Netgate Discussion Forum

    Captive portal not redirect

      Martí Ferret @Gertjan

      @Gertjan I changed the DNS resolver, with this: https://imgur.com/a/1SFwXZ3
      and it didn't work

        Gertjan @Martí Ferret

        @Martí-Ferret said in Captive portal not redirect:

        @free4
        nslookup : https://imgur.com/a/WRGCFYn

        ICMP (= ping) won't work if not authenticated.

        DNS Resolving should work.

        ipconfig /all : https://imgur.com/a/FJgCTnO

        pfSense = 10.0.0.2 ? Ok, why not, but why not 10.0.0.1 ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Martí Ferret

          I was authenticated when I made the nslookup, and idk why I put 10.0.0.2; this is not the error, true?

            Gertjan

            Who is 10.0.0.2 ?

              Gertjan

              My Resolver settings :

              fc8b542c-410c-4f9c-acb2-05b748d11aa2-image.png

              edit : the Custom options are not related - not needed.

                Martí Ferret @Gertjan

                @Gertjan The PFSENSE server

                  Gertjan

                  Firewall rules on LAN ?

                    Martí Ferret @Gertjan

                    @Gertjan I copied your config and my captive portal didn't work. ;(
                    Not all, I just disallow DNS query forwarding like you.

                      Gertjan @Martí Ferret

                      @Martí-Ferret said in Captive portal not redirect:

                      not all, I just disallow DNS query forwarding like you.

                      When you install pfSense, you set up WAN (if needed) and you change nothing, the captive portal works.
                      Ok if you change 192.168.1.0/24 for 10.0.0.0/24.

                      My firewall rules on LAN :
                      7c21ad2d-1990-4a7f-ad1c-a751d10d90eb-image.png

                      With these rules, you're ok?
                      ( but such rules are maybe not ok for a Captive portal - just ok to start with )

                        Martí Ferret @Gertjan

                        @Gertjan 0
                        What rule should I have?

                          Gertjan

                          As shown above - to start with.

                            Martí Ferret @Gertjan

                            @Gertjan I copied the second one and it still didn't work ;(

                              Gertjan

                              Afterwards, you can - and you should - adapt.
                              All depends on what type of public you have on your captive portal.
                              Family ? You'll be fine?
                              Public network ? You should NOT activate the captive portal on your LAN, use a dedicated interface (OPT1) and depreciated rules.
                              For an example, I show you my firewall rules on my captive portal (a public portal - untrusted visitors) :

                              d8e43528-5ccf-4327-a8f6-0fc19bdf3743-image.png

                                Martí Ferret @Gertjan

                                @Gertjan IDK why, when I enter www.google.es it doesn't redirect, but if I enter 11.11.11.11 it redirects to the captive portal.
                                Before configuring rules, I want to get automatically redirected to the captive portal, not only if I put an IP in the URL.

                                  Gertjan

                                  Test this :

                                  Disconnect all captive portal users (tricky, you are on LAN - you will disconnect yourself).
                                  At this moment, a "nslookup" should work.
                                  In other words : DNS should not be blocked.
                                  If 10.0.0.2 is your DNS and gateway, DNS requests will be passed. DNS will work.

                                  If not : what did you change concerning DNS ?

                                    free4 Rebel Alliance

                                    @Martí-Ferret Your problem is coming from your DNS server, it's not related to the captive portal or to your firewall rules.

                                    Few things :

                                    • Use the "DNS Resolver" in pfSense. The DNS forwarder is a legacy option.
                                    • What DNS server are you using for your pfSense appliance (in System->General Settings) ? Could you check that your pfSense can correctly ping this IP and that a DNS server is enabled on this IP?
                                    • Could you verify your ACL in the DNS resolver settings? What are the logs of your pfSense when you try to resolve a random domain name using DNSSEC ( fbi.gov ) and not using DNSSEC ( kcna.kp ) ?

                                      Martí Ferret @Gertjan

                                      @Gertjan Idk why, but now internet on the client doesn't work.
                                      https://imgur.com/a/W4cfWeC

                                        Gertjan

                                        Added to what @free4 said ; use https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

                                        Show us

                                        ipfw table all list
                                        

                                        and

                                        ipfw list
                                        

                                        (run these commands in the console)

                                        Here is mine (last command) :

                                        [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw list
                                        01000 skipto tablearg ip from any to any via table(cp_ifaces)
                                        01100 allow ip from any to any
                                        02100 pipe tablearg ip from any to any MAC table(cpzone1_pipe_mac)
                                        02101 allow pfsync from any to any
                                        02102 allow carp from any to any
                                        02103 allow ip from any to any layer2 mac-type 0x0806,0x8035
                                        02104 allow ip from any to any layer2 mac-type 0x888e,0x88c7
                                        02105 allow ip from any to any layer2 mac-type 0x8863,0x8864
                                        02106 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
                                        02107 allow ip from any to table(cpzone1_host_ips) in
                                        02108 allow ip from table(cpzone1_host_ips) to any out
                                        02109 allow ip from any to 255.255.255.255 in
                                        02110 allow ip from 255.255.255.255 to any out
                                        02111 pipe tablearg ip from table(cpzone1_allowed_up) to any in
                                        02112 pipe tablearg ip from any to table(cpzone1_allowed_down) in
                                        02113 pipe tablearg ip from table(cpzone1_allowed_up) to any out
                                        02114 pipe tablearg ip from any to table(cpzone1_allowed_down) out
                                        02115 pipe tablearg ip from table(cpzone1_auth_up) to any layer2 in
                                        02116 pipe tablearg ip from any to table(cpzone1_auth_down) layer2 out
                                        02117 fwd 127.0.0.1,8003 tcp from any to any 443 in
                                        02118 fwd 127.0.0.1,8002 tcp from any to any 80 in
                                        02119 allow tcp from any to any out
                                        02120 skipto 65534 ip from any to any
                                        65534 deny ip from any to any
                                        65535 allow ip from any to any
                                        

                                        The first 9 (nine) rules are not important here (they let through IPv4=>DHCP, etc)
                                        These :

                                        02107 allow ip from any to table(cpzone1_host_ips) in
                                        02108 allow ip from table(cpzone1_host_ips) to any out
                                        

                                        are very important.
                                        They let through DNS requests. Always.
                                        "cpzone1_host_ips" is 192.18.2.1, which is my pfSense portal interface = gateway = DNS access.
                                        Yours should be 10.0.0.2 ( see ipfw table all list )

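Added example, not part of the original posts and not pfSense's own tooling: a Python check that a saved `ipfw list` output still contains the two `host_ips` allow rules Gertjan describes, numbered before the portal redirect (`fwd`) and the final `deny`. The zone name `cpzone1` and the sample rules come from the post; the function names and the broken variant are made up for illustration.

```python
import re

# Rules quoted from the `ipfw list` output in the post above, trimmed to the
# ones this check looks at.
GOOD = """\
01000 skipto tablearg ip from any to any via table(cp_ifaces)
02107 allow ip from any to table(cpzone1_host_ips) in
02108 allow ip from table(cpzone1_host_ips) to any out
02117 fwd 127.0.0.1,8003 tcp from any to any 443 in
02118 fwd 127.0.0.1,8002 tcp from any to any 80 in
02120 skipto 65534 ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any
"""
# Constructed variant: the two host_ips rules are missing.
BROKEN = "\n".join(l for l in GOOD.splitlines() if "host_ips" not in l)

RULE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

def parse_rules(listing):
    """Return [(number, body)] sorted by rule number, ignoring non-rule lines."""
    matches = (RULE.match(line) for line in listing.splitlines())
    return sorted((int(m.group(1)), m.group(2)) for m in matches if m)

def first(rules, pattern):
    """Number of the first rule whose body matches pattern, or None."""
    return next((n for n, body in rules if re.search(pattern, body)), None)

def check_portal_rules(listing, zone="cpzone1"):
    """Return a list of problems; an empty list means the rules are present and ordered."""
    rules = parse_rules(listing)
    host = re.escape(f"table({zone}_host_ips)")
    found = {
        "to portal (in)": first(rules, rf"^allow ip from any to {host} in$"),
        "from portal (out)": first(rules, rf"^allow ip from {host} to any out$"),
        "fwd 443": first(rules, r"^fwd \S+ tcp from any to any 443 in$"),
        "fwd 80": first(rules, r"^fwd \S+ tcp from any to any 80 in$"),
        "final deny": first(rules, r"^deny ip from any to any$"),
    }
    problems = [f"missing rule: {name}" for name, num in found.items() if num is None]
    # The host_ips rules must be numbered below the redirect and the final deny.
    stops = [found[k] for k in ("fwd 443", "fwd 80", "final deny") if found[k]]
    for name in ("to portal (in)", "from portal (out)"):
        if found[name] and stops and found[name] > min(stops):
            problems.append(f"{name} rule {found[name]:05d} is evaluated after rule {min(stops):05d}")
    return problems

if __name__ == "__main__":
    for label, listing in (("post's ruleset", GOOD), ("constructed broken ruleset", BROKEN)):
        print(label, "->", check_portal_rules(listing) or "ok")
```
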
                                          Gertjan @Martí Ferret

                                          @Martí-Ferret said in Captive portal not redirect:

                                          @Gertjan Idk why, but now internet on the client doesn't work.
                                          https://imgur.com/a/W4cfWeC

                                          Your image tells me : DNS does not work for your clients .... => Clients can not access DNS ..... see my message above.

                                            free4 Rebel Alliance @Martí Ferret

                                            @Martí-Ferret maybe you still have captive portal enabled?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.