Captive portal not working with some domains



  • Hi,
    I've got a captive portal set up on pfSense. When I connect to the network and open e.g. google.com, wikipedia.org, facebook.com, the browser times out. But when I visit e.g. google.cz, itnetwork.cz, seznam.cz, I'm instantly redirected to the captive portal login page. When I log in and try to visit pages that weren't working before (google.com, wiki, facebook), they work now.

    I think it may be because the captive portal is blocking access to the DNS server. However, when I disable the captive portal, connect to the network, and use nm-tools in Linux to get the DNS server IP, I get only IPs that I already allowed in the captive portal.

    What should I do? Is it possible that non-.cz domains are translated by another DNS server, which doesn't show up in nm-tools? If so, how do I get this DNS server's IP? Is there any command in Linux to show not only the domain IP (like the host command), but also the IP of the DNS server which was used?
    Thanks.



  • For the captive portal page to load, DNS must be working at the outset. So you can do one of two things:

    1. Activate the DNS forwarder on your PFS and set your DHCP settings on your clients to use the LAN address of the PFS as their primary DNS server.

    2. Set the IP address of your external DNS servers in the 'Allowed IP addresses' tab of your captive portal config. Set your DHCP server to give these DNS servers as the primary/secondary DNS entries for your clients.

    Either of these solutions should work. From the sound of things, your clients are using a DNS server which can't resolve some external addresses.



  • 2. I had this set before, as I said.

    1. I activated the DNS forwarder and set the DNS to the IP of pfSense's captive portal interface. It seems it works in most cases, but even after login, I can't access google.com - Chrome says DNS_PROBE_FINISHED_BAD_CONFIG. But all non-google.com pages (like youtube or google.cz) work fine.



  • So the problem solved itself. Probably it needed a while to let the changes take effect on all clients.
    Some web pages still didn't redirect to the CP login, but it turned out that's because of https…