How to change the default TCP port 8002 for the captive portal?



  • Dear,

    We are facing many issues with client PCs (from clients attending to authenticate on the captive portal).
    The flow from the client to the port TCP/8002 is blocked by their local firewall.
    It's typically PCs from financial companies running restricted policies.

    As a result, they can't connect.

    Is it possible to change the default port? I can't find a way to do it in the web GUI.
    I found a configuration file named /var/etc/lighty-captiveportal-CaptivePortal.conf which contains a port 8002. I tried to change it and modify the pre auth URL (via web GUI) but it doesn't work.

    The best solution would be to assign a second IP on the pfSense and to use this second IP and port 80 (or 443) so I don't need to use exotic ports (8002, ...) which are blocked by their local restricted policy.

    Does somebody have a "standard" solution to my problem?
    Temporarily I hardcoded the MAC address, but it's a manual action and it's hard to maintain.



  • @j4nus:

    Is it possible to change the default port? I can't find a way to do it in the web GUI.
    I found a configuration file named /var/etc/lighty-captiveportal-CaptivePortal.conf which contains a port 8002. I tried to change it and modify the pre auth URL (via web GUI) but it doesn't work.

    The file:
    /var/etc/lighty-captiveportal-CaptivePortal.conf
    is the configuration file, regenerated every time the portal changes (read: when you make edits in the GUI).

    You should there where the file is constructed  ;)

    The base port number "8000" can be found here: /etc/inc/captiveportal.inc
    Look for "800" (not "8000") and you will find 6 references - the 8000 is the base for 'http' connections, 8001 for https.

    Understand that every captive portal zone uses its own unique port.
    I guess you will be able to position a listen port on 80 or 443.

    But .... by default, the webserver of the GUI will bind to all interfaces also .... including the interface used for the captive portal.
    I'm pretty sure that one of the 2 won't start now (you can't share a port among 2 or more "listeners").
    Up to you to change the place where the nginx config file is built (you will find the function used to do that in /etc/inc/captiveportal.inc also).
    Idea: limit the webserver GUI to 'LAN only'.

    So ....
    It's you who's gonna write some PHP - and you'll be fine BUT on your own to do so (and during the next update you have to redo your changes),
    OR:
    Have this silly policy removed.



  • Hi Gertjan,
    Thanks for your answer.

    Is there a way to specify the zone id?
    The zone id 80 (in place of 2) would be a good match, so the captive portal would run on tcp/8080 which is usually allowed (at least to connect to a proxy).

    I would like to avoid changing the code (inc file) to avoid issues after upgrades.

    Concerning your remark about the port 80/443 and the web GUI, I can eventually change this port to a non-standard port (e.g. 4430) to avoid any conflicts.



  • @j4nus:

    Is there a way to specify the zone id?
    The zone id 80 (in place of 2) would be a good match, so the captive portal would run on tcp/8080 which is usually allowed (at least to connect to a proxy).

    Using "8080" (http), it can be done.
    The dumb solution: create a portal zone. You'll see the port number increments. Continue creating until you reach '8080' for your http.
    Now, wipe all preceding zones.
    Or:
    The smart one: create a zone. Test drive it. Stop captive portal. Edit your config.xml (the captive portal is easy to find, change the ID (which will be added to 8000)). Save. Start portal. Check.
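
Added example, not part of the thread and not pfSense code: a pre-flight check to run on a copy of config.xml after editing a zone ID, which derives each zone's listener ports from the bases named above (8000 for http, 8001 for https) and reports any port claimed by two listeners, including the web GUI. The XML element layout, the sample values and the web GUI port fallback (443 for https, 80 for http) are assumptions.

```python
import xml.etree.ElementTree as ET

HTTP_BASE, HTTPS_BASE = 8000, 8001  # bases named in the thread

# Constructed sample; the element layout is an assumption, not a real config.xml.
SAMPLE = """<pfsense>
  <system><webgui><protocol>https</protocol><port>4430</port></webgui></system>
  <captiveportal>
    <guests><zoneid>80</zoneid></guests>
    <lobby><zoneid>81</zoneid></lobby>
  </captiveportal>
</pfsense>"""

def portal_ports(xml_text):
    """Return {zone name: (http port, https port)} derived from each zone ID."""
    root = ET.fromstring(xml_text)
    ports = {}
    for zone in root.findall("./captiveportal/*"):
        zid = (zone.findtext("zoneid") or "").strip()
        if not zid.isdigit():
            continue  # skip zones without a usable numeric ID
        ports[zone.tag] = (HTTP_BASE + int(zid), HTTPS_BASE + int(zid))
    return ports

def gui_port(xml_text):
    """Web GUI port: explicit value if set, else the protocol default (assumed)."""
    root = ET.fromstring(xml_text)
    port = (root.findtext("./system/webgui/port") or "").strip()
    if port.isdigit():
        return int(port)
    proto = (root.findtext("./system/webgui/protocol") or "https").strip()
    return 443 if proto == "https" else 80

def collisions(xml_text):
    """Return {port: [listeners]} for every port claimed more than once.

    Conservative: both the http and https port of a zone count as reserved.
    """
    claimed = {gui_port(xml_text): ["webgui"]}
    for name, (http, https) in sorted(portal_ports(xml_text).items()):
        claimed.setdefault(http, []).append(name + ":http")
        claimed.setdefault(https, []).append(name + ":https")
    return {p: who for p, who in claimed.items() if len(who) > 1}

if __name__ == "__main__":
    print(portal_ports(SAMPLE))
    print(collisions(SAMPLE))
```

In the constructed sample, adjacent zone IDs 80 and 81 overlap on 8081, which is the kind of clash a hand-edited ID can introduce.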

