[SOLVED] Captive portal is blocking port 80
-
Hi
I have the following issue: when a user is successfully logged in to the captive portal, she is able to access anything except for HTTP. It is as though packets are dropped, because the browser times out. That also means an HTTPS connection works fine, and for that matter any protocol will work, but HTTP. I suspect something is wrong with the login interception magic but I can't figure out what.
I have a default configuration (I am using RADIUS auth though but it is working fine). Since I upgraded from at least 2.1, I had to change the NAT rule created by the CP from 8000 to 8002, but it didn't resolve my problem.
Here is some info:
$ ipfw zone list
Currently defined contexts and their members:
2: em3,

$ ipfw -x 2 show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 2 74 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 1018 100441 allow ip from any to table(100) in
65311 934 248174 allow ip from table(100) to any out
65312 0 0 allow ip from any to 255.255.255.255 in
65313 0 0 allow ip from 255.255.255.255 to any out
65314 0 0 pipe tablearg ip from table(3) to any in
65315 0 0 pipe tablearg ip from any to table(4) in
65316 0 0 pipe tablearg ip from table(3) to any out
65317 0 0 pipe tablearg ip from any to table(4) out
65318 695 88423 pipe tablearg ip from table(1) to any in
65319 605 150682 pipe tablearg ip from any to table(2) out
65532 714 82204 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 648 86753 allow tcp from any to any out
65534 102 6243 deny ip from any to any
65535 0 0 allow ip from any to any

$ ipfw -x 2 table all list
---table(1)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2036
---table(2)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2037
---table(100)---
192.168.30.254/32 0
where 192.168.30.254 is the CP address and 192.168.30.102 is my test client (ubuntu).
Here are the firewall rules for the interface:
NAT
Interface   | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP         | NAT Ports | Description
WIFIEXTERNE | TCP      | *              | *            | *             | 80 (HTTP)   | 192.168.30.254 | 8002      |

Rules
Protocol      | Source | Port | Destination          | Port     | Gateway | Queue | Schedule | Description | States
IPv4 *        | *      | *    | *                    | *        | *       | none  |          |             | 0 /0 B
IPv4 TCP/UDP  | *      | *    | WIFIEXTERNE address  | 53 (DNS) | *       | none  |          |             | 0 /0 B
IPv4 TCP      | *      | *    | 192.168.30.254       | 8002     | *       | none  |          | NAT         |
I am currently running pfSense 2.3.4.
Thanks for your insight
-
The automatically generated ipfw firewall rules look good to me.
These rules:
...
65318 695 88423 pipe tablearg ip from table(1) to any in
65319 605 150682 pipe tablearg ip from any to table(2) out
...
indicate - see red numbers - that these two rules are accepting (pass) traffic.
Present in table 1 and 2 are the IP and MAC of your Ubuntu device, which is logged in.
You can see clearly that "logged in against the captive portal" is nothing more than being a member of table 1 and 2. So, concerning 'ipfw', you are logged in. ipfw is transparent for your Ubuntu device.
But, could you mention the reason why you inserted this NAT rule (and the related firewall rule)?
Now the GUI Firewall rules:
Your first firewall rule is an any-to-any => pass.
The second rule (everything that is TCP or UDP, coming from everywhere, going to "WIFIEXTERNE address": port 53 == DNS) => pass. But nothing will reach this rule, everything is already passed by the first rule.
Third rule: .... same thing, this rule will never be reached. Check out the image.
I added, for testing purposes, your first rule as my first rule in the captive portal firewall list.
A next line is a block all for IPv4 (everything after the second rule will never be reached). **
I can log in against the captive portal - and have internet access (port '80') afterwards. => I can't tell you for sure what your problem is. Start by throwing away this NAT rule (and related firewall rule).
** : The captive portal is IPv4 only, IPv6 is not being used.
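To make the "logged in == member of table 1 and 2" check from this reply mechanical, here is an added Python example (written for this page, not code from the thread or from pfSense) that parses `ipfw -x N show` and `ipfw -x N table all list` output of the shape posted above. The sample output is a constructed subset of the rules and tables shown in the question; `is_logged_in`, `active_rules` and `port80_redirects` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the output posted in the question.
SHOW_OUTPUT = """\
65310 1018 100441 allow ip from any to table(100) in
65318 695 88423 pipe tablearg ip from table(1) to any in
65319 605 150682 pipe tablearg ip from any to table(2) out
65532 714 82204 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65533 648 86753 allow tcp from any to any out
65534 102 6243 deny ip from any to any
"""
TABLE_OUTPUT = """\
---table(1)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2036
---table(2)---
192.168.30.102/32 mac 78:4f:43:8a:ed:c3 2037
---table(100)---
192.168.30.254/32 0
"""

# "<rule> <packets> <bytes> <rule body>" as printed by 'ipfw show'
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_rules(text):
    """Return a list of (rule_number, packets, bytes, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def parse_tables(text):
    """Map table number -> set of address entries (first field of each row)."""
    tables, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^---table\((\d+)\)---$", line.strip())
        if m:
            current = int(m[1])
            tables[current] = set()
        elif current is not None and line.strip():
            tables[current].add(line.split()[0])
    return tables

def is_logged_in(tables, ip):
    """The CP marks a client as logged in by adding it to table 1 (in) and table 2 (out)."""
    entry = ip + "/32"
    return entry in tables.get(1, set()) and entry in tables.get(2, set())

def active_rules(rules):
    """Rule numbers with a non-zero packet counter, i.e. rules that actually matched."""
    return [num for num, pkts, _, _ in rules if pkts > 0]

def port80_redirects(rules):
    """fwd rules intercepting dst-port 80: the CP login redirect (here to 127.0.0.1,8002)."""
    return [(num, body) for num, _, _, body in rules
            if body.startswith("fwd") and "dst-port 80" in body]
```

Run it against the real output of `ipfw -x 2 show` and `ipfw -x 2 table all list` to confirm that the client address sits in both tables and to see which rules are still counting packets after login.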
-
Thanks for your detailed answer.
But, could you mention the reason why you inserted this NAT rule (and the related firewall rule)?
I did not. It is automatically created with the captive portal. I'll try and remove it.
Now the GUI Firewall rules:
Your first firewall rule is an any-to-any => pass.
The second rule (everything that is TCP or UDP, coming from everywhere, going to "WIFIEXTERNE address": port 53 == DNS) => pass. But nothing will reach this rule, everything is already passed by the first rule.
Third rule: .... same thing, this rule will never be reached.
I'm aware of that. My final ruleset will be less permissive. It was just for testing.
I'll keep you updated shortly.
Thanks
-
Start by throwing away this NAT rule (and related firewall rule).
That did it. Thank you very much for your help.
-
Great!