Default CP not working if enabled



  • If I turn on CP, no internet. If I keep CP turned off, internet works fine. No CP page opens, no redirection, even with the default CP. If I enter http://10.10.10.1:8002, no page, it times out. Using DNS Resolver with default settings.
    Here are my pf settings.
    WAN is on ISP static; 2 ISP DNS + 8.8.8.8 are set in General Setup with the ISP default GW.
    CP turned on on OPT1 (HOTSPOT) 10.10.10.0/24, DHCP enabled. I tried on pf 2.2.6 and new pf 2.3.2, no luck. CP works fine on other 2.2.4 boxes. I am trying to move a working CP page from pf 2.2.4 to 2.2.6 & 2.3

    2.2.6-RELEASE (amd64)
    built on Mon Dec 21 14:50:08 CST 2015
    FreeBSD 10.1-RELEASE-p25

    Firewall rules on OPT1

    | Action | Family | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |---|---|---|---|---|---|---|---|---|
    | ALLOW | IPv4+6 | TCP/UDP | * | * | HOTSPOT address | 53 (DNS) | * | none |
    | BLOCK | IPv4+6 | TCP/UDP | HOTSPOT net | * | HOTSPOT address | 443 (HTTPS) | * | none |
    | BLOCK | IPv4+6 | TCP/UDP | HOTSPOT net | * | * | 135 | * | none |
    | BLOCK | IPv4+6 | TCP/UDP | HOTSPOT net | * | * | 137 - 139 | * | none |
    | BLOCK | IPv4+6 | TCP/UDP | HOTSPOT net | * | WAN net | * | * | none |
    | BLOCK | IPv4+6 | TCP/UDP | HOTSPOT net | * | WAN address | * | * | none |
    | ALLOW | IPv4+6 | TCP/UDP | * | * | ! LAN net | * | * | none |

    How do I fix this? If you need more info please let me know… Thanks



  • Can anyone help?



  • @sujyo1:

    Any one can help?

    Yes  ;)

    Remove all rules on OPT1, and place a simple 'allow all from all'.
    Then test.

    Also, visit https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and tell us what your 'ipfw' rules and tables are.

    To rule out any AP 'problems', use a direct cable connection from OPT1 to a hardwired switch to a test PC (what IP, gateway, DNS, etc. did this device get (DHCP !) from pfSense?)

    ( Any references to IPv6 are 'useless' because your OPT1 (CP) can't handle IPv6 anyway )



  • Thanks for the reply…

    After trying for 3 days I went back to 2.2.6, still the same..
    Here is what I did...

    1. I disabled the DNS Resolver & enabled the DNS Forwarder with default settings.
    2. Also added the list of ISP/Google DNS servers in OPT1's DHCP server DNS list.
    3. Added the ISP/Google DNS IPs to the CP pass IP list & in the OPT1 FW pass rules.
    4. Copied the old working CP page from 2.2.4 to this box; also tried the default CP page but no luck.
    5. In this hotel's box CP is OFF and all guests are online as of now.

    Intel(R) Atom(TM) CPU C2758 @ 2.40GHz
    8 CPUs: 1 package(s) x 8 core(s)

    net.inet.ip.fastforwarding Enable fast IP forwarding 0

    $ ipfw -hotspot zone1 show
    ipfw syntax summary (but please do read the ipfw(8) manpage):

    ipfw [-abcdefhnNqStTv] <command>

    where <command> is one of the following:

    add [num] [set N] [prob x] RULE-BODY
    {pipe|queue} N config PIPE-BODY
    [pipe|queue] {zero|delete|show} [N{,N}]
    nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|
    reverse|proxy_only|redirect_addr linkspec|
    redirect_port linkspec|redirect_proto linkspec}
    set [disable N… enable N...] | move [rule] X to Y | swap X Y | show
    set N {show|list|zero|resetlog|delete} [N{,N}] | flush
    table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}
    table all {flush | list}

    RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]
    ACTION: check-state | allow | count | deny | unreach{,6} CODE |
                  skipto N | {divert|tee} PORT | forward ADDR |
                  pipe N | queue N | nat N | setfib FIB | reass
    PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]
    ADDR: [ MAC dst src ether_type ]
    [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]
    [ ipv6|ip6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]
    IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }
    IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }
    IP6LIST: { ip6 | ip6/bits }[,IP6LIST]
    IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]
    OPTION_LIST: OPTION [OPTION_LIST]
    OPTION: bridged | diverted | diverted-loopback | diverted-output |
    {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |
    {dst-port|src-port} LIST |
    estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |
    iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |
    ipttl LIST | ipversion VER | keep-state | layer2 | limit … |
    icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |
    mac … | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
    setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |
    tcpdatalen LIST | verrevpath | versrcreach | antispoof

    $  ipfw -hotspot zone table all list
    ipfw syntax summary (but please do read the ipfw(8) manpage):

    ipfw [-abcdefhnNqStTv] <command>

    where <command> is one of the following:

    add [num] [set N] [prob x] RULE-BODY
    {pipe|queue} N config PIPE-BODY
    [pipe|queue] {zero|delete|show} [N{,N}]
    nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|
    reverse|proxy_only|redirect_addr linkspec|
    redirect_port linkspec|redirect_proto linkspec}
    set [disable N… enable N...] | move [rule] X to Y | swap X Y | show
    set N {show|list|zero|resetlog|delete} [N{,N}] | flush
    table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}
    table all {flush | list}

    RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]
    ACTION: check-state | allow | count | deny | unreach{,6} CODE |
                  skipto N | {divert|tee} PORT | forward ADDR |
                  pipe N | queue N | nat N | setfib FIB | reass
    PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]
    ADDR: [ MAC dst src ether_type ]
    [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]
    [ ipv6|ip6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]
    IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }
    IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }
    IP6LIST: { ip6 | ip6/bits }[,IP6LIST]
    IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]
    OPTION_LIST: OPTION [OPTION_LIST]
    OPTION: bridged | diverted | diverted-loopback | diverted-output |
    {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |
    {dst-port|src-port} LIST |
    estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |
    iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |
    ipttl LIST | ipversion VER | keep-state | layer2 | limit … |
    icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |
    mac … | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
    setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |
    tcpdatalen LIST | verrevpath | versrcreach | antispoof

    Computer shows the IP received from pf: 10.10.10.123, subnet 255.255.255.0, GW 10.10.10.1, DNS 97.xx.xxx.164, 8.8.8.8, 10.10.10.1
    & search domain: xxxxlocaldomain



  • Dashboard & FW Rules

    ![Hotspot FW Rules.JPG](/public/imported_attachments/1/Hotspot FW Rules.JPG)



  • Here is CP Settings…

    ![Service CP-1.JPG](/public/imported_attachments/1/Service CP-1.JPG)
    ![Service CP-2.JPG](/public/imported_attachments/1/Service CP-2.JPG)
    ![Service CP-3.JPG](/public/imported_attachments/1/Service CP-3.JPG)
    ![Service CP-4.JPG](/public/imported_attachments/1/Service CP-4.JPG)
    ![CP Allow MAC.JPG](/public/imported_attachments/1/CP Allow MAC.JPG)
    ![CP Allow IPs.JPG](/public/imported_attachments/1/CP Allow IPs.JPG)
    ![CP Files Manager.JPG](/public/imported_attachments/1/CP Files Manager.JPG)



  • CP page HTML (just cut to show here)… both pages are working fine as of now in 21 other older pf boxes (v2.1.5, 2.2.1, 4, 5) with the same FW rules & other settings; also there are no DNS IPs added in the CP bypass IP list or in the FW rules.

    ![CP Page HTML.JPG](/public/imported_attachments/1/CP Page HTML.JPG)
    ![Working CP HTML in other box.JPG](/public/imported_attachments/1/Working CP HTML in other box.JPG)



  • DNS Forwarder

    ![Service DNS Forwarder.JPG](/public/imported_attachments/1/Service DNS Forwarder.JPG)



  • I saw this image :
    Dashboard.JPG

    1. The captive portal isn't listed as a running service - so it's normal that it doesn't work.
    2. No IPv4 on your internal interfaces - and know that the portal is IPv4 only …....

    Btw read https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting again.
    No need to copy the explanation of ipfw - we all get this when ipfw doesn't understand its parameters.

    I have this :

    [2.3.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw zone list
    Currently defined contexts and their members:
    2: sis0,
    
    

    So, my zone 'number' is "2" - my captive portal is running on interface "sis0" - which is correct for me, of course, because I have the captive portal running on the interface called "sis0".

    Now, it gets interesting :

    [2.3.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ipfw -x 2 show
    00002     13294      3314314 pipe 7406 ip from any to any MAC any 64:80:99:9a:47:4b
    00003     14586      9765900 pipe 7407 ip from any to any MAC 64:80:99:9a:47:4b any
    65291         0            0 allow pfsync from any to any
    65292         0            0 allow carp from any to any
    65301   1006283     39413138 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302         0            0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303         0            0 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307     57897      2663300 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310  19592183    837720144 allow ip from any to table(100) in
    65311  19625424   1358243240 allow ip from table(100) to any out
    65312     28184      7166550 allow ip from any to 255.255.255.255 in
    65313         0            0 allow ip from 255.255.255.255 to any out
    65314      1689       139547 pipe tablearg ip from table(3) to any in
    65315      6892       618631 pipe tablearg ip from any to table(4) in
    65316      8749     11036712 pipe tablearg ip from table(3) to any out
    65317       811        61692 pipe tablearg ip from any to table(4) out
    65318 144231430  32986871939 pipe tablearg ip from table(1) to any in
    65319 214155810 264765937187 pipe tablearg ip from any to table(2) out
    65531   3393392    462811178 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
    65532    699424    107327290 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    65533   3900137   1155321789 allow tcp from any to any out
    65534    416251     68860126 deny ip from any to any
    65535        13          404 allow ip from any to any
    

    I could explain all these rules, but first : WHAT do YOU have ?

    Btw : These 'ipfw' rules have nothing to do with the Captive Portal Firewall rules in the GUI.



  • Thanks for reply…

    1. The captive portal isn't listed as a running service - so it's normal that it doesn't work.
      *  CP was turned off.

    2. No IPv4 on your internal interfaces - and know that the portal is IPv4 only .......

      I have to turn on CP and here is what I get...

    $ ipfw zone list
    Currently defined contexts and their members:
    2: igb2,

    $  ipfw -x 2 show
    00002  6  396 pipe 2792 ip from any to any MAC any 88:dc:96:39:f5:b8
    00003  3  132 pipe 2793 ip from any to any MAC 88:dc:96:39:f5:b8 any
    00004  2  122 pipe 2794 ip from any to any MAC any 88:dc:96:3c:da:d5
    00005  1  28 pipe 2795 ip from any to any MAC 88:dc:96:3c:da:d5 any
    00006  0    0 pipe 2796 ip from any to any MAC any 88:dc:96:3c:dc:4c
    00007  0    0 pipe 2797 ip from any to any MAC 88:dc:96:3c:dc:4c any
    00008  2  122 pipe 2798 ip from any to any MAC any 88:dc:96:3c:dc:4f
    00009  1  28 pipe 2799 ip from any to any MAC 88:dc:96:3c:dc:4f any
    00010  2  122 pipe 2800 ip from any to any MAC any 88:dc:96:3c:dc:52
    00011  1  28 pipe 2801 ip from any to any MAC 88:dc:96:3c:dc:52 any
    00012  2  122 pipe 2802 ip from any to any MAC any 88:dc:96:3c:dc:55
    00013  1  28 pipe 2803 ip from any to any MAC 88:dc:96:3c:dc:55 any
    00014  2  122 pipe 2804 ip from any to any MAC any 88:dc:96:3c:dc:58
    00015  1  28 pipe 2805 ip from any to any MAC 88:dc:96:3c:dc:58 any
    00016  2  122 pipe 2806 ip from any to any MAC any 88:dc:96:3c:dc:5b
    00017  1  28 pipe 2807 ip from any to any MAC 88:dc:96:3c:dc:5b any
    65291  0    0 allow pfsync from any to any
    65292  0    0 allow carp from any to any
    65301 24  888 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302  0    0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303  0    0 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307  0    0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310  0    0 allow ip from any to table(100) in
    65311  0    0 allow ip from table(100) to any out
    65312  0    0 allow ip from any to 255.255.255.255 in
    65313  0    0 allow ip from 255.255.255.255 to any out
    65314  3  267 pipe tablearg ip from table(3) to any in
    65315 11  721 pipe tablearg ip from any to table(4) in
    65316 11 1053 pipe tablearg ip from table(3) to any out
    65317  3  411 pipe tablearg ip from any to table(4) out
    65318  0    0 pipe tablearg ip from table(1) to any in
    65319  0    0 pipe tablearg ip from any to table(2) out
    65532  0    0 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    65533  1  83 allow tcp from any to any out
    65534 40 2820 deny ip from any to any
    65535  5  194 allow ip from any to any

    $ ipfw_context -1
    ipfw_context: not found

    ![HOTSPOT Any to Any Rule on top.JPG](/public/imported_attachments/1/HOTSPOT Any to Any Rule on top.JPG)


    ![Interface HOTSPOT.JPG](/public/imported_attachments/1/Interface HOTSPOT.JPG)
    ![Interface WAN.JPG](/public/imported_attachments/1/Interface WAN.JPG)
    ![General Setup.JPG](/public/imported_attachments/1/General Setup.JPG)
    ![Trafic Graph HOTSPOT.JPG](/public/imported_attachments/1/Trafic Graph HOTSPOT.JPG)
    ![ARP Table.JPG](/public/imported_attachments/1/ARP Table.JPG)



  • Your ipfw rules look fine to me.

    Can you list what's in "table(100)" ?
    (normally, it's the IP of your HOTSPOT interface.)

    Use:

    ipfw -x 2 table all list
    

    You have a switch with an IPv4 ??

    Can you confirm that connected devices got an IP from pfSense (DHCP server running on interface HOTSPOT) ? And the gateway (== IP of interface HOTSPOT), - DNS ?

    Can your devices resolve domain names ? (aka : DNS works) This even when you are NOT authenticated to the portal.

    Is it normal that your LAN is down ?



  • Thanks for reply…

    Here is what I did today... Made sure all interfaces' IPv6 is set to none, then removed IPv6 & kept IPv4 in all HOTSPOT firewall rules. Then turned on CP & ran this command. It shows... it looks like a few clients went through CP :)!! I can see some are still struggling, including the switch (10.10.10.2) even though its MAC is in the CP pass list!

    $ ipfw -x 2 table all list
    ---table(1)---
    10.10.10.178/32 mac x0:xx:65:x7:1f:56 2942
    10.10.10.204/32 mac x4:xx:9f:xe:5x:5c 2944
    ---table(2)---
    10.10.10.178/32 mac 0x:88:x5:3x:1x:56 2943
    10.10.10.204/32 mac x4:5x:9x:cx:5x:5c 2945
    ---table(3)---
    8.8.4.4/32 2930
    8.8.8.8/32 2932
    10.10.10.1/32 2908
    10.10.10.12/32 2910
    10.10.10.13/32 2912
    10.10.10.14/32 2914
    10.10.10.15/32 2916
    10.10.10.16/32 2918
    10.10.10.17/32 2920
    10.10.10.18/32 2922
    10.10.10.19/32 2924
    10.10.10.20/32 2926
    xx.xx.xxx.13/32 2934
    xx.xx.xxx.162/32 2936
    xx.xx.xxx.164/32 2938
    xx.xx.xxx.35/32 2940
    xxxx:fdc8::/32 2928
    ---table(4)---
    8.8.4.4/32 2931
    8.8.8.8/32 2933
    10.10.10.1/32 2909
    10.10.10.12/32 2911
    10.10.10.13/32 2913
    10.10.10.14/32 2915
    10.10.10.15/32 2917
    10.10.10.16/32 2919
    10.10.10.17/32 2921
    10.10.10.18/32 2923
    10.10.10.19/32 2925
    10.10.10.20/32 2927
    xx.xx.xxx.13/32 2935
    xx.xx.xxx.162/32 2937
    xx.xx.xxx.164/32 2939
    xx.xx.xxx.35/32 2941
    xxxx:xxxx::/32 2929
    ---table(100)---
    10.10.10.1/32 0

    You have a switch with an IPv4 ??
    * Switch is an EnGenius EWS5912FP (managed L2 with wireless controller) set to static IPv4 10.10.10.2, then 7 APs - 10.10.10.3 to 10.10.10.9
      All APs set to static (IPv4 as above), GW 10.10.10.1, DNS 10.10.10.1

    Can you confirm that connected devices got an IP from pfSense (DHCP server running on interface HOTSPOT) ? And the gateway (== IP of interface HOTSPOT), - DNS ?

    • Yes, devices receive an IP in 10.10.10.0/24, GW 10.10.10.1, and 4 DNS servers....

    Can your devices resolve domain names ? (aka : DNS works) This even when you are NOT authenticated to the portal.

    • Yes, all clients can go online if CP is OFF. As soon as I turn on CP all are dropping... then I manually cancel their DHCP leases and force them to get DHCP again so CP can show up...


  • @sujyo1:

    Here is what I did today… Made sure all interfaces' IPv6 is set to none, then removed IPv6 & kept IPv4 in all HOTSPOT firewall rules. Then turned on CP & ran this command. It shows... it looks like a few clients went through CP :)!! I can see some are still struggling, including the switch (10.10.10.2) even though its MAC is in the CP pass list!

    Do you need THIS switch ? Why is it managed ?
    If you change it for the time being for a dumb 10 $ switch.
    A switch with an IP (MAC ??) (just trying to eliminate things that are off-standard)

    @sujyo1:

    $ ipfw -x 2 table all list
    ---table(1)---
    10.10.10.178/32 mac x0:xx:65:x7:1f:56 2942
    10.10.10.204/32 mac x4:xx:9f:xe:5x:5c 2944
    ---table(2)---
    10.10.10.178/32 mac 0x:88:x5:3x:1x:56 2943
    10.10.10.204/32 mac x4:5x:9x:cx:5x:5c 2945
    ---table(3)---
    8.8.4.4/32 2930
    8.8.8.8/32 2932
    10.10.10.1/32 2908
    10.10.10.12/32 2910
    10.10.10.13/32 2912
    10.10.10.14/32 2914
    10.10.10.15/32 2916
    10.10.10.16/32 2918
    10.10.10.17/32 2920
    10.10.10.18/32 2922
    10.10.10.19/32 2924
    10.10.10.20/32 2926
    xx.xx.xxx.13/32 2934
    xx.xx.xxx.162/32 2936
    xx.xx.xxx.164/32 2938
    xx.xx.xxx.35/32 2940
    xxxx:fdc8::/32 2928
    ---table(4)---
    8.8.4.4/32 2931
    8.8.8.8/32 2933
    10.10.10.1/32 2909
    10.10.10.12/32 2911
    10.10.10.13/32 2913
    10.10.10.14/32 2915
    10.10.10.15/32 2917
    10.10.10.16/32 2919
    10.10.10.17/32 2921
    10.10.10.18/32 2923
    10.10.10.19/32 2925
    10.10.10.20/32 2927
    xx.xx.xxx.13/32 2935
    xx.xx.xxx.162/32 2937
    xx.xx.xxx.164/32 2939
    xx.xx.xxx.35/32 2941
    xxxx:xxxx::/32 2929
    ---table(100)---
    10.10.10.1/32 0

    You have a switch with an IPv4 ??
    * Switch is an EnGenius EWS5912FP (managed L2 with wireless controller) set to static IPv4 10.10.10.2, then 7 APs - 10.10.10.3 to 10.10.10.9
      All APs set to static (IPv4 as above), GW 10.10.10.1, DNS 10.10.10.1

    Can you confirm that connected devices got an IP from pfSense (DHCP server running on interface HOTSPOT) ? And the gateway (== IP of interface HOTSPOT), - DNS ?

    • Yes, devices receive an IP in 10.10.10.0/24, GW 10.10.10.1, and 4 DNS servers....

    Ok for all this.
    Look fine and normal.
    Remember : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    Section : Captive portal not redirecting
    If clients are not being redirected to the portal page when attempting to browse on an interface with captive portal enabled, it's most always one of the following causes.

    • DNS resolution not functioning - the clients on the captive portal interface must either be using the DNS forwarder on pfSense, on the IP of the interface where the client resides (which is the default configuration), or if using some other IP for DNS, it must be an allowed IP entry. If DNS fails, the browser never issues the HTTP request, hence it cannot be intercepted and redirected.
    • Firewall rules on the captive portal interface do not allow the initial HTTP request - if the user is trying to browse to google.com, but HTTP connections are not allowed to google.com, the HTTP request will be blocked and hence cannot be redirected. Under Firewall > Rules, on the interface where captive portal is enabled, the traffic to be redirected must be allowed to pass. This is most commonly HTTP to any destination.
    • The client has an HTTPS home page - The request must be to an HTTP site in order for the portal to redirect the client.

    @sujyo1:

    Can your devices resolve domain names ? (aka : DNS works) This even when you are NOT authenticated to the portal.

    • Yes, all clients can go online if CP is OFF. As soon as I turn on CP all are dropping… then I manually cancel their DHCP leases and force them to get DHCP again so CP can show up...

    Note : An ISP normally hands over some of its own DNS. I never ever added extra ones like "8.8.8.8" (why should I give Google the sites that I'm using ?). Why add them ?
    I use the default "DNS resolver" - not the "forwarder" (although it should work).

    When the CP is shut down (and GUI firewall rules permit communication) all devices should have an 'internet connection'.
    As soon as you turn on the CP - and you connect a device to your Wifi - or you cable it up, you cannot communicate anymore (normal, you should use a browser, visit a http://… site) and then authenticate.
    BUT :
    Running a
    ping www.google.com
    should always resolve "www.google.com" to an IP …. (this proves that DNS resolution IS working). See point 3 listed under "Section : Captive portal not redirecting".
    Don't always use www.google.com to test - use a URL that IS NOT in your local (device's) DNS cache !!! (or flush your cache -> PC => ipconfig /flushdns !!!)

    So, if a device is not getting redirected :
    Check 1 : what URL are you using to start ? https ? then no go.
    Check 2 : does a ping to www.whatever.tld resolve the URL to an IP ? (no ICMP replies, that is normal) If not, then DNS troubles.

    If DNS is working, a browser on a connected device obtains an IPv4 - and throws out an "http GET", and that one request will be captured by this rule :
    65532  0    0 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    => read : any communication coming in on port 80 (so : https => YOU LOSE) will be redirected to 127.0.0.1 port 8002,
    and that's where the Captive Portal web server will reply with the captive portal login page …...
    WHEN authentication succeeds, the client's device IP and MAC will be added to table 3 and 4.

    As you already saw when listing your ipfw rules, two devices were listed in these tables, so they managed to log in.

    Of course, after login, the "Captive Portal" firewall rules (ipfw !) become transparent - now the other, GUI firewall rules are used - they still / will apply.

    My ISP hasn't ANY IPv6 capabilities.
    But I'm using https://ipv6.he.net/ - I have a free account there, and pfSense WAN and my entire LAN are using IPv6 (DHCP6) - all my devices on LAN are IPv4 and IPv6 connected.
    But the pfSense Captive Portal isn't IPv6 ready at all.
    …. but look again at the ipfw firewall rules ( using https://en.wikipedia.org/wiki/EtherType )
    65301 24  888 allow ip from any to any layer2 mac-type 0x0806,0x8035
    => ARP and RARP pass through.

    65302  0    0 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    => EAP and PBB pass through

    65303  0    0 allow ip from any to any layer2 mac-type 0x8863,0x8864
    => PPPoE passes through

    65307  0    0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    => IPv4 and IPv6 pass through ( !)
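    The rule walk-through above boils down to one question a practitioner wants answered from `ipfw -x 2 show` and `ipfw -x 2 table all list`: for a given client IP, is it the portal interface itself (table 100), a logged-in client (an IP+MAC entry, which is where the two devices in the listing pasted earlier in the thread appear, in tables 1 and 2), a pass-through "Allowed IP" entry (the Google/ISP DNS addresses in tables 3 and 4), or an unauthenticated host whose port-80 traffic hits the `fwd 127.0.0.1,8002` rule and whose other traffic falls to the final `deny`? The Python below is an added example written for this post; it is not pfSense code and not the poster's. It parses both text formats exactly as pasted in the thread, names the EtherTypes in the `layer2 mac-type` rules using the list the post links to, and runs on a constructed sample (made-up MACs and IPs, and a subset of the rule numbers shown above). The function names are the example's own.

```python
"""Classify a client's captive-portal state from pfSense ipfw output.

Added example, not from the thread or from pfSense. It reads the text formats
of `ipfw -x <zone> show` and `ipfw -x <zone> table all list` as pasted above.
The sample output below is constructed; MACs and IPs are made up.
"""
import ipaddress
import re

# Constructed sample: one logged-in client (tables 1/2 carry IP+MAC), two
# pass-through "allowed IP" entries (tables 3/4), portal interface IP (table 100).
SAMPLE_TABLES = """\
---table(1)---
10.10.10.178/32 mac 02:00:00:aa:bb:01 2942
---table(2)---
10.10.10.178/32 mac 02:00:00:aa:bb:01 2943
---table(3)---
8.8.8.8/32 2932
10.10.10.1/32 2908
---table(4)---
8.8.8.8/32 2933
10.10.10.1/32 2909
---table(100)---
10.10.10.1/32 0
"""

# Constructed subset of the rule set shown in the thread (same rule numbers).
SAMPLE_RULES = """\
65301 24  888 allow ip from any to any layer2 mac-type 0x0806,0x8035
65303  0    0 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307  0    0 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310  0    0 allow ip from any to table(100) in
65318  0    0 pipe tablearg ip from table(1) to any in
65532  0    0 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
65534 40 2820 deny ip from any to any
"""

# EtherType names from the IANA/Wikipedia list the post links to.
ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP", 0x86dd: "IPv6",
    0x8863: "PPPoE-Discovery", 0x8864: "PPPoE-Session", 0x888e: "EAPOL",
}


def parse_tables(text):
    """Return {table_number: [(network, mac_or_None, tablearg)]}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = re.match(r"---table\((\d+)\)---", line)
        if m:
            current = int(m.group(1))
            tables[current] = []
            continue
        parts = line.split()
        if current is None or not parts:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # masked/garbled entries like "xx.xx.xxx.13/32" are skipped
        mac = parts[parts.index("mac") + 1] if "mac" in parts else None
        tables[current].append((net, mac, int(parts[-1])))
    return tables


def in_table(tables, number, ip):
    return any(ip in net for net, _mac, _arg in tables.get(number, []))


def redirects(rules_text):
    """Map TCP destination ports to the 'fwd' target the portal uses for them."""
    found = {}
    for m in re.finditer(r"fwd (\S+),(\d+) tcp from any to any dst-port (\d+) in", rules_text):
        found[int(m.group(3))] = f"{m.group(1)}:{m.group(2)}"
    return found


def classify(ip_str, tables, rules_text):
    """Say how the zone's ipfw rule set treats traffic from ip_str."""
    ip = ipaddress.ip_address(ip_str)
    if in_table(tables, 100, ip):
        return {"state": "portal-interface"}
    for net, mac, _arg in tables.get(1, []):
        if ip in net:  # IP+MAC pair installed after a successful login
            return {"state": "authenticated", "mac": mac}
    if in_table(tables, 3, ip):
        return {"state": "allowed"}  # CP "Allowed IP" entry, never redirected
    # Unknown to every table: port 80 is forwarded to the portal web server,
    # everything else falls through to the final "deny ip from any to any".
    return {"state": "unauthenticated", "redirects": redirects(rules_text)}


def layer2_policy(rules_text):
    """Name the EtherTypes the layer2 rules allow or deny, as the post walks through."""
    out = []
    for m in re.finditer(r"(allow|deny) ip from any to any layer2 (not )?mac-type (\S+)", rules_text):
        names = [ETHERTYPES.get(int(h, 16), h) for h in m.group(3).split(",")]
        out.append((m.group(1), bool(m.group(2)), names))
    return out


if __name__ == "__main__":
    t = parse_tables(SAMPLE_TABLES)
    for client in ("10.10.10.178", "8.8.8.8", "10.10.10.200", "10.10.10.1"):
        print(client, classify(client, t, SAMPLE_RULES))
    print(layer2_policy(SAMPLE_RULES))
```

    On a real box you would feed the two commands' output into `parse_tables` and `classify` and run it for the struggling client's IP: "unauthenticated" with port 80 mapped to 127.0.0.1:8002 means the portal should be answering and the problem is upstream of ipfw (DNS, an https start page, or a client that never issues a plain HTTP GET), which is exactly the order of checks the post lays out.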



  • What a detailed explanation about CP!! Gertjan, you are a genius!! A BIG THANK YOU !!
    I kept CP open for 5 hrs yesterday. Only a few guests were able to log in, others kept trying. I think there is a DNS problem somewhere, or the clients' devices are already running other apps, browsers etc. in the background preventing the CP from opening & redirecting on their devices as you explained above.
    Q: Can http becoming https automatically on the hotel's redirect website be causing this problem? As the CP basic rule says, the redirect page must be an http site. So in the CP page I put http://www.website.com, not https, because when I go to the hotel's http site it changes to https automatically in my computer's browser.

    Do you need THIS switch ? Why is it managed?
    If you change it for the time being for a dumb 10 $ switch.
    A switch with an IP (MAC ??) (just trying to eliminate things that are off-standard)
    * I keep this switch for remote tech support access so they don't have to mess with pf.



  • Read this https://forum.pfsense.org/index.php?topic=116386.msg645311#msg645311 to understand why nearly all devices today do present a login page to the visitor.
    If they don't, they are NOT "portal aware" ….. (and should be updated or recycled ;) )

    Btw : No, intercepting a direct, initial "https" GET and hoping that the portal login shows up is like hoping 'a man in the middle' interacts with your connection when you visit your bank account on the net. Don't ask for it - you won't want this .... ;)



  • Try to make a new user with full access to this page, like SuperUser; grant all access to this user.
    Then enable your captive portal.
    Open a web browser, go to the address bar and type the pfSense IP with port 8000, e.g. http://192.168.1.1:8000
    The login page will pop up; then use the new username & password that you created lately, like the superuser.
    Then done.
    Internet can pass through your PC now.