it uses the login and should make an HTTP request for something, which would have to resolve before it can make the HTTP request.  Once it makes the HTTP request to something then pfSense would redirect this to your CP login page.

                    If you cannot do a DNS query for something, then the client will not do an HTTP request that could get redirected.  This is why forcing an HTTP request to something normally works; if you're trying to connect to a badly configured Cisco captive portal you can normally hit http://1.1.1.1 and get the login, etc.


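The mechanism described in this reply and in Gertjan's earlier quote (iOS probes an Apple URL, expects the "Success" text, and a failed DNS lookup means no HTTP request ever reaches the portal) can be made concrete with a small simulation. The block below is an added example, not code from the thread or from pfSense: a `Portal` class models the firewall side (DNS reachable only via the interface IP or an allowed IP, HTTP on port 80 intercepted with a 302 unless the client is in the pass-through table), and `ios_probe` models the device side. The portal hostname and the resolved address are placeholders; the zone name and the redirect shape follow the nginx log posted later in the thread.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Body Apple's probe endpoint returns on an unrestricted network.
SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
PROBE_HOST, PROBE_PATH = "captive.apple.com", "/hotspot-detect.html"

# Assumed portal parameters: hostname is a placeholder, the zone name and the
# HTTPS portal on port 8003 mirror what the nginx log in this thread shows.
PORTAL_BASE = "https://portal.example.invalid:8003/index.php"
ZONE = "cpzone1"
FAKE_APPLE_ADDR = "203.0.113.10"  # constructed (TEST-NET-3), stands in for the real answer


class Portal:
    """Firewall-side behaviour of one captive portal zone (simplified model)."""

    def __init__(self, interface_ip, passthrough_ips=(), allowed_dns=()):
        self.interface_ip = interface_ip          # also the DNS forwarder address
        self.passthrough = set(passthrough_ips)   # authenticated or allowed clients
        self.allowed_dns = set(allowed_dns)       # extra DNS IPs on the 'allowed IP' list

    def resolve(self, client_ip, dns_server, name):
        """Return an address, or None when the query never gets out.
        Per the pfSense doc quoted above, an unauthenticated client can only
        reach the portal's own forwarder or an explicitly allowed IP."""
        if client_ip in self.passthrough:
            return FAKE_APPLE_ADDR
        if dns_server == self.interface_ip or dns_server in self.allowed_dns:
            return FAKE_APPLE_ADDR
        return None  # dropped by the portal rules: no HTTP request will follow

    def http(self, client_ip, host, path):
        """Return (status, headers, body) as seen by the client."""
        if client_ip in self.passthrough:
            # Not intercepted: the real probe endpoint answers.
            return 200, {}, SUCCESS_BODY
        # ipfw 'fwd 127.0.0.1,<port> tcp from any to any dst-port 80 in' hands the
        # request to the portal, which answers with the 302 seen in the nginx log.
        redirurl = f"http://{host}{path}"
        location = f"{PORTAL_BASE}?{urlencode({'zone': ZONE, 'redirurl': redirurl})}"
        return 302, {"Location": location}, ""


def ios_probe(portal, client_ip, dns_server):
    """Device-side check as the thread describes it: resolve first, then GET.
    Returns 'no-request', 'captive' or 'open'."""
    if portal.resolve(client_ip, dns_server, PROBE_HOST) is None:
        return "no-request"   # nothing to intercept, so nothing to redirect
    status, _headers, body = portal.http(client_ip, PROBE_HOST, PROBE_PATH)
    if status == 200 and body == SUCCESS_BODY:
        return "open"         # plain wifi icon, no mini browser
    return "captive"          # Captive Network Assistant opens on the Location URL


def redirect_target(portal, client_ip):
    """Zone and original URL the mini browser would be sent to, or None if
    the probe was not intercepted."""
    status, headers, _ = portal.http(client_ip, PROBE_HOST, PROBE_PATH)
    if status != 302:
        return None
    query = parse_qs(urlsplit(headers["Location"]).query)
    return query["zone"][0], query["redirurl"][0]


if __name__ == "__main__":
    zone1 = Portal("192.168.10.1", passthrough_ips={"192.168.10.2"}, allowed_dns={"8.8.8.8"})
    for client, dns in [("192.168.10.50", "192.168.10.1"),
                        ("192.168.10.50", "8.8.8.8"),
                        ("192.168.10.50", "198.51.100.1"),
                        ("192.168.10.2", "192.168.10.1")]:
        print(client, dns, "->", ios_probe(zone1, client, dns))
```

Running it shows the three outcomes the thread argues about: a client using the interface IP (or an allowed DNS IP) gets the 302 and the popup, a client pointed at a DNS server that is neither gets no popup at all because no HTTP request is ever made, and a pass-through client sees "Success" and no popup.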
                    • G
                      Gertjan
                      last edited by Oct 6, 2016, 8:17 AM

                      @johnpoz:

                      ….
                        I think it's http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't then it assumes it's behind a CP or something like that.

                      I disconnected from an AP on the LAN (192.168.1.1/24 - my iPhone was using 192.168.1.25)
                      It obtains a 192.168.2.139 (my Captive portal is 192.168.2.1/24)
                      Some non-important local IPv6 handshaking is also present.

                      10-06-2016	10:03:20	Local7.Info	192.168.1.1	Oct  6 10:03:24 dhcpd: Reply NA: address 2001:470:1f13:5c0:2::c6 to client with duid 00:01:00:01:14:20:18:e3:b8:ac:6f:47:2c:77 iaid = 246983791 static
                      10-06-2016	10:03:20	Local7.Info	192.168.1.1	Oct  6 10:03:24 dhcpd: Renew message from fe80::75cd:7073:d0a4:bc7c port 546, transaction ID 0x1239AA00
                      10-06-2016	10:03:20	Local7.Info	192.168.1.1	Oct  6 10:03:24 dhcpd: Sending Reply to fe80::75cd:7073:d0a4:bc7c port 546
                      10-06-2016	10:03:21	Local7.Info	192.168.1.1	Oct  6 10:03:24 dhcpd: DHCPREQUEST for 192.168.1.25 from 90:b9:31:77:5e:26 via fxp0: unknown lease 192.168.1.25.
                      10-06-2016	10:03:22	Local7.Info	192.168.1.1	Oct  6 10:03:25 dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0
                      10-06-2016	10:03:23	Local7.Info	192.168.1.1	Oct  6 10:03:26 dhcpd: DHCPOFFER on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
                      10-06-2016	10:03:24	Local7.Info	192.168.1.1	Oct  6 10:03:27 dhcpd: DHCPREQUEST for 192.168.2.139 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
                      10-06-2016	10:03:24	Local7.Info	192.168.1.1	Oct  6 10:03:27 dhcpd: DHCPACK on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
                      

                      Note : the DHCP server on pfSense tells my iPhone that DNS, Gateway, etc etc == 192.168.2.1 == the Captive portal 'pfsense' interface IP.
                      I'm still figuring out why I should use the DNS from "Google". Upfront, my ISP proposes two DNS's when pfSense opens a WAN connection. They always worked fine.
                      It's important to understand that my visitors' devices on the Captive portal have only 'pfsense' as a DNS server.
                      pfSense itself uses the DNS that came with the WAN connection.
                      That is the default setup.
                      Works fine for a decade now.

                      As soon as the link goes up (wifi in this case) iOS launches a http request to http://captive.apple.com/hotspot-detect.html:

                      10-06-2016	10:03:26	Local5.Info	192.168.1.1	Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
                      10-06-2016	10:03:27	Local5.Info	192.168.1.1	Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
                      10-06-2016	10:03:28	Local5.Info	192.168.1.1	Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
                      10-06-2016	10:03:29	Local5.Info	192.168.1.1	Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
                      10-06-2016	10:03:29	Local5.Info	192.168.1.1	Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
                      10-06-2016	10:03:29	Local5.Info	192.168.1.1	Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
                      10-06-2016	10:03:29	Local5.Info	192.168.1.1	Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
                      10-06-2016	10:03:35	Local5.Info	192.168.1.1	Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
                      10-06-2016	10:03:35	Local5.Info	192.168.1.1	Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
                      10-06-2016	10:03:36	Local5.Info	192.168.1.1	Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
                      

                      Btw : I'm using https portal authentication. This is just a detail.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??
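The nginx lines above are the record a defender actually has when an iOS device hits the portal, and reading the probe sequence out of them by eye gets tedious. The block below is an added example, not code from the thread or from pfSense: it parses the nginx part of those syslog-forwarded lines and, per client, counts the Captive Network Assistant probes (user agent `CaptiveNetworkSupport`), the Safari probes, how many probes were answered with a 302, how many times the login page was served, and whether a login POST was seen, then gives a one-line verdict. The sample lines are copied from the post above; the verdict strings and the `/index.php?zone=` convention for recognising the login page are the example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# nginx access-log portion of a syslog line as forwarded by pfSense; whatever
# precedes 'nginx:' (date, facility, relay host) is ignored.
NGINX_RE = re.compile(
    r'nginx: (?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

PROBE_PATH = "/hotspot-detect.html"   # Apple's probe path, as seen in the log
CNA_UA = "CaptiveNetworkSupport"      # user agent of the iOS probe
LOGIN_PATH = "/index.php"             # pfSense portal login page (assumption: zone= present)

# Copied from the post above (syslog prefix shortened to the nginx part).
SAMPLE_LOG = """
Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr"
Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one nginx access line, or None if it is not one."""
    m = NGINX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["zone"] = parse_qs(query).get("zone", [None])[0]
    rec["status"] = int(rec["status"])
    rec["is_cna"] = CNA_UA in rec["ua"]
    return rec


def verdict(c):
    """One-line reading of a client's probe history (wording is this example's)."""
    if c["cna_probes"] == 0:
        return "no iOS probe reached the portal: check DNS and the port-80 fwd rule"
    if c["intercepted"] == 0:
        return "probe answered without redirect: client already passed through"
    if c["login_posts"] == 0:
        return "probe redirected and login page served, but no login submitted"
    return "probe redirected and login submitted"


def summarize(lines):
    """Per-client counters over the given log lines."""
    per = defaultdict(lambda: {"cna_probes": 0, "browser_probes": 0, "intercepted": 0,
                               "login_pages": 0, "login_posts": 0, "zones": set()})
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        c = per[r["client"]]
        if r["path"] == PROBE_PATH:
            c["cna_probes" if r["is_cna"] else "browser_probes"] += 1
            if r["status"] == 302:
                c["intercepted"] += 1          # the fwd rule sent it to the portal
        elif r["path"] == LOGIN_PATH and r["zone"]:
            c["zones"].add(r["zone"])
            if r["method"] == "POST":
                c["login_posts"] += 1          # credentials submitted
            elif r["status"] == 200:
                c["login_pages"] += 1          # login form served
    for c in per.values():
        c["verdict"] = verdict(c)
    return dict(per)


if __name__ == "__main__":
    for client, c in summarize(SAMPLE_LOG).items():
        print(client, {k: v for k, v in c.items() if k != "verdict"}, "->", c["verdict"])
```

On the posted lines this reports, for 192.168.2.139, three CNA probes and one Safari probe, all four answered with a 302, four login-page hits and one POST in zone cpzone1. On a portal that behaves like the one in the original question you would expect the first counter to be zero, which points at the DNS or interception step rather than at the login page itself.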

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.