captive portal and no internet after authentication.
-
My server has 2 network adapters (WAN) and (LAN)
my lan users are using the internet without problem, but once i activate the captive portal on the LAN adapter with DHCP, then my client (after authentication) are not able to access any website. they can just ping to external sites and DNS resolve domains. but they can not access any website although they are authenticated.
I already added firewall rule into WAN and LAN to allow from (ANY) to (ANY). but still my authenticated users are not able to access any site. the problem disappear once captive portal is disabled.
the captive portal add rules (which is not visible in the portal) only visible with IPFW. it seems that these rules still block my clients although they are authenicated.
Please find the firewall LOG below which shows that the firewall is blocking my LAN clients 192.168.1.1/24 although they are authenticated.
can you please advise what i am missing here? how to solve this issue
Feb 22 16:48:11 pfSense filterlog: 6,,,1000000104,em0,match,block,out,4,0x0,,127,6663,0,DF,6,tcp,40,192.168.201.147,65.111.177.213,10410,80,0,FA,2203510099,1904358898,32597,,
Feb 22 16:48:12 pfSense filterlog: 6,,,1000000104,em0,match,block,out,4,0x0,,127,6668,0,DF,6,tcp,40,192.168.201.147,65.111.177.213,6138,80,0,FA,1220652558,2102718359,32768,,
Feb 22 16:48:12 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,6671,0,DF,6,tcp,41,192.168.1.29,172.217.19.46,1626,443,1,A,287277383:287277384,1622947695,65535,,
Feb 22 16:48:12 pfSense filterlog: 5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,165.212.168.200,192.168.1.29,80,1662,0,R,332788939,,0,,
Feb 22 16:48:15 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,6682,0,DF,6,tcp,41,192.168.1.29,172.217.19.46,1629,443,1,A,710584795:710584796,2679125223,65535,,
Feb 22 16:48:15 pfSense filterlog: 5,,,1000000103,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,40,165.212.168.200,192.168.1.29,80,1662,0,R,332788939,,0,,
Feb 22 16:48:16 pfSense filterlog: 6,,,1000000104,em0,match,block,out,4,0x0,,127,6684,0,DF,6,tcp,40,192.168.201.147,65.111.177.213,41513,80,0,A,,3999338333,32597,, -
Hi,
LAN rules ?
You've read https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html
The most common issue is ... DNS. Your are using the default Resolver and default DNS settings, right ?
The ipfw rules are rather static. What happens when a user authenticates is that it's IP and MAC are added to the two portal "pass" tables : is this the case ? (see link for examples and commands).Even when a user is not authenticated, he should be able to launch a ping command to google.com : no ICMP reply, but the URL google.com should be resolved. Is this the case ?
@roundcube222 said in captive portal and no internet after authentication.:
I already added firewall rule into WAN
There should be no WAN rules.
-
Before authentication, they can ping yahoo.com and dns resolve it , but they never receive icmp reply.
After authentication, they can resolve domains , and also they receive icmp back from yahoo.com for the ping.
The only problem is they can not browse at all after authentication although they can ping hosts and receive icmp reply and they can also resolve dns domains without issue
The only problem is the browsing ....
Any ideas for solution ?
-
LAN rules ?
What's shown in the two ipfw tables (see above) ?
-
@Gertjan said in captive portal and no internet after authentication.:
https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html
i have only 1 client and his ip is 192.168.1.107 and he have authenticated via the captive portal and his ip is written inside the tables as per the following output
[2.4.5-RC][root@pfSense.localdomain]/root: ipfw table captiveportal_lan_auth_up list
192.168.1.107/32 00:0c:29:f8:16:40 2000 84 4065 1582481378
[2.4.5-RC][root@pfSense.localdomain]/root: ipfw table captiveportal_lan_auth_down list
192.168.1.107/32 2001 11 440 1582481375and here is the ipfw entries for your info
[2.4.5-RC][root@pfSense.localdomain]/root: ipfw show
01000 6977 1457174 skipto tablearg ip from any to any via table(cp_ifaces)
01100 1685 56442 allow ip from any to any
02100 0 0 pipe tablearg MAC table(captiveportal_lan_pipe_mac)
02101 0 0 allow pfsync from any to any
02102 0 0 allow carp from any to any
02103 17 0 allow layer2 mac-type 0x0806,0x8035
02104 0 0 allow layer2 mac-type 0x888e,0x88c7
02105 0 0 allow layer2 mac-type 0x8863,0x8864
02106 0 0 deny layer2 not mac-type 0x0800,0x86dd
02107 615 66169 allow ip from any to table(captiveportal_lan_host_ips) in
02108 634 111323 allow ip from table(captiveportal_lan_host_ips) to any out
02109 0 0 allow ip from any to 255.255.255.255 in
02110 0 0 allow ip from 255.255.255.255 to any out
02111 0 0 pipe tablearg ip from table(captiveportal_lan_allowed_up) to any in
02112 0 0 pipe tablearg ip from any to table(captiveportal_lan_allowed_down) in
02113 0 0 pipe tablearg ip from table(captiveportal_lan_allowed_up) to any out
02114 0 0 pipe tablearg ip from any to table(captiveportal_lan_allowed_down) out
02115 93 4498 pipe tablearg ip from table(captiveportal_lan_auth_up) to any layer2 in
02116 13 520 pipe tablearg ip from any to table(captiveportal_lan_auth_down) layer2 out
02117 42 7983 fwd 127.0.0.1,8002 tcp from any to any 80 in
02118 97 6291 allow tcp from any to any out
02119 1246 87620 skipto 65534 ip from any to any
65534 2065 137757 deny ip from any to any
65535 0 0 allow ip from any to anywhat i am doing wrong ? why my authenticated client can not browse the web ? they can only resolve domain names, but they can not browse the internet.
thanks
Also here is the table list for your info and 192168.1.23/32 is my LAN adapter static IP.
[2.4.5-RC][root@pfSense.localdomain]/root: ipfw table all list
--- table(cp_ifaces), set(0) ---
em1 2100 621 61110 1582482492
--- table(captiveportal_lan_auth_up), set(0) ---
192.168.1.107/32 00:0c:29:f8:16:40 2000 50 2360 1582482492
--- table(captiveportal_lan_host_ips), set(0) ---
192.168.1.23/32 0 289 40087 1582482492
--- table(captiveportal_lan_pipe_mac), set(0) ---
--- table(captiveportal_lan_auth_down), set(0) ---
192.168.1.107/32 2001 10 2452 1582482483
--- table(captiveportal_lan_allowed_up), set(0) ---
--- table(captiveportal_lan_allowed_down), set(0) --- -
This :
@roundcube222 said in captive portal and no internet after authentication.:
--- table(captiveportal_lan_auth_up), set(0) ---
192.168.1.107/32 00:0c:29:f8:16:40 2000 50 2360 1582482492
....
--- table(captiveportal_lan_auth_down), set(0) ---
192.168.1.107/32 2001 10 2452 1582482483means that the ipfw firewall is transparent for 192.168.1.107 ( MAC )
pfSense with .23 ? Ok, but why ?
The device you use, 192.168.1.107, has it 192.168.1.23 as it's gateway ? As it DNS ?
If it's a Windows device, typeipconfig /allfor the answers.
Btw : Two official captive portal videos are here : https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos have a look at the fist one and do exactly the same setup with yours, then start modifying things, and as soon as it 'breaks' you know where to look ^^
Take note of this : If you change any settings on the captive portal settings page, throw every connected user of the portal right afterwards, and have them reconnect. In that order. (Status > Captive portal and hit the red button)
Your LAN rules are permissive like this :
right ?
-
@roundcube222 your problem seems related to your firewall rules, not to the captive portal
The logs you are sharing are (i guess) the logs of the WAN interface (because you didnt enabled logging on other rules).
Could you please check in the firewall rules of the LAN interface that you allowed TCP 80 and TCP 444 ?
there is an implicit rule "block everything that has not been previouslty allowed" applied under all rules on each interface. Therefore you need to allow these two ports if you want to be able to access the web from your LAN.
You should also whitelist other ports (such as the one for HTTP3/QUIC and Websocket) -
@free4
already in my LAN rules i input
ALLOW from ANY to ANYso there is no blockage from the portal firewall.
-
@Gertjan
ipconfig/all shows as followConnection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-F8-16-40
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.23
DHCP Server . . . . . . . . . . . : 192.168.1.23
DNS Servers . . . . . . . . . . . : 192.168.1.23
Lease Obtained. . . . . . . . . . : Monday, February 24, 2020 8:27:01 AM
Lease Expires . . . . . . . . . . : Monday, February 24, 2020 10:27:01 Amy lan/firewall static ip is 192.168.1.23 and my client got DHCP 192.168.1.107
After authentication, still the firewall is blocking 192.168.1.107 , i disconnected portal client and connect them again, but same problem that the firewall is blocking 192.168.1.107
here is the log from firewall as follow
Feb 24 06:53:08 LAN Default deny rule IPv4 (1000000103) 192.168.1.107:1156 172.217.18.228:443 TCP:Ai do not know why the firewall is blocking my captive portal clients, although in LAN FIREWALL rules i added rule ACCEPT from ANY to ANY and protocal ALL.
this is very strange and i can not find a solution or reason for the issue...
Maybe the rules i pasted in my earlier post can help you to identify the problem ?
any ideas to solve this ?
-
@roundcube222 said in captive portal and no internet after authentication.:
here is the log from firewall as follow
Feb 24 06:53:08 LAN Default deny rule IPv4 (1000000103) 192.168.1.107:1156 172.217.18.228:443 TCP:AWhen you look at this rule, you can see the rule number : 1000000103
Look up this rule number (for easy check : open the file that is loaded into 'ip' which you can find here : /tmp/rules.debug) and you'll be in for a surprise.#--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in inet all tracker 1000000103 label "Default deny rule IPv4"so you're hitting the default build in block all rule, valid for ALL interfaces.
So, again, what is/are your LAN (== Captive portal interface ??) rules ?
Please copy paste the entire image of your rules (use a capture tools, Window<s/MAC/Linux/whatever have one build in) and paste (Ctrl-V) it in your message.Like :
If there are no pass rules that match your traffic, the default 'hidden' block all rule kicks in.
Any floating rules ?
-
this is my LAN firewalland here is my FLOATING
i already added in all PASS (ANY ) IN and OUT
what is the problem.... ?
-
@roundcube222 said in captive portal and no internet after authentication.:
what is the problem.... ?
Well, ok, the pass rules are not missing. You've an entire collection of, them.
em0 = WAN
em1 = LAN = captive portal - right ?I can't figure out why IPv4 is being blocked on your LAN interface == captive portal interface.
This is pfSense 2.4.4-p3, right ?
Who is 192.168.201.147 ?
I advise you to re install clean.
Use the video as shown above to make the captive portal work.
Keep the LAN as default. Do not change DNS / do not add change any firewall rules.
When the portal works, start adding your changes.Btw : your Floating rule is scary ...
edit : Your using a VM, right ?
-
Correct Em0 - WLAN
and EM1 = LAN = Captive portal
This is pfsens 2.4.4 correct
and i am using VMware correct
192.168.201.147 is WAN IPAny recommendations , other than re-installing again ?
-
You talk about a WLAN interface. is that another LAN or the WAN ?
You selected in the captive portal the em1 interface = LAN , right ?
Here Services Captive > Portal > [ZONE] > Configuration:
edit : Yep, you did.
em1 2100 621 61110 1582482492Make a backup of your config - and re install.
Set up the portal as explain by the video.
And please, tell us what you found / was different, when done. -
no we used the captive portal on LAN as per this screen shot.
I have re-installed a clean copy.. and still the problem their.. my authenticated client can not browse any sites (they can only ping hosts and make dns lookups)
Any ideas??
-
I tend to say that this is still valid these days : https://www.youtube.com/watch?v=qb5TDpihnq4
-
@Gertjan said in captive portal and no internet after authentication.:
https://www.youtube.com/watch?v=qb5TDpihnq4
do i have to create a VLAN for the captive portal ?
only can i create the captive portal on the LAN ??
-
@roundcube222 said in captive portal and no internet after authentication.:
do i have to create a VLAN for the captive portal ?
only can i create the captive portal on the LAN ??It can be activated on the LAN.
Advisable is use a dedicated, other LAN (OPT1) interface. This way, managning is waaaaaaaay more simple.
VLAN's should be be possible also, never tried it myself.
But you should use a device (A VM in your case) with at least 3 real physical NIC's so you respect the golden rule : keep it simple. Simple things also tend to work right away. Afterwards, you can make it complicated again ... ^^Also : per definition : LAN is a trusted network where you connect only devices you trust.
On the captive portal you put devices that you no not trusted. -
@Gertjan
i tired every thing ... my authenticated users can not access internet,,,i have pasted all the firewall rules
Can please one of the admins help me..............
-
did any one tried to use captive portal on LAN ? maybe it is not working because i set the portal on LAN ?
IPFW already added my authenticated clients to the allow list. so why still they can not access internet and they can just ping clients and resolve domains ?
can any one have any ideas what is wrong ? i already pasted my firewall rules in the post which allow ANY from/TO.
The problem only happen when i enable captive portal. if i disable captive portal, then my clients can access internet without any problems.
Maybe there is some bug when using the captive on LAN ?
