Netgate Discussion Forum

Pfsense lets some smart phones connect despite the captive portal setup with vouchers

Captive Portal
smart phone captive portal vouchers
  • G
    Gertjan
    last edited by Gertjan May 19, 2019, 12:37 PM May 19, 2019, 12:35 PM

    @free4 said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:

    Another possibility

    would be changing the behavior of your dd-wrt :

    Like this :
    [image]

    In this example I presume that your pfSense LAN is 192.168.1.0/24 - the wrt becomes '254'.

    Do not use the WAN port on the dd-wrt, use one of the LAN ports.

    Now, the dd-wrt becomes a simple AP.

    edit : the dd-wrt has an NTP client. Consider whitelisting its MAC or IP (it's static) so the AP itself can go through the portal.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    T 1 Reply Last reply May 29, 2019, 12:38 AM Reply Quote 0
    • T
      tarandalinux
      last edited by May 21, 2019, 1:04 AM

      @free4 the only way that I've found to disable NAT is by going into Setup / Advanced Routing then choosing Router from the dropdown box.
      [image]

      I don't know if I'm doing it right and if I have to configure anything else, but when I choose Router the traffic completely stops. I'm not able to connect to the Internet at all.
      [image]

      I can see what you mean by "all users share the same IP from pfSense's point of view"
      [image]
      That IP is from my router and all the connections share the same one.

      Can you tell me if I'm going about disabling NAT the right way?

      F 1 Reply Last reply May 21, 2019, 5:45 AM Reply Quote 0
      • D
        Derelict LAYER 8 Netgate
        last edited by May 21, 2019, 2:03 AM

        Really more of a question for a DD-WRT forum but if you can get help here great.

        1 Reply Last reply Reply Quote 1
        • T
          tarandalinux
          last edited by May 21, 2019, 2:07 AM

          @Gertjan This is my configuration of my wrt54G using dd-wrt. It's a little bit different than yours but the configuration options are very similar.
          [image]

          When you say "Do not use the WAN port on the dd-wrt, use one of the LAN ports", do you mean to connect my Ethernet cable coming out of my CPU to one of the four ports, not the one labeled INTERNET?

          How do I go about whitelisting the NTP client's MAC and where can I find it?

          I've tried the configuration but the router just gets stuck. I have to reset it and reconfigure it by restoring the configuration file.

          G 1 Reply Last reply May 21, 2019, 9:20 AM Reply Quote 0
          • F
            free4 Rebel Alliance @tarandalinux
            last edited by May 21, 2019, 5:45 AM

            @tarandalinux I am not using a Linksys AP myself, I cannot help you here

            you may however ask this question at community.linksys.com ?

            1 Reply Last reply Reply Quote 0
            • G
              Gertjan @tarandalinux
              last edited by Gertjan May 21, 2019, 9:21 AM May 21, 2019, 9:20 AM

              @tarandalinux said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:

              When you say "Do not use the WAN port on the dd-wrt, use one of the LAN ports", do you mean to connect my Ethernet cable coming out of my CPU to one of the four ports, not the one labeled INTERNET?

              Exactly. Don't use the WAN (INTERNET port) : that one is routed by default.
              Although it is possible to set up the WAN (INTERNET) port as a LAN port.
              So, hook up your pfSense to one of these LAN ports.

              @tarandalinux said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:

              I can see what you mean by "all users share the same IP from pfSense's point of view"

              In the image you showed, is the MAC the one of your connected devices, or one of the MACs of your router ? LAN, WAN and Wifi all have their own MAC, you can find them in your router's Linksys/Cisco setup pages.

              @free4 said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:

              you may however ask this question at community.linksys.com ?

              That will be the dd-wrt forum. It's huge, everything is there.
              As said, I'm using boatloads of E1200s etc. myself. All with dd-wrt firmware - for many years now.

              I never edited the Setup -> Advanced Routing page .... as of dd-wrt's instructions : you don't have to edit this page.


              1 Reply Last reply Reply Quote 0
              • T
                tarandalinux @Gertjan
                last edited by tarandalinux May 29, 2019, 12:39 AM May 29, 2019, 12:38 AM

                @Gertjan said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:

                AP

                I've found that dd-wrt transmits in AP by default.

                So assuming that I have that taken care of, what are the next steps to follow?

                I've tried @free4's suggestions but in my case it is not working. Any more suggestions, please!

                F 1 Reply Last reply May 29, 2019, 5:46 AM Reply Quote 0
                • F
                  free4 Rebel Alliance @tarandalinux
                  last edited by May 29, 2019, 5:46 AM

                  @tarandalinux did you try to enable "disable mac filtering "?

                  T 2 Replies Last reply May 29, 2019, 3:53 PM Reply Quote 0
                  • T
                    tarandalinux @free4
                    last edited by May 29, 2019, 3:53 PM

                    @free4 I just enabled it. Let me check to see if cell phones can connect without the voucher.

                    1 Reply Last reply Reply Quote 0
                    • D
                      Derelict LAYER 8 Netgate
                      last edited by May 29, 2019, 6:00 PM

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • T
                        tarandalinux @free4
                        last edited by Jun 8, 2019, 8:56 AM

                        @free4 I did and thought that I had fixed the problem but some smart phones are still getting through without having to introduce a voucher.

                        1 Reply Last reply Reply Quote 0
                        • G
                          Gertjan
                          last edited by Gertjan Jun 10, 2019, 11:50 AM Jun 8, 2019, 10:35 AM

                          Time to dive into the console or SSH access.
                          Option 8.

                          Read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html#ipfw-tables

                          Show us what your <name>_auth_up and <name>_auth_down tables are.
                          <name> is the name of your captive portal.

                          The IPs listed in these 2 tables are the devices that can pass through / are authenticated.

                          Also take a look at what
                          ipfw show
                          shows.

                          These rules basically represent the captive portal. A captive portal is some firewall rules - ipfw rules in this case - and a web server. And some underlying authentication code that injects and removes rules and/or items in tables.

                          Also : now that the AP is set up correctly, I advise you to remove the check in front of "disable mac filtering ".

                          I still use some ancient WRT54GS devices with the DD-WRT firmware for b+g compatibility reasons. They have worked for nearly a decade now.


                          T 2 Replies Last reply Jun 20, 2019, 6:00 PM Reply Quote 0
                          • T
                            tarandalinux @Gertjan
                            last edited by Jun 20, 2019, 6:00 PM

                            @Gertjan This is what I get when I use ipfw show
                            [2.4.4-RELEASE][admin@pfSense.localdomain]/root: ipfw show
                            01000 385224 348557850 skipto tablearg ip from any to any via table(cp_ifaces)
                            01100 434577 348894659 allow ip from any to any
                            02100 0 0 pipe tablearg ip from any to any MAC table(los_portales_pipe_mac)
                            02101 0 0 allow pfsync from any to any
                            02102 0 0 allow carp from any to any
                            02103 2 0 allow ip from any to any layer2 mac-type 0x0806,0x8035
                            02104 0 0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
                            02105 0 0 allow ip from any to any layer2 mac-type 0x8863,0x8864
                            02106 0 0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
                            02107 21 1437 allow ip from any to table(los_portales_host_ips) in
                            02108 27 8764 allow ip from table(los_portales_host_ips) to any out
                            02109 0 0 allow ip from any to 255.255.255.255 in
                            02110 0 0 allow ip from 255.255.255.255 to any out
                            02111 0 0 pipe tablearg ip from table(los_portales_allowed_up) to any in
                            02112 0 0 pipe tablearg ip from any to table(los_portales_allowed_down) in
                            02113 0 0 pipe tablearg ip from table(los_portales_allowed_up) to any out
                            02114 0 0 pipe tablearg ip from any to table(los_portales_allowed_down) out
                            02115 0 0 pipe tablearg ip from table(los_portales_auth_up) to any layer2 in
                            02116 0 0 pipe tablearg ip from any to table(los_portales_auth_down) layer2 out
                            02117 0 0 fwd 127.0.0.1,8002 tcp from any to any 80 in
                            02118 47 6172 allow tcp from any to any out
                            02119 155 19025 skipto 65534 ip from any to any
                            65534 5762 467263 deny ip from any to any
                            65535 12 4314 allow ip from any to any
                            [2.4.4-RELEASE][admin@pfSense.localdomain]/root:

                            1 Reply Last reply Reply Quote 0
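
Added example, not part of any post in this thread: a small `/bin/sh` helper that reads `ipfw show` output like the listing above and pulls out the packet and byte counters of the rules that reference one captive portal zone's tables, including the `<name>_auth_up` and `<name>_auth_down` rules mentioned earlier. The function names are made up for this example, and the embedded sample is a subset of the lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread): read `ipfw show` output on stdin and
# report counters for one captive portal zone. Each rule line is:
#   rule-number  packets  bytes  rule-text

# Sample input: a subset of the lines posted above, embedded for offline use.
sample_ipfw_show() {
cat <<'EOF'
01000 385224 348557850 skipto tablearg ip from any to any via table(cp_ifaces)
01100 434577 348894659 allow ip from any to any
02107 21 1437 allow ip from any to table(los_portales_host_ips) in
02108 27 8764 allow ip from table(los_portales_host_ips) to any out
02115 0 0 pipe tablearg ip from table(los_portales_auth_up) to any layer2 in
02116 0 0 pipe tablearg ip from any to table(los_portales_auth_down) layer2 out
02117 0 0 fwd 127.0.0.1,8002 tcp from any to any 80 in
02119 155 19025 skipto 65534 ip from any to any
65534 5762 467263 deny ip from any to any
EOF
}

# cp_table_hits ZONE: print "rule table packets bytes" for every rule that
# references a table whose name starts with ZONE_. Non-rule lines (such as
# the shell prompt) are skipped because their first fields are not numeric.
cp_table_hits() {
    awk -v zone="$1" '
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        rest = $0
        while (match(rest, /table\([A-Za-z0-9_]+\)/)) {
            name = substr(rest, RSTART + 6, RLENGTH - 7)
            if (index(name, zone "_") == 1) print $1, name, $2, $3
            rest = substr(rest, RSTART + RLENGTH)
        }
    }'
}

# cp_auth_packets ZONE: packets counted on the ZONE_auth_up/ZONE_auth_down rules.
cp_auth_packets() {
    cp_table_hits "$1" | awk -v zone="$1" '
        $2 == (zone "_auth_up") || $2 == (zone "_auth_down") { n += $3 }
        END { print n + 0 }'
}

# rule_packets NUMBER: packet counter of one rule (0 if the rule is absent).
rule_packets() {
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { if (!found) print 0 }'
}

sample_ipfw_show | cp_table_hits los_portales
```

On the firewall, run it under `/bin/sh` and feed it live output, for example `ipfw show | cp_auth_packets los_portales`. In the listing posted above both auth rules (02115 and 02116) show 0 packets.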
                            • T
                              tarandalinux @Gertjan
                              last edited by Jun 20, 2019, 6:28 PM

                              @Gertjan said in Pfsense lets some smart phones connect despite the captive portal setup with vouchers:
                              When I do this the internet stops working.

                              remove the check in front of "disable mac filtering "

                              1 Reply Last reply Reply Quote 0
                              • G
                                Gertjan
                                last edited by Gertjan Jun 20, 2019, 8:40 PM Jun 20, 2019, 8:37 PM

                                This :
                                [image]

                                Is the 'simple' setup.

                                The ipfw firewall works best when it 'sees' the MAC addresses of the connected devices.
                                If it doesn't, well ... check your AP again : make it work as an AP, not a router. Routers hide MAC addresses from upstream routers (= pfSense). That's not good if you want the captive portal to work flawlessly.


                                1 Reply Last reply Reply Quote 0
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.