Authentication page doesn't appear. Only passthrough MAC
-
…. just DNS responses being blocked.
Ah …. as stated here: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
It seems to me that captive portal is broke.
Don't worry.
I can make it work in a couple of minutes starting from scratch.
The Captive Portal works for thousands or multiples of that.
It's your setup.
-
I don't disagree that it's my setup and obviously starting from scratch it'll work. It worked before just fine. The question remains why it worked on one interface and doesn't work on another when changed.
DNS works just fine, everything resolves when CP is turned off but nothing moves when CP is turned on. Everything goes into the hole and CP doesn't respond and give the page so the user can accept the EULA agreement and start surfing.
So basically, the page is not coming up.
-
OK, I figured it out. PfBlocker put a custom entry in the "Custom options" under the DNS forwarder. You have to delete this option, save and apply. Once done DNS responds properly, the redirect happens and captive portal will answer.
Bottom line is it is a DNS resolution issue. If you are having problems with your captive portal coming up check your DNS resolver or forwarder. Disable one and test with the other. See if it comes up then.
-
Well tested it on the bench and the test worked.
Went to the site and CP still will not work. I thought that maybe it was the guest interface trying to resolve to the LAN interface so I disabled all the blocks. Still no go. I do a ping to pfsense via DNS and it tries to resolve to the LAN.
I moved the Guest interface to a physical NIC, still no go. I moved it back to the VLAN on that same physical NIC, no go.
CP is buggy. I'm thinking I'm going to have to wipe and reload. I don't think CP likes moving to new interfaces.
-
OK, just wiped the firewall today, onsite and restored the config. I can make it work on the bench but it seems I can't make it work at the site. If I click the "view" in the captive portal it will come up but the firewall is not responding on the interface. I even put captive portal directly on igd1 and it just will not answer. I tried connecting with my phone and after it times out it shows in the address bar that it was trying to connect to 172.16.0.1 but there was no answer, it timed out.
So I'm going to try it again on the bench when I have a chance and if I get it working on the bench I'm going to swap their hard drive for mine since it will carry the configuration.
I have no idea why CP is being such a PITA and I've gotten no help from anyone in troubleshooting it on this forum. I'm half tempted to call the tech support number and pay to have them work on it. It sure would be nice to see if it was a configuration issue that I'm not seeing.
-
Just use common troubleshooting techniques.
Prior to logging in to the portal:
Does the client get DHCP? Does it get the proper address, gateway, and DNS servers that will allow DNS before portal authentication?
Can the client resolve DNS names?
Can the client curl http://10.10.10.10/ ?? Does the client get the portal page?
Can the client curl http://www.google.com/ ?? Does the client get the portal page?
CP really does not care what interface it is on.
-
I completely agree.
To answer your questions
DHCP, Yes
DNS, with captive portal off yes, with carp on, no
Client can ping the gateway but does not get an answer from captive portal
DNS won't respond, traffic stops with captive portal on. With captive portal off everything works.
Edit: Changed Carp to Captive Portal as I'm talking about captive portal
-
So you have a CARP/HA problem, not a Captive Portal problem. That is a completely different thing. You'll need to take a look at exactly what IP addresses are involved and sort that out.
Nowhere near enough information to make a recommendation. I don't even know what "with carp on, with carp off" even means.
(Or does carp there really mean CP?) Hard to say.
What are the DNS servers being assigned to the clients? Are they the pfSense interface CP is running on or something else? Your DNS servers need to be passed using Allowed IP addresses if they are being given anything other than the pfSense interface as a DNS server.
-
Crap, sorry, meant captive portal.
DNS is handled by the firewall. Clients pull DNS IP from the firewall.
Only DNS is the gateway address 172.16.0.1. PfSense has 6 DNS addresses to resolve against using the PfSense DNS resolver.
When I tried to connect to the captive portal, after it timed out it showed it was trying to connect to 172.16.0.1, the address ending in index.php.
I've also checked the firewall logs to see if anything on that interface was being blocked by rules. Nothing showed up.
-
Hard to say without more details what you are doing wrong. Start testing all those things, copying, and pasting I guess.
I just turned up a captive portal and it worked fine. Had to pass 8.8.8.8 if the clients were configured to use that for DNS. Did not have to pass the local interface address in the CP.
Note that the traffic has to pass both CP and the interface rules to work.
Concentrate on DNS. Figure out why users cannot resolve names unless CP is off.
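
The pre-login checks listed in this thread (which DNS server the client was given, whether names resolve, whether HTTP gets redirected) and the Allowed IP addresses rule for non-pfSense DNS servers, as a client-side script. This is an added example and not part of any post above. The address 172.16.0.1 comes from the thread; example.com, the function names and the sample results are constructed for illustration, and the script assumes the portal answers with an HTTP redirect to its own address.

```shell
#!/bin/sh
# Pre-authentication checks run from a client on the portal network.
# Added example: the portal IP and test URL are assumptions, not pfSense defaults.

# diagnose DNS_SERVER PORTAL_IP RESOLVED_ADDR HTTP_CODE REDIRECT_URL
# Maps raw probe results to the next thing to check.
diagnose() {
    dns_server=$1; portal_ip=$2; resolved=$3; http_code=$4; redirect=$5
    if [ -z "$dns_server" ]; then
        echo "no-dns-assigned: check DHCP on the portal interface"
    elif [ -z "$resolved" ] && [ "$dns_server" != "$portal_ip" ]; then
        echo "dns-blocked: add $dns_server to Allowed IP addresses"
    elif [ -z "$resolved" ]; then
        echo "dns-failing: check the resolver/forwarder on $portal_ip"
    else
        case "$http_code:$redirect" in
            30[0-9]:*"$portal_ip"*) echo "ok: redirected to the portal" ;;
            000:*) echo "portal-silent: DNS works, nothing answers HTTP" ;;
            *) echo "not-redirected: HTTP $http_code, no portal redirect" ;;
        esac
    fi
}

# probe PORTAL_IP [URL]: gather the same facts live, before logging in.
probe() {
    p_ip=$1; url=${2:-http://example.com/}
    # First nameserver the client was handed (a local stub resolver hides it).
    ns=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
    # Drop dig's ";; ..." diagnostics so a timeout counts as "no answer".
    addr=$(dig +short +time=2 +tries=1 example.com 2>/dev/null |
        grep -v '^;' | head -n 1)
    # curl reports 000 when no HTTP response arrived at all.
    out=$(curl -s -o /dev/null --max-time 5 \
        -w '%{http_code} %{redirect_url}' "$url")
    diagnose "$ns" "$p_ip" "$addr" "${out%% *}" "${out#* }"
}

if [ "${1:-}" = "--live" ]; then
    probe "${2:-172.16.0.1}"
else
    # Constructed results: resolver broken, external DNS blocked, healthy portal.
    diagnose 172.16.0.1 172.16.0.1 "" 000 ""
    diagnose 8.8.8.8 172.16.0.1 "" 000 ""
    diagnose 172.16.0.1 172.16.0.1 192.0.2.10 302 "http://172.16.0.1/index.php"
fi
```

Run it as `--live 172.16.0.1` from a client that has not yet authenticated; with no arguments it only prints the diagnoses for the constructed results.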