Redirect does not work

Crunch1788

so if i use http there is no way to do an automatic redirect?

johnpoz

Depends on what the users is doing for their first call - many systems check for a captive port at with known urls (captive.roku.com for example) that are http.. But if the os/browser doesn't check for that and then the user just fires up their browser and tries to go to https://something then yeah it can be problematic.

https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals

If the initial connection attempted is made over Secure Sockets Layer (SSL), the browser displays a security warning to the user before the user is redirected to the captive portal. This creates a confusing experience for users because they must ignore the security warning to get connected.

Crunch1788

SO im using Chrome with Firefox with Win10 so what do I have to do to get an automatic redirect?

johnpoz

go to a http site first, and not some https site...

Crunch1788

So there is no way in my config that when i try to search something in google the portal will show up?

johnpoz

Depends - watch the official hangout.. and read the official documentation in the book I linked too. Haven't played with captive portals in years.. I have no use of them in my network.

Crunch1788

mhhh i dont get it i tried the steps from netgate but it didnt work

johnpoz

is the http working? Get that working before you move on to trying to get https working.

Crunch1788

so like the documentation my dns is working also i can reach the page if i type 192.168.20.3:8002 in my Browser.

johnpoz

https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

if you want some help going to need some actual details of what is happening or not happening.

I turned on cp.. picked lan, picked local database as auth.. And tried to hit http://www.cnn.com and bam got the built in captive portal

I would suggest you get it working with bare min settings first, and then move to more complex setup. And validate it works by hitting a http://site in your browser first.

Gertjan

@Crunch1788 said in Redirect does not work:

type anything in the browser it just dont redirect...

This "anything" should not be a https site that you already visited before.
These days, certs are persistent, ans some of them even completely forbid that you use the http:// destination.

So, type in a http (not https) site that you never visited before. This would start the usual DNS questioning and when the answer comes in (the A one) then the browser will (try to) connect to it using port 80. Nifty ipfw firewall rules on the Captive portal interface will redirect any "connections to port 80" to the firewall itself.
And guess what, the web server that servers the captive login page is listening over there. So you see that, instead of the site you wanted to visit.

So, this "anything" should be something valid, if not the DNS exchanges "anything" for "does not exist" and you still have a no go.

But : these days there is no need any more to explain these things.
All OS's are captive portal aware these days so it works out of the box.

I tend to say : activate the portal with as Authentication Method : None.
and your done.

The trick is : a good working DNS isn't optional thing. The captive portal really needs it - that is, the clients do. So, people that m*ss up the DNS (Resolver) settings will wind up with a non working captive portal.

Most issues are being handled here : https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

Btw : I could show you the video that my brother made about captive portals. Very nice except that it wouldn't help nobody.
If you want a video, use the real videos from Netgate, the official ones. "Done by the guys who build it". Like having Windows explained to you by the guy from Microsoft. Not your car dealer. really, it makes a difference.

edit : I was typing to slowly .... (during work hours) ...

What I advice you to do :
(All) device use DHCP - and pfSEnse should hand out the IP mask gateway and DNS.
The latter two are the IP of the network where the captive portal is running.
The DNS resolver settings should be "default" : example adding 8.8.8.8 and you're out of business.
First test : just use one (1) ether-net cable, no switches - no AP's, nothing except the one 1 $ cable. This should work.
Now you can include a switch. A switch has no settings so this can't go wrong.
Test again.
Now add an AP ... and be careful : an AP - not some "router-with-AP-with-router-functionalities" like DHCP/Firewall/NAT etc still activated.
Just an AP. Shut down the rest (DCP ... DNS ....).
Give this AP a static IP - gateway being the IP of pfSense - DNS is the IP of pfSense and you'll be fine.

About the OS detection : example : an iPhone :
Select the captive portal wifi network.
Wait 5 seconds.
The portal login page shows up "as by magic" : no need to open up a browser first.
Same thing for Microsoft Windows since version 7.
I think even "android" devices have it working out of the box these days.
No interaction from your side is needed.